hakan (@hatr)
22 Apr, 13 tweets, 4 min read
Hi!

For the past six months, @FlorianFlade and I've been working on a podcast. Today is release day of "Der Mann in Merkels Rechner". At its core, we wanted to answer one question: How exactly can you find out who is behind a hacking operation?

br.de/mediathek/podc…

(1/6)
We chose to focus on the intrusion of the 🇩🇪 parliament in 2015. Hacked by #FancyBear/#APT28. Since there's an arrest warrant, you can tell the story front to back. The podcast has five episodes and is in German. I'm going to summarize key bits here, one thread per episode.
(2/6)
We spoke with dozens of people, if possible, on-record, e.g.:
Adrian Nish (BAE Systems), he alerted the Germans
@nunohaien of Crowdstrike
Adam Hickey, Deputy Assistant Attorney General at DoJ
Dutch intel agency MIVD
Michael Hange, former head of @BSI_Bund
@ciaranmartinoxf
As is often the case with these types of investigations, many people didn't want to speak on-record, which is always a bummer, but understandable, obviously. Of note: No German authority was willing to speak on-record. Also their prerogative.
This investigation is not scoop-driven per se, but I sincerely hope that each and every episode has at least one (or more) tidbits that you weren't aware of. (5/6)
(I'm going to tweet about this in the coming days, you might want to mute me, if that sort of thing seems obnoxious to you!)
Let's start with a technical piece of information. How Germany's foreign intel agency (and really any agency with this capability) was able to monitor APT28-traffic because of the way the hackers designed their malware, specifically X-Tunnel.
APT28 uses X-Tunnel to reach machines that are not connected to the internet. Basically, you infect one machine that has an internet connection and use it to reach other machines within the local network (that machine doesn't necessarily have an internet connection).
ESET has a good paper; read it here: welivesecurity.com/wp-content/upl… Upon establishing contact, the server needs to know that the infected client really belongs to the hackers. So they are starting to share keys.
How do you do that? The malware says, to the server: "Look, you have a table, right? Check row X, I'm going to use that key". Some fancy footwork in between.

If all is well, the server replies with "OK" using that same key.
Keep in mind, you only have 256 keys and all X-Tunnel samples share the same table. (Thomas Dupuy of ESET, author of the paper, told me: “All samples we analyzed had the same table.”)
As an intel agency, this is pretty good, since you can pre-compute those encrypted "OK"-values and write a simple rule monitoring the internet for one of these encrypted keys. If it shows up, you know you got an APT28 connection.
The Germans knew this. And since APT28 used X-Tunnel at least until mid-2018, they were in a good position to spot ongoing attacks.
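The detection the thread describes, written out as an added example (this is not code from the podcast, from ESET's paper, or from any agency). The real X-Tunnel cipher and its 256-row key table are not reproduced: the table is constructed from a seed, the cipher is a stand-in SHA-256 keystream chosen only because it is deterministic, the 16-byte framing of the "OK" reply is an assumption, and the addresses are documentation-range values. What it shows is the defender's side of the design flaw: encrypt "OK" under every row once, then match traffic by lookup, and additionally check the matched row against the row the client announced.

```python
"""Precomputed-signature detection for a fixed-key-table handshake.

Added example. The key table, cipher, message framing and traffic below are
all constructed stand-ins; nothing here is X-Tunnel's real format.
"""
import hashlib
from typing import Dict, List, Optional, Tuple

TABLE_SIZE = 256
# Stand-in framing for the server's "OK" reply: padded to 16 bytes so the toy
# ciphertexts are distinct per key. Assumption, not the malware's real format.
OK_REPLY = b"OK".ljust(16, b"\x00")


def build_key_table(seed: bytes = b"constructed-demo-table") -> List[bytes]:
    """Constructed stand-in for the shared 256-row key table."""
    return [hashlib.sha256(seed + bytes([row])).digest()[:16] for row in range(TABLE_SIZE)]


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Deterministic stand-in cipher (XOR with a SHA-256-derived keystream).
    Chosen only for determinism; the real cipher is not modelled."""
    stream = hashlib.sha256(key).digest()
    return bytes(p ^ stream[i % len(stream)] for i, p in enumerate(plaintext))


def precompute_ok_signatures(table: List[bytes]) -> Dict[bytes, int]:
    """The defender's one-time work: encrypt the OK reply under every row.
    Because every sample shares the table, this set covers all possible replies."""
    return {toy_encrypt(key, OK_REPLY): row for row, key in enumerate(table)}


def classify_flow(row_hint: Optional[int], reply: bytes,
                  signatures: Dict[bytes, int]) -> Optional[Tuple[str, int]]:
    """Match one server reply against the precomputed set.

    Returns ("consistent", row) when the reply is the precomputed value for
    the row the client announced, ("reply_only", row) when it is one of the
    256 known values but the announced row differs (still worth an alert),
    or None when nothing matches.
    """
    row = signatures.get(reply)
    if row is None:
        return None
    if row_hint == row:
        return ("consistent", row)
    return ("reply_only", row)


def scan_flows(flows, signatures: Dict[bytes, int]) -> List[Tuple[str, str, str, int]]:
    """flows: iterable of (src, dst, client_row_hint, server_reply) tuples."""
    hits = []
    for src, dst, row_hint, reply in flows:
        verdict = classify_flow(row_hint, reply, signatures)
        if verdict is not None:
            hits.append((src, dst) + verdict)
    return hits


def demo_flows(table: List[bytes]):
    """Constructed traffic sample (RFC 5737 documentation addresses, no real IoCs)."""
    return [
        ("10.0.0.5", "203.0.113.7", 37, toy_encrypt(table[37], OK_REPLY)),   # handshake under row 37
        ("10.0.0.6", "198.51.100.9", 12, b"OK".ljust(16, b"\x00")),          # plaintext OK, benign
        ("10.0.0.7", "203.0.113.7", 200, toy_encrypt(table[37], OK_REPLY)),  # known ciphertext, wrong row
        ("10.0.0.8", "198.51.100.9", None, bytes(16)),                       # unrelated payload
    ]


if __name__ == "__main__":
    table = build_key_table()
    sigs = precompute_ok_signatures(table)
    for hit in scan_flows(demo_flows(table), sigs):
        print("ALERT src=%s dst=%s verdict=%s row=%d" % hit)
```

The lookup never decrypts anything live; it works only because the reply is deterministic and the table is static and shared across samples, which is exactly why the design choice handed monitoring agencies a cheap, high-confidence rule. Correlating the reply with the row the client announced tightens the rule further, since a stray byte pattern that happens to equal one precomputed value will rarely also line up with the announced row.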
