
All right, hello everyone. This is Will Baggett. We're going to discuss the compromised Conti chats and the methodology used to process those as a cyber threat intelligence analyst. Thank you for tuning in to BSides Charlotte, it's greatly appreciated. It's a fantastic local hacker convention they put on in Charlotte and it's an honor to be part of it.

So, I'm Will Baggett, Certified Combat Collection Engineer (that's an older certification I got when I was teaching NATO Special Forces), Certified Fraud Examiner, other certs too, but for this course, this class, it's relevant. Very short career path, so you know the filter that I'm coming through for the approach for this talk. I was in financial tech; I worked for SunTrust pre-wik UK. From there we got recruited, I went to the intelligence community, did a lot of stuff and things in the cyber world, human collection. From that I decided to resign and stay in the Charlotte area instead of moving back to DC. Worked for a couple of years in Belgium as a NATO Special Forces cyber instructor teaching drone forensics, phone forensics, desktop OSINT training. The drone forensics is a lot of fun, good way to get in trouble. A thing called COVID hit; I ended up getting a job as an insider threat consultant to a large pharmaceutical firm during COVID. After that ended I went to a cyber threat intelligence role, where I am now. It's a fantastic company, but we're not going to mention their name because I'd have to get company concurrence, legal would have to approve the conversation, and that just takes things way too long, so we won't mention who I'm working for.

This talk is going to cover four main topics: the Conti ransomware group; the Russian-Ukrainian cyber warfare efforts that have been ongoing since '14; what is insider threat, what does that mean, because it's such a compartmented, stovepiped, esoteric, Byzantine (there's some three-dollar words for you) discipline, part of cyber that some people may or may not know what it does, so we'll touch on that; and the last, and the core of the presentation, is the CARVER analysis method and how that applied to what was leaked out.

So for the audience, because this is a 15-minute talk, 40 minutes-ish with time for questions in real-person time, real space: the red slides, the red background, is where we had stopped. If we had a week we'd pivot to an open exercise. I leave that there just as a thought, for if you want to play after the talk or pause and go try whatever I'm suggesting. Great. The yellow slides are things that were found from the leak that happened months or years after the leak, well, a year and a half after the leak. That way you can differentiate what the slides mean.

Ransomware. So if you've been watching the news, if this is the talk back in Vegas, definitely it's a topic of concern. Ransomware, and the variant of wiperware: a gang of criminals, usually, sometimes funded by nation states, will send malware, find an exploitable vulnerability, do reconnaissance, exfiltrate key data, and then once they have the key data they have a team of experts, of consultants, that will go through and determine how big the payout can be from a company. And once that's executed they'll have a name-and-shame to try and gauge how deep we want to go for this. A name-and-shame: "Caesars has been breached, here's some of the data, they refuse to pay the ransom to get their data back, so we're going to start publicly embarrassing." A variant that came out of the Russia-Ukraine effort has been wiperware: same thing, but instead of holding the data hostage for money they'll just completely wipe the data. From a pure academic point of view it's better than kinetic strikes, loss of life, or ransomware where the data could be gone. The data's gone, the hardware is recoverable, no one's generally dead, unless it's your power supply, water supply, food supply, but generally it's a less destructive method of cyber warfare.

So Conti is a Russian-based ransomware group, came out in mid-2020, did the extraction, the name-and-shame, just like Alphv, just like the other big ransomware groups, Clop using MOVEit. And it came out later, not to get ahead of myself, but this is a fundraising element of the Russian government: they'll take the ransom, millions of dollars, and send it back to the Russian government to use in the Russian illegal invasion of Ukraine. So in 2021 Conti far outperformed the rest of the ransomware groups, not completely combined but very close: 180 million dollars per year in revenue. They'll attack, usually, the same method, excuse me: they'll either send a phishing link, spray the passwords, or they'll use a CVE that's not been patched to gain access. Once they have access to the data they'll exfiltrate it to their command site and then they'll send the ransom email. You know, if we can see, we can even step through here. Also, don't connect to these C2 sites from your corporate laptop. That gives the imprint to the ransomware operator that you have an interest in them, that puts you on the radar, that gives nights, weekends, overtime hours, that's a paperwork-generating event, we don't want those in cyber.

So to tie all this together: May 2021, Colonial Pipeline, and those of us here on the East Coast were definitely impacted by that. Colonial Pipeline had, not to editorialize as the first talk for the conference, and we don't need Will editorializing this early in the morning, Colonial Pipeline had quite a few cyber vacancies open, unfulfilled. They weren't taking the cyber security role for this infrastructure quite as seriously as they should, and DarkSide sent a phishing email to one of the administrators at Colonial Pipeline that locked up the billing system, and then we had gasoline shortages on the East Coast for at least a solid week if not longer and disrupted the East Coast economy, just from one ransomware attack. So cyber security began to pivot a little bit more to paying attention to what ransomware was doing. We're now more in tune with it, seeing the damage that can be done.

Transitioning from that to the Russian-Ukraine cyber warfare effort, a couple of things to get in here. There's a lot of new techniques that have happened. The one we were talking about in NATO's office, it's a wall of text, but it was a brilliant combined effort: when Ukrainian troops land near the Russian border, activate their phones, you bring your personal phone to battle, right, the Ukrainian soldiers would get a text saying "you are surrounded, you're abandoned, you're going to die on the battlefield." Concurrently the soldiers' families get a text message saying "your son has been killed in action." The parents then call or text the family member in the war zone, which is doing quite a few things: it's triangulating their location, it's validating their OSINT, it's generating telemetry for SIGINT collection. So this is a fairly complex effort by Russia to demoralize the Ukrainian troops, and if they can find your cell phone on the network you can easily locate them with mortar shells, artillery, which is pretty devastating in combat. So this is something we were training the NATO coalition troops: that when you go into combat you don't need to have your electronic devices with you. Because it's everything from U.S. Special Forces down to, one of my students was a cherry farmer from a former Soviet state, doesn't understand cyber, truly outstanding sniper, which is what you need on the battlefield, but he needs to understand the basics: can't bring these things with you because it is going to give away your location.

Ukraine also had some fantastic psychological operations during the conflict. They released a list of all the Russian spies they claimed were operating in Europe: names, addresses, SIM card numbers, IMEIs, a list of all the foreign service workers for the Russian Federation. Whether or not all 620 were truly Russian intelligence operatives doesn't matter, because now they have the label of being one. So even though they may have had the most benign job, working for the embassy gathering contacts for grain export, I don't know, but now that they've been tainted as being a possible Russian foreign service worker, I can't talk today, a possible Russian spy, they've now been isolated and their ability to operate in Europe has been severely degraded. If we were in the classroom we'd pivot over to Bellingcat and we'd look at some of the work Bellingcat has done, where they can take the Russians as they kind of change identities, go overseas, conduct assassination operations, like the famous one where two operatives claimed they went to London, or went to Britain, to look at a mosque, or look at a church, and then flew home the day after the Russian dissident was murdered. Bellingcat has gone through, sifted the OSINT details, and been able to identify each FSB officer. So this would be something we would stop and spend 30, 45 minutes on to determine what can you find, as a new student for OSINT, on the Russian intelligence operations. Of course the intelligence services react to this, and in Cyrillic our friend is saying "I'm telling you right now that Russian Foreign Service officer is not real." So that's a pretty good psychological trick. Another one NATO talked about: both sides, Russians and NATO allies, both created fake Tinder profiles to catfish and elicit information from each side. Again, you're in Warsaw looking for love on Tinder is probably a bad idea, but here we are.

So Russia invades Ukraine, February 2022. The cyber threat intelligence team, we were directed, where I am, to monitor for new threats from the Russian invasion, because they promised to take down the U.S. economy for anyone who assists the resistance to Russia. So we mentioned the Colonial Pipeline exploit; that was still fresh in our minds. Less than a year later Russia invades Ukraine. Conti puts out a statement saying "we thoroughly support Russia, if anyone attacks Russia we'll use our resources to go against you." You know, that goes up to a spot report, goes up to leadership. Two hours later Conti then says "well, maybe not, we're not taking..." They're trying to backpedal. I don't need to read the wall of text to you; something happened where they're trying to backpedal and dissemble from being closely tied to Russia. Most of us on the team found that a little bit odd. Most of the threat intelligence community, the cyber community, as well as the intelligence community, yeah, thumbs up with that. We say: who was Conti? Because that was the moment where Conti, as they would say back in the 70s, jumped the shark. Things go south. The first emails start going out that Conti is leaking all the data. There's a very specific file, hyphen x v, was it, geez I can't see today, "xzvf1 dot tzg." That's a very special file name that wouldn't be hard to find at all, it's Splunk on your network. They said "we're going to delete everything internally," so he's got recurring access, things have been staged, and this starts to grow just like any other viral event on the internet. Headlines start coming out: the security researcher, we can't say that he is part of the... the sole Ukrainian working for Conti. He had like 660,000 messages belonging to the ransomware gang; he released everything. So the first thing that goes up, and again, the red, the student exercise: we can see by the date joined, February 2022, this wasn't something he had ready to leak. This is a spur-of-the-moment decision. This wasn't... there's one Russian ransomware that hit a mortgage provider that never really made the U.S. news, but the leak came from an account dedicated to discussion of this months before the actual ransomware hit. So right here, realizing we're not live and I can't point, you can't see me: who are they following, who are their followers, who's retweeting this, who's quoting? And if I was a foreign service adversary I would say this is of interest: who's looking at this? Journalists, intelligence analysts, sock puppets for more seasoned threat intelligence analysts who are not using their true name and not using their true location, they're using a VPN. There's a lot of intelligence you can gather from this in and of itself. Also, you don't have to go in and follow them; you can just remember twitter.com/contileaks and not burn yourself, that your corporate Twitter account is now following the Conti leaks, that you have interest in this. So again, if this is a class, we would probably take 30 minutes to discuss this, go through, do some analysis. There are some where you can see the Facebook links of official Army units and see all the people who like and thumbs up or whatever (I'm not on Facebook), everyone who's congratulating the Colonel on his recent award. Okay, now we can go through and see everyone who's interested in this one action. Same thing here: why are you following this?

And then we're going to talk about Conti, but getting to the data takes a little bit of operational security. What I would do is go to teamfolique.com, twitterinfolique.com, and then I would plug in Conti leaks and my email address and I'll get a free report to my email. I've been using this site for a few years, it's not spammy, you know, I get names, GPS, I would get a report, I can see what's coming in from this account. This may or may not work still. Another OPSEC exercise we would do, to say, you know, for the damage, for things that can be leaked: I would have the students go open Twitter, just do a simple search for "my new debit card," and this blossomed out from a 20-minute exercise to a four-hour exercise, because of just the things people find that you wouldn't believe. Whether they were in cyber or getting started or experienced doesn't matter, but this is still mind-numbing. You just have to shut the lid and worry about the state of humanity, that people are still advertising and sharing their new debit cards, their new passport, their new airplane tickets. So you can see that, yeah, leaks happen. Not only do they happen, they happen at a very personal level, they happen at a nation-state level, but it's out there.

Getting back into this, I like to give the idea of not just a talk but here's something you can work with to help learn the concept a little bit more. The leaker went through, separated these out. This is great. They're all in Cyrillic, and you can see when the leaks are starting to come out someone translates into English, now things truly take off: 393 messages, 60,694 total, everything in the raw. Means everything: source code, plans, intents, software quality assurance testing, onboarding, daily chit-chat that we see in Teams. Not the, was it the 38 terabytes of Teams AI data that was leaked from Microsoft, oops; this is dedicated just to Conti only. So the yellow background is current stuff: right before I gave this presentation at BSides Las Vegas they found, a year and three months later, that yes, there is a connection between Conti leaders and Russian government contacts. This is a nation-state-operated endeavor from the Russian intelligence service. This is something that wasn't determined until months after analysis. So you've got your triage, and that's where we're going to get to: the triage of the immediate impact to my company versus the deep CIA, DIA, NSA, FBI-ish level of analysis.

So we've seen what the insider threat can do; we've seen what the one actor did. What is an insider threat? Usually when we're dealing with a data breach we're discussing an external actor who's discovered a misconfigured S3 bucket for Amazon, SolarWinds, massive breach like we dealt with in 2021, the more recent MGM and Caesars breach brought on by ransomware. But it's usually there's a hole in the dam where water is pouring toward, as opposed to someone working in the dam who actually opens the lever to let the water out. Whether it's Edward Snowden with his NSA leaks, Robert Hanssen disclosing the key data of very protected identities of people working against the Russians inside Russia, or Nebula betraying the Avengers team, because you had 2014 Nebula with the 2023 Avengers team for the Battle of New York. And people use science fiction and adventure movies because we have so many NDAs, we have things that happen we can't discuss, so we can go to the commonalities of science fiction movies. That's why people do this. It only takes one unexpected action to breach your organization. No one's expecting this. No one thought the one Ukrainian researcher on the team would leak this out. No one thought, I'm pointing at the screen like y'all can see me, no one thought the one shield ring over Scarif would be the weak point. Even though it is very strongly shielding physical incursion, it's shielding transmissions out, if you physically damage it with another spaceship, just like we saw here with a Hammerhead corvette, and take out that literal firewall, then the data is going to be able to escape. Just like Clop with MOVEit: we're still logging hundreds of breached organizations from this combination.

So the traditional motivations for espionage. I don't know if it was a CIA training class or a Tom Clancy novel where it came from; Tom Clancy novels were so close to accuracy that we began using a lot of his writings for training, so I'm not sure if it's a chicken-and-egg thing. But the ideology is MICE: money, ideology, conscience or compromise, ego or excitement. So we definitely have ideology: this leaker's country has been invaded by Russia. We have conscience, and then we have probably more, I don't know if the ego or excitement: he said "I can stand up, I can do something about this." Getting into the deeper motivations for espionage, RASCLS: reciprocity, authority, scarcity, commitment, career, liking, social proof. Those are more in-depth behavioral analysis of an asset rather than just ascribing motivation to one internal leaker. However, these are also the very same effective elements of phishing emails, which is what we just had that took down MGM and Caesars Palace, where some of the slot machines are showing BIOS screens and they're doing paper receipts right now, at the time of this talk.

So this talk, this insider threat: it was a one-time event, because after he's leaked everything out he's not coming back, he's not reapplying to rejoin Conti, he's lost his access. He should have been offboarded at this point. Directly attributable to one individual, and the damage is unquantifiable: they are no longer a threat. They've tried to resurface and use the same C2, but it's not there, it's not happening. The data was compartmentalized by Conti, but not effectively. You had people who thought that Conti was operating as a pen testing firm; they thought they're like a Bishop Fox or a Mandiant instead of a ransomware group. But the data was saying they were organized. They were showing the exact things that we look for as insider threat analysts: they're staging the data for reconnaissance, they look for exfiltration, they're conducting reconnaissance, they're harvesting the data. So this would be another discussion for insider threat, not the venue, but to get the idea going: how would you detect this behavior? Would it be a leadership issue? Would it be sensors through EDR software? Would it be a Splunk dashboard? How would you do this? Does he have a personal Conti laptop for this data? If you're harvesting 100 million dollars, 189 per year, for a small team you should probably have your own laptops. So how is this individual leaking the data out? Did he copy the data and email it from a secondary site, i.e., did he use USBs to get the data, just like UNC 58 out of China, and now North Korea using USBs with Sobu? This just broke right before my talk. So how are they getting the data? These are the things I would look at a little bit after the fact: but how is he getting the data, how can we change this in our organization so we don't have massive breaches again, if we can survive this leak?

So pivoting back to the CTI chair, giving this talk exactly from where I processed the first leak: we have raw intelligence from an unsourced party with alleged first-hand access. Is this propaganda? Usually when you have a battlefield data find, talking about drone forensics, if a drone cra