ANALYZING AN OFF-THE-SHELF SURVEILLANCE SOFTWARE: HACKING TEAM CASE STUDY
Friday 2nd June, 2017
Stanislav Špaček, Pavel Čeleda, Martin Drašar, Martin Vizváry
Introduction
Hacking Team Story
Began as a security services provider in 2003
Founders had previous experience with spyware development
Recently develops tools for “offensive security”
Remote Control System Galileo (RCS)
System for targeted surveillance of individuals
Available exclusively to governmental agencies
System details were not released to the public
Analyzing an Off-the-Shelf Surveillance Software Page 2 / 17
The Hacking Team Data Leak
Data Leak
Carried out by an unknown hacker in July 2015
RCS and its full documentation were made public
Research Objectives
Analyze RCS functions and processes
Run the system in the KYPO cyber range
Evaluate the short- and long-term impact of the data leak
Remote Control System Galileo
Architecture
Architecture diagram (component labels): Operator Network – Console, Master Node, Shards, Internal Firewall, Collector 1, Collector 2; External Network – Anonymizer Chain 1, Anonymizer Chain 2, Target Device 1, Target Device 2
APT x RCS Surveillance Operation Lifecycle
Mandiant, APT1: Exposing One of China’s Cyber Espionage Units
Surveillance Operation
Phase 1 – Compilation
Sequence diagram labels: Operator, Console, Master Node, Collector, Anonymizer Chain, Target Device, Target; action: Create agent (Agent 001)
Requires target device specification (type, OS)
Agent — spyware tailored for a specific target device
Phase 2 – Infiltration
Sequence diagram labels: Operator, Console, Master Node, Collector, Anonymizer Chain, Target Device, Target; action: Infiltrate device
Depends on the chosen infection vector
Usually carried out “outside” the RCS
Phase 3 – Persistence
Sequence diagram labels: Operator, Console, Master Node, Collector, Anonymizer Chain, Target Device, Target; action: Data extraction & agent update
The agent synchronizes at set intervals
Extracted data is stored in the RCS database
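Because the agent checks in with its collector at fixed intervals, the persistence phase leaves a periodic pattern in outbound connection records. The following detector is an added example (not code from the slides or from RCS): it groups connections by source/destination pair and flags pairs whose inter-arrival times are nearly constant. The log format, the IP addresses and the thresholds are constructed assumptions.

```python
"""Flag periodic agent synchronization ("beaconing") in connection logs.

Added example, not part of the original presentation. The log format
"<ISO timestamp> <src_ip> <dst_ip>", the addresses and the thresholds
are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: one periodic series (every ~5 min) to 198.51.100.7
# mixed with irregular browsing-like connections to 93.184.216.34.
SAMPLE_LOG = """\
2017-06-02T08:00:00 10.0.0.5 198.51.100.7
2017-06-02T08:00:03 10.0.0.5 93.184.216.34
2017-06-02T08:05:01 10.0.0.5 198.51.100.7
2017-06-02T08:07:40 10.0.0.5 93.184.216.34
2017-06-02T08:09:59 10.0.0.5 198.51.100.7
2017-06-02T08:15:02 10.0.0.5 198.51.100.7
2017-06-02T08:16:11 10.0.0.5 93.184.216.34
2017-06-02T08:20:00 10.0.0.5 198.51.100.7
2017-06-02T08:24:58 10.0.0.5 198.51.100.7
2017-06-02T08:45:00 10.0.0.5 93.184.216.34
"""


def parse_log(text):
    """Group connection timestamps by (src, dst) pair; skips blank lines."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows


def interval_stats(timestamps):
    """Return (mean gap in seconds, coefficient of variation) or None.

    None is returned when there are fewer than two gaps, or when all
    events share one timestamp, so callers never divide by zero.
    """
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    m = mean(gaps)
    if m == 0:
        return None
    return m, pstdev(gaps) / m


def find_beacons(text, min_events=5, max_cv=0.1):
    """Return {(src, dst): mean_gap_seconds} for pairs that look periodic.

    A pair qualifies when it has at least min_events connections and the
    spread of its inter-arrival times (stddev / mean) is at most max_cv.
    """
    results = {}
    for pair, ts in parse_log(text).items():
        if len(ts) < min_events:
            continue
        stats = interval_stats(ts)
        if stats and stats[1] <= max_cv:
            results[pair] = round(stats[0], 1)
    return results


if __name__ == "__main__":
    for (src, dst), gap in find_beacons(SAMPLE_LOG).items():
        print(f"periodic: {src} -> {dst} every ~{gap}s")
```

On the sample above only the 198.51.100.7 series is reported, with a mean gap of roughly 300 seconds. In practice the thresholds need tuning per environment, since legitimate software (update checks, monitoring agents) also beacons; the value of the check is in surfacing candidates for review, not in a verdict.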
Phase 4 – Exfiltration
Sequence diagram labels: Operator, Console, Master Node, Collector, Anonymizer Chain, Target Device, Target; actions: End operation, Dispose of agent
The operation is terminated
All agents are ordered to uninstall during the next synchronization
Novel Approaches in RCS
Frontend
Agent
Properties adopted from known malware
Infection vectors – targeted malware
Surveillance functions – spyware
C&C communication – multilayered botnet
Lacks the deep customization options of APT malware
Focused on stealth at the expense of function
Backend
Administrative Interface
Every action available through point & click
Exhaustive user documentation and system wizards
Consumer Support
Updates to infection vectors, functions, etc.
Access to 0-day exploits
Hacking Team had a kill switch for each sold instance of RCS
Conclusion
Conclusion
Short-Term Effect
No large misuse incidents were reported
Contributed to Adobe Flash deprecation
Long-Term Effect
Marginal – RCS adopted processes from existing malware
Administrative interface – might make APT attacks widely accessible
Support processes – used in advanced mass-spread malware frameworks