ANALYZING AN OFF-THE-SHELF SURVEILLANCE SOFTWARE HACKING TEAM CASE STUDY Friday 2 nd June, 2017 Stanislav Špaček Pavel Čeleda, Martin Drašar, Martin Vizváry
Introduction Hacking Team Story Began as a security services provider in 2003 Founders had previous experience with spyware development Recently develops tools for “offensive security” Remote Control System Galileo (RCS) System for targeted surveillance of individuals Available exclusively to the governmental agencies System details were not released to the public Analyzing an Off-the-Shelf Surveillance Software Page 2 / 17
The Hacking Team Data Leak Data Leak Carried out by an unknown hacker in July 2015 RCS and full documentation was made public Research Objectives Analyze RCS functions and processes Run the system in KYPO cyber range Evaluate short and long term impact of the data leak Analyzing an Off-the-Shelf Surveillance Software Page 3 / 17
Remote Control System Galileo Analyzing an Off-the-Shelf Surveillance Software Page 4 / 17
Architecture Shards Master Node Collector 1 Anonymizer Chain 1 Target Device 1 Internal Firewall Collector 2 Anonymizer Chain 2 Target Device 2 Console Operator Network External Network Analyzing an Off-the-Shelf Surveillance Software Page 5 / 17
APT x RCS Surveillance Operation Lifecycle Mandiant, APT1: Exposing One of China’s Cyber Espionage Units Analyzing an Off-the-Shelf Surveillance Software Page 6 / 17
Surveillance Operation Analyzing an Off-the-Shelf Surveillance Software Page 7 / 17
Phase 1 – Compilation Agent 001 Create agent Operator Target Console Collector Anonymizer Chain Target Device Master Node Requires target device specification (type, OS) Agent — spyware tailored for a speci fi c target device Analyzing an O ff -the-Shelf Surveillance Software Page 8 / 17
Phase 2 – Infiltration Operator Target Infiltrate device Console Collector Anonymizer Chain Target Device Master Node Depends on chosen infection vector Usually carried out “outside” the RCS Analyzing an Off-the-Shelf Surveillance Software Page 9 / 17
Phase 3 – Persistence Operator Target Data extraction & agent update Console Collector Anonymizer Chain Target Device Master Node The agent synchronizes at set intervals Extracted data is stored at the RCS database Analyzing an Off-the-Shelf Surveillance Software Page 10 / 17
Phase 4 – Exfiltration Operator Target End operation Dispose of agent Console Collector Anonymizer Chain Target Device Master Node The operation is terminated All agents are ordered to uninstall during next synchronization Analyzing an Off-the-Shelf Surveillance Software Page 11 / 17
Novel Approaches in RCS Analyzing an Off-the-Shelf Surveillance Software Page 12 / 17
Frontend Agent Properties adopted from known malware Infection vectors – targeted malware Surveillance functions – spyware C&C communication – multilayered botnet Lacks deep customization options of APT malware Focused on stealth at the expense of function Analyzing an Off-the-Shelf Surveillance Software Page 13 / 17
Backend Administrative Interface Every action available through point & click Exhaustive user documentation and system wizards Consumer Support Updates to infection vectors, functions etc. Access to 0-day exploits Hacking Team had a kill switch for each sold instance of RCS Analyzing an Off-the-Shelf Surveillance Software Page 14 / 17
Conclusion Analyzing an Off-the-Shelf Surveillance Software Page 15 / 17
Conclusion Short-Term Effect No large misuse incidents were reported Contributed to Adobe Flash deprecation Long-Term Effect Marginal – RCS adopted processes from existing malware Administrative interface – might make APT attacks widely accessible Support processes – used in advanced mass spread malware frameworks Analyzing an Off-the-Shelf Surveillance Software Page 16 / 17
THANK YOU FOR YOUR ATTENTION Stanislav Špaček www.kypo.cz @csirtmu spaceks@ics.muni.cz
Recommend
More recommend
