Mitre ATT&CK™ and the Mueller GRU Indictment: Lessons for OrganizationsJuly 17, 2018
A recent indictment revealed how the GRU (Russia’s Military Intelligence agency) used both influence operations and network intrusions to achieve its policy aims. More precisely, the GRU weaponized the use of the network intrusions in its influence operations. The indictment goes into detail about the TTPs (Tactics, Techniques and Procedures) used by the attackers and it is worthwhile to pay careful attention to the adversary tradecraft that was used and how it can be defended against. For this blog we have used the MITRE ATT&CK™ framework as our methodology to play back the findings of the indictment. In doing so, we aim to provide key lessons organizations can take away from this indictment.
Not all organizations share the same threat model and so not all organizations are high-profile targets for nation-state cyber operations. However, the TTPs used are shared among many different classes of actors, including cybercriminals, and also provide a taste for what many actors will be using to perform intrusions in the future.
Stage #0: Reconnaissance
PRE-ATT&CK TTPs: All techniques
The GRU performed the following tasks:
- Social media reconnaissance to identify targets for spearphishing emails
- “[R]esearched the DCCC (Democratic Congressional Campaign Committee) and DNC (Democratic National Committee) computer networks to identify technical specifications and vulnerabilities”
- “[R]an a technical query for the DCCC’s internet protocol configurations to identify connected devices”
DS Mitigation advice: Inform employees that their social media profiles may be of interest to adversaries. Provide advice on how to lock down profiles if requested. Ensure that network services are patched and running supported versions of software. Credentials, especially for admin accounts, should use strong passwords and two factor authentication (2FA) should be enabled wherever possible.
Stage #1 Initial Access
Four TTPs were used by the GRU to perform the initial compromise:
1. ATT&CK TTP: Spearphishing attachment, Spearphishing link
Unsurprisingly spearphishing is still the go-to tactic of many threat actor groups as it has proven to be so successful in the past. The GRU uses spearphishing in a variety of ways.
- A target company was compromised and that company’s branding, and by assumption the address book, was used to target its customers. The branding reuse is an effective technique to provide legitimacy to a social engineering attack.
- A URL-shortener service was used in order to masquerade as a legitimate service and to redirect targets to credential harvesting sites. These credentials were then reused in later stages of the attack.
- The targeting of personal accounts.
- Fake document lures.
DS Mitigation advice: Use of an email filtering system or service can help to identify some spearphishing threats particularly around malicious attachments. Office365 users should consider Microsoft’s Advanced Threat Protection (ATP), a cloud-based email filtering service. 2FA is essential for email accounts, especially with a security key where possible. Employees should be made aware that personal accounts are regularly targeted by certain adversaries and to not enter credentials online unless they are expecting to do so.
2. ATT&CK TTP: Trusted Relationship
Once the GRU had gained access to the DCCC network, it then proceeded to use that access to attack the DNC network. It used the keylogging and screenshot capabilities of their X-Agent malware in order to capture the credentials which it then proceeded to reuse.
DS Mitigation advice: 3rd parties, such as suppliers and partner organizations, typically have privileged access via a trusted relationship into certain environments. These relationships can be abused by attackers to subvert security controls and gain unauthorized access into target environments. Managing trusted relationships, like supply chains, is an incredibly complex topic. The NCSC (National Cyber Security Center) has an excellent overview of this challenging topic.
3. ATT&CK TTP: Valid Accounts
The GRU used credentials stolen through a spearphishing attack to login to the DCCC network. Our assessment is that RDP (Remote Desktop Protocol) is an ideal targeting for reusing stolen credentials.
DS Mitigation advice: Access to RDP servers and other servers that provide remote access should be limited. IP whitelisting where appropriate is an effective control. Another method is to ensure that RDP is only accessible via a VPN that supports strong authentication.
4. ATT&CK TTP: Drive-by Compromise
The GRU edited the target’s own website and “the Conspirators registered the domain actblues[.]com, which mimicked the domain of a political fundraising platform that included a DCCC donations page. Shortly thereafter, the Conspirators used stolen DCCC credentials to modify the DCCC website and redirect visitors to the actblues[.]com domain”.
DS Mitigation advice: Change management and file integrity monitoring (FIM) for websites and other external assets is an important part of ensuring that no unauthorized changes are made. For users, ensuring that browsers are patched to the latest version, vulnerable plugins are disabled and an adblocker is used, are important steps to staying safe while browsing.
Stage #2 Execution
ATT&CK TTP: Exploitation for Client Execution
Once the GRU successfully compromised its targets, it deployed its malware implants to establish a foothold. The use of exploits in the GRU spearphishing campaigns was discussed in open source reporting from Microsoft.
The indictment describes this occurring after a successful spearphishing campaign. Most likely a variety of complementary techniques were used. The GRU used a custom, cross-platform toolkit called “X-Agent”, which was developed in-house for this purpose. X-Agent is a Remote Access Trojan (RAT) that has the ability to “to monitor individual employees’ computer activity, steal passwords, and maintain access to the DCCC network”.
One key finding is that the GRU relied on the Linux version of the toolkit, which remained undetected on the target’s network after the Incident Response effort had begun four months previously.
DS Mitigation advice: Up-to-date antivirus and other Endpoint Detection & Response (EDR) systems can provide protection against some malware variants. Protective monitoring can help detect unauthorized behavior both on the endpoint and on the network. Ensure that security teams have knowledge and understanding of all environments assists with rooting out adversaries which are capable of operating on different platforms.
Stage #3 Persistence
ATT&CK TTP: Bootkit, Login Item, Modify Existing Service, Valid Accounts, Launch Agent, etc.
As mentioned previously, the GRU deployed implants for a variety of systems, which allowed it to persist in the target environment despite active Incident Response (IR) processes. The indictment does not go into detail as to how the GRU maintained persistence to survive reboots etc. during their standard operational procedure. However, open source reporting shows that the GRU also used a number of other persistence mechanisms, such as modifying logon scripts, modifying registry keys, and scheduled tasks.
DS Mitigation advice: Maintaining presence in a target environment typically requires the use of administrator privileges. Following the advice in Stage #4, as well as monitoring for the creation of new scheduled tasks, as an example, can limit the adversary’s options. The NCSC Windows 10 End User Device (EUD) guidance provides advice on how to securely configure Windows devices. The website adsecurity.org has excellent advice on how to securely administer a Windows network.
Stage #4 Privilege Escalation
The indictment does not contain any directly obvious reference to privilege escalation. This fact in itself is interesting. For the GRU’s mission, that is, data theft, privilege escalation was not necessary in order to achieve its goals.
DS Mitigation advice: Patching operating systems and applications to prevent privilege escalation is important, as well as limiting who has access to admin accounts. It is worth keeping in mind that adversaries may not always need administrative access in order to achieve their goals. Privileged Identity Management (PIM) and Privileged Access Management solutions can provide added oversight to prevent accounts being misused and abused.
Stage #9 Collection
ATT&CK TTP: Data from Local System/Network Shared Drive, Email Collection, Input Capture, Screen Capture, Data Staged, Data from Information Repositories
The GRU team’s mission was to steal data (in particular, research and planning documents) for later use in influence operations. In order to complete this mission, it performed the following actions:
- Took keylogs and screenshots of targets including capturing the DCCC’s online banking information and passwords in use.
- “[R]esearched PowerShell commands related to accessing and managing the Microsoft Exchange Server”. This activity was directly related to the theft of thousands of emails from the target organizations.
- Gained access to the target’s analytics machines that were hosted by a cloud provider. “These computers contained test applications related to the DNC’s analytics. After conducting reconnaissance, the Conspirators gathered data by creating backups, or “snapshots,” of the DNC’s cloud-based systems using the cloud provider’s own technology. The Conspirators then moved the snapshots to cloud-based accounts they had registered with the same service, thereby stealing the data from the DNC”.
DS Mitigation advice: Large amounts of storage being used up unexpectedly is another signal that something potentially suspicious is occurring. Monitoring of key servers to ensure that only specific scripts, such as PowerShell scripts, are able to run and that the appropriate logging is in place to monitor PowerShell and other scripting activity is important. Audit logs for cloud services (e.g., Amazon Cloudtrail for AWS) need to be periodically reviewed to ensure that sensitive data is not subject to unauthorized access.
Stage #10 Exfiltration
Once the GRU had collected its targeted data, it needed to move that data out of the target environments for analysis. The GRU then:
- Compressed and exfiltrated the files that it gathered out of the target networks using the custom “X-Tunnel” tool to an external machine.
DS Mitigation advice: Blocking egress traffic that is not necessary for the organization’s requirements can assist with limiting an attacker’s options in terms of communicating outside of the organization. Web proxies can provide granular controls for restricting egress traffic types and destinations.
The GRU tradecraft presented in the indictment is not necessarily the most technically sophisticated in terms of 0day exploits and exotic command and control (C2) techniques. However, it points to an exceptionally determined adversary. It uses a variety of TTPs in order to compromise its targets and is constantly hunting for the weak points in its targets’ defenses.
Digital Shadows recommends a defense in depth approach to dealing with high-capability adversaries. That is, multiple, partially overlapping security controls that mutually reinforce each other in order to provide increased resiliency to network intrusions. While it may not be possible to keep out all types of adversaries, the more difficult they find it to compromise an organization, the fewer adversaries will be capable of successfully breaching the organization’s defenses.
To learn more, listen to our podcast episode on this topic below: