The SNAKE Campaign

The group behind the SNAKE campaign are a top-tier nation-state threat. Their capabilities extend from subtle watering-hole attacks to sophisticated server rootkits that are virtually undetectable by conventional security products. The group has been operating continuously for over a decade, infiltrating governments and strategic private-sector networks in that time. The most notorious of their early campaigns led to a breach of classified US military systems, to an extensive clean-up called 'Operation Buckshot Yankee', and to the creation of US Cyber Command.

Whilst the sophisticated rootkit is used for persistent access to networks, the group also leverage more straightforward capabilities for gaining an initial toehold on targets, including watering-hole attacks and basic remote access tools.

Threat actor (as labelled in the diagram)
- Names / aliases: SNAKE, Turla, WRAITH
- Location: Moscow, Russia
- Contact handles as labelled: snake@gmail.com, twitter.com/snake
- Persona: Russian Political Expert
- Motivation: Advantage - Political; Theft - Intellectual Property

Campaigns
- The SNAKE Campaign (Advantage - Political)
- The Epic Turla Campaign (Advantage - Political)

Infrastructure (C2 List / URL Watchlist)
- CNC Server 1: 82.146.166.56
- CNC Server 2: 209.239.79.47
- CNC Server 3: 41.213.121.180
- Watering hole (compromised WordPress site): eu-society.com
- Watering hole (compromised WordPress site): aromatravel.org
- Watering hole (compromised WordPress site): bss.servebbs.com
- Supporting infrastructure labels: Domain Registration, Hosting
- Detections linked to the above: Watering Hole Detected, CnC Beaconing Detected

Tactics, techniques and procedures (impact category as labelled)
- C2 malware CnC channels (Advantage)
- Fingerprinting and whitelisting of visitors during watering-hole operations, so that exploits are served only to intended targets (Theft - Credential Theft)
- Spear-phishing in tandem with 0-day exploits (Unauthorized Access)
- Infiltration of organisations via a third-party supplier or partner (Unauthorized Access)
- Custom reconnaissance tool used to compromise the network and identify credentials (Theft - Credential Theft)
- Multiple means of C2 communication, reflecting the diversity of the attacker toolset (Advantage)
- Rootkit communicates only while legitimate network activity is taking place, with traffic encoded using an XOR key (Advantage)
- Kernel-centric rootkit waits for a network trigger before launching (Advantage)
- Kernel-centric exfiltration over TCP, UDP, DNS, ICMP and HTTP (Theft)
- Exfiltration over HTTP/HTTPS (Theft)
- Use of previously undocumented functions in their kernel-centric attacks (Advantage)
- Privilege escalation vulnerability CVE-2013-5065 (NDProxy.sys on Windows XP / Server 2003)
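The diagram pairs a C2 list and URL watchlist with "CnC Beaconing Detected". The script below is an added example, not code from the original page or from the vendor that produced the diagram, showing how those two detections are typically implemented in a SOC: exact matching of proxy log destinations against the page's C2 addresses and watering-hole domains, plus an interval-regularity check that flags beaconing even to hosts that are not on any list. The sample log lines, the internal client addresses, the unlisted 203.0.113.10 host, the 5-minute and 60-second beacon intervals and the 0.2 regularity threshold are constructed assumptions for illustration.

```python
"""Watchlist matching and C2 beaconing detection over proxy log lines.

Added example, not code from the original page. The indicators are the
C2 addresses and watering-hole domains labelled in the SNAKE diagram;
the log lines, the internal client addresses, the beacon intervals and
the regularity threshold are constructed assumptions for illustration.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Indicators copied from the diagram labels (C2 List / URL Watchlist).
C2_IPS = {"82.146.166.56", "209.239.79.47", "41.213.121.180"}
WATERING_HOLES = {"eu-society.com", "aromatravel.org", "bss.servebbs.com"}

# Constructed sample proxy log. Format: "<ISO timestamp> <src_ip> <dst> <url>".
# 10.1.1.5 visits a watering hole and then polls a listed C2 every 5 minutes;
# 10.1.1.7 polls an unlisted host (TEST-NET-3 address) every 60 seconds;
# 10.1.1.9 browses a benign site at irregular intervals.
SAMPLE_LOG = """\
2014-08-07T09:00:00 10.1.1.5 eu-society.com http://eu-society.com/index.php
2014-08-07T09:00:01 10.1.1.5 eu-society.com http://eu-society.com/wp-content/js/jquery.js
2014-08-07T09:05:00 10.1.1.5 82.146.166.56 http://82.146.166.56/a.php
2014-08-07T09:10:00 10.1.1.5 82.146.166.56 http://82.146.166.56/a.php
2014-08-07T09:15:00 10.1.1.5 82.146.166.56 http://82.146.166.56/a.php
2014-08-07T09:20:00 10.1.1.5 82.146.166.56 http://82.146.166.56/a.php
2014-08-07T09:00:30 10.1.1.7 203.0.113.10 http://203.0.113.10/img.png
2014-08-07T09:01:30 10.1.1.7 203.0.113.10 http://203.0.113.10/img.png
2014-08-07T09:02:30 10.1.1.7 203.0.113.10 http://203.0.113.10/img.png
2014-08-07T09:03:30 10.1.1.7 203.0.113.10 http://203.0.113.10/img.png
2014-08-07T09:04:30 10.1.1.7 203.0.113.10 http://203.0.113.10/img.png
2014-08-07T09:03:12 10.1.1.9 www.example.org http://www.example.org/news
2014-08-07T09:41:50 10.1.1.9 www.example.org http://www.example.org/news
2014-08-07T10:02:03 10.1.1.9 www.example.org http://www.example.org/about
2014-08-07T11:59:59 10.1.1.9 www.example.org http://www.example.org/
"""


def parse_line(line):
    """Split one log line into its fields; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    return {"ts": ts, "src": parts[1], "dst": parts[2], "url": parts[3]}


def watchlist_hits(lines):
    """Return every event whose destination is a listed C2 or watering hole."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["dst"] in C2_IPS:
            hits.append({**ev, "kind": "c2"})
        elif ev["dst"] in WATERING_HOLES:
            hits.append({**ev, "kind": "watering-hole"})
    return hits


def beaconing_candidates(lines, min_events=4, max_cv=0.2):
    """Flag (src, dst) pairs whose request intervals are suspiciously regular.

    Regularity is the coefficient of variation (population standard deviation
    divided by mean) of the gaps between consecutive requests. Pairs with fewer
    than `min_events` requests are ignored. The threshold is a heuristic: real
    beacons add jitter, so tune it on your own traffic. Returns {(src, dst): cv}
    for flagged pairs, independent of whether dst is on the watchlist.
    """
    times = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            times[(ev["src"], ev["dst"])].append(ev["ts"])

    flagged = {}
    for pair, stamps in times.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue  # duplicate timestamps: no interval to measure
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            flagged[pair] = cv
    return flagged


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for h in watchlist_hits(lines):
        print(f"WATCHLIST {h['kind']:<14} {h['src']} -> {h['dst']} {h['url']}")
    for (src, dst), cv in beaconing_candidates(lines).items():
        listed = "listed C2" if dst in C2_IPS else "NOT on C2 list"
        print(f"BEACONING cv={cv:.2f} {src} -> {dst} ({listed})")
```

Run as-is it reports the two watering-hole requests and four C2 requests from 10.1.1.5 as watchlist hits, and flags both 10.1.1.5 -> 82.146.166.56 and the unlisted 10.1.1.7 -> 203.0.113.10 as beaconing while leaving the irregular browsing of 10.1.1.9 alone. The second finding is the point of running the interval check alongside the list: a C2 list only ever catches infrastructure already known, whereas the regularity of a kernel implant polling its server shows up regardless of the address.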