Title: SNOWGLOBE: From Discovery to Attribution

Release Date: 2015-01-17

Document Date: 2011-01-01

Description: This 2011 CSEC presentation describes how the agency analysed SNOWGLOBE, which it considered “to be a state-sponsored CNO effort, put forth by a French intelligence agency”: see the Der Spiegel article The Digital Arms Race: NSA Preps America for Future Battle, 17 January 2015.

Document: Overall Classification: TOP SECRET // COMINT // REL TO CAN, AUS, GBR, NZL, USA

Communications Security Establishment Canada

SNOWGLOBE:

From Discovery to Attribution

CSEC CNT/Cyber Cl
SIGDEV 2011 Cyber Thread

Safeguarding Canada’s security through information superiority
Préserver la sécurité du Canada par la supériorité de l’information


UNCLASSIFIED



OVERVIEW


Overview

• Discovery

• Development

• Victimology

• Attribution

• SNOWGLOBE.

• Questions and Comments


DISCOVERY


Discovery

• Discovered in November 2009

• Existing CNE access

• WARRIORPRIDE as a sensor

- REPLICANTFARM for anomaly detection

• XML info from implant

• Signature-based detection of anomalous activity and known techniques

• Noticed: command line to create a password-protected RAR

- Always the same password

• Retrieved files associated with activity

- Identified unknown malware through reverse engineering

• Collecting email from specific, targeted accounts

• “Felt like” an FI-collecting tool

• Pointed to first discovered LP

• Provided initial comms analysis to allow signature deployment in passive collection


TOP SECRET // COMINT // REL TO CAN, AUS, GBR, NZL, USA


DEVELOPMENT


Implant

• SNOWBALLS

- Found and identified wmimgmt.exe and wmimgmt.dll (later called the SNOWBALL implant).

- Creates a service -> loads wmimgmt.exe, which injects wmimgmt.dll into IE.

- Later upgraded SNOWBALL to SNOWBALL 2

• Very similar beaconing.

• SNOWMAN

- More sophisticated implant, discovered mid-2010

- Less is known about SNOWMAN, but efforts against it continue.
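The Discovery slide describes the clue that exposed the activity (a command line creating a password-protected RAR, always with the same password) and the Implant slide describes the SNOWBALL chain (a service runs wmimgmt.exe, which injects wmimgmt.dll into Internet Explorer). Both are the kind of behaviour an endpoint sensor can flag. The following is an added illustration, not CSEC tooling and not code from the slides: it runs two detections over constructed Sysmon-style events (event IDs 1 process create, 8 CreateRemoteThread, 13 registry value set). The file paths, host names, passwords and field names are assumptions; only the binary names wmimgmt.exe and iexplore.exe and the RAR behaviour come from the slides.

```python
"""Endpoint detections for the two behaviours the Discovery and Implant slides
describe: a RAR archive created with an inline password that is reused across
hosts, and a service whose ImagePath is wmimgmt.exe which then injects into
Internet Explorer. Added illustration, not CSEC tooling. Event records are
constructed and loosely follow Sysmon event IDs; paths, hosts, passwords and
field names are assumptions, not values from the slides."""
import re
from collections import defaultdict
from ntpath import basename

# Constructed telemetry (not from the slides).
EVENTS = [
    {"id": 1, "host": "ws01", "image": r"C:\Tools\rar.exe",
     "cmdline": r"rar.exe a -hpSt4t1cPw -m5 C:\Users\Public\out.rar C:\Users\jdoe\Mail\*.pst"},
    {"id": 1, "host": "ws02", "image": r"C:\Tools\rar.exe",
     "cmdline": r"rar.exe a -pSt4t1cPw C:\Temp\a.rar C:\Users\asmith\Documents\*.doc"},
    {"id": 1, "host": "ws03", "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmdline": r"WinRAR.exe a -hpBackup2009 D:\Backups\weekly.rar D:\Finance"},
    {"id": 1, "host": "ws04", "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmdline": r"WinRAR.exe a D:\Archive\photos.rar D:\Pictures"},
    {"id": 13, "host": "ws01",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Services\wmimgmt\ImagePath",
     "details": r"C:\WINDOWS\system32\wmimgmt.exe"},
    {"id": 8, "host": "ws01", "source_image": r"C:\WINDOWS\system32\wmimgmt.exe",
     "target_image": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"id": 8, "host": "ws04", "source_image": r"C:\WINDOWS\system32\csrss.exe",
     "target_image": r"C:\WINDOWS\system32\winlogon.exe"},
]

RAR_IMAGES = {"rar.exe", "winrar.exe"}
# RAR switches that supply a password inline: -p<pw> encrypts file data,
# -hp<pw> also encrypts headers. A bare -p (interactive prompt) has no
# inline value and is deliberately not matched.
RAR_PASSWORD = re.compile(r"(?:^|\s)-(?:hp|p)(\S+)", re.IGNORECASE)


def rar_password_events(events):
    """(host, password) for every process-create event that runs a RAR binary
    with an inline archive password."""
    hits = []
    for ev in events:
        if ev["id"] != 1 or basename(ev["image"]).lower() not in RAR_IMAGES:
            continue
        m = RAR_PASSWORD.search(ev["cmdline"])
        if m:
            hits.append((ev["host"], m.group(1)))
    return hits


def shared_rar_passwords(events, min_hosts=2):
    """Passwords seen on at least min_hosts distinct hosts. The slide's clue was
    that the actor's RAR password never changed; a user's own backup password
    normally appears on one machine, so cross-host reuse is the signal."""
    hosts_by_pw = defaultdict(set)
    for host, pw in rar_password_events(events):
        hosts_by_pw[pw].add(host)
    return {pw: sorted(h) for pw, h in hosts_by_pw.items() if len(h) >= min_hosts}


def snowball_like_service_injection(events):
    """Hosts where a service ImagePath points at wmimgmt.exe AND wmimgmt.exe
    creates a remote thread in iexplore.exe, the chain the Implant slide
    describes. Requiring both keeps a lone event from raising the alert."""
    service_hosts, inject_hosts = set(), set()
    for ev in events:
        if (ev["id"] == 13
                and ev["target"].lower().endswith(r"\services\wmimgmt\imagepath")
                and basename(ev["details"]).lower() == "wmimgmt.exe"):
            service_hosts.add(ev["host"])
        if (ev["id"] == 8
                and basename(ev["source_image"]).lower() == "wmimgmt.exe"
                and basename(ev["target_image"]).lower() == "iexplore.exe"):
            inject_hosts.add(ev["host"])
    return sorted(service_hosts & inject_hosts)


if __name__ == "__main__":
    print("shared RAR passwords:", shared_rar_passwords(EVENTS))
    print("wmimgmt.exe service + IE injection:", snowball_like_service_injection(EVENTS))
```

The RAR rule alone fires on legitimate encrypted backups (ws03 above); the cross-host password reuse is what separates the two, which is exactly the observation the slide records. The implant rule keys on a name the slide gives, so a renamed loader would need the injection half of the check to stand on its own.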


SNOWBALL Beacons

Content: crc=491ffa2e746f2452608578761f6fbe02
Meaning: a 32-byte checksum

Content: 4293
Meaning: beacon size in bytes

Content: flag
Meaning: description field; values can be: flag, segment, len

Content: qKmP2amaqYHdl7GE99nZrYqjmpn9lb6346Kdp%2Fiw446rlKFIkgpWjupDerZmyg5%2FX7oWH3bfAmYvClraLupSM%2BqGeuP%2BV4eDk%2F4S%2Fi7mYzLuQr4fe5520gcWYrJiu2Iz6x06uwqbbjouZ%2B9KlhNHAv5algd%2BplcW94N%2FiyuLfh%2FrMlY3CsdyOi5CmuYm80YXz7oKNlqbAgZqQlKqFoILTqN7mgdW%2FxYGBwpP2j6%2BUu9Ctg8jGoseeh9%2BY4sqansyziKqJn%2FOb3c6YlbeHp5DCs4aqjYvn%2BL6n9dbuxOfKlü2NqNuC7rjnutmbvYWihYz61%2FDYgO%2FYhICZ%2F%2BzS53Get4W%2Bwb3N84Scw4L4hraE2LmM%2FMiA80ne3uzE6NruOYfo3vTRivSC40T8l6ue953Xr4qlgJD9ldzf7MTotuXBhuPE99iK9IfX2oL70qe4ldPgxJWNwrHcjouQlqTK96PfvYyym4rn9ImD2Zj4yqvRlo%2BlhdKQiZqs47q%2FnND3wY7r3PLIkOeV
Meaning/decrypt:
  Login/Domain (owner): SYSTEM/AUTORITE NT (user)
  Computer name: EXPORT
  Organization (country): (France)
  OS version (SP): 5.1 (Service Pack 3)
  Default browser: iexplore.exe
  IE version: Mozilla/4.0 (compatible; MSIE 6,0; Win32)
  Timeout: 3600(min) 4800(max)
  First launch: 07\30\2009 12:29:37
  Last launch: 11\20\2009 10:32:42
  Mode: Service | Rights: Admin | UAC: N/A
  ID: 08184

User-Agent: Mozilla/4.0 (compatible; MSI 6.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322)
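The slide lays out the SNOWBALL beacon as four fields (a checksum, the beacon size in bytes, a description field taking the values flag, segment or len, and a URL-encoded payload) plus the User-Agent the implant presents. A passive sensor can check a POST body for that shape without decrypting anything. The following is an added example, not CSEC's signature and not code from the slide. Its assumptions are labelled: the beacon is carried as an HTTP form body with field names len, type and data (only crc is named on the slide); the size field is taken to count the bytes of the percent-decoded payload; the payload is base64-looking filler constructed here, not SNOWBALL ciphertext; and the User-Agent comparison uses the string exactly as printed on the slide.

```python
"""Shape check for SNOWBALL-style beacon bodies, from the field layout on the
'SNOWBALL Beacons' slide. Added example, not CSEC detection code. Field names
len/type/data and the meaning of the size field are assumptions; the payload
is not decrypted (the slide gives its decrypted meaning, not the algorithm)."""
import base64
import re
from typing import List, Optional
from urllib.parse import parse_qs, quote

# User-Agent as printed on the slide (including the "MSI 6.0" spelling shown there).
SLIDE_UA = ("Mozilla/4.0 (compatible; MSI 6.0; Windows NT 5.1; "
            ".NET CLR 1.0.3705; .NET CLR 1.1.4322)")
# Values the slide gives for the description field.
DESC_VALUES = {"flag", "segment", "len"}
# The slide's sample crc value is 32 hex characters long.
HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")
# Assumed field names; only "crc" is named on the slide.
F_CRC, F_SIZE, F_DESC, F_DATA = "crc", "len", "type", "data"


def parse_beacon(body: str) -> Optional[dict]:
    """Return the four fields of a SNOWBALL-shaped form body, or None when the
    body lacks a 32-hex crc, a numeric size, or a known description value."""
    fields = parse_qs(body, keep_blank_values=True)
    try:
        crc = fields[F_CRC][0]
        size = int(fields[F_SIZE][0])
        desc = fields[F_DESC][0]
        data = fields[F_DATA][0]
    except (KeyError, IndexError, ValueError):
        return None
    if not HEX32.match(crc) or desc not in DESC_VALUES:
        return None
    return {"crc": crc.lower(), "size": size, "desc": desc, "data": data}


def check_beacon(body: str, user_agent: str) -> List[str]:
    """Findings for one HTTP POST: structural match, internal consistency of
    the declared size, and a match on the slide's User-Agent."""
    findings = []
    beacon = parse_beacon(body)
    if beacon is not None:
        findings.append("snowball-shape")
        # Assumption: the size field counts bytes of the percent-decoded payload.
        if beacon["size"] == len(beacon["data"].encode("latin-1")):
            findings.append("size-consistent")
    if user_agent == SLIDE_UA:
        findings.append("ua-match")
    return findings


def build_sample_body(payload: bytes, size: Optional[int] = None, desc: str = "flag") -> str:
    """Constructed beacon body using the slide's crc value and a base64 payload
    (plain filler standing in for the real encrypted blob)."""
    data = base64.b64encode(payload).decode("ascii")
    if size is None:
        size = len(data)
    return "&".join([f"{F_CRC}=491ffa2e746f2452608578761f6fbe02",
                     f"{F_SIZE}={size}", f"{F_DESC}={desc}",
                     f"{F_DATA}={quote(data, safe='')}"])


# Constructed sample traffic.
SAMPLE_BEACON = build_sample_body(b"constructed filler payload, not SNOWBALL ciphertext" * 3)
SAMPLE_TAMPERED = build_sample_body(b"constructed filler", size=9999)
SAMPLE_BENIGN = "q=weather+ottawa&lang=en"
FIREFOX_UA = "Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0"

if __name__ == "__main__":
    for name, body, ua in [("beacon", SAMPLE_BEACON, SLIDE_UA),
                           ("tampered", SAMPLE_TAMPERED, SLIDE_UA),
                           ("benign", SAMPLE_BENIGN, FIREFOX_UA)]:
        print(f"{name}: {check_beacon(body, ua)}")
```

The three findings are reported separately rather than folded into one verdict because they fail independently: a new implant build can change the User-Agent while keeping the body layout, and a size/length disagreement on an otherwise well-formed body is itself worth a look. Verifying the crc would need the checksum algorithm, which the slide does not give.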


Passive Collection

• EONBLUE

- Global Access capability deployed across collection programs,
including SPECIALSOURCE and CANDLEGLOW (FORNSAT).

- Provides passive cyber-threat detection.

- Allowed us to find additional infrastructure by using signatures
for known SNOWGLOBE beacons

• Traditional

- As always, a huge asset

- With passive access, we were able to see an operator log in to
an LP

• Single-token authentication + weak hash = breakthrough.

• Seeing the operator log in provided enough to get into the LPs for
ourselves.


Infrastructure

• Most infrastructure hosted in FVEY nations

• US, Canada, UK, Czech Republic, Poland, Norway

• Two types of infrastructure:

- Parasitic

• outbase.php or register.php LP nested in a directory under root
domain

• Unsure if this infrastructure is acquired via exploitation, some sort
of special-source access, or some combination of the two

• This type seems to be found primarily, but not exclusively, on
French-language sites

- Free hosting

• outbase.php or register.php LP directly under root
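The slide distinguishes two listening-post layouts by where the script sits: outbase.php or register.php nested in a directory under someone else's root domain ("parasitic") versus directly under the root ("free hosting"). That distinction is mechanical enough to apply to proxy logs. The following is an added example for log triage, not a CSEC signature; the log format, client addresses and hostnames are constructed (the hostnames use the reserved .invalid TLD), and only the two script names and the layout rule come from the slide.

```python
"""Proxy-log triage against the two LP layouts on the Infrastructure slide:
outbase.php / register.php nested in a directory ("parasitic") versus directly
under the root ("free hosting"). Added example, not a CSEC signature. Log
lines, client addresses and hostnames are constructed."""
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Script names given on the slide.
LP_SCRIPTS = {"outbase.php", "register.php"}


def classify_lp(url: str) -> Optional[str]:
    """'free-hosting' when an LP script sits at the root of the host,
    'parasitic' when it is nested in one or more directories, None otherwise.
    The query string is ignored; only the path decides."""
    segments = [s for s in urlsplit(url).path.split("/") if s]
    if not segments or segments[-1].lower() not in LP_SCRIPTS:
        return None
    return "free-hosting" if len(segments) == 1 else "parasitic"


# Constructed proxy log: timestamp, client, method, URL.
PROXY_LOG = """\
2009-11-20T10:32:42Z 10.1.2.3 POST http://freepages.example.invalid/outbase.php
2009-11-20T10:33:01Z 10.1.2.3 POST http://forum.example.invalid/images/cache/register.php
2009-11-20T10:33:05Z 10.1.2.9 GET http://forum.example.invalid/register.html
2009-11-20T10:34:17Z 10.1.2.5 POST http://boutique.example.invalid/wp-content/uploads/outbase.php
2009-11-20T10:35:00Z 10.1.2.7 GET http://outbase.example.invalid/index.php
"""


def triage(log_text: str) -> List[Tuple[str, str, str]]:
    """(client, LP host, layout) for each request whose path matches an LP layout."""
    hits = []
    for line in log_text.splitlines():
        _ts, client, _method, url = line.split()
        kind = classify_lp(url)
        if kind:
            hits.append((client, urlsplit(url).hostname, kind))
    return hits


def hosts_by_layout(hits):
    """Distinct LP hosts per layout, the list an analyst would hand to
    infrastructure follow-up."""
    out = {"parasitic": set(), "free-hosting": set()}
    for _client, host, kind in hits:
        out[kind].add(host)
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    found = triage(PROXY_LOG)
    for client, host, kind in found:
        print(f"{client} -> {host} [{kind}]")
    print(hosts_by_layout(found))
```

A script name by itself is a weak indicator (register.php is a common legitimate filename), so a hit here is a reason to inspect the POST body for the beacon layout rather than a verdict on its own; the nested variant on a third party's domain is the one the slide flags as the harder-to-explain case.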


Infrastructure: C2


Repository 1.3.5:

[Screenshot of the C2 repository file listing; the scanned text is not recoverable]


VICTIMOLOGY


Victimology: Iran

• Iranian MFA

• Iran University of Science and Technology

• Atomic Energy Organization of Iran

• Data Communications of Iran

• Iranian Research Organization for Science Technology,
Imam Hussein University

• Malek-E-Ashtar University


Victimology: Global

• Five Eyes

- Possible targeting of a French-language Canadian media
organization

• Europe

- Greece

• Possibly associated with European Financial Association

- France

- Norway

- Spain

• Africa

- Ivory Coast

- Algeria


ATTRIBUTION


Attribution: Binary Artifacts

• ntrass.exe

- DLL loader uploaded to a victim as part of tasking seen in collection

- Internal name: Babar

- Developer username: titi

• Babar is a popular French children’s television show

• Titi is a French diminutive for Thierry, or a colloquial term for a small person


Attribution: Language

• ko used instead of kB - a quirk of the French technical community

• English used throughout C2 interface, BUT phrasing and word choice are not typical of a native English speaker

- An attempt at obfuscation?

• Locale option of artifact within spear-phishing attack set to "fr_FR"


Attribution: Intelligence Priorities

• Iranian science and technology

- Notably, the Atomic Energy Organization of Iran

- Nuclear research

• European supranational organizations

- European Financial Association

• Former French colonies

- Algeria, Ivory Coast

• French-speaking organizations/areas

- French-language media organization

• Doesn’t fit cybercrime profile


SNOWGLOBE.


SNOWGLOBE.

• CSEC assesses, with moderate certainty, SNOWGLOBE to be a state-sponsored CNO effort, put forth by a French intelligence agency


SNOWGLOBE Program

• C2 nodes worldwide (including Canada, US, UK)

- Free hosting

- Compromised

• 3 implants

- SNOWBALL 1

- SNOWBALL 2

- SNOWMAN

• Victims in Spain, Greece, Norway, France, Algeria, Côte d’Ivoire

- Intense focus on Iranian science and technology organizations

• Likely French intelligence

- Specific agency unknown


What We Don’t Know

• Any persona details

• How they get their non-free LPs

- Exploitation?

- Special source?

• Last hop (operator to infrastructure)

- Believed to be Tor-based...

• Which agency within the French intelligence community
might be responsible

- Who’s driving the intelligence requirements

• Efforts against the SNOWMAN crypt continue



QUESTIONS AND COMMENTS
