Kopiluwak, Fancy Bear, Cozy Bear?
What comes to mind when you hear those words?
They sound like coffee and cute animals, far removed from anything dangerous. In the security world, however, they raise serious concern because they are tied to APT activity, in particular APT28 and APT29. In 2016 Fancy Bear and Cozy Bear became famous in the cyber world because they were implicated in cyber attacks during the US election.
Can a cyber attack group interfere with an election process?
APT28 has been active since 2007 but received public attention in 2016, when it was implicated in a series of cyber attacks on the US presidential election. APT28 and APT29 were identified as the actors behind cyber attacks targeting government organizations, think tanks, universities, and corporations. APT29 entered the party's systems in summer 2015 and APT28 entered in spring 2016.
In summer 2015, an APT29 spearphishing campaign directed emails containing a malicious link to over 1,000 recipients, including U.S. Government victims. APT29 successfully sent the spearphishing emails and hosted malware, and as a result compromised a U.S. political party. At least one targeted individual activated links to malware hosted on operational infrastructure or opened attachments containing malware. APT29 delivered malware to the political party's systems, established persistence, escalated privileges, enumerated Active Directory accounts, and exfiltrated email from several accounts through encrypted connections back through operational infrastructure.
In spring 2016, APT28 ran a similar spearphishing campaign, but this time it tricked recipients into changing their passwords through a fake webmail domain hosted on APT28 infrastructure. With the harvested credentials, APT28 was able to gain access and steal information from systems. Because APT28 and APT29 attacked during the election and leaked stolen data related to the U.S. election, the intrusions interfered with or influenced the democratic process.
Figure 1. APT28 and APT29 attack process on US election. (source: GRIZZLY STEPPE – Russian Malicious Cyber Activity)
In 2016 it was also reported that the Taiwan election was going to be the target of a series of attacks by Chinese threat actors. The attackers used office documents such as .doc, .docx, .xls and .pdf files that contained macros and executable programs which ran when the document was opened. The program behind the document (malware, backdoor, etc.) then became active without any notification to the user.
In 2015 the APT28 group stole 16 gigabytes of data from the German parliament. The hackers used malware to gain access to the internal servers of the Bundestag. This attack was seen as preparation for attacking the election process in Germany.
In 2017, Denmark reported a cyber intrusion into several Defense Ministry systems. According to the report, hackers belonging to the notorious APT28 group were behind the attack, which was part of an ongoing cyber espionage campaign targeting the Danish Defense Ministry.
Also in 2017, the APT28 group launched spearphishing against the campaign of the French presidential candidate Emmanuel Macron. The APT28 attacks against Emmanuel Macron's staff used replicas of legitimate URLs and exploited the attack technique dubbed.
In 2018, the Cambodian election process was also targeted by cyber attacks. Chinese APT efforts related to this attack used spearphishing with office documents. Based on FireEye analysis, the Chinese APT used newly identified tools, EVILTECH and DADBOD.
Range of cyber attacks in the election process
- DEFACEMENT
Defacement describes the illegal modification of online content. Defacement is a type of attack often carried out as part of a politically motivated attack to spread propaganda. Taking into account that election commissions, as well as political parties and interest groups, use online channels to communicate with the public, this underlines the potential for future attacks.
- DENIAL-OF-SERVICE ATTACKS
In some ways comparable to the defacement of websites are Denial-of-Service (DoS) attacks that are aiming to make websites or services unavailable. Typical targets within the context of elections are websites of election commissions, political parties and candidates.
- ESPIONAGE/DATA EXFILTRATION
Two of the most widely publicly discussed attacks within the 2016 US presidential election were related to the alleged exfiltration of data. It was reported that offenders were able to obtain data (e-mails) from computer systems of the Democratic National Convention.
- PUBLICATION OF OBTAINED INFORMATION
Both in the reported attacks in the 2016 US presidential election and in the 2017 French election, the mere fact that offenders obtained access to e-mails was not seen as the greatest damage; the greater damage was that those e-mails were published and sparked debate about the election process.
- ATTACKS AGAINST ELECTION SERVER
Election servers hold crucial data that can throw the election process into chaos, because they are the source of all election data. Even if the election does not use voting machines and still uses the conventional paper method, the election server can be a prime target because it contains data such as results, voter data, raw regional data, etc. Some common attack methods are:
- Injection Flaws are broad web application attack techniques that attempt to send commands to a browser, database, or other system, allowing a regular user to control behavior. The most common example is SQL injection, which subverts the relationship between a webpage and its supporting database, typically to obtain information contained inside the database. Another form is command injection, where an untrusted user is able to send commands to operating systems supporting a web application or database.
- Cross-site scripting (XSS) vulnerabilities allow threat actors to insert and execute unauthorized code in web applications. Successful XSS attacks on websites can provide the attacker unauthorized access.
- Server vulnerabilities may be exploited to allow unauthorized access to sensitive information. An attack against a poorly configured server may allow an adversary access to critical information including any websites or databases hosted on the server.
- MISLEADING INFORMATION
Both the US election and the French election, where computer systems were reported to have been hacked and internal e-mails published, showed that some of the published e-mails had been manipulated to mislead the public. Mixing authentic and manipulated documents could be a strategy to maximise the negative impact of such an attack. This was not the only incident where "misleading" or "fake" news played a role.
RECOMMENDED MITIGATION
- Patch applications and operating systems – Vulnerable applications and operating systems are the targets of most attacks. Ensuring these are patched with the latest updates greatly reduces the number of exploitable entry points available to an attacker. Use best practices when updating software and patches by only downloading updates from authenticated vendor sites.
- Application whitelisting – Whitelisting is one of the best security strategies because it allows only specified programs to run while blocking all others, including malicious software.
- Restrict administrative privileges – Threat actors are increasingly focused on gaining control of legitimate credentials, especially those associated with highly privileged accounts. Reduce privileges to only those needed for a user’s duties. Separate administrators into privilege tiers with limited access to other tiers.
- Network Segmentation and Segregation into Security Zones – Segment networks into logical enclaves and restrict host-to-host communications paths. This helps protect sensitive information and critical services and limits damage from network perimeter breaches.
- Input validation – Input validation is a method of sanitizing untrusted user input provided by users of a web application, and may prevent many types of web application security flaws, such as SQLi, XSS, and command injection.
- File Reputation – Tune Anti-Virus file reputation systems to the most aggressive setting possible; some products can limit execution to only the highest reputation files, stopping a wide range of untrustworthy code from gaining control.
- Understanding firewalls – When anyone or anything can access your network at any time, your network is more susceptible to being attacked. Firewalls can be configured to block data from certain locations (IP whitelisting) or applications while allowing relevant and necessary data through.
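The injection flaw described under "Attacks against election server" and the input-validation mitigation above, shown side by side as an added example (not code from the original article or from any real election system). It assumes a constructed SQLite schema with a results table and a voters table, and a constructed region-code format of the form R01; the crafted input is a constructed test value used only to show why the parameterized, validated form is needed.

```python
"""Election results lookup: SQL-injectable query beside its hardened form.

Added example with constructed data; not the original article's code.
"""
import re
import sqlite3

# Constructed sample data: public per-region results plus a voters table
# that a public results endpoint should never be able to expose.
SAMPLE_SQL = """
CREATE TABLE results (region TEXT, candidate TEXT, votes INTEGER);
INSERT INTO results VALUES ('R01', 'Candidate A', 1200), ('R01', 'Candidate B', 980),
                           ('R02', 'Candidate A', 450),  ('R02', 'Candidate B', 510);
CREATE TABLE voters (voter_id TEXT, name TEXT, region TEXT);
INSERT INTO voters VALUES ('V-0001', 'Alice Example', 'R01'),
                          ('V-0002', 'Bob Example', 'R02');
"""

# Constructed crafted input: a second SELECT appended to the query string.
CRAFTED_INPUT = "' UNION SELECT voter_id, name FROM voters --"

# Constructed allow-list for region codes: the letter R and two digits.
REGION_RE = re.compile(r"^R\d{2}$")


def make_db():
    """Build an in-memory database from the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SQL)
    return conn


def results_vulnerable(conn, region):
    """'Before' form: untrusted input is pasted straight into the SQL text."""
    sql = "SELECT candidate, votes FROM results WHERE region = '%s'" % region
    return conn.execute(sql).fetchall()


def results_hardened(conn, region):
    """'After' form: allow-list validation, then a parameterized query."""
    if not REGION_RE.fullmatch(region):
        raise ValueError("invalid region code: %r" % region)
    sql = "SELECT candidate, votes FROM results WHERE region = ?"
    return conn.execute(sql, (region,)).fetchall()


def demo():
    """Return what each form yields for the crafted input (None = rejected)."""
    leaked = results_vulnerable(make_db(), CRAFTED_INPUT)
    try:
        blocked = results_hardened(make_db(), CRAFTED_INPUT)
    except ValueError:
        blocked = None
    return leaked, blocked
```

The vulnerable form returns voter records for the crafted input because the string is executed as part of the query; the hardened form rejects it before any SQL runs, and even an input that passed the regex would be bound as data, never as SQL.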
References:
- INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA) 2017 (EUROPOL)
- GRIZZLY STEPPE – Russian Malicious Cyber Activity (Joint Analysis Report DHS and FBI)
- SENATE INTELLIGENCE COMMITTEE: RUSSIA AND 2016 ELECTION (FireEye)
- https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/
- https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/
- https://www.symantec.com/blogs/election-security/apt28-espionage-military-government
- https://pwc.blogs.com/cyber_security_updates/
- https://www.proofpoint.com/us/threat-insight/post/turla-apt-actor-refreshes-kopiluwak-javascript-backdoor-use-g20-themed-attack
- https://resources.infosecinstitute.com/
- http://securityaffairs.co/wordpress/58361/apt/emmanuel-macron-apt28.html
- https://www.fireeye.com/blog/threat-research/2018/07/chinese-espionage-group-targets-cambodia-ahead-of-elections.html
- https://unit42.paloaltonetworks.com/evilgrab-delivered-by-watering-hole-attack-on-president-of-myanmars-website/
Now I'll know