Technical Report about the RUAG attack

Published: 2016-05-23
Last Updated: 2016-05-24 13:39:04 UTC
by Rick Wanner (Version: 1)
4 comment(s)

RUAG is a Swiss based company that participates in the aerospace, defense, and space industries. In January of 2016 they detected an external compromise in their network. Further investigation revealed that they had been compromised since at least September of 2014.

The most interesting thing, in my mind, is that this attack was not particularly advanced or stealthy but demonstrated an almost textbook attack profile. From the report summary:

" The attackers showed great patience during the infiltration and lateral movement. They only attacked victims they were interested in by implementing various measures, such as a target IP list and extensive fingerprinting before and after the initial infection. After they got into the network, they moved laterally by infecting other devices and by gaining higher privileges."

They went after high profile targets:

" One of their main targets was the active directory, as this gave them the opportunity to control other devices, and to access the interesting data by using the appropriate permissions and group memberships"

Command and Control (C&C) and exfiltration was over HTTP on port 80, a port almost every organization will have open.

" The malware sent HTTP requests to transfer the data to the outside, where several layers of Command-and-Control (C&C) servers were located. These C&C servers provided new tasks to the infected devices."

This report is good reading for system and network defenders because it describes the various components of the attack.  It is interesting to read and ask if you have the instrumentation and controls in your network to prevent or at least detect a similar compromise.

The recommendations are not ground-breaking.  They are things we have all heard before and should be doing in our own networks, but inevitably get push back when recommend or try to implement due to the perceived impact on users. Here is a high level summary of the recommendations:

System level

  • blocklisting and whitelisting 
  • minimizing privilege
  • restricting common hacker tool usage
  • up to date patching and updates

Active Directory

  • closely monitor your crown jewels
  • two factor authentication
  • have AD externally audited regularly

Network Level

  • all Internet traffic through one choke point
  • proxy and log all Internet access
  • internal network segregation
  • internal network instrumentation (netflow data logging)
  • DNS logging

Logging 

  • long term log archives (2 years or more) of crucial systems such as 
  • centralized logging
  • continuous log analysis against known IOCs

The summary report is available here.  The detailed report is available here.

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)

Keywords:
4 comment(s)

Comments

For me personally, the link in your article didn't work until I removed the trailing:
.download.pdf/TR-ZF-e.pdf
The link that worked for me was:
https://www.melani.admin.ch/dam/melani/en/dokumente/2016/technischer_bericht_apt_case_ruag_summary.pdf
It could be my network not liking the subsequent .pdf .pdf perhaps.
Psst: the link to the detailed report points to a "local" file (c:).
Looks like one of the links was messed up. Fixed. Thanks for the pointer.

Rick
Interesting. Double checked that link and it works for me on a couple of different computers and browsers. Weird proxy maybe?

Diary Archives