C3Subtitles: 33c3: Visiting The Bear Den
back

Visiting The Bear Den

A Journey in the Land of (Cyber-)Espionage

If you suspend your transcription on amara.org, please add a timestamp below to indicate how far you progressed! This will help others to resume your work!

Please do not press “publish” on amara.org to save your progress, use “save draft” instead. Only press “publish” when you're done with quality control.

Video duration
00:59:02
Language
English
Abstract
Sednit, a.k.a Fancy Bear/APT28/Sofacy, is a group of attackers
operating since at least 2004 and whose main objective is to steal
confidential information from specific targets. Over the past two years,
this group's activity increased significantly, in particular with numerous attacks against foreign affairs ministries and embassies all over the world. They are supposedly behind the DNC hack, and the WADA hack, which happened earlier this year. This talk presents the results of a two-year hunt after Sednit, during which we dug up and analyzed many of their software.

Technically speaking, Sednit is probably one of the best espionage
group out there. Not only have they created a complex software ecosystem -- composed of tens of different components --, but they also regularly come out with 0-day exploits. Also remarkable is their ability to very quickly integrate newly published techniques in their toolkit.

In particular, we will explain how they tend to operate and we will dive into technical details of their most impressive components:

- DOWNDELPH, a mysterious downloader deployed in very rare cases and with advanced persistence methods. In particular, we found a Windows bootkit dropping this component, and also a Windows rootkit, both never documented.

- XTUNNEL, a network proxy tool able to transform an infected machine into a pivot to contact computers normally unreachable from the Internet. Heavily obfuscated, and based on a custom encrypted protocol, XTUNNEL is a major asset in Sednit post-infection toolkit.

- XAGENT, the flagship Sednit backdoor, for which Windows, Linux and iOS versions have been developed. Built as a modular framework around a so-called "kernel", it allows to build flexible backdoors with, for example, the ability to switch between various network protocols.

- SEDKIT, a full-fledged exploit-kit, which depending on the target's configuration may drop 0-day exploits or revamped exploits.

And also, during our tracking, we also gained a great visibility on Sednit post-infection modus operandi, a world full of Mimikatz and various custom hacking tools.

Talk ID
8094
Event:
33c3
Day
1
Room
Saal 6
Start
11 p.m.
Duration
01:00:00
Track
Security
Type of
lecture
Speaker
Jessy Campos