
Inside the Mind of the APT Adversary

BSides Colombia · 32:22 · 106 views · Published 2025-03
About this talk
In a revealing incident earlier this year, a dissatisfied employee cast light on the covert operations of an APT (Advanced Persistent Threat) actor. This individual uploaded a treasure trove of data to a GitHub repository, offering an extraordinary glimpse into the methods an organization employs to infiltrate networks worldwide. My upcoming talk will take you through a detailed analysis of their sophisticated arsenal, which I have tracked since 2013, exploring the tools, techniques, and tactics these cyber adversaries use to execute their stealthy incursions. #ciberseguridad #bsides #bsidesco
Transcript [en]

Maros speaker.

I was going to say

So, thank you. Thank you for inviting me. So, who am I? Quick and dirty. I worked at the NSA. Did a lot of reverse engineering for the NSA, tracked APT hackers all over the world. And from there, I moved over to McAfee where we did the same thing. We tracked APTs. We had three-letter agencies that we consulted with, assisted them with reports, understanding different nation states and what they're targeting. And this was back in 2013. From there, at the time, McAfee was a subsidiary of Intel. And I moved over to Intel where I did more research. They had over 700,000 endpoints that I could go and hunt. You name the APT and they were in the

network. Right? This is one of the things that I want to really drive home today: people really don't understand what they're up against. From there, I moved over and did a lot of research with the BIOS team at Intel. It was a once-in-a-lifetime opportunity. And then I moved over to SentinelOne where they gave me a little bit more freedom to go ahead and publish some of the reports. The one cool thing about today is that I have my own company. So I don't have any lawyers telling me you can't say something. This is my words, my experience, and the Fs that I give is zero. So you guys are going to get the

truth and you're going to understand what you're really up against. So this is just some key takeaways: what you're up against, right? The origin story. There's a report that I never released that I wrote in 2013 called Java Funk. Shout out to Dave Marcus. I know he's watching live. Research the researchers, and the gunslingers, and we go into Q&A, and I want everyone to go ahead and ask me questions about my experience, whether it's offense or defense. So we'll get into that. But what is the world up against, right? China steals IP from thousands of companies and governments. To me, in a way, they're the best in terms of

stealing IP, taking it, and then bringing it into their ecosystem to create duplicates of, like, fighter jets, aircraft carriers. You guys heard of Huawei? Well, their first product that they pushed out was a replica of the IOS for Cisco. They left the Cisco logo and everything like that. And it was just crazy to me, right? So, let me break it down, because a lot of times people don't go into this and they don't talk about China's military hacking industrial complex, right? At the top is the Chinese Communist Party, and underneath that is the PLA. We'll go into that, and the MSS. And the one thing that people don't understand is that Chinese citizens, when

they're born, they're loyal to the party, not to the country, to the party. So this is why you see in universities a lot of times there's, like, raids on Chinese people, like they're working for a foreign government. They get tapped on the shoulder and they say, "Hey, we want you to steal this." And this happens all the time. You could Google it. It happened, I think, last month, a big raid in Australia. And let's break this down, right? This is how the PLA works. The arrow shows the Second Bureau, right? You're going to hear APT a lot, which stands for advanced persistent threat. The father, I don't want to bore you with the details of each one. What I want to do

is give you stories, give you the history of where we were and where we are now. So the father of the APT report was my mentor. He calls me up one day and he says, "Marco, come over here now. I can't tell you over the phone. Just come here." I drive 45 minutes to a bar, grab a drink, and he's like, "I broke the matrix. It's over. I changed the world forever." I'm like, "What are you talking about, dude? What do you think you changed?" And he goes, "Well, Mandiant," he worked for Mandiant. He goes, "They finally allowed me to publish my research and it should be coming out in the next month or two."

So he begins to tell me and unravel all of the attack life cycle for APT1, their infrastructure, their identities. And the one thing that I was impressed with that he told me was how they collect data. They collect data, and then they have a funnel down into subject matter experts, and that data is then transcribed into Chinese. This is, we were talking about the Cisco and the Huawei. So they have in that one bureau 30,000 people. One bureau. Understand what that is? I've worked at Intel. I worked at NSA. The max we had on teams was 40. Imagine having 30,000 people at your disposal. And just to put context to that, that's like, if you do the math and

you do all 14 bureaus, that's around 500,000 people just working on stealing IP, grabbing the data, and then going ahead and converting that for them. Now, if you look at it, you look at corporations, they hire pentesters, okay? You get a report, you don't do anything. This is what advanced persistent threat is. They're not going to stop. They're going to keep on coming. And like I said, at one point, I worked on a network where you had two different APTs, one Russian, one Chinese, fighting each other to kick the other one off. So that's what you're dealing with. And people just think of the day-to-day. I look at the long term. So the cool thing, when he

told me he broke the matrix, he did. He broke the matrix. The APT1 report forced Obama and President Xi Jinping from China to have a sit-down just to talk about cyber security. That's all they did. And it was because of that report. And just that one report, the two biggest superpowers had a discussion, signed the treaty that they wouldn't hack each other. One month after that, they hacked each other again. It was like nothing. So, you know, I remember when the report was released, my mentor texted me at 11:59. He goes, "Here we go." 12:00. It was the front page of the New York Times and the game hasn't been the same since. We went from nation state to calling

names of, like, different actors to APT. He invented the word APT, and because of that a lot of us now have jobs. So kudos to him. But then you have to deal with the MSS, which is the Ministry of State Security. They're an agency that has spent 14 years targeting thousands of critics, businesses, politics, politicians, and their espionage as well is widespread, just like the PLA. So this includes, like, acting as a journalist and targeting, spear phishing people, compromising emails, cloud storage accounts, data records, routers, home routers. So there was this article that came out last month that they targeted the spouses, the wives of White House officials as well as US senators. So it

just goes to show you they want everything, all the data. They want to know what they know and what is going to come out before, you know, so they could understand and position themselves correctly. All right. So then you have the gunslingers in the south. They are the gangsters. They're talented. And then there's, like, elite. We call them gunslingers because they drop zero-days for fun. Guns for hire. I'm telling you, they drop, and just understand, like, when I talk about zero-days, imagine spear phishing someone and dropping a 0-day and wasting it. That's how they do. So, these gunslingers are in the south. Um, they created companies. They consult for the PLA, the

MSS, and like I said, they're the talent. They're the up-and-comers. They're getting their money. You know, Guangu and Shishwang down here is where the real talent, the real gangsters are. And there's, I'm talking about, hundreds, maybe thousands of companies that the MSS employs, as well as the PLA. So, I was introduced to Winnti, which is a Chinese threat actor. They write malware. When I was at McAfee, like I said, we were a subsidiary of Intel, and I got a call from two individuals at Intel and they were like, "We detected a pattern, and with high certainty we know it's, like, an APT, but we don't have the skills to reverse it." So, they kick it off to me, and this

is the first time I revealed this report. McAfee no longer exists. So, like I said, shout out Dave Marcus. He's the one who named it Java Funk. And this was in 2013. This campaign went after tech and the auto industry. And the binary was just a recon mission. What it did is it attacked the network. It lived off the land with the tools, grabbed all the information, and posted that file to a domain. For me, it was very simple. And what I specifically told them, I said, "Listen, these guys will be back in your network in 6 months, guaranteed. So prepare yourself." They were in their network five months. It took them five months. So they beat my

time. I thought it was going to be six. So here's the cool thing. So this is kind of the binary on the top right here where I kind of reversed it. This is VirusTotal. And here's a variant in 2020. So what I love to do is, you know, my trade is reverse engineering. What I do is take those binaries and do a diff, right? The diff allows you to see what changed in the binary. When you see what changed, what I like to do is predict what they're missing. What is that next iteration of it? So that's the way I think. I act like the threat actor and I'm like, what am I missing here?

What do I need to build? How do I do it? How do I deploy this even faster? And then you can see, when you're reversing, the differences, the entropy. Some of it is just a little bit of changes, right? And this gets modified over iterations, over time. So then you could understand the whole story for years. So they're constantly upgrading these frameworks, and as soon as you start tracking them, you write YARA rules and so on and so forth, and, you know, that's how you track APTs. So what I always love to say is: research the researchers. When I'm reading, I'm like, what did they miss? 90% of research that comes out,

they miss something. This research was from Cylance. It was a blog, and at the time I had a friend that was working there, and they put out this initial report and it only had two files, and I'm like, hold on, we're talking about, like, wasting 0-days; you have a signed certificate. You're not going to waste a signed certificate to go after the gaming industry. So on the right-hand side, I took the serial, which was very simple, and looked at what else has been signed with it. That was the cluster of what was being put out and what was seen in the wild. So I sent it over to them and I was like, you need to

update this whole report and, like, redo your report, because it's not just gaming. It's way bigger than that. So Cisco Talos are gangsters, right? They put out a report. I don't know if you guys heard when, um, the Chinese went after CCleaner, the supply chain attack, but they released this report and didn't even call us at Intel. My friend called me and was like, "Did you see this blog?" And I was like, "No." And as you can see, I circled it. That's the proxy for Intel. So they targeted, they made sure that they were going after these specific companies and that they had the correct proxy so they could go

out and fetch updates. And that was really interesting because it was, like, three weeks to figure out, like, what was the second stage, what happened there. So then we go into, you know, the operations of a gunslinger, right? This is really important because it just came out about a month ago, right? i-Soon was founded in Shanghai in 2010. And the CEO, Wu Haibo, I think that's how you pronounce his name, is, like, a first-generation red hacker, early member of the Green Army. I mean, he has 70 employees, right? And all they do is hack all day. And they started their labs in 2013 as well, right? And this group,

like, there was a disgruntled employee that went ahead and posted up all of this inside knowledge, of presentations and what they do. And this is the research team. You have a for-hire. This is not a pentesting team. This is, no, we hack [ __ ]. We go in, we collect, and we have our customers, whether it's the MSS or PLA or even private companies, come to them and say, "Who do you want to hack?" And they pay them. So, this is some of their tooling. So, I've been tracking ShadowPad, the Windows implants, as well as Treadstone, Winnti, for a while. And this is what they do. They are collaborating. And if you guys don't

know, Winnti is also a framework that is shared across many APT groups. And what I think of is not only their process, but how bold they are of not caring, just letting everyone know: this is what we do, right? 24/7 support. So that means they have ops. Not surprising, but how bold they are in their presentations, like, we have access to Nepal as well as India. I saw the Kazakhstan shirt there. They have access all over the world, right? Like, clean. What do you want? The thing that I look at is the talent and how easy everything comes to them, right? They're constantly hacking 24 by 7, getting access, bringing it into

their ecosystems and really doing their thing. And I want to pivot, because last night I was speaking to Moises over there. Kudos to you. And he was telling me he was, like, a year and a half into the game. And the way I look at it, all aspects of security are linked. How many of you do offense, penetration tests, defense? Okay, they're linked. Period. If you are a penetration tester, you must learn how to bypass defenses. So you need to become an expert not only in defense tools but in how to bypass, right? Exploits, understand them, understand the littlest, minute details. Today I just got a call from the Port Authority of Puerto

Rico. They were hacked, right, two weeks ago. I told them, like, we need to meet because China is coming after you guys. Like, just the ports in general, the vessels, right? So this is what I always say. If you're on defense, you must learn offense. If you're on offense, you must learn defense. And when we were talking yesterday, I was speaking to him and I was telling him, "That's cool. You've been in the game for a while. But here's the thing that I would recommend to you guys and everyone. If you're penetration testers, go find your favorite APT and be them." So if it's APT41, APT whatever, you pick it. Become them. Be

the expert, just like them. Make sure you write the tools. These are places where you can go and get those reports. So I would recommend Winnti. If you're a penetration tester, look at Winnti, mimic them, write your own tools based on what the reports say, and make sure, if you want to be good and you want to upgrade your level, you act like them and you defend just against those specific APT reports. To me, it's a must. And what we're up against is, everyone here that's in cyber security is needed. How many of you are going to DEF CON? Raise your hand. All right. So if you don't know about DEF CON, and I think we could say

it, right? Yeah. So, we're creating a village slash community called LaVa, all for Latin America, and it's going to be all Spanish talks, Portuguese, English, and that's going to be a two-day event at DEF CON. So, I would highly recommend that. And my favorite quote, this is my favorite quote of security. If you're in security, there's two things. You're like toilet paper. Either you're on the roll or you're getting [ __ ] on. Period. Period. Because when you're dealing with high stress, like investigations or even penetration, you must stay calm. You must understand this too shall pass. So, I do want to open it up for Q&A. And that was pretty fast. And I know

we're already behind schedule, but I need at least two or three, four questions. [Music] You can ask it to me in Spanish.

like cutting edge of technology. So you will see the techniques, and it's not about, like, learning the tool, it's about understanding how to tie the tools together, right? So when I'm talking about, like, the Java Funk report, it was very simple. They took the tools that were on the land, they grabbed the information from the PCs and everything like that, the network information, and they knew the network better than the guys at Intel did. So reading those and understanding how they are connected is very important. Thank you.

Okay.

Uh, the question is, what is your recommendation for the companies about this dark scenario? Because this reality is too dark for us, but the companies can't think all the time about security; they have other things to do. Mhm. Great question. So, this is what I always say, because I experienced it. Security is always going to be in the red. It's a cost. Let's say you're a bank or you manufacture goods. What you want to do is express a compromise, like a ransomware. I'll give you a great example. The Port Authority of Puerto Rico, not the Port Authority, sorry, the Auto Expressway was hit. They could have had a $100,000 pentest to, like, figure out where were their

flaws, but they didn't. And they got hit with a ransomware. They lost $5.3 million in revenue and they paid out 9 million on top of that. So what's 100K to around $14 million that you just paid out? And that's how you start beginning to understand. Not that you have to scare them, but you have to inform them of the consequences, right? So if security isn't important, you need to get to the root and say, if this happened, the worst case scenario where your IP was stolen or you got hit with ransomware, what does that look like? And this happened at Intel. Intel didn't have any security. They weren't that serious

because they made chips, until there was the two vulnerabilities on the chip that affected everything. Now they take security seriously because it hit their stock, and they have a pentest and researchers on every specific, like, organization, business unit. So now they take it seriously because they understand they lost around, like, two billion in market revenue just because the vulnerabilities weren't serious, but everybody made a big deal about it. In front of you. Go for it. You got the mic. Maybe, uh, perhaps the short version of that is connecting cyber risk to financial risk. Uh, sorry, I was just trying to make sure, like, it was clear to some of the folks

where you're going with that, my friend. Um, what are you seeing in relation to critical infrastructure?

Yeah, I got one word. You're [ __ ]. That's it. Like, you're [ __ ], like, it's really bad in terms of, if you look at what's happening with the ports, where they want to take out, um, the Chinese cranes that are part of that infrastructure, right? And the thing is, throwing money at the problem isn't the answer. It's getting talented people like you guys to assist with these issues.

The situation that you mentioned is extremely critical, and it's the 1%, the top 1% of Colombia is just the 1% of 50 million people, but the 1%, the top 1% in China, is like the really, really, really top, is something extremely granular but still very massive. And the thing is that universities, of course, the easiest way in which you can migrate to any country is studying. So that's, like, a very vulnerable part in the security of any country, and it's that, because they are the top of the top, they can really compete in terms of academic results against any other country. They can enter the universities that they want. Then when they are inside the

universities, they can participate in the greatest internships with the best companies, and now they are inside, in, like, very critical projects with very critical data. How can we compete against that? How can we prevent that? Yeah, that's difficult, and, you know, this is the harsh reality. And I stated it on the slide: when someone has been born in China, you could get that, like, shoulder tapped. So, you know, hey, we need this. It happened at Google. They just arrested someone, I think, like, two months ago for, like, trying to steal the AI technology. It just happens. Look, you throw money at a problem, it's going to be hard when you

don't have the talent. You throw people at the problem, eventually you're going to, like, solve it and be at the top. And it's very hard. This is why one of the things is, like, it's difficult to say in public, but it's hard. If someone has been born in China, it's hard to think about, like, do I hire this person, because of what they might steal. And if you do hire them, you must isolate them from potential IP theft or something like that. And this is the reality. People don't want to talk about it. It is difficult, but it's the truth.

Go. Come on. Throw it. Throw it. Thank you. Uh, two questions. The first is, um, you show some map with, maybe, the regions of the world that they have, um, guns for cyber security, and there is one country in Latam. Can you explain, if you know something about that, why is that? Which countries are you talking about? This map? No? Oh, oh, yeah, yeah, yeah, this one. That one. It looks like Colombia wasn't on there. No, it was Peru. Peru. Peru. Do you have some comments about the, I think, the region? Yeah, I think it says a lot about why they don't target Latin America, right? But if you

notice, like, and if you do research, like, China's taken over Africa for, like, mining, and how they do it is they go to a government and negotiate: we'll build the infrastructure for you. We'll build airports. We'll build everything, knowing that they will default on the loan, and this is how they capture, like, that nation and try to impose their will on it, and it's happening all the time. Okay. Right. Now the other question is that it shocked me that, um, some attacker will waste, um, millions of dollars in a zero-day vulnerability just for a phishing campaign. Yeah. How is that even possible? How is the... I've been, yeah, I've been in

places that you have a binder like this, and all of it is zero-days. Just think of that. A binder like this of 0-days. So wasting it, wasting a 0-day, depending on what it is, I mean, you know, if you have a lot of them, are you really wasting it, right? And especially if you want to get into this environment, you're going to do what you need to do. And that's the thing, they're persistent, and it's, you know, what the world's up against. And for me, like I said, I've had so many presentations where I had a lot of things redacted because I couldn't speak about it. And like, for me, this is the

first time I could, like, speak freely and not be, like, red-taped and a lawyer or threatened to get fired. So that's a good thing. Any other questions? Thank you. All right. Yeah. Oh, what was... Yeah. Yeah, that was it. Thank you guys. I appreciate it. That's my knowledge and sharing it with you. [Music] [Applause]
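Two technique points from the talk, diffing successive variants of a binary to see what changed and what stayed stable, and turning the stable parts into YARA rules so you keep tracking the family as it is upgraded, worked through as an added example. This code is not from the talk or from the speaker. The two "samples" are constructed byte strings standing in for a 2013 build and a 2020 build of one implant (they are not real Winnti or Java Funk bytes), and Python's standard difflib is used as a stand-in for a real binary differ; the rule name and the hypothetical mutex string are likewise made up for the example.

```python
"""Diff two binary variants, keep the byte runs that survived the rewrite,
and emit a YARA rule from them. Added example, not code from the talk.
Both "samples" below are CONSTRUCTED byte strings, not real malware."""
import difflib
from typing import List, Tuple

# Constructed stand-ins for two builds of one implant. They share a fake PE
# stub, a function prologue and a mutex-name prefix; the call target, the C2
# host and the version suffix differ. None of this is real Winnti code.
SHARED_STUB = (
    b"MZ\x90\x00"                   # fake DOS/PE header start
    b"\x55\x8b\xec\x83\xec\x40"     # push ebp; mov ebp,esp; sub esp,0x40
    b"\x68\x00\x10\x40\x00"         # push 0x401000
    b"\xe8"                         # call rel32 (opcode only; target differs)
)
VARIANT_2013 = (
    SHARED_STUB + b"\x11\x22\x33\x44"          # call target, build 1
    + b"CFG:alpha.example\x00"                 # hypothetical C2 host, build 1
    + b"\xc9\xc3Global\\wnti_mtx_v1\x00"       # leave; ret; hypothetical mutex
)
VARIANT_2020 = (
    SHARED_STUB + b"\xaa\xbb\xcc\xdd"          # call target, build 2
    + b"CFG:bravo.example\x00"                 # hypothetical C2 host, build 2
    + b"\xc9\xc3Global\\wnti_mtx_v3\x00"       # same mutex prefix, new version
)


def common_blocks(old: bytes, new: bytes, min_len: int = 6) -> List[bytes]:
    """Byte runs present in both samples that are at least min_len bytes long.
    Short coincidental matches (a single shared opcode or letter) are dropped
    because they would make a useless, noisy signature."""
    sm = difflib.SequenceMatcher(None, old, new, autojunk=False)
    return [old[m.a:m.a + m.size]
            for m in sm.get_matching_blocks() if m.size >= min_len]


def changed_regions(old: bytes, new: bytes) -> List[Tuple[str, bytes, bytes]]:
    """(tag, old_bytes, new_bytes) for every region that is not identical.
    This is the 'what did they change between iterations' view."""
    sm = difflib.SequenceMatcher(None, old, new, autojunk=False)
    return [(tag, old[i1:i2], new[j1:j2])
            for tag, i1, i2, j1, j2 in sm.get_opcodes() if tag != "equal"]


def hex_pattern(blk: bytes) -> str:
    """Render bytes in YARA hex-string form, e.g. '55 8B EC'."""
    return " ".join(f"{b:02X}" for b in blk)


def build_yara_rule(name: str, blocks: List[bytes]) -> str:
    """YARA rule over the stable runs. The condition requires all but one
    string, so the rule still fires if the next build changes one region."""
    if not blocks:
        raise ValueError("no stable byte runs to sign on")
    needed = max(1, len(blocks) - 1)
    lines = [
        f"rule {name}",
        "{",
        "    meta:",
        '        description = "stable byte runs shared by two variants (added example)"',
        "    strings:",
    ]
    for i, blk in enumerate(blocks):
        lines.append(f"        $s{i} = {{ {hex_pattern(blk)} }}")
    lines += [
        "    condition:",
        f"        uint16(0) == 0x5A4D and {needed} of them",   # MZ header check
        "}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    for tag, old, new in changed_regions(VARIANT_2013, VARIANT_2020):
        print(f"{tag:8} {old!r} -> {new!r}")
    print(build_yara_rule("implant_stub_2013_2020",
                          common_blocks(VARIANT_2013, VARIANT_2020)))
```

Running the script prints the regions that changed between the two builds (the call target, the host name, the version suffix) and a rule built only from what did not change. On real samples you would diff at function granularity after disassembly rather than over raw file bytes, and you would check the candidate strings against a clean corpus before deploying the rule; the "all but one" condition is the code form of the talk's point about predicting what the next iteration will change.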