State of the Hack 07: FireEye Summit 2018 Edition

Every year, FireEye Cyber Defense Summit (CDS) brings together leading cyber security experts from across the globe to share security challenges and successes through the lens of front-line experience. We always look forward to the Summit because it provides us the opportunity to meet up with friends and industry colleagues that we don’t see regularly throughout the year. On this episode of State of the Hack, we are joined by teams that shared and analyzed new research at the event, including the FLARE crew that analyzed the Carbanak source, the analysts that powered the APT38 report, and the espionage team that keeps up with the political side of the GRU’s activities. In addition to sharing their research, all three sets of guests are connected by the opportunity that each had to compare their original, forward looking security analysis to newly-revealed ground truth information.

Episode Recap and More Information

“FLARE vs. Carbanak”: Let’s get this out of the way first for those who are wondering, FLARE stands for FireEye Labs Advanced Reverse Engineering. This team’s reverse engineering abilities support various efforts in our organization, and the tools they release publicly are a boon to the community. Most recently, they wrapped up the fifth annual Flare-On challenge! In this segment, we sit down with two Staff Reverse Engineers on the FLARE team, Michael Bailey (@mykill) and James “Tom” Bennett (@jtbennettjr), who were at CDS this year to discuss the results of nearly 500 total hours of analysis of the Carbanak source code we acquired. This included 100,000 lines of Carbanak source code and dozens of binaries. We deep dive into how FLARE conducts that kind of analysis and what it’s taught us about FIN7 and the other groups that use Carbanak. Among other takeaways, they share how they modified the Carbanak video player source to play FIN7 videos, covered in our recent FIN7 blog post.

“Upgrading to APT38”: FireEye recently released details on a particularly aggressive threat group that we believe is responsible for conducting financial crime on behalf of the North Korean regime, stealing millions of dollars from banks worldwide. We refer to this group as APT38. In this segment, we welcome two core contributors to the APT38 report: Nalani Fraser, Manager of the Advanced Analysis Team, and Jackie O’Leary, Senior Analyst on the Advanced Analysis Team. As soon as Nalani and Jackie joined us, we wasted no time getting into the specifics about their research into APT38, including how long they’d been tracking them, what makes the group unique, what are the group’s tactics, techniques and procedures, and what it means to be upgraded to an APT group. Unlike all of our other show guests, they aren’t on Twitter – which makes us sad.

“Understanding the GRU Indictments”: We had the chance to pick the brains of John Hultquist (@JohnHultquist), Director of Threat Intelligence, and Ben Read (@bread08), Senior Manager of Cyber-espionage Analysis. John and Ben provide a lot of media color and discuss geopolitical ramifications of complex technical reports by translating the news into lay terms. In this segment, we start with the recently announced indictments charging Russian GRU officers with international hacking and related influence and disinformation operations, then bounce to APT28, and the conversation keeps going from there.

State of the Hack® is FireEye's monthly broadcast series, hosted by Christopher Glyer (@cglyer) and Nick Carr (@itsreallynick), that discusses the latest in information security, cyber espionage, attack trends, and tales from the front lines of responding to targeted intrusions. If you want to experience the magic, you can watch all State of the Hack episodes now. All episodes are also available as podcasts.