
[applause] Thank you. Thank you. I hope the audio's about right. Okay. I'll start with the usual disclaimer. Everything I say here today is my opinion and everything I say here today is based on publicly available information. There is no insider information in this talk. On the morning of the 12th of December, Kyivstar, Ukraine's largest telco, kind of stopped being a telco. 25 million people lost internet, communications, everything. They had been broken into maybe six months earlier. Don't really know. They'd had intruders in their network for six months without really detecting them. The security services had warned them that something might be up, but there wasn't enough information in the
warning for it to be actioned on. And then about two weeks before Christmas, Sandworm acted, tried to wipe out the network, took out 14, 15 million virtual machines, thought they took out the cloud storage, said, "Yep, backup systems gone as well." Kyivstar responded, "Don't panic. Everything's going to be fine. Everything's going to be great. It's just a small glitch." And it kind of was. They had services back up the same day, some services. So your home internet, your fixed lines. Mobile came back up over the next couple of days, starting with the big cities and working out to the regions. International was out for a bit longer, but after eight days, everything was back. So they got some things wrong, but they
got some things right. Nobody here will be surprised to learn that APTs target critical infrastructure. There have been numerous attacks on telecommunication companies, telecommunication cables, hospitals, drug testing agencies. There have been physical attacks. Most of us are oblivious to most of these attacks because systems are redundant. You take out one telecommunications cable, traffic switches to another one. But make no mistake, we are under constant attack. If you're critical infrastructure, you're a target. If you're not critical infrastructure, you might still be a target. Hotel chains have been breached. Not so much because they care about the hotel chain, but because they like to know who's traveling. VIPs, travel, all that information is in the hotel
information systems. They get breached. Fancy Bear, APT28, got one of their crews caught in a car park a couple of years ago with a bootload of wireless communication tapping systems. Since then, they've discovered another technique. You break into a small business, you hijack their Wi-Fi, you hijack the next company's Wi-Fi, and then you use that to attack the target you want. If you're a supplier to a target, you're a target. And a lot of us are suppliers to critical infrastructure or to the suppliers of critical infrastructure. And critical infrastructure is everything that's essential for daily life. Remember the toilet paper panics. Anything that can cause disruption is a target.
And I promised that this talk was kind of introductory to intermediate. So I should probably start with some definitions. There are some very capable teenagers out there. There's some serious crime and some serious disruption that has been committed by teenagers. And teenagers and APTs do have things in common. They've got a lot of time on their hands. They have no real fear of consequences. Even for teenagers in Western countries, they're teenagers. They're not treated as adults. They get picked up. They get released. APTs have the same immunity for different reasons. The Russians are not going to hand over people to the West. Occasionally they'll go for holidays somewhere silly and get caught. But if they're not silly,
it's a job. It's a nine-to-five job. They do have differences. Cyber criminals have to basically make themselves known. They want to monetize your assets. And there are very few ways to do that that you will not notice. A ransom letter is noticeable. Being cryptolocked is noticeable. Having crypto miners running up large bills in your data centers should be fairly noticeable. About the only thing that's not immediately noticeable is if they then on-sell that access to somebody else, but then that becomes noticeable too. Another thing that they have in common is phishing or social engineering. Teenagers are very good at it. APTs are very good at it. One thing that's different is criminals aren't patient. Teenagers aren't
patient. APTs are patient because they want to persist. They want to stay in your network forever. Usually, they might want to steal data from you. They might want to steal data about your customers. They might want to use your network to get into other people's networks. This means that they do not want to be disruptive. They're patient. It's not all zero days. They have zero days. They do use zero days. They don't always use zero days, in part because they don't have to. Phishing works very well. Spear phishing works even better. But they use zero days. The reason not to use zero days wildly is every time you use a zero day, you might get caught. You might burn
your zero day. At the same time, other people have access to the same zero days. So even if you don't get your own zero day burnt, somebody else might burn your zero day for you. So you don't want to not use them either. That's a waste. Overuse them, use them on low-value targets, that's a waste. Not using them is also a lost opportunity. We have writeups on how APTs work. Some APTs, including APT44, to which the Kyivstar attack has been attributed. We don't have a really good writeup of the Kyivstar attack, but we have writeups of other attacks. We know, yes, they use zero days, but they also just use phishing and they do a lot of living off the land, and
a lot of the commands they use have been documented. There are documented IoCs, indicators of compromise, that your SOCs can and should be looking for. Volt Typhoon, one of the Chinese APTs, also well documented, also likes to live off the land, has been up to five years in telecom companies, is in many of the major telecom companies in the world. I'm not telling tales out of school. This is well known. They're trying to contain them, they're trying to evict them, but they're in there. They've had access to lawful intercept, which means back doors, effectively legal back doors. They're in there. They're in there because they want to spy on VIPs.
They're also in there because they want to know who the lawful intercept systems are targeting. They want to know, are our people being targeted? Because that lets them know that their agents have been rumbled. And they're really hard to get rid of. They are very persistent. It's not all doom and gloom. We have examples of how they work. We can use these to say how good are our defenses. Looking at Kyivstar, the perimeter defenses failed. This is normal. Perimeter defenses will fail. Users are human. Users make mistakes. The better your perimeter defenses, the less often they fail. But perimeter defenses are not enough. We like to call it defense in depth. Defense in depth is a technical term
that means we are not very good at this. We need lots of opportunities to stop the attacker. We need to give ourselves as many opportunities as possible. Perimeter defenses, segmentation. For Kyivstar, segmentation worked well. The attackers got at the virtual machines, but they didn't have as much luck beyond that. They didn't get at the hardware. If they'd gotten at the hardware, and they tried, then it would have been months to recover, if at all. We know that Kyivstar's attempts to protect their identity management systems, their privileged access systems, failed. We know that the attackers stole credentials using malware, which, speculation, was Mimikatz, and we know that they got into the Active Directory. I've put zero trust on this list because
everybody recommends zero trust. I've put asterisks after it because zero trust is really, really hard and nobody seems to be very good at it. Identity, I've put one asterisk after too, because it's also actually hard. People say it's important. They're right. It is important. People say you should know everything on your network. Kyivstar had 25 million customers. They probably don't even know how many boxes are on their network, let alone what all of them are. And this is normal for a big company. Probably the best you can do, and what you should aim to do, is make sure that for any given box on your network, you have a way to ask that box, who owns you?
Because it's the orphans, the things that shouldn't be there, that you need to worry about. MFA is great, but cyber criminals have found ways to get around MFA. You need phishing-resistant MFA, and you need to be very aware about your supply chain. Who has access to your networks? Are there humans who have access to your networks? Because we've had a lot of breaches coming through that way. We see a lot of that. But also, what are you inviting into your network? If you're downloading libraries off the internet, well, I'm not going to say don't do it, but are they segmented? Are they isolated? What's the worst that could happen when, not if, when those
libraries get breached? Because that happens. There was a really big one last week. Kyivstar got their detection wrong. We know that detection's hard. Kyivstar got their response fairly well, I hesitate to say right, but it was sufficient. It was adequate and it was dramatic. When they worked out that they were under attack, they took down their own network. They denied the attacker access. They DoSed themselves, which cannot have been a calm thing to have done, but they had the confidence to do it. They said, "Okay, this is going to be bad, but the consequences of not doing it are worse." Question. Would your own defenders feel that they had the authority to do
that? Or would they be too afraid that we'll get in trouble? We can't react in a way that's going to do damage to our own networks. You'll remember one of the bigger, I don't really want to call it a cyber attack, outages. My mind's blank. CrowdStrike. There was at least one company which managed to accidentally defend themselves from CrowdStrike by having their DNS servers update first. Wasn't deliberate, but it was effective. The DNS servers went down and it protected the rest of the network. Ablative DNS.
Recovery was necessary for Kyivstar. APTs do not give you your data back. They will occasionally disguise what they do as a wiper attack. Sorry. They will occasionally disguise a wiper attack as crypto locking and say, "Send us money." Fine. Send money. You're still not getting your data back. Criminals will usually try to give you your data back. Sometimes they will succeed. Sometimes they won't. If they do, it can take a long time. And if you pay ransoms, you're making yourself a target for ransom. Have backups. Test your backups. Make sure your backups are isolated, not available to the network. Because cyber criminals, they know that if they can't get at your backups, they're not
going to get the ransom. Test everything. If you haven't tested it, assume it's not going to work. Don't just start your red team outside the perimeter. Start your red team everywhere that you don't want an attacker to be. If this means giving your red team the ability to inject packages into your build system, do it. Anything that's off-target for your red team is not off-target for a legitimate attacker. They will happily go anywhere, do anything. Tabletop what can happen. Test. To recap, early in 2023, Kyivstar was breached. In June, they did get some warning from Ukrainian security services. We don't know how much warning it was. We don't know to what extent they acted on
it, whether it was actionable, whether they followed up. But if you do get these warnings, do take them seriously. December 12th, the VM fleet was destroyed. The hardware survived, and then eight days later everything's back up. They estimated the total cost at about a hundred million. In other words, not insignificant, but could have been a lot worse.
Questions? >> I do have a question for you. You mentioned the
I'm wondering.
>> Okay. So, the question was about pivoting from network to network, and you mean Wi-Fi networks? >> Assume your Wi-Fi network is under attack. So for a long time we've relied on multifactor to protect Wi-Fi networks. Geography is a factor. If you can't get at the network, if you can't get into the room with the computer, that's protection. But these days that protection is not really there anymore. So yeah, use modern Wi-Fi. Old Wi-Fi is just awful. You may have heard of wired equivalent Wi-Fi. That means the same protection that's offered by a piece of copper wire if the attacker can get at it. So, >> yep. Question, or do I
>> So the question was why did Kyivstar's defenders decide to DoS their own system, because that also DoSed the attackers. So the attackers were still going. You take down the network, you've denied the attacker access to the network. The attacker is in Russia. They're coming in across the network. The only way they can get to the system is through the network. You have people on the ground. So, you can go and bring the systems back up, take them off the network if you need to bring them back up, and you've stopped the damage. You've stopped the bleeding. You've also stopped everything functioning. So, it's a gamble. But they knew that they were under attack and
they figured that it's better to take a temporary hit now, from which it'll be easy to recover, than to let the attack continue and who knows what's going to happen.
>> Yes. There.
I've found nothing in the English language press. There might be stuff in the Ukrainian press. If anybody's got contacts in Kyivstar or the Ukrainian security forces, they might be able to get more. There could be a lot of reasons why it wasn't acted on, and we don't know how the security forces knew that Kyivstar was under attack. They may have wanted to protect sources and methods. They may have been deliberately somewhat vague. They may not have given Kyivstar enough information other than "you are under attack," to which Kyivstar would have said, "Yes. It's Thursday." We just don't know, and we don't know how much more information Kyivstar tried to get, and we also don't know how many
false positives they've also been given. We know that there was one apparently true positive, but they may very well have had a lot of warnings that came to nothing.
It was both. So the question was, the attack on the hardware failed. Was that more due to the defenders or the attackers? So there were a couple of things that happened there. The attackers were trying to download firmware, as far as I can tell. I can't see another way it could be done remotely. So they're trying to download firmware. The attackers to some extent were getting in each other's way. So the attack was not as well coordinated as it could have been. The defenders pulled the network out from under the attackers. The attackers were working manually. So that stopped the attack. Also, Kyivstar, big company, been going for a long time, probably operating on tight
budgets. They had a lot of different hardware, which means that you would have needed a lot of different firmware images to be able to attack every bit of hardware. But given enough time, attacks will succeed. Okay. One more question. Okay. All right. Thank you all. [applause]
Thanks very much, Ben. We've got a little bit of a pause. We've got a nice little crossover break. So, if anyone needs to do a comfort break, now is the time to do it. One little piece of housekeeping, just to manage everyone's expectations. So, again, thanks again to Rapid7 for supporting the subtitling. And thanks also to Black Duck, who are sponsoring the afterparty. Don't bother hassling them yet. They do not have the wristbands. They will not have the wristbands until 1:00 p.m., and then you can hassle them. So thanks very much. We'll have Stuart McMurray up in about 10 minutes. And then, apart from that, look after yourselves.