fireeye government forum - tomorrow's threat landscape


Upload: christopher-porter

Post on 21-Mar-2017


TRANSCRIPT

Page 1: FireEye Government Forum - Tomorrow's Threat Landscape

Copyright © FireEye, Inc. All rights reserved.

4TH ANNUAL FIREEYE GOVERNMENT FORUM 2017

TOMORROW’S THREAT LANDSCAPE
15 MARCH 2017
FIREEYE ISIGHT INTELLIGENCE

Christopher B. Porter, Manager, Threat Intelligence Analysis, FireEye Horizons

Page 2: FireEye Government Forum - Tomorrow's Threat Landscape


Top Line Trends

Page 3: FireEye Government Forum - Tomorrow's Threat Landscape


China: Activity Since Redline

• Chinese APT activity predominantly impacting non-US companies

• Overall downward trend continues from mid-2014

• South East Asia, Japan, and Australia experience public and private sector breaches, with a significant focus on South China Sea tensions

Page 4: FireEye Government Forum - Tomorrow's Threat Landscape


China’s Plan: Agree to Stop Doing Things They Didn’t Want to Do Anymore

• Presidents Xi and Obama agreed in September 2015 to end cyber espionage for the purposes of commercial profit.

• Xi has cracked down on corruption and centralized control since taking power in 2013, and restricting China’s cyber operations enhances that push.

• China’s future as a technology leader, rather than a perpetual second-mover, relies on building up domestic capability to innovate as a process (not just industry) and on international norms supporting intellectual property rights.

• The Xi-Obama Agreement was one of four agreements China initiated in 2015 with key countries (Russia, the U.S., the U.K., and Germany), which points to a broad agenda to meet domestic goals and counter foreign pressure over hacking.

Page 5: FireEye Government Forum - Tomorrow's Threat Landscape


[Chart, not reproduced in the transcript] Active Network Compromises conducted by 72 suspected China-based groups, by month

Page 6: FireEye Government Forum - Tomorrow's Threat Landscape


So What Have China’s Hackers Been Up To Then?

• Slowdown – Operations targeting US organizations declined precipitously, starting in March 2015. Only a few confirmed cases of IP theft, and those involve the defense sector, aerospace, government services, and other companies probably not covered by the Agreement.

• Reorganization - A PLA reorganization at the end of 2015 included the centralization of cyber forces in the new Strategic Support Force for conducting cyber operations and information warfare. Such a change is likely a complicated effort affecting tactical planning, and could include changing physical locations, establishing new lines of control and authority, or altering funding streams.

• Move to Classic Pol-Mil Espionage - Multiple Chinese threat groups are targeting Southeast Asian countries, especially government and military organizations. This has included the Philippines and Vietnam, among others, where Chinese threat actors probably pursue these organizations to collect intelligence on sensitive South China Sea disputes. We have observed some commercial targeting in both Japan and South Korea.

• Robbing Peter Instead - Multiple suspected China-based threat actors have been targeting Russian government and commercial targets, as well as similar targets around Central Asia and Eastern Europe, such as Estonia, Mongolia, and Uzbekistan. The Russia-based targets appear associated with Russian government and security organizations as well as Russian entities associated with nuclear and satellite technologies.

• Competitive Intelligence Rather Than Theft – Many Chinese acquisitions align with industry investments outlined in the Five Year Plan, including artificial intelligence, biotechnology, and online services. At least two companies sought for Chinese acquisition were previously compromised by China-based threat actors where executive emails, financial statements, and insurance policies were stolen.

Page 7: FireEye Government Forum - Tomorrow's Threat Landscape


Russia: Beyond the U.S. Election

• APT28 and APT29: Russian Government-sponsored groups with a long history of political espionage at key US and EU government institutions

• Information Operations are the focus, taking on an overt element in the U.S., signals escalation

• Emboldened and focused on refinement of successful operations—activity continues after the election

Page 8: FireEye Government Forum - Tomorrow's Threat Landscape


APT28 Basics: Targets

• In operation since at least 2007

• Highly persistent and brazen group

• Supported by the Russian Government

Page 9: FireEye Government Forum - Tomorrow's Threat Landscape


APT28 Network Activity Has Likely Supported Information Operations as They “Hack and Leak”

Timeline of hack-and-leak incidents, 2014 to 2016:

• Ukrainian Central Election Commission: May 2014

• TV5 Monde: February 2015, April 2015

• U.S. Democratic Congressional Campaign Committee: March – October 2016

• John Podesta: March – November 2016

• U.S. Democratic National Committee: September 2016

• World Anti-Doping Agency: September 2016

Page 10: FireEye Government Forum - Tomorrow's Threat Landscape


APT28’s Operational Changes Since 2014

APT28 is evolving its tools and tactics to support Russia’s military and political objectives:

• Leveraging zero-day vulnerabilities

• Increasing reliance on public code repositories

• Obtaining credentials through fabricated Google App authorization and OAuth access

• Moving laterally through a network relying only on legitimate tools

Page 11: FireEye Government Forum - Tomorrow's Threat Landscape


Exposure Not Necessarily Effective at Disrupting Operations

Page 12: FireEye Government Forum - Tomorrow's Threat Landscape


APT29 – Legitimate Services for C2

• Checks real, preselected Twitter accounts for instructions on downloading an image file.

• Image files are hosted on cloud drive services and contain commands hidden with steganography.

• Commands are encrypted but not themselves malicious.

• Exfil works by pushing data to cloud drives.

• Must monitor endpoint, not just network!
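The channel this slide describes, worked through as an added example (this is not FireEye's code and not a sample of APT29's tooling): a command is encrypted, hidden in the least significant bits of a valid PNG, and recovered by the implant after the image is fetched from a legitimate host. Everything specific here is an assumption chosen to keep the script dependency-free: the 64x64 random cover image, the 4-byte length prefix, the XOR stand-in for the real encryption layer, and all the function names.

```python
# Added example (not FireEye's code, not APT29 tooling): a model of the
# image-borne command channel on the slide. The PNG writer/reader, the LSB
# embedding and the XOR "encryption" are all assumptions for this demo.
import random
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(tag: bytes, body: bytes) -> bytes:
    """Length + tag + body + CRC32(tag + body), as the PNG spec requires."""
    crc = zlib.crc32(tag + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", crc)


def png_encode(width: int, height: int, rgb: bytes) -> bytes:
    """Write 8-bit RGB pixels as a PNG using filter type 0 on every row."""
    assert len(rgb) == width * height * 3
    stride = width * 3
    raw = b"".join(b"\x00" + rgb[y * stride:(y + 1) * stride] for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


def png_decode(data: bytes):
    """Parse a PNG back to (width, height, rgb); raises on any malformed chunk."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos, idat, width, height = 8, b"", None, None
    while pos + 12 <= len(data):
        length, tag = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if crc != zlib.crc32(tag + body) & 0xFFFFFFFF:
            raise ValueError("CRC mismatch in %r chunk" % tag)
        if tag == b"IHDR":
            width, height, depth, ctype = struct.unpack(">IIBB", body[:10])
            if (depth, ctype) != (8, 2):
                raise ValueError("only 8-bit RGB supported here")
        elif tag == b"IDAT":
            idat += body
        elif tag == b"IEND":
            break
        pos += 12 + length
    raw = zlib.decompress(idat)
    stride = width * 3 + 1                           # one filter byte per row
    rows = [raw[y * stride:(y + 1) * stride] for y in range(height)]
    if any(r[0] != 0 for r in rows):
        raise ValueError("only filter type 0 supported here")
    return width, height, b"".join(r[1:] for r in rows)


def embed(rgb: bytes, payload: bytes) -> bytes:
    """Hide payload (with a 4-byte length prefix) in the LSB of each colour byte."""
    framed = struct.pack(">I", len(payload)) + payload
    bits = [(byte >> i) & 1 for byte in framed for i in range(7, -1, -1)]
    if len(bits) > len(rgb):
        raise ValueError("cover image too small for payload")
    out = bytearray(rgb)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def extract(rgb: bytes) -> bytes:
    """Inverse of embed(): read the length prefix, then that many bytes of LSBs."""
    def read_bytes(count: int, offset: int) -> bytes:
        value = 0
        for i in range(count * 8):
            value = (value << 1) | (rgb[offset + i] & 1)
        return value.to_bytes(count, "big")
    (length,) = struct.unpack(">I", read_bytes(4, 0))
    return read_bytes(length, 32)


def xor_cipher(data: bytes, key: bytes) -> bytes:
    """Placeholder for the real encryption layer: XOR only, not secure."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_c2_image(command: bytes, key: bytes, width: int = 64, height: int = 64, seed: int = 7) -> bytes:
    """Operator side: encrypt the command and hide it in a constructed cover image."""
    rng = random.Random(seed)                        # deterministic, constructed cover
    cover = bytes(rng.randrange(256) for _ in range(width * height * 3))
    return png_encode(width, height, embed(cover, xor_cipher(command, key)))


def recover_command(png_bytes: bytes, key: bytes) -> bytes:
    """Implant side: parse the downloaded image, extract the LSBs, decrypt."""
    _, _, rgb = png_decode(png_bytes)
    return xor_cipher(extract(rgb), key)


def passes_network_inspection(png_bytes: bytes) -> bool:
    """All an inline proxy can establish: the download is a well-formed PNG."""
    try:
        png_decode(png_bytes)
        return True
    except (ValueError, zlib.error, struct.error, TypeError):
        return False


if __name__ == "__main__":
    key = b"k3y-material"
    img = build_c2_image(b"whoami; hostname", key)
    print("valid PNG on the wire:", passes_network_inspection(img))
    print("command the implant recovers:", recover_command(img, key))
```

The point of `passes_network_inspection` is the slide's last bullet: on the wire this is a syntactically valid image fetched from a legitimate service over TLS, so content inspection at the proxy has nothing to flag. The observable anomaly is on the endpoint, where one process reads a social-media feed, downloads an image, and then executes whatever it decoded from the pixels.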

Page 13: FireEye Government Forum - Tomorrow's Threat Landscape


What Does the Future Hold?

• “Rise of the rest” – many countries have the capability, need, and resources for offensive cyber programs. Most have bought or rented capability until now, but we will see more players going forward, with significant risk for regional stability given the different command-and-control structures being put in place.

• Early indicator: South Asia-origin operations have greatly increased, appear to be for both government and for-hire. Vietnam-origin groups increasingly assertive in their region.

• Balkanization of the Internet accelerating. Few countries share the U.S. vision of a free-speech utopia online; almost all want national control that reflects some degree of local values. For defenders, this creates multiple threat surfaces around the world for each data requirement and could lead to norms that demand access to data and backdoors for law enforcement, weakening overall security.

• Early indicators: ICANN moving outside USG control, increased data localization laws, legal challenges, UK Great Firewall, FBI/Apple

• Mass individualized targeting – Projecting state power at distance and scale against many individuals or private organizations to affect political outcomes. Facilitated by US policy that focuses on defending silos of critical infrastructure rather than countering adversary behavior. Not just about influence or warfare, but a new way of managing state-individual relations that, coupled with rising nationalism, will create many divisions within Western societies: religion, internationalism, etc.

• Early indicators: Successful indigenously developed domestic surveillance systems, OPM, investment in big data technologies by adversaries

Page 14: FireEye Government Forum - Tomorrow's Threat Landscape


QUESTIONS?