USCYBERCOM v. the Internet Research Agency

Some details have emerged regarding the recently reported attacks on the Internet Research Agency (recently renamed the Federal News Agency). Keep in mind, these details were reported by FAN itself.

FAN reported that the initial intrusions were via a poisoned word document and an iPhone 7+. The end result of the operation, apparently, was the destruction of a raid controller at a central server in FAN headquarters and reformatting of server systems co-located at facilities in Sweden and Estonia.

Now, keep in mind, there is only one source reporting these details — FAN itself. And the original article outlining the attack, written in Russian, is just a bit heavy on the propaganda angle. It doesn't cover any significant details regarding command and control infrastructure, or implants used, or really anything of any technical detail. This, of course, doesn't mean that Russian authorities don't have samples, but it does make the article a bit less interesting to read, unfortunately.

But not all is lost! They do have some information on the initial footholds. First, the weaponized word document was a typical phishing lure with information of interest to the target. The email itself wasn't published, but it does seem like a reasonably sophisticated spear phishing attack, as it spoofed the email address of a FAN employee as the originator. After the document was opened, it installed a rootkit on the attacked system. It does seem that the rootkit was able to establish a connection to some C&C server somewhere, but the contents of that communication weren't reported. Furthermore, the compromised system couldn't be used to pivot to other internal infrastructure either as the network it was on was partitioned from the primary internal FAN LAN.

The iPhone 7+ attack is much more interesting. While the first system was compromised via a traditional spearphishing attack, the iPhone attack was much more sophisticated. FAN doesn't mention the version of iOS that the iPhone was running, but they do roughly cover the process of compromise. Apparently, the iPhone was attached to a Windows computer (again, the specific version of Windows isn't mentioned). When attached via a USB cable, iTunes automatically popped up and did the usual iTunes things, as well as apparently downloading a rootkit. After the rootkit was installed, the computer was completely compromised and provided full access to the internal LAN. They also mention that Amazon was the C&C endpoint, which is entirely possible. It seems that USCYBERCOM would want more anonymity. But perhaps, with routing C&C traffic through fast-flux networks and external foreign ISPs, there's really no need. I expect that they wanted people to know who did this, first, and second, it's not like they're breaking any laws. Well, in the US at least. So why bother with a bunch of fancy C&C obsfuscation?

The iTunes attack vector is interesting simply because I haven't seen that one before. I also wonder how the iPhone was originally compromised. iPhone exploits are expensive on the open market after all — as of January of this year, the going price for remote exploits was $2 million. Yes, that's right. And that's what the researchers get paid — you can bet buyers are paying at least double that.

Now, that said, they don't identify the employee that owned the phone, but they do describe an apparent detention of an editor, which could very well been used as an opportunity to install an implant on the iPhone, if the editor was, in fact, the employee that owned the compromised phone.

Interesting TPPs, no doubt! I expect that we'll see more sophisticated attacks in the future though. This time, USCYBERCOM wanted to be caught. Next time, well, I wouldn't count on it.