Hi!
For the past six months, @FlorianFlade and I've been working on a podcast. Today is release day of "Der Mann in Merkels Rechner". At its core, we wanted to answer one question: How exactly can you find out who is behind a hacking operation?
br.de/mediathek/podc…
(1/6)
For the past six months, @FlorianFlade and I've been working on a podcast. Today is release day of "Der Mann in Merkels Rechner". At its core, we wanted to answer one question: How exactly can you find out who is behind a hacking operation?
br.de/mediathek/podc…
(1/6)
We chose to focus on the intrustion of the 🇩🇪parliament in 2015. Hacked by #FancyBear/#APT28. Since there's an arrest warrant, you can tell the story front to back. The podcast has five episodes and is in German. I'm going to summarize key bits here, one thread per episode
(2/6)
(2/6)
We spoke with dozens of people, if possible, on-record, e.g.:
Adrian Nish (BAE Systems), he alerted the Germans
@nunohaien of Crowdstrike
Adam Hickey, Deputy Assistant Attorney General at DoJ
Dutch intel agency MIVD
Michael Hange, former head of @BSI_Bund
@ciaranmartinoxf
Adrian Nish (BAE Systems), he alerted the Germans
@nunohaien of Crowdstrike
Adam Hickey, Deputy Assistant Attorney General at DoJ
Dutch intel agency MIVD
Michael Hange, former head of @BSI_Bund
@ciaranmartinoxf
As is often the case with these types of investigations, many people didn't want to speak on-record, which is always a bummer, but understandable, obviously. Of note: No german authority was willing to speak on-record. Also their prerogative.
This investigation is not scoop-driven per se, but I sincerely hope that each and every episode has at least one (or more) tidbits that you weren't aware of. (5/6)
(I'm going to tweet about this in the coming days, you might want to mute me, if that sort of thing seems obnoxious to you!)
Let's start with a technical piece of information. How Germany's foreign intel agency (and really any agency with this capability) was able to monitor APT28-traffic because of the way the hackers designed their malware, specifically X-Tunnel.
APT28 uses X-Tunnel to reach machines that are not connected to the internet. Basically, you infect one machine that has an internet connection and use it to reach other machines within the local network (that machine doesn't necessarily have an internet connection).
ESET has a good paper, read it here: welivesecurity.com/wp-content/upl… Upon establishing contact the server needs to know that the infected client really belongs to the hackers. So they are starting to share keys.
How do you do that? The malware says, to the server: "Look, you have a table, right? Check row X, I'm going to use that key". Some fancy footwork in between.
If all is well, the server replies with "OK" using that same key.
If all is well, the server replies with "OK" using that same key.
Keep in mind, you only have 256 keys and all Xtunnel samples share the same table, (Thomas Dupuy of Eset, author of the paper told me: “All sample we analyzed had the same table.”)
As an intel agency, this is pretty good, since you can pre-compute those encrypted "OK"-values and write a simple rule monitoring the internet for one of these encrypted keys. If it shows up, you know you got an APT28 connection.
The Germans knew this. And since APT28 used X-Tunnel at least until mid-2018, they were in a good position to spot ongoing attacks.
• • •
Missing some Tweet in this thread? You can try to
force a refresh
