Sercan Azizoğlu's Personal Website
December 4, 2024

The Art of Cyberwarfare by Jon DiMaggio - A Book Review

Posted on December 4, 2024  •  20 minutes  • 4048 words

The Book

Jon DiMaggio, chief security strategist at Analyst1, wrote The Art of Cyberwarfare. He has also worked at various companies that use cyber threat intelligence. The book was published in 2022 and can be found on Amazon.

In the book, he explains advanced threat actors and the roles and operations of nation-states in the cyber domain. It helps readers understand those actors’ motives for their actions in cyberspace, and its historical case studies are invaluable for understanding how the domain has evolved.

He also guides readers through analyzing potentially malicious activity, taking proactive and reactive measures for incidents, and attributing an attack to a threat actor using the relevant methods. If you’re interested in the roles and motives of nation-state actors and criminal groups in cyber warfare and cyberattacks, you should check out his “guide to espionage, ransomware and organized crime.”

I want to cite specific points from the book:

The Citations

Anthem provided healthcare benefits to U.S. federal government employees, so by comparing the stolen healthcare data with travel information disclosed in security clearance investigations, the attacker was able to correlate a list of individuals they believed to be CIA intelligence operatives secretly working in Africa and Europe. (p.16)

Nation-states succeed in targeting private-sector companies because the companies either don’t believe a foreign government will attack them or simply don’t understand how to defend against advanced attackers. (p.16)

In Anthem’s case, the total cost due to the breach is unknown; however, a U.S. court ordered Anthem to pay $115 million in 2018. (p.17)

Essentially, the adversary had won, silencing Sony. Eventually Sony did a limited film release, which made far less than initially projected. This is one of the most well-known and publicized examples demonstrating how nation-state attackers target private corporations. (p.18)

They are patient, objective-oriented, and have vast resources at their disposal. For these reasons, mitigation is often the most misunderstood and mishandled aspect of defending against nation-state attacks. If you begin preparing for a nation-state attack while it’s underway, or even when you realize you’re being targeted, it’s too late. (p.19)

In June 2016, the North Atlantic Treaty Organization (NATO) recognized cyberspace as an official domain of warfare. (p.24)

Since the discovery of Titan Rain, however, the United States has identified a growing number of nation-state espionage groups originating from China. Allegedly, China has launched some of the most successful cyber-espionage campaigns to date. (p.26)

Since Hidden Lynx had access to Bit9’s genuine certificate, it could whitelist any file it wanted. (p.26)

…a watering hole is a legitimate website taken over by an attacker and used to infect visitors. (p.26)

For the first time, a private-sector company had forced a military organization to cease operations. (p.27)

To identify the hacker, Stoll decided to set a trap that would lure the attacker into a specific part of the system while allowing him to trace the malicious activity back to its source. In other words, he set up the world’s first honeypot. (p.31)

…to identify him as Markus Hess, a man located in Hannover, Germany. As it turns out, Hess was a student at the University of Hagen who worked as a hired operative for the KGB conducting hacking operations on behalf of the USSR. (p.31)

Today, Russia operates one of the most advanced offensive cyber programs. (p.31)

Using this method, the DoD learned the stolen files had been exfiltrated to an IP address associated with the Russian Academy of Sciences, a government-supported organization linked to the Russian military. (p.33)

For additional information about Moonlight Maze, take a look at the detailed and accurate summary of the investigation written by Chris Doman, “The First Cyber Espionage Attacks: How Operation Moonlight Maze Made History,” at Medium.com. (p.34)

Hagelin agreed to provide the new model to the U.S. government for review before it went to market. This alone provided the United States with an obvious strong advantage, since the technology was cutting-edge at the time. (p.47)

…when the programmable logic controllers (PLCs)—units responsible for controlling and monitoring plant operations—began to reboot randomly. (p.49)

To investigate the issue, plant administrators sent logs and data to VirusBlockAda, an endpoint security vendor based in Belarus. (p.49)

Finding that it used multiple zero-days is substantial, since before Equation, Stuxnet was the only malware seen with this level of exploitation capability. (p.52)

Sinkholing is when a defender isolates communications intended for adversary infrastructure and redirects them to their own infrastructure for defensive and analysis purposes. (p.53)

Additionally, the team identified a number of Equation C&C domains in which the registration had expired. Reregistering the expired domains allowed GReAT to stand up expired infrastructure. (p.54)

Arguably the most impressive module allows for the collection of traffic from GSM base station controllers. This capability enables the attacker to spy on mobile phone networks, something no other malware discussed in this book can do. (p.55)

…according to reporting from The Intercept, the cleanup operation may have failed, leaving the attacker with a stealthy foothold to continue operations. Publicly, Belgacom disputes the claim, making it challenging to know if the attacker still has access. (p.56)

One of the reasons victims are in the dark is due to Regin’s method of storing and exfiltrating stolen data. Regin stores victim data in memory and then transfers it to an attacker-controlled server without ever writing to the victim disk. While other malware has used memory to store small amounts of its own code, it’s rare to see memory used to collect and store stolen victim data. (p.56)

Another unique and interesting event involving Regin took place in 2011, years before its discovery. In 2011, before version 2.0’s operational use, version 1.0 samples appear to have intentionally been removed from existence. (p.57)

The limited samples found in the wild exist only because the attackers made mistakes during the removal process or lost access to the environment before its deletion. (p.57)

These experts require greater knowledge and understanding of the adversary than most threat analysts, as they need to understand the political and military motivations of the attacker and remain up-to-date on the country’s current events. (p.59)

Here’s something you may not have realized: Financial gain isn’t always the objective of these nation-state attacks. (p.60)

The governments that executed these operations—primarily Iran and North Korea—did so to make a statement, retaliate, or weaken the economic strength of the nation in which the bank operates. (p.60)

Cybersecurity officials blamed China at first: the attack relied on adversary infrastructure located in China, and Chinese names were found in the malware. Future evidence would later prove these attributions incorrect, serving as an excellent example as to why it is smart to use more reliable supporting evidence before making public attribution assessments. (p.66)

…the attackers directly infected the intended target with the wiper, which itself functioned as a denial of service. (p.66)

…before deploying the wiper malware on victims’ systems, the attackers gained control of an account with administrative access to Ahnlabs’ patch management software within the targets’ local environment. (p.66)

If the victims had installed either Hauri or Ahnlabs antivirus software on their systems, the wiper component activated itself only after disabling the security software, ensuring its successful execution. (p.68)

The attackers often were not interested in compromising additional recipients; however, they included them, so the actual target saw familiar email addresses in the “To” or “CC” line of the email. This tactic demonstrates the level of detail and planning the attackers put into their spear-phishing emails. (p.71)

…a unique attribute of these attacks is the amount of time the North Korean attackers spent learning the banks’ policies and procedures. Here, the objective for the attackers was to better understand how employees handle and conduct financial transactions. (p.72)

The drawback of fileless malware is its lack of persistence. Since the disk is not written to, fileless malware can be deleted if the infected system reboots or restarts. The NESTEGG malware, however, addresses this shortcoming by monitoring the victim system to detect shutdown and reboot functions. When it identifies either of these events, the malware installs a copy of itself onto the victim’s hard drive to reinstate itself once the operating system restores. After rebooting and reinstalling, the malware deletes the copy written to the hard disk and once again exists only in memory on the victim system. (p.74)

Typically, no single entity would (or should) have complete access to the systems and components used to conduct a bank’s financial transactions. (p.75)

Bangladesh’s network may have been particularly vulnerable, as it reportedly lacked a firewall to protect against outside intrusion. (p.75)

This included the operator accounts necessary to access the local SWIFT Alliance application. (p.75)

If the targeted institution had proper security controls in place, the creation of the operator accounts should have appeared to the institution as an uncommon or unusual event. (p.76)

In addition to this, the attackers unsuccessfully attempted to log in to the Alliance application. Unfortunately, neither the creation of the operator accounts nor the failed login attempts alerted anyone, and the attackers gained complete access to the bank’s local SWIFT systems. (p.76)

In February 2016, the attacker-created SWIFT operator accounts attempted at least 35 transactions. In total, North Korea tried to steal nearly one billion dollars from the Bangladesh Bank. (p.76)

Ironically, these attackers, who spent a year carefully planning every detail of the heist, made a mistake in the most critical phase of their attack: they misspelled the name of a destination bank in one of the transaction requests. (p.77)

Still, the attackers successfully made away with approximately 101 million dollars from Bangladesh Bank. (p.78)

Experts theorize that North Korea targets smaller banks in countries with weaker economies, as these are likely to have less operational funding and therefore are more likely to have outdated software and security controls. (p.78)

FASTCash operations have become one of the largest growing threats to financial institutions. (p.80)

While nation-state attacks are rare, the monetary loss from a single attack is far greater than that from traditional cyberattacks. (p.84)

For example, WannaCry—arguably the most destructive ransomware attack to date—would fail to execute if Kaspersky, ESET, or Symantec antivirus software was up-to-date and running on the victim system. (p.85)

The spear-phishing emails delivered a Microsoft Excel document, which exploited the Dynamic Data Exchange (DDE) to provide attackers with the initial access to the victim system. (p.86)

Of particular note: the PowerShell commands were Base64 encoded, making their actions difficult to identify. As a defender, you should look for encoded PowerShell commands actively running in your environment. Attackers commonly use this tactic, which has little legitimate use in a production environment. (p.87)
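The check the author recommends here, as an added example that is not from the book: a small Python scanner over constructed process-creation log lines that recognises every accepted spelling of PowerShell’s -EncodedCommand switch, decodes the Base64-wrapped UTF-16LE payload so an analyst can read what actually ran, and notes companion switches (hidden window, no profile, non-interactive) that have little legitimate use in production. The log format, the sample lines and the flag list are assumptions.

```python
import base64
import binascii
import re

def _enc(script: str) -> str:
    # PowerShell requires an encoded command to be Base64 over UTF-16LE text.
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")

# Constructed sample process-creation log lines (assumed format: "<timestamp> <user> <command line>").
# Two of them carry encoded PowerShell; the payloads are built above so the sample stays readable.
SAMPLE_PROCESS_LOGS = [
    "2024-12-04T10:01:12Z alice powershell.exe -NoProfile -File C:\\scripts\\backup.ps1",
    "2024-12-04T10:02:45Z svc-build powershell.exe -nop -w hidden -EncodedCommand "
    + _enc("Invoke-WebRequest http://example.invalid/a"),
    "2024-12-04T10:03:10Z bob cmd.exe /c dir C:\\Users",
    "2024-12-04T10:04:30Z carol POWERSHELL.EXE -e " + _enc("Get-Process | Out-File C:\\temp\\p.txt"),
]

_POWERSHELL = re.compile(r"(?i)\b(?:powershell|pwsh)(?:\.exe)?\b")
# Every unambiguous prefix PowerShell accepts for -EncodedCommand, followed by the Base64 token.
_ENC_SWITCH = re.compile(
    r"(?i)(?:^|\s)-(?:e|ec|en|enc|enco|encod|encode|encoded|encodedc|encodedco|"
    r"encodedcom|encodedcomm|encodedcomma|encodedcomman|encodedcommand)\s+([A-Za-z0-9+/=]+)"
)
# Switches that commonly accompany malicious use and rarely appear in production scripts (assumed list).
_FLAGS = {
    "hidden window": re.compile(r"(?i)-w(?:indowstyle)?\s+hidden\b"),
    "no profile": re.compile(r"(?i)-nop(?:rofile)?\b"),
    "non-interactive": re.compile(r"(?i)-noni(?:nteractive)?\b"),
}

def decode_encoded_command(token: str):
    """Return the plaintext of an -EncodedCommand argument, or None when the token is not
    valid Base64 wrapping UTF-16LE text (the only encoding PowerShell accepts)."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None

def find_encoded_powershell(log_lines):
    """Return one record per PowerShell invocation that carries an encoded command."""
    hits = []
    for line in log_lines:
        timestamp, user, cmdline = line.split(" ", 2)
        if not _POWERSHELL.search(cmdline):
            continue
        match = _ENC_SWITCH.search(cmdline)
        if not match:
            continue
        hits.append({
            "timestamp": timestamp,
            "user": user,
            # None means the switch is present but the payload is unreadable: still worth a look.
            "decoded": decode_encoded_command(match.group(1)),
            "flags": sorted(name for name, rx in _FLAGS.items() if rx.search(cmdline)),
        })
    return hits

if __name__ == "__main__":
    for hit in find_encoded_powershell(SAMPLE_PROCESS_LOGS):
        print(f"{hit['timestamp']} {hit['user']} flags={hit['flags']}\n    {hit['decoded']}")
```

Feeding this the command-line field of process-creation events (Sysmon Event ID 1 or Windows 4688 with command-line auditing enabled) turns the author’s advice into a routine hunt; the decoded text is what the analyst reviews, and the flags help rank which hits to read first.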

In some cases, the GoGalocker attacker hid in the environment for up to 10 days prior to executing the ransomware attack. (p.88)

If true, Garmin itself may have committed a crime, since the U.S. government placed sanctions on EvilCorp when the indictment was released. The sanctions made it illegal for a U.S.-based institution to do business with or send money to any account controlled or used by the men named in the indictment. These issues highlight the complexities and challenges that organizations face when attacked by advanced cybercriminals such as EvilCorp. (p.100)

However, this attack also introduced a new tactic not seen in the previous nation-state bank attacks. Shortly before attempting to execute fraudulent transactions, the attacker launched a ransomware attack on the bank’s corporate network. (p.101)

…we discussed Ryuk using both Emotet and Trickbot in their attacks. Emotet provided the initial access, at which point the PowerShell scripts executed and downloaded Cobalt Strike. From there, Trickbot obtained credentials, whereas Mimikatz fulfilled this function in other attacks. (p.104)

Before the ransomware encryption phase, the attackers copy sensitive victim data and exfiltrate it to attacker-owned infrastructure. This provides multiple benefits. First, the attacker can demand money not only for the encryption key needed to restore victim data but also to prevent the victim’s data from being sold or released to the public. (p.105)

On at least one occasion, the attacker behind Ragnar Locker attacks hired a call center in India to contact and pressure the victim into paying the ransom. (p.106)

Maze often uses social media to publicly disclose they have breached and stolen victim data to increase the likelihood the compromised organization pays. RaaS providers host their own websites to release small amounts of sensitive victim data. The longer the victim takes to pay, the more data they release. (p.106)

…my analysis concluded that the people behind DarkSide are Russian. DarkSide operators spend time on Russian malware forums. They write their posts in Russian, and their ransomware checks its victims’ systems to ensure their default language is not Russian; if it is, the ransomware will not execute. (p.107)

On May 13, 2021, U.S. President Joe Biden issued an executive order to increase cybersecurity requirements and standards for federal government-associated infrastructure. The same day, all of DarkSide’s infrastructure went offline. (p.107)

Further, the post alleged that, somehow, someone had withdrawn all of DarkSide’s proceeds from ransomware attacks, transferring the funds from DarkSide’s Bitcoin wallets to an unknown wallet address, leaving the criminals empty-handed. While no one took credit for the actions against the gang, it seems probable that the U.S. government was behind the takedown activity. (p.108)

One of the best defensive measures you can take to protect against these types of attacks is to design, implement, and enforce a principle of least privilege throughout your environment. (p.108)

A general user should not have administrative access unless there is a valid business need. (p.108)

Additionally, tools and resources should be locked down. (p.108)

…just because current versions of Microsoft Windows come equipped with PowerShell doesn’t mean every user and system should have it available to them. (p.108)

Most users in your environment shouldn’t have access to these legitimate tools, and especially not to administrative tools such as PSExec and WMIC. (p.108)

For example, most businesses don’t need their users to access .rar, .dll, or .exe files received through email. If the business need doesn’t exist and the risk isn’t warranted, simply don’t allow it. (p.109)
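The attachment rule described above, as an added example that is not from the book: a Python policy check that rejects the extensions the author names (.exe, .dll, .rar) and also inspects the file’s leading bytes, so an executable renamed to a harmless-looking extension is still caught. The extension list, the signature table and the sample attachments are assumptions; a real mail gateway would extend the list and unpack archives.

```python
import os

# Extensions the policy blocks outright: the three the book names. Assumed starting point;
# a production list would be longer.
BLOCKED_EXTENSIONS = {".exe", ".dll", ".rar"}

# Leading-byte signatures that identify a file regardless of what it is called.
SIGNATURES = [
    (b"MZ", "PE executable"),          # Windows .exe/.dll begin with the MZ DOS header
    (b"Rar!\x1a\x07", "RAR archive"),  # RAR 1.5-4.x and RAR 5 share this prefix
]

def detect_signature(data: bytes):
    """Return the label of the first matching signature, or None."""
    for magic, label in SIGNATURES:
        if data.startswith(magic):
            return label
    return None

def check_attachment(filename: str, data: bytes):
    """Decide whether an attachment passes policy; returns (allowed, reason)."""
    ext = os.path.splitext(filename.lower())[1]   # 'invoice.pdf.exe' -> '.exe'
    if ext in BLOCKED_EXTENSIONS:
        return False, f"blocked extension {ext}"
    label = detect_signature(data)
    if label is not None:
        # The name says one thing and the bytes another: treat it as evasion of the extension rule.
        return False, f"{label} signature despite extension {ext or '(none)'}"
    return True, "ok"

# Constructed sample attachments as (filename, first bytes); contents are placeholders, not real files.
SAMPLE_ATTACHMENTS = [
    ("report.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3"),
    ("invoice.pdf.exe", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("holiday.jpg", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("backup.rar", b"Rar!\x1a\x07\x01\x00"),
    ("notes", b"Rar!\x1a\x07\x00"),
    ("minutes.txt", b"Agenda for Monday"),
]

def triage_attachments(attachments):
    """Apply the policy to each (filename, data) pair; returns [(filename, allowed, reason)]."""
    return [(name, *check_attachment(name, data)) for name, data in attachments]

if __name__ == "__main__":
    for name, allowed, reason in triage_attachments(SAMPLE_ATTACHMENTS):
        print(f"{'ALLOW' if allowed else 'BLOCK':5} {name:18} {reason}")
```

Checking bytes as well as names is what makes the rule hold: the extension test alone would pass holiday.jpg, which is a PE file, and a name with no extension at all.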

Unfortunately, paying attackers only encourages them to continue ransom operations. Organizations such as Norsk that stand their ground and refuse to reward attackers by paying the ransom are rare. Nevertheless, both cybersecurity and law enforcement experts agree: you should never pay a ransomware attacker. (p.110)

Unfortunately, CyberBerkut would reappear in future attempts to disrupt elections. The group conducted propaganda campaigns in the 2016 U.S. election, eventually helping researchers and security vendors connect the dots, leading them to the conclusion that CyberBerkut was in fact a Russian intelligence agency. (p.115)

When accessed, the link downloaded a modified version of the denial-of-service tool Slowloris. (p.117)

For now, know that you should never trust an email based on the sender address shown in the email body. (p.119)

Two separate Russian military intelligence units allegedly conducted these operations; the Department of Justice indictment attributed this complex, multiobjective attack to the operators assigned to Unit 26165 and Unit 74455, both of which are part of Glavnoje Razvedyvatel’noje Upravlenije (GRU), the Russian military’s main intelligence directorate. In the private industry, cyber defenders and researchers track these groups under various names, such as APT28, Fancy Bear, Sednit, and Swallowtail. (p.120)

During the online interview with Motherboard, Guccifer 2.0 claimed Russia had nothing to do with the attacks, that they alone did all of the work. But at some point Motherboard questioned Guccifer 2.0 in Romanian: their native language. In that moment, Guccifer 2.0 began to hesitate, taking much longer to respond. (p.124)

Additionally, as you can see in Figure 4-8, the “Last Modified By” stamp shows Cyrillic characters that translate to “Felix Edmundovich Dzerzhinsky.” (p.125)

Researching the name revealed that Dzerzhinsky was the director of the Russian State Political Directorate, Russia’s first intelligence service and secret service. (p.125)

However, on at least one occasion, Guccifer 2.0 failed to activate the VPN client before logging on. As a result, they left their real, Moscow-based Internet Protocol address in the server logs of an American social media company (likely Twitter), and these logs likely ended up in the hands of the Department of Justice as evidence of the Russian connection. (p.126)

Several of them resided on the IP address 194.187.249.135; the U.S. Department of State had previously identified this IP address as belonging to infrastructure used in part of Russian GRU Unit 74455’s operations. Also, Unit 74455 frequently uses mail.com email addresses to register its domains and create accounts for phishing operations. (p.127)

Free, open source denial-of-service tools such as Slowloris and the Low Orbit Ion Cannon have made it easy for hacktivist groups to allow their followers to participate in attacks. (p.136)

Bulletproof hosting (BPH) is a good example of infrastructure as a service and is popular among cybercriminals. Unlike legitimate infrastructure providers, BPH providers allow malicious activities to take place on their networks and domains. For example, you can host malware on its servers or use the BPH for command and control of botnets and other malicious and illegal activities. BPH providers often sell their services in criminal markets, allowing anyone who can pay for the service to take advantage of its malicious capabilities. This also provides a level of anonymity for BPH customers, since they aren’t registering infrastructure themselves. (p.138)

The most common technique used to weaponize a legitimate website in watering-hole attacks is to gain access and place an HTML iframe in a web page’s source code. (p.140)
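The defender’s side of the iframe technique described above, as an added example that is not from the book: a Python scanner that parses a page with the standard library’s HTMLParser and reports every iframe styled so that a visitor never sees it (tiny dimensions, display:none, visibility:hidden, off-screen offsets), together with the host it loads from. The sample page, its hostnames (reserved .invalid names) and the hiding heuristics are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one ordinary video embed, then two iframes styled so that visitors
# never see them. Hostnames use the reserved .invalid TLD.
SAMPLE_HTML = """<html><body>
<h1>Quarterly results</h1>
<iframe src="https://video.example.invalid/embed/123" width="640" height="360"></iframe>
<p>Slides are attached below.</p>
<iframe src="http://redirector.invalid/t" width="1" height="1"
        style="visibility:hidden; position:absolute; left:-9999px"></iframe>
<iframe src="//cdn.static-content.invalid/x.html" style="display:none"></iframe>
</body></html>"""

class _IframeCollector(HTMLParser):
    """Collect the attribute dictionary of every <iframe> start tag."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({name: (value or "") for name, value in attrs})

def _px(value):
    """Parse a CSS/HTML length like '1', '1px' or '-9999px' to int; None for anything else."""
    match = re.match(r"\s*(-?\d+)\s*(?:px)?\s*$", value or "")
    return int(match.group(1)) if match else None

def _style_map(style):
    """'display:none; left:-9999px' -> {'display': 'none', 'left': '-9999px'}"""
    out = {}
    for decl in style.split(";"):
        if ":" in decl:
            key, val = decl.split(":", 1)
            out[key.strip().lower()] = val.strip().lower()
    return out

def hidden_iframe_reasons(attrs):
    """Return the ways this iframe is hidden from the visitor (empty list if it is visible)."""
    reasons = []
    style = _style_map(attrs.get("style", ""))
    width = _px(style.get("width", attrs.get("width")))
    height = _px(style.get("height", attrs.get("height")))
    if (width is not None and width <= 2) or (height is not None and height <= 2):
        reasons.append("tiny dimensions")
    if style.get("display") == "none":
        reasons.append("display:none")
    if style.get("visibility") == "hidden":
        reasons.append("visibility:hidden")
    for side in ("left", "top"):
        offset = _px(style.get(side))
        if offset is not None and offset < -1000:
            reasons.append(f"off-screen {side}")
    return reasons

def find_hidden_iframes(html):
    """Scan a page and report every hidden iframe with its source host and the reasons."""
    parser = _IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        reasons = hidden_iframe_reasons(attrs)
        if reasons:
            src = attrs.get("src", "")
            findings.append({"src": src, "host": urlparse(src).hostname or "", "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in find_hidden_iframes(SAMPLE_HTML):
        print(f"{finding['host'] or '(relative)'}: {', '.join(finding['reasons'])}  <- {finding['src']}")
```

Run against a site’s own pages on a schedule (or against a saved copy from the archive, never a live visit to a known-compromised page), a new hidden iframe pointing at an unfamiliar host is the earliest visible sign that the page has been weaponized. Hiding via an external stylesheet or script is not covered by this inline check.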

SQL injection: Frequently used to target web servers, a type of attack that is often the initial vector to compromise and stage watering-hole attacks. (p.141)

…you should always use a model to ensure your attribution is evidence based. (p.142)

…you may consider adopting the publicly available attribution guidelines provided by the Office of the Director of National Intelligence. (p.144)

Understanding the attacker’s motivations through the TTPs they use can help in qualifying the agent behind the attacks. (p.147)

**Dynamic DNS** is appealing to attackers because it provides them with an additional anonymity level and makes attribution more difficult for defenders. (p.151)

Often, you can use a simple search query to show the domains registered to an email address. Tools such as “whoisology.com” also exist to identify the number of domains registered. (p.153)

Another clue that a registrant might be a domain broker lies in the number of domains registered. If the registration information is associated with many domains, it may belong to a broker. Most individuals registering domains for their own use will own fewer than 50 domains. If you see more than 50 domains, the account is likely associated with either a domain broker or a legitimate corporate entity that has registered the domains as infrastructure for business purposes. Thus, consider it a red flag if you cannot link a large number of domains to a corporate entity. (p.154)

One of the most significant trends in recent targeted attacks is for the attacker to live off the land. Living off the land is when an attacker uses the tools already present in a victim’s environment to perform their attack. (p.154)

Match the time zone with world regions or countries that use the same time zone. For example, if you saw an email with a “+0730,” it would indicate the email originated from North Korea. Always take note of these details. (p.167)

If you view a website’s archive for one of the dates on which it hosted malware, you could very well infect yourself. This is especially true if the compromised domain used JavaScript or an iframe to redirect visitors to other malicious infrastructure. (p.170)

Malicious code hidden within legitimate applications and protocols can bypass firewalls, intrusion detection systems, endpoint detection, and other automated defenses. (p.172)

In this example, however, the attacker developed malware that relied on a domain generation algorithm (DGA) to determine the C&C server. (p.172)
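The defender’s counterpart to the DGA described above, going one step beyond the quote, as an added example that is not from the book: a Python hunt over constructed DNS query logs that scores each registrable label on properties typical of machine-generated names (length, character entropy, low vowel ratio, embedded digits) and flags a client only when it resolves a burst of such names, since a single odd lookup is noise. The log format, the sample names and the thresholds are assumptions; real DGA families differ, and a whitelist of known CDN and cloud hostnames would be needed in practice.

```python
import math
from collections import Counter, defaultdict

# Constructed DNS query log (assumed format: "<timestamp> <client> <qtype> <qname>").
# Client 10.0.0.9 resolves several random-looking names the way DGA malware does.
SAMPLE_DNS_LOG = [
    "2024-12-04T09:00:01Z 10.0.0.5 A www.microsoft.com",
    "2024-12-04T09:00:02Z 10.0.0.5 A login.live.com",
    "2024-12-04T09:00:03Z 10.0.0.9 A xk3qzr7wpldm9vbt.net",
    "2024-12-04T09:00:04Z 10.0.0.9 A hjq8vzrtw2mnbdxk.com",
    "2024-12-04T09:00:05Z 10.0.0.9 A pw4trqxzkvnbsdfg.org",
    "2024-12-04T09:00:06Z 10.0.0.7 A mail.example.org",
    "2024-12-04T09:00:07Z 10.0.0.9 A update.example.org",
]

def shannon_entropy(text: str) -> float:
    """Bits per character; random alphanumerics score near 4, dictionary words nearer 2-3."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0

def registrable_label(qname: str) -> str:
    """'xk3q.net' -> 'xk3q'. Simplification: assumes a one-label public suffix (no co.uk handling)."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]

def dga_score(label: str) -> int:
    """Heuristic score 0-4: each satisfied property is typical of generated names (thresholds assumed)."""
    score = 0
    if len(label) >= 12:
        score += 1
    if shannon_entropy(label) >= 3.5:
        score += 1
    if sum(ch in "aeiou" for ch in label) / max(len(label), 1) < 0.2:
        score += 1
    if sum(ch.isdigit() for ch in label) / max(len(label), 1) >= 0.1:
        score += 1
    return score

def flag_dga_clients(log_lines, min_score=3, min_domains=2):
    """Return {client: [domains]} for clients that looked up at least `min_domains` distinct
    names scoring `min_score` or more. One odd name is noise; a burst is the DGA signature."""
    suspicious = defaultdict(list)
    for line in log_lines:
        _ts, client, _qtype, qname = line.split()
        if dga_score(registrable_label(qname)) >= min_score and qname not in suspicious[client]:
            suspicious[client].append(qname)
    return {client: names for client, names in suspicious.items() if len(names) >= min_domains}

if __name__ == "__main__":
    for client, names in flag_dga_clients(SAMPLE_DNS_LOG).items():
        print(client)
        for name in names:
            print(f"  {name}  score={dga_score(registrable_label(name))}")
```

Pairing the score with the response code sharpens it further: a DGA client produces a stream of NXDOMAIN answers for generated names until one resolves, and that one resolving name is the C&C server worth sinkholing.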

Before you begin hunting, consider any legal and ethical boundaries you may unintentionally cross if you misuse a tool. (p.185)

Many of the tools we’ll discuss use both passive and active techniques to achieve the desired results. Unless you’re a penetration tester or have received the proper authorization, stick to passive techniques. Some active techniques may be considered hacking, and because of that, they carry legal penalties. (p.185)

Open source information can sometimes help you identify an adversary’s infrastructure, that is, if you know where to look and what to look for. (p.185)

DNSDB is a for-pay service, offered by Farsight Security, that provides access to passive DNS data. (p.185)

PassiveTotal provides access to data that you can use to footprint, or discover and enumerate, infrastructure. (p.186)

DomainTools is a service that lets you view domain registration and IP resolution data. (p.186)

Whoisology maintains both current and historical domain registration records. (p.186)

DNSmap is a command line tool used to discover subdomains. (p.187)

Hybrid Analysis is another malware repository that can provide dynamic analysis of malware and assist in discovering related infrastructure and samples. (p.188)

Joe Sandbox is a malware repository that has both free and for-pay services. A free account allows users to search for malware samples using their hashes or other identifying traits. (p.189)

Hatching Triage is especially useful when analyzing ransomware. The interface provides you with the ransom note, any of the attacker email addresses used to communicate with the victim, and any URLs included in the attack, such as payment and data-leak websites, making it easy to review and extract pertinent information. (p.190)

Cuckoo is different than the other malware analysis tools discussed thus far. While those malware repositories are owned by commercial companies, you can host and run Cuckoo Sandbox locally, in your environment. Thus, the malware you analyze won’t be made public, as it would with the other commercially owned solutions. (p.190)

Cuckoo is open source and modular, which allows analysts and researchers to tailor it to fit their needs. The tool is extremely robust and does much more than the high-level functions discussed here. Explore its other features on its website. (p.191)

Source code search engines, such as NerdyData, are tools that allow for searching the source code of web pages themselves, as opposed to the content you see when navigating to the page. (p.192)

The website “deeponionweb.com” is a good place to find information on underground criminal markets. (p.194)

ThreatNote is an open source threat intelligence platform; it provides a centralized platform to collect and track cyberattack-related content and events. You can use it to store various kinds of data collected during a cyber investigation, whether they be endpoint and network indicators or context about an attack campaign. (p.196)

Recon-ng is a free, publicly available reconnaissance framework. The tool, written in Python, is designed and laid out in a manner similar to the Metasploit framework. (p.199)

Another modular-based information gathering tool designed for penetration testing, TheHarvester is similar to Recon-ng but does not have as many capabilities. (p.199)

SpiderFoot is a free open source tool whose graphical interface allows users to make queries against various data types. It is useful for day-to-day investigations, and it can save you time when you’re researching open source information. (p.200)

Maltego is a visual data analysis tool created by Paterva. It accepts entities, or indicators, and then runs Python code, known as transforms, to conduct various actions against an entity. (p.200)

…not every email you investigate will be malicious, so it is essential to identify evidence to prove or disprove your claims. (p.202)

Why would a media contact list for an Asia-based economic summit communicate with a software update domain? (p.211)

The open source research you conducted also revealed that the Sofacy/Sednit malware is associated with only one attacker. Because of this, you should try to identify other recent Sofacy/Sednit samples, as the attacker could use additional related malware to target your organization in future attacks. (p.215)

Taking information from your attack and using it to find related threat data is a process known as pivoting. (p.216)

Conclusion

I’d like to thank Mr. Jon DiMaggio for his insightful work. It gives interesting details on investigating attacks by nation-state actors. Governments are always trying to dominate every domain of warfare, including cyberspace. With the rise of military and internet complexes, we can also expect more related conflicts and incidents. If you’re a security analyst looking to learn more about advanced actors in that space, you should check out The Art of Cyberwarfare.
