The Unbearable Lightness of APTing

Friday 2 October 14:30 - 15:00, Green room

Yaniv Balmas (Check Point Software Technologies)
Shahar Tal (Check Point Software Technologies)
Ron Davidson (Check Point Software Technologies)

  download slides (PDF)

APT campaigns are typically described with awe surrounding technical achievements enabled by the level of resources and capacity conceivably available to nation-state governments and intelligence agencies alone, often dubbed APT groups. These reports contribute to the perception of a very high technological barrier-to-entry to the advanced targeted campaign 'market'.

This talk will present in detail our investigation of a carefully orchestrated targeted campaign that had been active since 2012 until interrupted by our Threat Research operation in 2015. This attacker group was observed employing several attack techniques, exploiting vulnerabilities and notably operating a custom-made malware implant codenamed Explosive.

As the investigation unfolded, our researchers collected evidence of this campaign successfully infiltrating many organizations, with a target distribution strongly aligned with a nation-state/political group interest.

A closer inspection of this never-before-seen malware took our researchers by surprise. Expecting a technical masterpiece of well-trained secret agents and world-class cryptographers, Explosive turned out to be the creation of mere mortal developers with an astute persistency and determination. Despite the unremarkable technical nature of the implant, the attackers had near-flawless success in gathering intelligence while remaining covert and undetected by common security solutions.

We unravel the campaign one technical feature at a time, using the opportunity to educate the audience, debunking common malware myths, ultimately detailing our attribution of the attacker group.

Click here for more details about the conference.

Yaniv Balmas

Yaniv Balmas

Yaniv Balmas is a software engineer and a seasoned professional in the security field. He wrote his very first piece of code in BASIC on the new Commodore-64 that he received for his eighth birthday. As a teenager, he spent his time looking for ways to hack computer games and break BBS software. This soon led to diving into more serious programming, and ultimately, the security field where he has been ever since. Yaniv is currently working as a security researcher and deals mainly with analysing malware and vulnerability research.

@ynvb

Shahar Tal

Shahar Tal

Shahar Tal leads a team of vulnerability researchers at Check Point Software Technologies. Prior to joining Check Point, Shahar held leadership roles in the Israel Defense Force (IDF), where he was trained and served as an officer in elite technology R&D units. Shahar (that's Major Tal, to you) brings over ten years of experience in his game, eager to speak and share in public domain. He is a proud father, husband and security geek who still can't believe he's getting paid to travel to awesome Infosec cons. When you meet him, ask him to show you his hexdump tattoo.

@jifa

Ron Davidson

Ron Davidson

Dr. Ron Davidson is Head of Threat Intelligence & Research for Check Point Software Technologies. In this role, Ron leads Check Point's cyber research and threat intelligence activities, including malware and vulnerability research, attacks and exploits analysis, as well as intelligence and data-analytics operations. Ron has vast experience in network and cyber security, both in government (over 20 years of service in military and cyber intelligence) and in the private sector. Ron earned his B.Sc. in maths and computer science from Tel Aviv University and his Ph.D. in systems engineering from Stanford University.

 

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.