RedSocks' deep dive into the Hacking Team data: "the 5163 unit was the most active". Connected from at least 109 IPs in at least 15 countries; used a variety of virtual private servers to infect targets.

RedSocks, a malware detection and security company headquartered in the Netherlands, published on the 21st the results of its back-tracing and in-depth analysis of the detailed data leaked from Hacking Team. Go to the article ☞ http://bit.ly/1IjRJhn

Tuesday, July 21, 2015

Deep dive into attribution trove of Hacking Team

Attribution is probably one of the toughest things to deal with during a major cyber security breach, yet it is one of the most demanded skills.

In early incident response cases, attribution was based solely on IP address location. Even though proxy servers have been there all along, individuals, companies and researchers could easily get away with this type of attribution.

Attribution and Advanced Persistent Threats

In recent years, and especially since the community has started to attribute and specifically mention certain hacker groups by giving them a name, this ability to attribute cyber attacks has been a spearhead for companies to showcase their skills. Often fashionable names were created, and in other cases solely the abbreviation APT (Advanced Persistent Threat) with a connecting number has been used to identify specific hacker groups.
Attribution is not easy; attribution can be based on all sorts of circumstantial evidence. As long as that unique, specific blueprint pops up during the whole attack, you can attribute an attack.

One thing most people often forget is that we are living on a huge globe, with continents, habits and completely different mindsets. Cyber attacks in Europe and America are completely different by nature from cyber attacks in the Asia Pacific region, let alone from Russia.

Hacking Team

In order to help future attribution cases, we @RedSocks have decided to pinpoint all specific details from the Hacking Team leak as much as possible, and get into the slightest detail in pinpointing who is behind them.

What stands out most is the different use-cases you see in how specific parties are maintaining contact with Hacking Team. There are clients that don't really mind if their identity is known, clients that are in a hurry, and clients that care about their identity. A lot of Hacking Team's clients, for example, use Gmail, Yahoo and Outlook email addresses. Some clients even prefer to only have contact by phone, and others only via encrypted email.
It turns out a few (if not all) customers prefer to have their Collector server in their own home country.

The massive Hacking Team leak allowed us to gain insight into the client infrastructure of Hacking Team. The Hacking Team company used various anonymizers, and you can find them in our previous post on Hacking Team.

At the bottom of this blog post is a list of associated Hacking Team Collector server anonymizers and connected email addresses.

These details should give researchers the ability to gather valuable information about current and future APT groups, their tool set, IP ranges, capabilities and motives.

We have highlighted some for you:

The 5163 Army Division customer

This customer was one of the most active users; it is associated with the email address devilangel1004@gmail.com. It has connected with at least 109 different IP addresses from at least 15 different countries. All of them were Tor exit nodes.
It can be noted that this customer had good operational security in place in order to hide its original location on the internet.

This customer was using a large variety of VPS infrastructure to infect its targets:

DE – 198.105.125.107

The 5163 Army Division is thought to be the front office of the National Intelligence Service of South Korea.

To summarize some very specific characteristics that can be noticed during an attack, I have decided to write down some that are able to help you, and others that can easily cause tunnel vision and thus should be taken less into account.

Attribution:

Helpful:

Tunnel vision:

Below is a list of customer email addresses, customer code names, customer names and connecting IP addresses. Researchers wishing to receive the complete list are free to contact us.

Email address | Code name | Customer name | Connecting IP | Country
devilangel1004@gmail.com | SKA | devilangel | 176.10.99.202 | CH (translator's note: Switzerland)
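The check behind the "all of them were Tor exit nodes" finding for the 5163 Army Division customer, as an added example that is not RedSocks' code or data. It parses a snapshot in the format of the Tor Project's published exit list (ExitNode / Published / LastStatus / ExitAddress records), matches each logged connection against exit addresses seen close to the connection time, and reports how much the IP geolocation is still worth. The exit-list entries, fingerprints, the country table standing in for a dated GeoIP database, and the connection log are all constructed for illustration; 176.10.99.202 is the Swiss address from the customer list above, the other addresses are documentation ranges.

```python
"""Match a collector's connection log against a dated Tor exit-list snapshot.

Added example, not RedSocks' code. All data below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed snapshot in the layout of the Tor Project's exit list
# (check.torproject.org/exit-addresses). Fingerprints and times are made up.
EXIT_LIST = """\
ExitNode 0123456789ABCDEF0123456789ABCDEF01234567
Published 2015-06-30 22:00:00
LastStatus 2015-06-30 23:00:00
ExitAddress 176.10.99.202 2015-06-30 22:30:00
ExitNode 89ABCDEF0123456789ABCDEF0123456789ABCDEF
Published 2015-06-30 22:05:00
LastStatus 2015-06-30 23:00:00
ExitAddress 198.51.100.17 2015-06-30 22:40:00
ExitNode FEDCBA9876543210FEDCBA9876543210FEDCBA98
Published 2015-06-29 10:00:00
LastStatus 2015-06-29 11:00:00
ExitAddress 203.0.113.9 2015-06-29 10:20:00
"""

# Constructed country lookup; a real check uses a GeoIP database dated to the log.
COUNTRY = {
    "176.10.99.202": "CH",
    "198.51.100.17": "DE",
    "203.0.113.9": "US",
    "192.0.2.44": "NL",
}

# Constructed connection log as a Collector server would record it: (time, source IP).
CONNECTIONS = [
    (datetime(2015, 6, 30, 22, 35), "176.10.99.202"),
    (datetime(2015, 6, 30, 22, 50), "198.51.100.17"),
    (datetime(2015, 6, 30, 23, 10), "203.0.113.9"),   # exit record is a day old: not counted
    (datetime(2015, 6, 30, 23, 12), "192.0.2.44"),    # never listed as an exit
]


def parse_exit_list(text):
    """Return {exit IP: [(relay fingerprint, time the exit address was seen), ...]}."""
    index = defaultdict(list)
    fingerprint = None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "ExitNode":
            fingerprint = parts[1]
        elif parts[0] == "ExitAddress":
            seen = datetime.strptime(f"{parts[2]} {parts[3]}", "%Y-%m-%d %H:%M:%S")
            index[parts[1]].append((fingerprint, seen))
    return dict(index)


def was_tor_exit(index, ip, when, window=timedelta(hours=3)):
    """True if `ip` was recorded as a Tor exit address within `window` of `when`.

    Exit addresses change over time, so a record far from the connection time
    is not evidence that this connection came through Tor.
    """
    return any(abs(when - seen) <= window for _, seen in index.get(ip, ()))


def summarize(connections, index, country_of):
    """Counts a reader of the post would want: distinct IPs, countries, Tor share."""
    ips = {ip for _, ip in connections}
    countries = {country_of.get(ip, "??") for ip in ips}
    non_tor = sorted({ip for when, ip in connections if not was_tor_exit(index, ip, when)})
    return {
        "distinct_ips": len(ips),
        "distinct_countries": len(countries),
        "tor_connections": sum(was_tor_exit(index, ip, when) for when, ip in connections),
        "non_tor_ips": non_tor,
        # Once every connection is a Tor exit, the country spread describes where
        # exit relays sit, not where the operator is.
        "ip_geolocation_meaningful": bool(non_tor),
    }


if __name__ == "__main__":
    print(summarize(CONNECTIONS, parse_exit_list(EXIT_LIST), COUNTRY))
```

The time window is the part that matters in practice: an address that was an exit last week may be a plain VPS today, which is exactly the kind of host the post lists as infection infrastructure, so a match is only meaningful when the exit record and the connection are close in time.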