Hi! You may not know me, but to be brief let’s just mention I conduct cyber forensics, investigations and security awareness for living for 25+ years. A few weeks ago I got called in to do some forensics analysis for a customer (they talked about some mystery around weird system actions and reactions). Upon further analysis with both teams, they saw infections that seemed to use the Active Directory to very quickly spread out into the network and we assumed it was a targeted attack. What we did not know that phase 1 of what we all believed to be a fiction or cool script of Die Hard 4.0 movie back in 2007 just got real (you can not make this stuff up…). They called it Fire Sale, a cyber attack against a whole country (hello hybrid warfare and cyber war) this attack ultimately led to a collapse of all computer controls, leading to an economy crash and other bad consequences (like whacking out an entire industry…). How real is it to perform such an attack? Well, one of industry anti-malware leaders, Eugene Kaspersky may have predicted the future roughly 1,5 years ago. But lets just get to facts for a moment: it was a normal Sunday when one of media industry security analysts got me onto a conference call with another company I am on the board of. Not that it surprised me that they are working mid-Sunday (as do I so don’t ask), it was rather the facts that were really interesting and frightening: the entire media industry and TV channels were simultaneously reporting being under an unknown cyber attack that disrupted computer operations and acted in a very unpredictable manner. The attack started on Sunday October 25th, just as state-wide elections were going on in Ukraine (coincidence?). While several hacktivist groups tried to take credit for the attack, there is not enough (conclusive) evidence to pinpoint it to a specific party – we’ll leave this to those “special services” and politicians to figure that one out.
As I mentioned, the attack was a covert multi-stage infection of a company’s infrastructure hitting one target after another, causing computers to restart and become unbootable. At this stage, two things seemed obvious: we were dealing with targeted cyber-attack, perhaps with political motives and aimed at disruption of an entire industry. However, investigation has brought up a plethora of details that challenge the initial statement…
Attack symptoms and initial impression
While we wait for some verification of official results with some 3-letter agencies we are working with, as well as dedicated forensics & security malware reverse engineers and full disclosure will be done by a local CERT, I’ll share how things looked from the front lines.
Targets were multiple Microsoft Windows platforms, without version or function dependencies, including Active Directory Domain Controllers, Desktops, video-editing workstations, accounting computers etc.
Typical observable behavior of infected assets was an Unexpected Shutdown of Operating System after which system became unbootable: MBR was missing (I wonder why…). A second symptom was a 100% fill-up of the system partition, which as we know makes system behave abnormally and per Microsoft’s recommendation “Asks to contact a System Administrator”. From internal security team’s perspective it looked like random Windows machines fully crash without any obvious reasons or relationships. A third and no less important symptom was all colleagues in same industry calling up each other and reporting those same first 2 symptoms…
A Few things were clear for me at this point:
- It was a targeted attack, thoroughly planned and orchestrated way ahead of the date it was actually set in motion.
- This is not a 0-day vulnerability exploitation. Attack is multi-stage involving either social engineering and insiders or a multi-layer, modular and synchronized system of weaponization, delivery and command and control, hello to Cyber Kill Chain model 😉
- The timing of the attack is not random: it happened exactly on the day of local state elections aimed either at disruption of elections media coverage (which never happened) or the date was used as a decoy to distract from main attack’s purpose. This also could be a one hell of a presentation of new cyber weapon’s capabilities on a countrywide scale.
I recommended my colleagues to brace themselves, put any doubts aside and focus on 2 things: reduction of collateral damage and maximum evidence collection. We tried to get anything we can: PCAP’s, snapshots, screenshots, windows logs, SIEM & IPS alerts, memory dumps and of course malware sample. Obviously traditional anti-virus and other active defense systems were silent. During first 24 hours of the attack we were able to obtain a virus called “ololo.exe” and uploaded it to VirusTotal, just to find out that not a single Anti-Virus was aware of this malware. To be continued with results of malware reverse analysis and results of initial investigation…
Michael Goedeker MSc.| CEH, CISSP, CHFI, CCISO, ISO27001 LA
Security Researcher and Trainer
Board Member of SOC Prime and
CEO of Auxilium Cyber Security