We are launching a new project. In this series of posts we introduce Group-IB's experts and leading specialists: their work, research and cases, how and where they train, and, of course, links to current vacancies. Our first guest is Anastasia Tikhonova. We give her interview in direct speech and, as they say, without cuts.
: Threat Intelligence Group-IB.
: Threat Intelligence & Attribution Analyst.
: 29 .
: 9 , (APT).
: APT, ,
- The development of new digital weapons, zero-day exploitation, and the testing of new delivery and distribution methods for malware. China, North Korea, the USA and Iran have their own cyber armies, and Turkey, India, Kazakhstan and the countries of South America have joined the race. For more than three years, since 2017, I have been researching APTs (Advanced Persistent Threats): complex targeted threats, attacks by special services, also called pro-government hacker groups. Four or five new groups appear every year. Today more than 70 groups are active in the world, not counting those that are temporarily "lying low" and those still operating in secret. Most APTs are engaged in cyber-espionage; sabotage and destructive attacks are rarer. The exceptions are the North Korean group Lazarus and a number of Chinese APTs that attack cryptocurrency exchanges, banks and game developers to make money.
Pro-government groups are not necessarily hackers in uniform working in a bunker from 9:00 to 18:00. They may be specialists used "in the dark", cyber-patriots who commit crimes out of love for their homeland (there are some of those too), or "mercenaries", hackers on a "salary". We have no payslips or statements of how much (or whether) they are paid, but I think it is above the market rate: they do very specific work, and the risks are commensurate.
Regardless of a hacker's motives, a cyberattack is a crime and a violation of the law. The recent attack on the control system of a water-treatment facility in Miami (Florida) is a story of remote access to a computer. TeamViewer was installed on the machine so that employees could control something remotely. The account was password-protected, but the attacker managed to guess the password. He logged in twice, and the second time he changed the proper ratio of sodium hydroxide in the interface settings to one that could seriously harm human health. An employee of the company saw this and immediately restored the settings. And this is not a plot from a cyberpunk series. Last year, an attack by North Korean hackers on India's Kudankulam nuclear power plant, aimed at shutting the plant down, compromised the workstation of a fairly senior employee. In 2020, attackers gained access to water-treatment systems in Israel and even tried to change the chlorine level remotely, which would have caused a wave of poisonings. It is very fortunate that APT attacks have not yet led to large-scale loss of life.
The tactics and procedures used in APT attacks are also adopted by ordinary cybercriminals. For example, after several pro-state groups used the WannaCry, BadRabbit and NotPetya ransomware in 2017, a real epidemic of criminal ransomware attacks swept the world: with ransomware you can earn as much as from a successful attack on a bank, while the technical execution and cost of the attack are far simpler. Even "classic", financially motivated criminal groups like Cobalt and Silence, which used to attack banks and steal or withdraw money, switched to ransomware and became members of private partnership programs. According to our estimates, last year about 2,000 ransomware attacks caused damage of at least 1 billion dollars, and that is by the most conservative estimate.
: Threat Intelligence
As a child I wanted to be a police officer, and in tenth grade I tried to enter the FSB Academy: I come from a military family. Before Group-IB I worked for a year at an antivirus company, and I had already noticed news about Group-IB in the press: they published new research, conducted investigations and took part in arrests. At that time there were few players in the information security market, but even so Group-IB stood out for its intolerance of cybercrime and its investment in technology, and it was interesting to find an opportunity to grow there. When I joined Group-IB in 2013, the Threat Intelligence department was simply called the analytics department and dealt with completely different problems, from investigating hacktivists to helping the investigations department identify hackers and establish their identities. In seven years, our department of three has grown into a cyber-intelligence department of more than 30 people.
Cyber-intelligence comes in different forms. Today, the threat intelligence and TI tools market often boils down to sending customers banal "blacklists" (lists of "bad" addresses and "bad" domains). For us at Group-IB, threat intelligence and attribution is knowledge about the attacker. Analyzing the threat alone is no longer enough. As our CTO Dima Volkov says, when you face a real threat you must answer one key question: who is attacking you, and what help do they have? In addition to this data, we give clients tools to work with and offer our own services, so that part of the active tasks shifts onto the shoulders of specialists who already have the necessary experience and skills. Much is now done by machine intelligence and automated systems, but that does not do away with "delicate manual work".
One of my first big pieces of research concerned attacks on Russia by hackers supporting ISIS. Forbes wrote about it: Islamist hackers from the groups "Global Islamic Caliphate", "Team System Dz" and "Fallaga Team" attacked about 600 Russian websites of government agencies and private companies. At that time I was still accessing the underground semi-automatically: I would go to hacker forums, register, collect various information and data useful for cyber-intelligence (threat intelligence), and write reports for clients based on it. At some point working the underground got boring and I wanted a harder job, so my manager, Group-IB CTO Dmitry Volkov, suggested that I investigate one of the Chinese APTs. That is how it all started.
In my job you have to keep your brain switched on all the time... and in general things move fast. One day I may be investigating an attack by a Chinese pro-government group; then I work out how the triggers of our detection rules relate to Nigeria (we recently had a joint operation with Interpol); and by evening it turns out that someone has a DDoS client in the name of a Russian hacker...
A girl in infobez? How's that? What is it like? I hate such questions. To put it bluntly: talent has no gender, and gender is irrelevant. Either you can become a good analyst and researcher, or you cannot.
The work as it is: a bit of the internal workings
My typical day starts with a cup of coffee and Twitter. I have a good subscription base: researchers and journalists I follow. On this social network, infobez people exchange data on various attacks and vendors report on them. For example, the Korean company ESRC is currently doing very interesting research. I am also subscribed to several specialized Telegram channels on APTs. The community works very clearly here: if a researcher finds a hacker group's command server and drops the data in a Telegram channel, others help to investigate and take down the incident. Topics about APTs usually become very interesting, detailed and big very quickly; interest in plain cybercrime and phishing is not as high, well, except perhaps for popular ransomware.
In any case, the work starts with analysis. As a rule, before I start a research project I already have a pool of information: indicators detected both by us and by someone else (other vendors or analysts), such as hashes of trojans, malicious documents, domains, links and so on. I start spinning up these indicators, testing whether any of them can be supplemented with data nobody has seen yet. This happens often. My working tools (the Threat Intelligence & Attribution platform and the Group-IB network graph) quickly find additional indicators of compromise from them and send them to clients as alerts, so that customers can prevent the attack and block unwanted activity.
Photo: Group-IB network graph
Using it, we investigate a group's infrastructure, past links between the group and hackers in the community, and data on cybercriminals gathered over several years. This is valuable data: emails, phone numbers, instant messengers, databases of domains and IPs, data related to malicious programs. For example, the Group-IB TI&A database holds all the domains ever used by cybercriminals, with a history of changes going back more than 17 years. We can talk about the details and "handwriting" of individual criminal groups: we know that one group uses the same servers, while another registers domain names with two "favorite" providers. We load all this data into the external threat hunting of the Group-IB system and get what is called effective threat hunting at the output.
Sometimes you sit for a long time monitoring a character, trying to find additional accounts, and find nothing... and then suddenly his personal email shows up in a screenshot or an old photo he posted on the Internet. We have to dig deeper and deeper into the analysis. You are already looking for additional accounts and people he interacts with; if you need to work out a specific city, you already have more information. Sometimes it happens that you already know the way. Oh, what could this be? It might be a photo from a social network, or from his girlfriend's Instagram, where the girl shows, say, the view from a window. In other words, OSINT, open source intelligence. All technical departments at Group-IB have this tool, but each has its own OSINT.
Do you think that, even while we investigate, nobody tries to attack us at Group-IB? We face real cybercrime. They try to threaten us; they send us "greetings". Of course, unlike Krebs, the greetings are mostly inside the malware.
Ultimately, all of this analysis is needed to prevent cybercrime. It sounds like science fiction, but we can predict an attack before hackers or an APT carry it out: we identify the attack at the stage of infrastructure preparation and warn the customer. Moreover, Threat Intelligence & Attribution data is enriched with information from the dark web, the underground and hacker forums and used in other solutions, so analysts see the most complete picture of the threat and can identify criminal activity with maximum accuracy.
From Korea to Bulgaria: the APT landscape
I like the approach of the North Korean groups: they have a thoughtful, non-standard approach to their work. For example, at the reconnaissance and penetration stage they conduct surreal interviews with "candidates" and play a long game without pressing the victim. Besides, they have interesting tools that they constantly develop. They started with classic cyber-espionage against South Korea and the USA, and then became universal soldiers who can go after money, valuable information or sabotage. North Korean groups such as Lazarus and Kimsuky show steady development of their attack methods and tools every year. Last year a number of attacks by North Korean hackers targeted military contractors around the world; Kommersant wrote about it, so you have probably seen it in the press :)
North Korea, in my opinion, has a big "root" group: Lazarus has various teams under its command, such as Andariel, to solve various non-core tasks. By the way, the names of both of these North Korean APTs were given by researchers after characters from the popular computer game Diablo.
In Iran, employees are recruited into APT groups straight from the student bench. After we published an article on Habr about Iranian hackers, the first and last name of one of the accused turned up in the documents. At first we laughed: you never know whose name is carved there. But it turned out that his email had once been published on a hacker resource, which interested us very much. After parsing all of this, we found various accounts on forums dedicated to learning how to exploit vulnerabilities, which further convinced us that the hacking was done by this very person. When we published the results of our investigation, he wrote on Twitter in the spirit of: "You, you just blame people; maybe you are framing someone you don't know at all!" But then he deleted the message himself, which incriminated him outright.
I have not heard of American APTs, but that does not mean they do not exist. There are American vendors, and they say almost nothing about them. Why would you need many small APT groups when you have one well-organized group that works on tasks and spies on everyone else? A rhetorical question. In the USA everything is closely tied to the NSA, meaning a fairly large network equipped with zero-days and other vulnerabilities and tools. What WikiLeaks published is only a small part of what the NSA has.
"Russian hackers working for the state" is now a very fashionable and hyped topic in the West. Hacker attacks in the press are often tied to a particular country not on the basis of real technical data that clearly points to a specific group, but on the basis of a tense political situation (Russia vs. the USA, Israel vs. Iran, North Korea vs. South Korea). Do not forget that groups often deliberately obfuscate the traces they leave; Lazarus, for example, did this. In general, "Russian hackers" are a thing of the late 90s. There are no "Russians"; there are Russian-speaking people from the post-socialist countries. And "Russian hackers are the coolest" is no longer true either: groups are mixed and made up of people of various nationalities.
Don't think it is all simple. APTs often obfuscate their tracks and deliberately try to point the arrows in the wrong direction. The same Iranian MuddyWater started by trying to imitate Fin7. If, as in the Lazarus case, there was access from a particular IP address belonging to North Korea, you can then declare that it was North Korea, and this is what some vendors do. Otherwise, you can look at the attacked targets, the infrastructure the attack came from, or the style of the comments left when the code was written. If there was an attack in the South China Sea, you can assume that a country with an interest in that region is involved. And you already begin to understand what kind of tools were used: this is the PlugX trojan, so it is probably, almost certainly, China. Then you get to the infrastructure: this is indeed a Chinese IP address.
Secrets of mastery and a list of books for leveling up
There is no ceiling to your own self-development. I would like to work in Europe and Asia: more opportunities to exchange experience with other information security specialists let you understand their way of thinking and picture how APTs work in that region specifically. I think it can be done easily: Group-IB opened its global headquarters in Singapore and, last year, its European headquarters in Amsterdam. Tools evolve and APT groups never disappear, so I always have work. Besides, my profession is in demand.
We are all super multitaskers! Often you have to obtain and analyze large amounts of data from various sources, and this is a painstaking process, so for a beginner some qualities are important, such as curiosity and perseverance. You need to monitor the emergence of new types of attacks and vulnerabilities and keep up with all the political news around the various types of attacks. In most cases the job is aimed at people with a specialized information security education, but in my case it was not, so I gained experience on the spot. That is, if you are interested, are used to getting to the bottom of problems and have IT knowledge (IT knowledge is required), then as a rule you can get a junior analyst position and then grow in this field. The main thing is dedication and the desire to develop.
To immerse yourself in the profession or level up as a threat intelligence analyst, I recommend the following short reading list:
- The timeless classic "Psychology of Intelligence Analysis" by CIA veteran Richards Heuer. It describes the peculiar thinking errors and limitations (cognitive biases) that our brains produce. For example, recognizing an unexpected phenomenon requires clearer information than recognizing an expected one, and we tend to perceive what we expect.
- The basic principles and concepts of cyber threat intelligence are set out in "Threat Intelligence: Collecting, Analysing, Evaluating" by David Chismon and Martyn Ruks of MWR InfoSecurity.
- On Cyber Threat Intelligence and the attribution of APTs: "Attribution of Advanced Persistent Threats: How to Identify the Actors Behind Cyber-Espionage" by Timo Steffens.
- The Kill Chain, the Diamond Model and MITRE ATT&CK are the foundational models of Cyber Threat Intelligence. On ATT&CK, read "MITRE ATT&CK: Design and Philosophy".
- "Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains" by Eric Hutchins, Michael Cloppert and Rohan Amin, the paper that introduced the Kill Chain.
- "The Diamond Model of Intrusion Analysis" by Sergio Caltagirone, Andrew Pendergast and Chris Betz, the paper describing the Diamond Model used in CTI.
- And, of course, APTNotes, a collection of public reports on APT groups.
Threat Intelligence & Attribution Analyst?
For those interested in the profession of threat intelligence and attribution analyst, we are ready to offer a practical course on collecting information about cyber threats and enriching cybersecurity processes with TI data for effective incident response and threat monitoring.
The goal of the Group-IB Threat Intelligence & Attribution Analyst course is to teach how to collect meaningful information from various types of sources, both open and closed, interpret it, and identify signs of attack preparation. The program includes practical exercises based on case studies from Group-IB's cyber-intelligence department. This approach is important so that students can immediately apply the knowledge they gain in their daily practice.
Work that makes sense?
And one more important announcement: Group-IB is strengthening its technical team. Become part of the team and change the world with us! There are currently more than 120 vacancies, 60 of them for technical specialists. Details here. Group-IB is the next generation of engineers: we bring bold ideas to life and create innovative technologies to investigate cybercrime, prevent cyberattacks, and track attackers and their tactics, tools and infrastructure.
Join us!