RUAG Breach – A lesson in cyber espionage tradecraft tools & techniques

Following a successful data breach of Swiss defense contractor RUAG – specialising in aerospace technology – the Swiss Governmental Computer Emergency Response Team (GovCERT) took the unusual step of publishing a comprehensive data breach report.

The reasons given for publishing the report:

…to give organizations the chance to check their networks for similar infections, and to show the modus operandi of the attacker group.

You can download the summary technical report here (PDF) – 2 pages

And the full espionage report here (PDF) – 34 pages

If the full report is a little TL;DR for your time or taste, or even if you have already read it, hopefully I can persuade you to spend an hour watching the video below, put together by @TradecraftTues. It is a livestreamed interactive discussion between @_devonkerr_, @chrisbisnett and @KyleHanslovan on:

Reviewing the techniques hackers used to compromise the Swiss technology company RUAG. During this discussion, we’ll dissect the breach report published by the Swiss Governmental Computer Emergency Response Team (GovCERT). We’ll highlight how the actors used peer-to-peer style communication to reduce their network footprint and leveraged Active Directory to control devices. Lastly, we’ll provide some recommendations and countermeasures which could have been used to reduce the impact of this APT attack.
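The "reduced network footprint" point above is worth turning into a concrete check: if only one compromised host beacons out and the rest of the infected group talks to it internally, egress monitoring alone will miss most of the victims, so you have to look at east-west traffic. The script below is an added example of my own, not code from the GovCERT report, the page, or the Tradecraft Tuesday presenters. It takes flow records as `(src_ip, dst_ip, dst_port)` tuples (the shape you would get from NetFlow or a Zeek conn.log export), counts for each internal host how many distinct internal hosts connect to it and how many external destinations it reaches, and flags hosts that look like internal hubs but are not on an allowlist of known servers. The address ranges, the `KNOWN_SERVERS` allowlist, the `min_peers` threshold and the sample flows are all constructed for illustration.

```python
"""Heuristic for spotting a peer-to-peer style C2 relay in flow records.

Added example, not from the GovCERT RUAG report. The idea: a compromised
workstation that relays for its peers receives connections from many
internal hosts, and is often the only one of the group with any egress.
All addresses and flows below are constructed sample data.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Set, Tuple

Flow = Tuple[str, str, int]  # (src_ip, dst_ip, dst_port)

# Hypothetical internal address space.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Hosts that legitimately receive connections from many internal clients
# (file servers, domain controllers). Hypothetical; populate from your CMDB.
KNOWN_SERVERS: Set[str] = {"10.0.0.5", "10.0.0.10"}

# Constructed sample flows (not real traffic).
SAMPLE_FLOWS: List[Flow] = [
    ("10.0.2.11", "10.0.0.5", 445),      # clients -> file server (expected)
    ("10.0.2.12", "10.0.0.5", 445),
    ("10.0.2.13", "10.0.0.5", 445),
    ("10.0.2.11", "10.0.0.10", 389),     # clients -> domain controller (expected)
    ("10.0.2.12", "10.0.0.10", 389),
    ("10.0.2.13", "10.0.0.10", 389),
    ("10.0.2.11", "10.0.1.20", 445),     # clients -> an ordinary workstation (odd)
    ("10.0.2.12", "10.0.1.20", 445),
    ("10.0.2.13", "10.0.1.20", 445),
    ("10.0.2.14", "10.0.1.20", 445),
    ("10.0.1.20", "203.0.113.7", 443),   # only that workstation talks to the internet
    ("10.0.2.11", "198.51.100.9", 443),  # ordinary browsing from one client
]


def is_internal(ip: str) -> bool:
    """True if the address falls in one of the configured internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def summarize(flows: Iterable[Flow]) -> Dict[str, Dict[str, Set[str]]]:
    """Per internal host: distinct internal sources connecting to it ("inbound_peers")
    and distinct external destinations it connects to ("egress")."""
    stats: Dict[str, Dict[str, Set[str]]] = defaultdict(
        lambda: {"inbound_peers": set(), "egress": set()}
    )
    for src, dst, _port in flows:
        if is_internal(src) and is_internal(dst):
            stats[dst]["inbound_peers"].add(src)
        elif is_internal(src):
            stats[src]["egress"].add(dst)
    return stats


def find_relay_candidates(
    flows: Iterable[Flow],
    min_peers: int = 3,
    known_servers: Set[str] = KNOWN_SERVERS,
) -> List[Tuple[str, int, int]]:
    """Return (host, inbound_peer_count, egress_destination_count) for hosts that
    act as internal hubs and are not known servers, busiest hub first."""
    candidates = []
    for host, s in summarize(flows).items():
        if host in known_servers:
            continue
        if len(s["inbound_peers"]) >= min_peers:
            candidates.append((host, len(s["inbound_peers"]), len(s["egress"])))
    return sorted(candidates, key=lambda c: -c[1])


if __name__ == "__main__":
    for host, peers, egress in find_relay_candidates(SAMPLE_FLOWS):
        print(f"{host}: {peers} internal peers connect in, {egress} external destination(s) out")
```

The allowlist is the whole game here: without it, every file server and domain controller is a "hub", which is exactly the noise that lets a relay on an ordinary workstation hide. Treat the output as a triage list rather than an alert, and pair it with host-side evidence (process-to-port mapping on the flagged host, and the Active Directory activity the talk covers) before calling it an incident.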

Granted, many of us are familiar with the methodology of advanced attack groups; however, this discussion reveals many nuggets of interest and is replete with advice for defenders.

I’ll not babble on; give it a watch. It’s well worth your time, and I hope you enjoy it as much as I did:

Make sure to give @TradecraftTues a follow on Twitter.