Title: BYZANTINE HADES: An Evolution of Collection

Release Date: 2015-01-17

Document Date: 2010-06-01

Description: This June 2010 NSA presentation for the SIGDEV conference describes efforts to trace a suspected Chinese cyber attack: see the Der Spiegel article The Digital Arms Race: NSA Preps America for Future Battle, 17 January 2015.

Document: TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL

(S//REL)BYZANTINE HADES: An Evolution of Collection

NTOC, V225

SIGINT Development Conference

June 2010


(S)What is BYZANTINE HADES?

• (S)BYZANTINE HADES = Chinese CNE

• (S)My Focus: Byzantine Candor

[Map: China and neighbouring countries, with major cities marked (Harbin, Shenyang, Nanjing, Shanghai, Chengdu, Guangzhou, Hainan, Taiwan)]


(S)BYZANTINE HADES Sets

• (S)BYZANTINE CANDOR
  - 80% of targeting against:
    - DoD
    - Economic / Commodities (Oil Deals)
    - Current geopolitical / economic events

• (S)BYZANTINE RAPTOR
  - Resurfaced Summer '08
  - 90% of activity targets DoD
  - Has targeted Congress

• (S)BYZANTINE ANCHOR
  - Fairly universal targeting, but have observed:
    - Weapon systems, information systems, NASA

• (S)BISHOP KNIGHT
  - Recent U.S. activity against (about 80%):
    - NASA, DoE, DoD, Defense Contractors

• (S)BYZANTINE VIKING
  - PLAN TRB

• (S)MAVERICK CHURCH
  - Formerly BISHOP

• (S)BYZANTINE TRACE
  - 95% of activity targets Ministry of Affairs / Defense
  - Has targeted DoD, but not recently

• (S)DIESEL RATTLE
  - Within US: ISPs, defense contractors, government
  - Japan

• (S)BYZANTINE FOOTHOLD
  - 50% of activity targets TRANSCOM
  - 40% targets PACOM, U.S. Gov, defense contractors

• (S)BYZANTINE PRAIRIE
  - Inactive since March 2008

• (S)POP ROCKS
  - 2009 Navy Router Incident
  - Video Conference Providers

• CARBON PEPTIDE


(S)BYZANTINE CANDOR

• (S)Formerly Titan Rain III

• (S)Targeted E-mail Spearphishing tied to malware

• (S)Uses Dynamic DNS for mid-point C2 / infrastructure; steganography to facilitate C2 (StegC2)
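The slide names steganographic C2 but does not say how BYZANTINE CANDOR encoded commands in its carriers. As an added illustration, not code from the presentation or from the actor, the following Python embeds a command frame in the least-significant bits of raw pixel bytes and extracts it the way an implant would, rejecting ordinary images that carry nothing. The LSB scheme, the "SC2" marker, the length/CRC framing, the command string and the noise "cover" are all assumptions of this example.

```python
import random
import struct
import zlib
from typing import Optional

# Assumed marker so an implant can tell a carrier image from a normal one
# (not the actor's format; chosen for this example).
MAGIC = b"SC2\x01"


def _bits(data: bytes):
    """Yield the bits of `data`, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed_lsb(cover: bytes, command: bytes) -> bytes:
    """Hide MAGIC | len | command | crc32 in the LSB of successive cover bytes.

    Each carried bit changes one cover byte by at most 1, so the picture
    is visually unchanged while the wall-post image carries the tasking."""
    frame = (MAGIC + struct.pack(">I", len(command)) + command
             + struct.pack(">I", zlib.crc32(command)))
    if len(frame) * 8 > len(cover):
        raise ValueError("cover image too small for payload")
    out = bytearray(cover)
    for i, bit in enumerate(_bits(frame)):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def _read_bytes(cover: bytes, start_bit: int, n: int) -> bytes:
    """Reassemble n bytes from the LSBs starting at cover index start_bit."""
    out = bytearray()
    for b in range(n):
        v = 0
        for k in range(8):
            v = (v << 1) | (cover[start_bit + b * 8 + k] & 1)
        out.append(v)
    return bytes(out)


def extract_lsb(cover: bytes) -> Optional[bytes]:
    """Return the hidden command, or None if the image carries no valid frame."""
    if len(cover) < 64 or _read_bytes(cover, 0, 4) != MAGIC:
        return None
    n = struct.unpack(">I", _read_bytes(cover, 32, 4))[0]
    if (12 + n) * 8 > len(cover):
        return None  # length field claims more than the carrier can hold
    command = _read_bytes(cover, 64, n)
    crc = struct.unpack(">I", _read_bytes(cover, 64 + n * 8, 4))[0]
    return command if crc == zlib.crc32(command) else None


def make_cover(n_bytes: int, seed: int = 1) -> bytes:
    """Constructed stand-in for raw RGB pixel data (seeded noise, not a photo)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n_bytes))


def lsb_diff_count(a: bytes, b: bytes) -> int:
    """Bytes that differ between cover and carrier; never more than one per carried bit."""
    return sum(1 for x, y in zip(a, b) if x != y)


if __name__ == "__main__":
    cover = make_cover(4096)
    carrier = embed_lsb(cover, b"sleep 3600")
    print(extract_lsb(carrier), lsb_diff_count(cover, carrier), extract_lsb(cover))
```

The frame check matters for the defender as much as the implant: a detector that only looks for "random-looking" LSB planes will flag every JPEG-derived image, while one that knows the marker and CRC layout can confirm a carrier with no false positives once the scheme is recovered from a sample.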


(U)Initial Searches

• (U)Reports

• (U)Task terms into SIGINT

• Pinwale

• XKeyScore

• (U)Link to other activity


(U)Analysis Tools

• (U)Crossbones

• (U)Domain and IP resolution

• (U)Google

• (U)TuningFork

• (U)Reports


(S//SI)Enabling Active Collection

• (S//SI)Pass IP to TAO

• (S//SI)Determine if host is vulnerable

• (S//SI)TAO Collection

• (S//SI)Review Collection


(U)And Analysis Reveals

• (S)Hacker techniques

- Not Sneaky

• (S)Attribution

- Operate differently from TAO

• (S)Exfiltration

• (S)Indications of future targets


(S//REL) BYZANTINE CANDOR Infrastructure

[World map, Plate Carrée projection, central meridian 0.00; map classification: TOP SECRET//COMINT//REL TO USA, FVEY]

Legend
  - BH CANDOR continents
  - BYZANTINE CANDOR C2 hop points

As of 12 Aug 09 (8 weeks): ~350 observed


(S)Command and Control over FaceBook

[Screenshot: a Facebook profile page (http://www.facebook.com/profile.php?id=...) open in Mozilla Firefox, with two callouts]

Victim malware posts to FaceBook page
  - The wall post ("4 hours ago, 1 Comment") consists of a short tag line followed by a base64 block beginning "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAA...", which decodes to the MZ header and DOS stub ("This program cannot be run in DOS mode") of a Windows PE executable.

BYZANTINE responds with implant commands
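Added example, not from the presentation: a Python check that pulls base64 runs out of a wall post, re-joins the line wrapping a post introduces, and reports any run that decodes to a PE image (an MZ header followed by a PE signature at e_lfanew, or, if the post was cut off, the DOS stub string). The sample post is constructed; its base64 starts with the same characters as the one in the screenshot only because both encode a standard DOS header, and the rest of the file is filler, not the actor's payload.

```python
import base64
import binascii
import re
from typing import List, Optional

B64_LINE = re.compile(r"^[A-Za-z0-9+/=]+$")
B64_RUN = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")
DOS_STUB_MSG = b"This program cannot be run in DOS mode"


def build_sample_pe() -> bytes:
    """Constructed stand-in for the posted file: a minimal PE image.

    The first 28 bytes reproduce the standard MZ/DOS header, so their base64
    form is the 'TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAA' prefix visible in the
    screenshot; everything after that is filler."""
    hdr = bytearray(64)
    hdr[0:2] = b"MZ"
    hdr[2:4] = (0x90).to_bytes(2, "little")    # e_cblp
    hdr[4:6] = (3).to_bytes(2, "little")       # e_cp
    hdr[8:10] = (4).to_bytes(2, "little")      # e_cparhdr
    hdr[12:14] = b"\xff\xff"                   # e_maxalloc
    hdr[16:18] = (0xB8).to_bytes(2, "little")  # e_sp
    hdr[24:26] = (0x40).to_bytes(2, "little")  # e_lfarlc
    stub = (b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
            + DOS_STUB_MSG + b".\r\n$")
    hdr[0x3C:0x40] = (64 + len(stub)).to_bytes(4, "little")  # e_lfanew
    # "PE\0\0", Machine = i386, then a zeroed remainder of the file header.
    return bytes(hdr) + stub + b"PE\x00\x00\x4c\x01" + b"\x00" * 18


def _unwrap(post_text: str) -> str:
    """Concatenate consecutive lines made only of base64 characters."""
    out, run = [], []
    for line in post_text.splitlines():
        if B64_LINE.match(line.strip()):
            run.append(line.strip())
            continue
        if run:
            out.append("".join(run))
            run = []
        out.append(line)
    if run:
        out.append("".join(run))
    return "\n".join(out)


def _decode_loose(s: str) -> Optional[bytes]:
    """Decode base64 with missing or wrong padding; None if it is not base64."""
    s = s.rstrip("=")
    if len(s) % 4 == 1:      # one dangling character can never be base64
        s = s[:-1]
    try:
        return base64.b64decode(s + "=" * (-len(s) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None


def pe_offset(blob: bytes) -> int:
    """Offset of an MZ header backed by a PE signature at e_lfanew or, for a
    blob the post truncated, by the DOS stub message; -1 if none."""
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = int.from_bytes(blob[pos + 0x3C:pos + 0x40], "little")
            if (blob[pos + e_lfanew:pos + e_lfanew + 4] == b"PE\x00\x00"
                    or DOS_STUB_MSG in blob[pos:pos + 0x200]):
                return pos
        pos = blob.find(b"MZ", pos + 1)
    return -1


def find_embedded_pe(post_text: str) -> List[bytes]:
    """Every PE image carried in base64 runs of a post, as decoded bytes."""
    found = []
    for m in B64_RUN.finditer(_unwrap(post_text)):
        run = m.group(0)
        # A word glued to the blob shifts base64 alignment; trying the first
        # four start offsets brings the MZ header back to a byte boundary.
        for skip in range(4):
            blob = _decode_loose(run[skip:])
            if blob is not None:
                off = pe_offset(blob)
                if off >= 0:
                    found.append(blob[off:])
                    break
    return found


def to_post_text(blob: bytes, width: int = 76) -> str:
    """Base64-encode and wrap the way a wall post would."""
    b64 = base64.b64encode(blob).decode()
    return "\n".join(b64[i:i + width] for i in range(0, len(b64), width))


# Constructed post modelled on the screenshot: tag line, file, Facebook footer.
SAMPLE_POST = ("029228Jo Craw No.soarmanlFace Meet5=615:C.555056\n"
               + to_post_text(build_sample_pe())
               + "\n4 hours ago 1 Comment Like Share")

if __name__ == "__main__":
    for pe in find_embedded_pe(SAMPLE_POST):
        print("PE image in post, %d bytes, e_lfanew=0x%x"
              % (len(pe), int.from_bytes(pe[0x3C:0x40], "little")))
```

Run over a feed of posts this catches the victim-to-controller leg of the channel; the controller-to-implant leg (the commands BYZANTINE posts back) has no fixed signature on this page, so its detection would rest on the account, not the content.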




(TS)*Sigh*


(U)Success Stories - Ours and Theirs

• (S)TRANSCOM compromise by BC
  - Targeted two CDCs (cleared defense contractors) involved in development
  - Over 2500 files exfiltrated:
    • Contractor's certificates
    • System-specific code
    • Program-related documents
    • Admin passwords to GDSS Low-to-High guards
    • GDSS message formatting


(U)Success Stories

• (S).gov networks

• (S)Significant World Events Targeting

- Headlines

- Shanghai World Expo

- Any news that’s fit to print!

• (S)Future Victims

- Spear Phishing

- Web C2

- Victim research


(U)Knowledge Gaps

• (S)Additional hacker attribution

- ArrowEclipse

• (S)How exfiltration is planned

• (S)Who is requesting the information

• (U)Overall picture


(U//FOUO)Byzantine Candor: A TAO Success Story

Computer Science Development Program Intern
TAO \ Requirements and Targeting \ Cyber Counter-Intelligence

SIGINT Development Conference
June 2010

Derived From: NSA/CSSM 1-52
Declassify On: 203502&L


(U)It Begins...

• (TS)Intrusion activity detected on DoD networks.

• (TS)NTOC requested TAO assistance in targeting the foreign hosts involved, in order to provide actionable intelligence to the CND community.




(S)What is a hop-point?

• (S)Hop-Point

• Computer exploited by an actor

• Generally of little Intelligence value

• Used to connect to victims and conduct
operations

• (TS)Majority of BC hop-points are US based.

• (TS)There are a number of foreign hop-points.
  - CCNE targets foreign hop-points


(S)Email Masquerades

[Diagram: Actor -> hop-points -> Victims]

(TS)Identification of hop points
  - Victim callbacks
  - Other hop-points

(TS)Types of operations/activities witnessed
  - Vulnerability/port scans
  - Remote Desktop masquerades / e-mail masquerades
  - Spearphishing
  - Remote access tools
  - Altering callback domains
  - Personal web surfing (checking e-mail, stock portfolio, surfing not-safe-for-work material, etc.)

(U)It continues...

• (TS)We began conducting numerous operations on hop-points.

• Exploiting new hosts

• Collecting from existing hosts

• (TS)Started to put some pieces together and found the IP ranges the
actors were coming from.

• Unfortunately for us, the range is dynamic

• Difficult to track

• Difficult to target


(U)ARROWECLIPSE to the rescue

• (TS)ARROWECLIPSE

• Targeting the infrastructure of BC

• Exploited key routers in the ISP

• Gained access to billing and customer records.

• Attribute user accounts to IP addresses on a given date/time

• Ability to attribute a CNE event to a user account

• Attribute user account names to billing addresses

• Billing address is 3PLA
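Added example, not from the presentation or from ARROWECLIPSE: the join the bullets describe, from (IP address, date/time) to ISP account to billing address, in Python over constructed RADIUS-style lease records. Account names, IPs, times and addresses are made up. The 60-second skew tolerance (clock drift between the sensor that logged the CNE event and the ISP's accounting server) and the rule that an event landing on a reassignment boundary reports both candidate accounts rather than picking one are design choices of this example; they are the two places where attribution from a dynamic range most often goes wrong.

```python
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Optional


class Lease(NamedTuple):
    account: str
    ip: str
    start: datetime
    stop: Optional[datetime]   # None: session still open when records were pulled


# Constructed ISP accounting records: a dynamic address is handed from one
# subscriber to the next over the day, and one session is still open.
LEASES = [
    Lease("acct-1001", "203.0.113.10", datetime(2009, 10, 20, 1, 0),
          datetime(2009, 10, 20, 9, 30)),
    Lease("acct-2044", "203.0.113.10", datetime(2009, 10, 20, 9, 31),
          datetime(2009, 10, 20, 17, 5)),
    Lease("acct-1001", "203.0.113.57", datetime(2009, 10, 20, 9, 40), None),
]

# Constructed billing records keyed by account.
BILLING = {"acct-1001": "Address A (constructed)",
           "acct-2044": "Address B (constructed)"}


def accounts_for(leases: List[Lease], ip: str, when: datetime,
                 skew: timedelta = timedelta(seconds=60)) -> List[str]:
    """Accounts whose lease of `ip` covered `when`, widened by `skew` on both
    ends so that clock drift between sensor and ISP cannot drop the true
    lease; an open lease extends to the end of the records."""
    found: List[str] = []
    for lease in leases:
        if lease.ip != ip:
            continue
        earliest = lease.start - skew
        latest = datetime.max if lease.stop is None else lease.stop + skew
        if earliest <= when <= latest and lease.account not in found:
            found.append(lease.account)
    return found


def attribute_event(leases: List[Lease], billing: Dict[str, str],
                    ip: str, when_iso: str) -> dict:
    """Attribute one CNE event (source IP + ISO-8601 timestamp) to ISP
    accounts and their billing addresses."""
    accounts = accounts_for(leases, ip, datetime.fromisoformat(when_iso))
    return {
        "accounts": accounts,
        "addresses": [billing.get(a, "no billing record") for a in accounts],
        # More than one account inside the skew window means the event fell
        # on a reassignment boundary: surface the ambiguity instead of guessing.
        "ambiguous": len(accounts) > 1,
    }


if __name__ == "__main__":
    for ip, when in [("203.0.113.10", "2009-10-20T03:00:00"),
                     ("203.0.113.10", "2009-10-20T09:30:30"),
                     ("198.51.100.1", "2009-10-20T03:00:00")]:
        print(ip, when, attribute_event(LEASES, BILLING, ip, when))
```

The same logic serves a defender who has to say which internal host or VPN user sat behind a NAT address at the time of an alert: the records are different, the boundary and skew problems are identical.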


(U)What else can we do?

• (TS)So we can attribute CNE events to user accounts. What else can
we do?

• Using router accesses we can survey and capture remote
desktop traffic exiting the source range.

• New hop points!

• Exploit the source network.

• Man-in-the-Middle operation

• We sit in the middle of the traffic, we can observe it and
modify it.

• Let’s add something extra to the traffic.


(U)MitM


(U)Results

• (TS)Exploited 5 “computers” tied to known BC accounts.

• “Computers” - 3 Virtual Machines, 2 Physical Machines

• Exploited additional boxes not tied to known accounts.

• (TS)Exploiting the boxes was the easy part. Accessing the machines is a
different story.

• Lots of waiting

• Lots of luck

• Wading through “uninteresting” data

•Pictures of family pets, old family photos

• Wading through “interesting” but unrelated data

•Pictures of PLA in uniform


(U)Accessing the machines

• (TS)Late October 2009
  - Finally interactively accessed an exploited virtual machine associated with:
    - 3PLA
    - Probable CNE operations team lead

• (TS)Since then we have conducted numerous operations against the 5 source network machines

• (TS)Accessed a probable home/personal use box tied to
  - Used work ISP credential for personal box


(U)Results

• (TS)Excellent sources of data

• Used in interactive operations

• CDCs, USG Entities, Foreign Governments, etc

• Future target research

• Bio’s on senior White House officials, CDC employees, USG
employees, etc.

• Victim data

• Source code and New tools

• USB tools, exploits, remote access tools, etc.

• Actor information

• Email addresses, screen names, pictures, etc.


(TS)Cuteboy

• (TS)CNE Actor

• (TS)Probable team lead

• (TS)Poor op-sec

• (TS)Implanted a VM associated with ISP account.

• (TS)Bonus: Implanted a physical box associated with ISP account, less frequently seen.
