FROM MY 2nd BOOK -- HOW REAL CYBEROPS AGAINST THE SAID INSTITUTION WOULD WORK -- ON CURRENT PETITIONS
With the current political environment and my second book, Fold The Wagon, which tells a story connected to the 2022 elections, I think I ought to speak especially on the cyber part of the petitions in court. There are too many lies and I can't hold it in anymore. Cyber is science and math, not what is being fed to the public.
I have been doing cyber for more than 22 years, with CNO for almost half of that. Working overseas with real pros has made me a better CNOer.
As I unveil the horseshit we are seeing in those court documents, remember that Cyber Security is part of Cyber and not the other way round. The current state of Cyber is Information Operations, not Information Security, and not the old one either that we used to call Computer Security. Things have changed, my friends.
In my book there is a Computer Network Exploitation operation, but as per the book and its storyline it is not conducted for election purposes; it is a covert collection of intelligence against an individual in the said institution. SIGINTers do this all the time, depending on the orders and objectives. In the novel, that CNO op started around March and is meant as a deep attack into the institution, because evidence was required to nail an offender.
But let's discuss the propaganda and lies we are seeing on social media now, and how a real CNO (Computer Network Operation) would be executed against the said institution's infrastructure.
For an attack on such an institution, the operations to plan, execute and infiltrate would have had to start in 2020, January 2021 at the latest. Remember that IEBC is a large infrastructure with almost 400 computers, servers and endpoints included.
First, the attackers (we will call them "The Operators") would need to do extensive planning and develop the arsenal required to accomplish this operation. They would have to make sure they hold reserve cyber weapons/toolsets in case others are burned during exploitation by EDRs or PSPs (personal security products, i.e. the installed AV) along the way.
Remember that Windows 10 and later ship with AMSI (Antimalware Scan Interface) by default. It is a DLL, amsi.dll, loaded by any process that consumes the interface: PowerShell, Windows Script Host, Office VBA and the .NET runtime among others. When you start PowerShell it is there, and each script block is handed to the registered AV provider (Defender on a stock machine) for a verdict before it runs. Windows also has other guards, such as ETW (Event Tracing for Windows), which we will talk about at a later date and which is also essential for defense at the operating-system level.
So these operators would make sure both are covered during the Resource Development stage, before procedures and concepts are laid down. EDRs also place user-mode hooks in the DLLs every process depends on (ntdll.dll, kernel32.dll) to inspect sensitive API calls and scan for malicious content in memory, on top of kernel callbacks and ETW telemetry. The operators would need to unhook or avoid these too, which means first identifying which AV and EDR the target actually runs. This would be a major part of the CONOPs (Concept of Operations), which is tested and finished in stage two.
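Added here by the editor, not part of the original post: a PowerShell check of the AMSI claim above. It shows amsi.dll loaded in the PowerShell host you run it from, lists which other processes currently carry the DLL, and reads the registered AMSI provider out of the registry. Everything it touches is stock Windows 10/11; the only assumption is that you run it from a 64-bit PowerShell with enough rights to open the processes you care about (anything it cannot open is skipped).

```powershell
# Added example (not from the original post): verify the AMSI claim on a live
# Windows 10/11 host. Assumes a 64-bit PowerShell; processes you cannot open
# (other users', protected processes, 32-bit seen from 64-bit) are skipped.

# 1. amsi.dll in this PowerShell host.
$self = [System.Diagnostics.Process]::GetCurrentProcess()
$amsi = $self.Modules | Where-Object { $_.ModuleName -ieq 'amsi.dll' }
if ($amsi) {
    "amsi.dll loaded in PID $($self.Id) ($($self.ProcessName)) from $($amsi.FileName)"
} else {
    Write-Warning "amsi.dll is not loaded in this host; on a stock build that itself is worth investigating."
}

# 2. Every other process that currently has it loaded. Script hosts, Office and
#    .NET apps opt in; most plain native binaries never load it.
$withAmsi = foreach ($p in Get-Process) {
    try { $mods = $p.Modules } catch { continue }   # access denied / WOW64 mismatch
    if ($mods | Where-Object { $_.ModuleName -ieq 'amsi.dll' }) {
        [pscustomobject]@{ PID = $p.Id; Name = $p.ProcessName }
    }
}
$withAmsi | Sort-Object Name | Format-Table -AutoSize

# 3. Who receives the scan requests: AMSI providers are COM objects registered under
#    HKLM\SOFTWARE\Microsoft\AMSI\Providers. Defender's is the only one on a stock box;
#    a missing or foreign CLSID here is an IOC in its own right.
Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $clsid = $_.PSChildName
        $name  = (Get-ItemProperty "HKLM:\SOFTWARE\Classes\CLSID\$clsid" -ErrorAction SilentlyContinue).'(default)'
        [pscustomobject]@{ ProviderCLSID = $clsid; Name = $name }
    } | Format-Table -AutoSize
```

Run it from an elevated prompt to see the full process list; from a normal user session you still get the first and third checks, which are the two that matter for the "AMSI is always there" point.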
The operators would need to understand the environment they are about to work in, because according to the petition the objective of the whole CNO operation would be to replace the images/PDFs uploaded from polling stations. That means intercepting, duplicating, cloning and inserting data in real time, so the adversary would need a really good toolset: implants that socket back to the attacker's controller module/network, EDR unhooking and other bypasses, plus Artificial Intelligence capability to execute the objectives outlined above (intercept, duplicate, clone devices and insert data in real time). If this was done, then hats off to the new APT; we will call it APT-Simba-Mkuu. But in reality these are the kind of ops many SIGINTers have run against institutions suspected of terrorism links.
First things first: the operators would need to run OPE, Operational Preparation of the Environment. They would write light tools to pull exactly the information they need from systems they can reach easily, tools they do not care about if they get burned, and they would see what is reachable publicly. The tools used here are small stealers, implants and loaders acting as Stage 0, also called the burn-and-use toolset.
Getting public information is easy: old-school reconnaissance methodology gives up domains, IP addresses, some emails and so on. But the data that changes how OPE proceeds comes from the burn-and-use tools. These tell the operators the internal IP ranges and machine/station subnetting, the operating systems in use, which PSP may be in place, the server infrastructure/VLANs, AD information, which subnet the ICT people sit on, whether there is a hidden subnet, and whether there is any form of air gapping. This is done quickly.
With this understanding, the operators prepare a lab replicating the target from the intelligence just collected, for wargaming and R&D. This is where the rubber meets the road.
Welcome to stage two of the OCO (Offensive Cyber Operations). This is where the real planning is done, because the important part is that you do not want to be caught. You need access for as long as possible, with heavy collection and especially surveillance on target machines. That would mean a full dragnet of the IEBC infrastructure without anyone ever knowing you were there. These are the actual APT standards. This is cyberops SOP. Check out the differences between MIL and civilian services below, during phase 1 and 2 planning:
In stage two there will be a lot of back and forth. Maps are drawn of the areas of concern, and the operators wargame what goes where and what happens when a certain tool is discovered/blown, then how to quietly replace it from the reserve weapons. The planning also covers which programming languages to use, which concepts to use during the operation and how to sequence the tooling, which EDR and PSP is in place, which tools/weapons are needed and how to chain them, who the ICT people at the target location are, what their work ethic is like, and whether anyone among them is exploitable, etc.
Then the tooling starts. This is stage three, roughly three months after stage two, once the wargaming is cleared and the operators know what to do with minimal risk on the tango. Let's say mid-2020.
The operators start developing the tools. They need to buy the EDR running on the subject network, or find another way to get a copy of it. They test what they are writing against it, pick the best working bypasses and the best unhooking, and keep testing as the tools are built and stockpiled. They have to get servers ready, plus domains, proxying channels to C2 and the other resources required for online operations. They have to master how the toolkit chains together before execution. All of this is tested in their lab environment, and the reserve toolset is built and tested too.
The lab infrastructure has to guarantee that samples executed during testing are never caught or uploaded to sandboxes, because that would be a burn before the operation even starts. All tools should be finished, with no accidental leak of offensive code, before the push to the AOO (Area of Operations).
Remember that by default Microsoft Defender runs with cloud-delivered protection and automatic sample submission enabled, so anything it finds suspicious, even a batch file, can be uploaded to Microsoft for analysis. Windows does not itself upload to VirusTotal; samples land there when analysts or other tools submit them during telemetry checks, but the effect is the same: the sample is burned.
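Added here as an example, not part of the original post: the Defender settings behind that upload behaviour, read and (for a network-isolated lab VM only) switched off with the standard Get-MpPreference/Set-MpPreference cmdlets. It assumes an elevated PowerShell on a Windows 10/11 box running Microsoft Defender Antivirus. Tamper Protection or a managed policy can refuse the change, which is why the script re-reads the values afterwards instead of trusting the call.

```powershell
# Added example (not from the original post): read Microsoft Defender's cloud
# submission settings and, only on a network-isolated lab VM, turn them off so
# test samples stay local. Run from an elevated PowerShell on Windows 10/11.
# Tamper Protection or Intune/GPO policy can silently refuse the change, hence
# the re-read at the end.

$IsIsolatedLab = $false   # flip to $true only on a throwaway, isolated lab host

$pref = Get-MpPreference

# SubmitSamplesConsent: 0 = always prompt, 1 = send safe samples automatically,
#                       2 = never send,    3 = send all samples automatically
# MAPSReporting:        0 = disabled, 1 = basic, 2 = advanced (cloud-delivered protection)
$pref | Select-Object MAPSReporting, SubmitSamplesConsent, DisableRealtimeMonitoring

if ($pref.SubmitSamplesConsent -ne 2) {
    Write-Warning "Automatic sample submission is on (SubmitSamplesConsent=$($pref.SubmitSamplesConsent)); anything Defender flags here can leave this box."
}

if ($IsIsolatedLab) {
    # Keep the engine running (so detections are still observed), stop the uploads.
    Set-MpPreference -SubmitSamplesConsent 2   # NeverSend
    Set-MpPreference -MAPSReporting 0          # Disabled

    $after = Get-MpPreference
    if ($after.SubmitSamplesConsent -eq 2 -and $after.MAPSReporting -eq 0) {
        "Cloud submission disabled on this host."
    } else {
        Write-Warning "Settings did not take effect; Tamper Protection or managed policy is enforcing them."
    }
}

# What Defender has already flagged locally: each entry is a sample the team
# should treat as burned regardless of whether it was uploaded.
Get-MpThreatDetection |
    Sort-Object InitialDetectionTime -Descending |
    Select-Object -First 10 InitialDetectionTime, ThreatID, Resources
```

On a production host these settings stay on; the point of the script is that a research VM which still reports to the cloud will leak your samples long before the operation, exactly the burn described above.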
Coding and testing can take 4 to 6 months, so the CNE would start at the end of 2020, with the full operation running from January 2021 to this year.
The adversaries would gain access and move laterally as they did during OPE, but this time slowly and more subtly, collecting data and pushing surveillance onto each machine of interest. For example, on the ICT VLAN they would make sure they are keylogging every keyboard and click, recording the microphone to capture what everyone says at their desks, and taking screenshots so no event is missed. In the counsel/lawyers' office they would take webcam captures from each desktop: who is meeting whom, which legal challenges exist, and screenshots of which tasks/assignments each officer is working on. Then down to the senior management floor, where microphones, webcam shots and file downloads would be really important for the adversary leadership's decision making as operations continue.
If all this is done cleanly, the next step would be to find machines owned by contractors. These usually hold amazing data, including information on hidden infrastructure or the air-gapped boxes. If the operators get onto those, well and good; they would be on the main databases in no time.
With this full dragnet, the adversaries would be able to move within the institution and observe as decisions are made, from the high offices to ICT, to contractors and to everyone working in that organization. The operators would also have easy access to move their tools and to implant mobile devices such as tablets and phones, which matters for intercepting SMS, Signal, WhatsApp, Telegram and so on. As you can see, this requires seasoned teams.
So let's look at the TTPs that would be on this op. From stage one to the last, some IOCs would be caught somewhere: by Microsoft Windows, a PSP or an EDR. If, say, the initial access was a phishing attack via attachment, then there is an email somewhere, even though once the operators get in they will try to delete it using what the ATT&CK framework calls Defense Evasion. But if that phish was a document whose macro or script passed through AMSI and tripped a detection, Microsoft's telemetry (MSTIC) would have caught it, collected the IOC and sent the sample to its sandboxes for evaluation. That would be sample one, and with it in use as early as 2020 for OPE, by now every sandbox and the major CTI reporting avenues, the whole cyber security community, would know about the new adversary APT-Simba-Mkuu and its tactics.
However, the initial access tactics they would use:
a) Use of an insider.
b) Wi-Fi penetration.
c) Phishing attack.
d) If they are good, then some supply chain tactic.
Execution and Persistence
a) There would be some command-line activity here and there, probably dropping VBS, BAT, WMI and PowerShell on Windows, and bash scripts on Unix/Linux boxes, etc.
Defense Evasion
a) Maybe manipulation of access tokens.
b) To bypass Mark of the Web during phishing they could deliver containers (IMG, ISO etc.) carrying the stage-one downloader or loader, or even Stage 0.
c) Execution guardrails would be used a lot, especially on the loaders, because loaders bring the real first-stage implants to bear; they would not want such a PE or ELF caught or detonated outside the target environment.
d) With loaders coming in, hiding essential artifacts is paramount, which means we would later see some serious EDR unhooking to impair defenses, removal of other IOCs, and obfuscation of the executed files. Obfuscation would also be very heavy on initial access and entry, both during OPE and the main CNO op. As they bring in the implants, in some cases they would side-load DLLs depending on which target they are collecting from and how it is secured, among many other techniques.
e) We would also expect to see hijacking of process and application execution flow (for example DLL search-order or COM hijacking).
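Added here as an example, not part of the original post: what Mark of the Web actually is on disk, so the container trick in (b) is concrete. MOTW is the Zone.Identifier alternate data stream that browsers and mail clients stamp on a downloaded file; Office Protected View and SmartScreen key off its ZoneId. The script stamps a constructed, harmless file, reads the zone back, then shows that a raw byte copy (the situation for a file pulled out of an ISO on older Windows builds) carries no stream at all. Paths and URLs are constructed for the demo. Caveat: newer Windows builds propagate MOTW to files inside mounted ISO images, so whether the container bypass works depends on the target's patch level, not just on the file type.

```powershell
# Added example (not from the original post): Mark of the Web is just an NTFS
# alternate data stream named Zone.Identifier. Stamp a constructed file, read the
# zone back, then show what a stream-less byte copy looks like. Paths/URLs are
# constructed for the demo; requires an NTFS volume (the default for %TEMP%).

$demo = Join-Path $env:TEMP 'motw-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null

# Harmless text file standing in for an attachment, stamped the way a browser would.
$file = Join-Path $demo 'attachment.txt'
Set-Content -Path $file -Value 'benign sample content'
Set-Content -Path $file -Stream 'Zone.Identifier' -Value @(
    '[ZoneTransfer]'
    'ZoneId=3'                                        # 3 = Internet zone
    'ReferrerUrl=https://example.invalid/'            # constructed
    'HostUrl=https://example.invalid/attachment.txt'  # constructed
)

function Get-Motw {
    # Returns the ZoneId (0 Local, 1 Intranet, 2 Trusted, 3 Internet, 4 Restricted)
    # or $null when the file carries no Zone.Identifier stream.
    param([Parameter(Mandatory)][string]$Path)
    $zi = Get-Content -Path $Path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    if (-not $zi) { return $null }
    foreach ($line in $zi) {
        if ($line -match '^ZoneId=(\d)$') { return [int]$Matches[1] }
    }
    return $null
}

"Stamped file ZoneId: $(Get-Motw $file)"

# The "extracted from a container" situation: same bytes, but written fresh, so the
# stream is gone and Protected View / SmartScreen have nothing to key off.
$copy = Join-Path $demo 'attachment-from-iso.txt'
[IO.File]::WriteAllBytes($copy, [IO.File]::ReadAllBytes($file))
$copyZone = Get-Motw $copy
"Byte-copied file ZoneId: $(if ($null -eq $copyZone) { 'none' } else { $copyZone })"

# Triage helper: files in a folder that lack MOTW, which is exactly what a
# container-delivered payload looks like after extraction.
Get-ChildItem -Path $demo -File |
    Where-Object { $null -eq (Get-Motw $_.FullName) } |
    Select-Object Name, Length, LastWriteTime
```

For incident work the last pipeline is the useful part: run it over a user's Downloads or Outlook attachment cache, and executables or Office files with no Zone.Identifier stream are the ones that skipped the controls and deserve a look.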
Surveillance
a) This would be heavy, starting with password/credential capture. They would definitely need access to the portals to act as a real employee, to log into the server arrays downstairs as the ICT team, and to reach other essential services as ICT personnel.
b) The operators would collect surveillance data laterally across the infrastructure, i.e. keylogs, audio, screenshots, folders/files, webcams, cloned boxes etc., via a command-and-control channel to a listening post. Collection/exfiltration would be heavy and spread across several C2 servers around the globe, hidden in HTTPS or maybe even shaped at the packet level to look like PDF upload traffic, to avoid scrutiny, especially for the stealers.
Objective & Impact
a) The attackers now have full covert access to the network. They can control everything: the portals, all servers, all endpoints, plus any devices required for the objective. This is a full dragnet. They can intercept and duplicate anything. The issue is keeping the delay minimal. Remember that those PDFs are sent via email and also uploaded via FTP and the web from polling stations. The implants running the objective have to understand all these channels, capture the data, intercept every resource used for the uploads, change what is needed before anyone sitting at a desk notices a delay, then replace the targeted data and have the recipient upload the double to the portal. Apart from this implant, the actors would also drop a silent backdoor to recover access in case they are caught, anything from a webshell on a web server to a housekeeping implant on quiet, rarely used boxes.
There is also this scenario going around about an actor going for the web servers. Let's debunk it, because there is a lot of script-kiddie horseshit in there. Any CNOer/SIGINTer would tell you that for this kind of objective everything requires stealth and skill, and none of those professionals would approach it with such a Course Of Action (COA). CNO-skilled planners would shoot it down real quick at inception.
But anyway, for the sake of understanding how this would work: the operators would need to find a 0-day in the web application service that is publicly reachable. Then they would have to spend time writing the exploit and perfecting it so they don't crash the live system while it is being heavily accessed by millions of users, which is very hard to pull off reliably against such a service just to get a shell. With high confidence, I am sure it would cause a denial of service instead, or render the operating system unstable and therefore shut it down.
But let's believe it works for a moment; script-kiddies are also humans, let's give them some credit. They would need to upload a webshell as the first backdoor, a new one that the web server application supports. Then they would need a local exploitation toolkit for privilege escalation. After attaining UID 0 (root), what next? An implant with AI capability to quickly manipulate data.
This scenario would fail badly, and it is the kind of tactic a beginner/skiddie would suggest, because in real-life operations, as someone's APT, we would have to think about defensive action and make sure we have housekeeping access. Stealth is also paramount in real ops, so the idea of going through the web application is thrown out the window right away because it totally dumps operational security.
SUMMARY
All in all, this blog showcases the tool sequencing and TTPs that would successfully breach that institution's security. So when anyone goes and presents that there was some form of hacking, we need to see those IOCs, since they are the first bunch of evidence in a scientific investigation after a cyber incident. The adversaries would use lots of tools as they executed the requirements. In short, the cyber security community needs to first stress the need for IOCs to affirm infrastructure penetration and show there was a system breach, because that is where we would derive the TTPs used by the attackers, and from there we can tell this was no conjecture. Otherwise, ladies and gentlemen, everything else is horseshit, noise and wind. Cyber investigations and evidence collection are conducted through science and math for both Defensive Cyber Operations and Offensive Cyber Operations.