that. it. i just see himself in his a hardcore mowers search or reverse engineer and he also likes to break code and my voice breaking terms or for that so stage is open to jesse let's visit to their brand.

and you a thank you very much solace i'm a little is also looking at the sentinel trail and during the past two years we have been monitoring ago called sudden it's one way to go league's join to motivate them to.

idea that can be with me here today said lee. and this book is based on the technical white be able to be available on all blush want to read.

so as i said is we call this group senate but depending on the result shows they have their names like between the agency bell services and this is a group of medical doing so good at that since at least two thousand and four and that interest is mainly about geopolitics.

as you might have seen in the news they are very famous of the moments they are supposedly behind the hike of the democratic national committee and also the water antidoping as insane.

in his presentation i once thought by giving you some context around this group that's all that i will describe a textbook case of the current operations during which will begin to that tool set and i thought i would present a different and strands operation also run by descending go during the last few years. and finally i would contribute some muscle known and open questions. so let's start with some context around the synagogue.

so what kind of people or people are there to and for once we know very precise to some of the targets because they made a mistake during one of the fishing campaigns for it all use the bitterly service to shop on the new fishing year olds but for it to said the bitter profile private so we had access to around four thousand shot on you. wells do in six months in two thousand and fifteen.

here's an example of for you all that was shortened in could it contains the e-mail address of the targets and also his real name so this point identifying the targets was pretty easy.

in this list they're all embassies in ms result more than forty countries there is need to an e.u. institutions and finally there is a lot of individuals involved in his tenure of politics. in fact those targets they will also holds always hear you can see a time line with the sun is all his exploits for two thousand and fifteen only and all does not it is have been reported since and i'm not even talking here about the revamped exploit they use their his many of them also an.

we are going to see that later.

the story doesn't end in two thousand and sixteen just as an example the good looks but another says go disclosed in a good season for us and in the windows johnno like a month ago i think and the exploits was indifferent nobody can control on the remote computer on the when we know one third to achieve inability.

still it is privileges and but as the sun box i want to describe the exposed him there is enough information and doughnuts but this shows the synagogue is quite resourceful.

also this is the kind of group the deployed many custom software as of of the bus daniels from the locals to end corruption proxy tools including different types of by durrell's in short they were quite a lot.

and before going for though i want to mention a few this famous. first even if a truck discernible pretty closely during the last wheels we might be missing part of the picture shows. and as more of his also as we could have to go bay's on the tool kit even they might be divided in september and finally we are not competent to do any sort of a tradition but all results might provide you insist that may be useful that.

so i thought all done it in the senate toolkits with cells.

sellers actually year can name for fictional sunday target he walks for governments and has access to sensitive information the chain of events and the timing that i am going to describe all in line with several really cases we've investigated during the last wheels and when you sail cells as a. it's the quays to prison part of the senate took it.

somewhere out recently it's monday nine thirty a.m. and sells the rub the rise of four and he opens an email this immense supposedly came from cut for which provides wriggle repulse and geopolitics except that's if we close to the euro world's that is that the diamond mimics that is to misread father.

mean but also a u.i. is the same as not to go on the legitimacy what the website said that night he was uncertain inserted in the middle polled to identify the target.

but lets us cells tricks on the euro and this is when cells from it said kit which is the senate exploited and it is only useful targeted attacks.

as we just so it's untrue points is usually you always making legitimate what sites and the exposure to infection usually start from talking to phishing e-mails but we've also seen from or direction from such a from hacked websites we film succeeds in september two thousand and fourteen for the first time. it is still in use.

so was a classic expected when you visit you receive a landing page that when you build a reconnaissance report on the machine doesn't get lending binge contains around two hundred lines of just quit and the could stay the same above the less show. you can see here to fight expect of the spending page forces to retrieve the time zone and then between married the purposes of just tripped object called never get on screens and finally it will and humid the plug installed in the boroughs oh. as you can see there is a special case for him to explore all well as of a and floods detected by a special methods but the way it can stay off from the the locals.

did you know here's the report from such from shown its edges and file and you can see ten things a lot of information such as that the sort of can select its the targets very precisely not only based on the configuration but also based on the language they speak in the same zones are out there are in.

however we don't know precisely what their operators are looking for we crawled expert with bugs configuration and different ip addresses sometimes it lost some time doesn't works and so far we don't really know why.

but it's a that cells are selected to be exploited.

and this is one sells visit the senate exploit factory so here's a list of exploit that we saw from such good since the beginning. and as you can see three of them also exposed at the time they were used.

also interesting me there was an exploit for my capital which is a coming to fall austin made by the company from ukraine and it's probably mainly used by people from eastern europe. and though the exploits of event exploits and i am going to describe one of them right now.

so is exploited the city two thousand and fourteen six three two and there's nobody to isn't ago will flow in the entire to explore the district engine that follows a bitter read write operations with sosa to during the expert for the city in october two thousand and fifteen on this case it was only reusing have to. the city to disable the safe mode and to don't know to build with all shell. but at the beginning of the year with phone a very different version of the specs boyd a more complex one that was used in february two thousand and sixteen. this is president is able to say no but the rich and executed a rope chain because pretty big from four hundred lines of the district's an interest only his custom so.

try to read everything but there's a bit if i could have the function building the rope chain and just to give you an example.

you can see here function to retrieve the code section rest of the deal on windows seven as you can sit that's a lot of the fault.

jones of the thought of this code is actually based on inspired by a presentation made it back at us a two thousand and fourteen and once again the sun go on and afraid of digging into complex exploit to make shoes of them in real life examples.

but to sell stays know that said the explosion loans the below them.

this is this is one sells me it's supposed to set up close usually don't know it but such it's like in such case and this component actually interest to binaries but all poet and in some but it failed to do know a defense company deployed in the victim and we did a portion of support out in march two thousand and fifteen.

so it starts with the the up on you can see here is very simple walk flow but he contends some interesting fills the fos one is a weird and gentle district so here's just a bit extra for x. rays so fast it will look at the locate the ten but before on it said the loss by to the body for that too.

and then it will create to us by with a very specific name it true then write one million time in this file and then read one million time in the same file that's all that it will check if the last bite of the done by befell still contains the body for the two if it doesn't so the ultimate executive so this could discuss trend. this but we believe this isn't even intimidation trick because they replaced it with a more common one in the most recent simple and also it might create in to help drive the operation that may delay the execution of the software also it may take to emulate also wrong be implementing them or in management.

so next step is to decrypt the pillow and to the compressed is operational in two incidents a plus plus plus the name uploaded by the rebels you can sit here on the screen.

after all of the local may use a local privileges dilution exploits depending on the simple one of these two cities may be used the first one was aware that at the time they used it and the second one is another gift from the hacking to mix. and finally the group amid the beloved assistant on the system interesting he was so many different techniques used of other past month some of them only used when the doorbell rings with system privileges you can see here just of show them right the windows come have checked hijacking and the just code executed with don't run the other thirty two. those techniques will first seen in of them on wells and sitting inspiration in crime want is something very common for the sin.

at this moment the village is running in such from should have. and the payload is actually go ricans and small well and you can see hill a simplified will forget. establishing the initial connection with this in several would be the first step. several times in the last few months but the fastest will try to rich google dot com and if you force it moves on how about if it doesn't fortune to retrieve the prosecution shoals for instance off well folks typical books for the profile fine and to abbas's if it exceeded it will come to distances of all gel the proxy. using those credentials and then if all the previous techniques didn't watch it will wait for user to launch the bros only not to inject into it.

the next step is to send a full state report on this to the since his fellow this report begins with the nih degenerated to identify the computer and also it will send the process list some information i'm just a bill number which is halted in a binary.

and then send this encrypted through the networking that was previously established is rather us more rippled but it is poverty nobel to federal security result shows an automated some boxes.

the finals that is retreating a configuration five from the since to sell here are all different values controlled by the last question of said the polypill will not go through them they're quite explicit but the main purpose is to don't know of another binary and to execute it.

first of all ideal.

i know that's got to watch and accidents well still they won and such computer is infected with said the problem.

same day that image fatal brought all know sure that soldiers that the results show said rieko is done noted on such complete all by said the problem so this is a classic by go with numbers come and interesting lead has the ability to extend its behavior by loading external plugins.

it is usually deployed after a successful infection it in such cases and will just component maybe old we know for a fact that it is still in use today. so we could arrive on the stem and didn't drop on which usually install the payload and its configuration it would draw the configuration at two places and that this the fells place will be in a fine name and is due.

and it will also could be the exact same data in the windows registry. of course since the configuration is installed by the bill should only have the privilege of will be able to determine the configuration used with its. no let's talk about the configuration can see here the encrypted addition it comes with a small head on and the data is dissolved with the six but key located at the beginning of the head of an it is randomly generated by the drop out following the key you have twenty bites its bite representing the size of a field in.

the data everything else is the encrypted data. now we have the company wants decrypted an here is the better representation of the expected fields so those values all those values time outside when i don't find them really interesting. here is seldom should own name. here you have to fly to his face with helm of the killer get should be enabled. he'll of the three years since the cells the filth one is the main one that all those awful backs. here is what could be to be an operation name of that we have phone so phone several them during the investigation some of them all shown on the screen.

and as i mentioned before said recall has the ability to load external plugins when loading one plugging it was told the us have displayed in the end of the configuration the there was room for them plug ins and in the initial comfort configuration all those fields of them to because the bill does drop without any plugins.

so don't know let's have a look at this bill it comes with twenty six governance and its companies identified by a unique number was among the richest i'm registered during the run ten using exported function name register new come and. and you can see here the original version of the few gems like for example so we can read write and you find on the discs can also list all running process is it down menu should the registry also it can update itself it's configuration all note on no external clinton.

speaking of plug ins they come as yellow and that will be loaded in the same address based on the pillow and thanks to that they can use and function of the main bill so as shown in the picture and here's what happens when the bills initial as a plug in its goals the plane in its export buzzing some function and this is as argument. claude provides the addresses of the function hunting the output fomenting and also the common registration so the plug in can register and in additional committed and here's an example of a plug in use and thought it was said rieko this wouldn't was just registering you come on this time opening image to be gentle distance to sell.

and also won't suddenly cost of meeting its rules and no every platoon by calling the and in exports in this case the exposed only dilutes the previous year just don't come and.

that's good to alternate you don't know well still they won and silica was deployed thirty minutes of tone that initially fiction.

same the four holes lado.

cells meets its agent which was demoted base of the belt light said rick will stage it is in law by bill written simplest list. for which there is a tryst windows linux and the us and hundred russian exchange and is deflected by bill the senate go they used it in most of the our operation of the us to use an unusual left all the rican instance phase light in selfridges. we dated exigent the ocean around the bubble november two thousand and twelve and it is still in use. so this point i just points might expect some supplies but for the elton's knowing and usage and diners right except that drumstick from the operators we recently got access to the source code of ethics agent.

and his ex-wife of this extract of the source files we found it is a fully working superstars project course been to the limits of russian objects agent and it was completed in july two thousand and just in which we know because there is a boon for though with a binary in it which was created a date. and this was good contains around age and feelings of those among just an anxious is so it is pretty big we believe this its source code derives from the windows addition to fix it on because i several places they that the locals just come into though some with thirty two uk calls to replace them to replace them by. linux a poke holes like disgraceful treat domination. and then there are all serve all dust in the pics agent the source code is a measure of action to and the shown to just buy a result doesn't three but it's still much as the call object of the victory binaries.

as you would expect in such a big project the source code is heavily come to the commons our make suffer but the reason lists of with some russian sometimes some as g.l. to describe district chills. but with that being said let's look at the communication more people.

so here we go to simplify view of the commission will flow in exception to give you an idea on the exchange and infected computer other come to run method is an infinite loop. which fetches the messages from the module that is that the channel is its itself from a job. those messages all an encrypted supply space objects which also realized and uncorrupted by the kennel and then given to the tune of control. the general control is the under fight interface to come to distance itself well and four was the messages to the since itself.

in the other direction that in the control you all he asks the sensible for an encrypted messages message from its model and the miss a age is then given to the channel which and say allies and the crips it and then gives it to the into the module. one of the beauty behind the simple design is that the china can follow is unaware of the current actual implementation of the network channel which can be based on his to be all e-mails. and in fact that you know when the second floor will switch but i'm a kid to different to know if the phone to use one is not working. and all his dig a little bit into the emotional was watching.

so the walk foot walk was quite simple. one that's under control i just described as miss age for the since his cell that nelson no sense and e-mail with the miss said as an attachment to an inbox depending on the simple in buxton be a female address the senate address all hacked e-mail address. and in this instance at all then retrieved the mail from in books and processes that at this moment. in the other direction distances of a has a message for one he said it might do it sends a message as an attachment in an e-mail to a different and books from which he said don't mention the rich was the mail. so some of the rights but the thing is when you use e-mails to implement to come and control channel fortunate to have a way to distinguish your e-mail from an unrelated e-mails late spawn all legitimate e-mails in the inbox and second unit by bus from fuel bills on your way to the inbox. and for those reasons the synod the locals implemented with it called the scheme which they describe as a little too protocol.

this political defines whole week's agent in my own style boats and here's an example of an e-mail following the political so protocol defines the subject of the e-mail as the base sixty four and putting up a value following this format which thought with a random key then about you could called such token was all.

with the key and finally the urgent agent id dealt with the sinking. the such talk is known by both the since he said on the stage and and that's how they can distinguish their e-mails from and hillary to e-mails. because the subject and checked the subsequent is here in practice in many excision some polls such token is a seven by the values that tends to become things the street chain. peter protocol also defines the body of the males and the at this month name remember all that that's been contained a tool miss age so those are simply the basic the functioning of some random but use. so the political but actually in all it's also the locals replaced the protocol with some have to use we call it the judge and political because those dilute the use all wars in the judgment language the for example the e-mail subject is set to judge in a merry which refers to a national.

the numbers in georgia. an the body is set to get much about which means hello and that's when name begins with the tell you right which mean detail indulgence followed by the time some. that is what this was probably don't know to attract attention in the judge and infrastructural is already in a hike judgment inbox.

and the country than the stage and no and has a bonus i just want to so few walls on the session since some first the chills because once again we get access to some source code and this was good this time was left in an open directory and the senate cell phone and it was index by google says that we funded by some where his.

for the appropriate to describe. the closest has actually approach to sell fallback instances silva and you can see from so files here that it is developed and by tim and was used between april and june two thousand just in which we know because they also looked fine with that with time some senate.

it contains around twelve k. lines of code because this is actually more than a simple really. what it does is it will translate the e-mail protocol from its agent infected computers.

into request of l h it's difficult for the back instances sell this to be request follow a specific four months call the to three protocol level three protocol. and by the way we believe that used the same kind of set up for the egyptian know rather than the emotional if any of this particular proxies just for the main channel.

so enough with its asian know let's come back to the chin if you don't we all still they won so the mission fiction cyclical was deployed excision for deployed and at this point said in a good to spying buckles on the dog at the same time so that if one of them is detected they don't lose access to the computer. and the next day's all going to be the time for information exploration and natural movements.

so during the next three three days.

the senate is going to drop and sells compute also bus while expected to lose they often use a set of tools called security exploded that off a livable on the internet. and those who can extract possible from a by itself software and such like bros all e-mails science the problem is that all that well known and they often depicted by and service so senate develop their own political tools in particular there is one for windows live meant that his drugs on cells from show. it has been compiled specifically for him as its such as the for the best for them to help the buff that only exists on such computer.

of course the hurdles for to retrieve the windows possible incest comes to go for that they got some custom tools to them when those bust walls from registry hives and without surprise they use money to its new gets lots and the which is often stalled unified them by the clock. all this all these tools may be deployed with the lp exports depending on the target configuration.

cells may also made this can show which is a small custom to be made to take screenshots when it is executed it takes just as could shut in rapid succession when the most movies and it does that just in times in a row.

and finally cells from its external which is a custom that what puts a tool to come to computer calls that not all money and richer or from intimate using the infected computer out as a pivot this component appeared in may two thousand until ten and it is still in use.

so how does pork exactly hear the initials attrition the senate since his cell phone is an intimate such computer so is in its organization report and is infected with external computer i am comfortable going to say network but down its rich of all from and done it and on it and those under control. but the average of four from cells can show six to know begins in corruption hence eight with those since his cell and the book was of this concept is to share of all supported to include the conditions between the two of them to do so it's no under since several both have a copy of the. the table filled with random looking bites that's called a stable to. then its to no company picks and those that will in the table to and the thirty two by road starting at this have said all is the key that extent wants to share with it since to sell but external does not send the key of course it sends the most of all this approach that it's not really know the table to. this book is another or road to look at the fixed have said this team and encrypted with the wasn't. the since his adult six the proof if it's correct that is if it gives the expected voter wants the curtain. i don't cells ok and said it's also for key to the footage would bite row starting in the us at all. so this point all that the data exchange between the since is set on external it will be also for entrusted with the chosen to. but is that sending that offset some of the key prevent the destruction of the traffic by his problem. also since two thousand and fourteen is this encrypted link is anticipated in to tell us which not about idea except that it's to know doesn't refer to such budget of the since his cellphone. and no the next that once the encrypted link has been established this instead of going on ice and to open its no with a target computer using an ip address all the money and that is a double that number. it's a no then opens its be connection with the target computer to computer a. i'm still feeling data between competing under since its level in both directions that is that the link between external and computer it was not encrypted so that any kind of tissue that i can before had to get computer we don't know exactly what kind of traffic data on the open top usually some through the external but. it has been reported to be used with us exact like tools old there's a cushion of come on the remote computer without having an agent running on this computer. finally it's to those identified by an aide says that external can management several of them. and so for example of up to know can be open with the comfortably and the snow will take care of the wording of the traffic in the collection all. to summarize the senate since itself can no risk computer a and computer or be about to simply using cells computer opposite.

and if with it's a known as good a caution of students we just had three days of information is frustration and instruments that action from the hurdle during this filth we could be to set up an additional assistance method on such complete all for long term monitoring.

so frightened around eleven a.m..

the longtime persistence myth that consists in a special excision binary could buy it in the microsoft office for go under the name them aside to develop this operation is done by another binary thought and emotion you can sit here and to write in the office faldo and is going or in is to have a nice for the rights and followed it felt like a pretty. the escalation exploit and then it could is the oxygen banner in an inside the jail in the of his fault.

to understand what will happen next fall soon to know that there is a legitimate when those dealer named inside the jail stored in the system started to fall bill does this joe is really used by office a petition in particular. and also need to know that they said didn't buy only exposed execs infection names and is legitimate develop so does this bunch of something that just what happened next.

this time so start of this accident and decided to lower the slow to and of the legitimate them aside the gel because it is in the local for the office and us this film before the system funded by. usage and then lows the real an insider deal from the system to forgo and feels its own exposed to all with the addresses of the from some of the damage on such that it's called to exigent baseball to actually go to the bridge to a general and the petition one crush. i know it's thought its missions logic in other words it's so simple sell sort of hydrogen based on the fact that they can write and to get off his father and by the way we have also seen recently it is such all the hydrogen technique with those lincoln for the jet have gotten through the windows fold.

so that countries the story of cells these things but cases of what happened to the sun targets during the field of infection.

no we have a pretty good radio for the senate accustomed look like. let's have a look at the wheel case we phone last year.

some day in september two thousand just in we received the unusual simple it was a vocal could produce to use by senate and it was showing this document as a decoy. you can see it is illegitimate invitation for geopolitics conference and this document is actually publicly available on doughnuts.

suddenly the bill is just to the lowdown and even lost it is written into a fully and since will get naming things going into don't tell. the walk was simple though we don't know the configuration file and base in this configuration it to the exit shoots and of the bill. just a myth that was just the run with its riches so nothing really exciting so far except that's we found another don't have the climate in two thousand thought in this time and in this golf describes the deployment of the time you can see we have done well and bit the same although and this time with a small help on the bucket in style.

so even if this would you don't infect m.b.o. based system this instead it will infect multiple russian of windows running an x. eighty six process all.

so here all the farcical the just after a successful infection.

the fastest all weird is the new malicious and your the second six saw is the origin not empty are called sold with the one by eighty and starting of the toxic door we have the core of the which is code old also be sold at last we have also for him to drive on and the. but also hired to gel in the registry but i would come to us later.

so is described her simplified version of this walk from. frost the militias n.p.r. is executive.

if the richest equate will cook the answer voice cotton which handles all only go read and write operations and by doing that which it is able to intercept every bite read from the just during the road.

thanks to that the with such as the memory for some specific bites in order to watch them those by it's been to get them jobs which is the next step into the boot chain has explained before.

so this point with enjoys bust.

and then the drug could face control again this is and this time the tour but the function or sell ostensible to channel look at it in willow that sixty which is the next day in the kitchen like to know and like the name suggests this function will call become the entry point.

so when there's no botched and the with the base control of these a cushion before the company's executive at this point the camera and all its basic dr all's well mapped into the best for memory and the integrated checks already performed.

so what this but does not only is it will look at the function and them up space and it will set the russell section of the disappeared dr bell to executive will be for hiding some code and it would also hope to a citadel entry point to execute this code.

the budget need to save all those in both interest is somewhat because the with a physical address will be accessible to the canon insulation so it will save everything in the canon head on you can see hit it hill we have the british base the rest of us have the function and them up by all space and also the original bites of the is. the entry point.

and no by buys bust and when the boy was loaded the hook with big picture.

so fast that could hidden in the russell section will write but the origin of entry point instructions to avoid being detected by the cannabis protection and this is where the which room up it's a physical address into the ritual other space by calling the function and them up space and that's all that it will be able to the crypt the hidden rival.

so there was three components involved the just moment the but to drive a will to create a fellow named to use almost component by the locals and to manually might get in to explore that sticks then this use almost component will decrease and load on the of itself hidden in the registry as well.

but this was kind of odd because the bible could have loaded on the other direction. and looking at the use all the components we have found evidence is that on the force in the interim that people used with this because it felt more precisely.

when injected on the elf it sets this specific exported by up to two. but the viable doesn't exist in any known some polls have been golf so than the fourth polling of the original pale we believe that the budget or at his drive on is connected to the economic model well. because we have found some soro several shelf to choose between the two families that is almost component is manually medicine to exploit his memory and all this code is shared between don't the elf on some of these symbols of like analogy to do so those three exports used in the tribal to abuse of a component respectively entry. the data and them in those exports also present in brecon a g. and used in the exact same way. so this might indicate that the rebels have access to look analogy source code all however we are not aware of any british are coming with black in a toolkit. anyway. and if with it let's go back to don't tell.

looking at some of the symbols of them though we have found another deployment in two thousand and fourteen and this time than the game with a common mode which it.

so the report bill poses to and show them the assistance on the system by injecting it into its products dixon and also to hide everything related to don't build to use on to the system so you can see anything on the disc thanks to the rebel they just left all kind of the big information in the samples so here's the exact the building up with during the drive alone.

when we can see the full the on the registry to hide the driver to road and the deal to inject.

we have to buy into this with it the fells vision the rich it was targeting windows xp computer else and was doing some simple as city hawking and the other of us aneurysm indifferent to drive though it was targeting more recent version of windows and it is based on an open source example main made by microsoft.

also we have phone or sixty four bit simple in the wild but we obviously the group also we don't really know how we manage to bite us the right assigning policy. an interesting really it looks like some development fall specific configuration light in this thing just one public targeting a computer running just just into insecurity.

so to summarise we only found a few samples of them don't use during the past three years which is not the lots. they were very careful with maybe the only news did for some specific targets the senses of all those samples were reporting on was like to bring to yells twenty though another rather for quite a long time. an they used the budget working on expedia in more recent best in the from those they made a multiple rooted for the same operating system best ones. in salt they walked very hall on the bus and smith those which is unusual in such cases and finally we know them that was used to download so rico x. and the and excitements mentioned only also this is different he connected to senate.

so it is no time to conclude with some speculative members because after looking at so many senate by air is the temptation is big to grow some general conclusions and i am that talking about the software than that talking about the tradition the more about the software in particular all the.

was a question we were often again between us as we tried to shoo in this position the diversity of the city software is quite impressive should think about it there is a deal for them although computer when those but it emerged last just as back door and there is an expert to infrastructure was that have just written custom exploits and the list goes on.

so is the diversity is good for them as it makes tracking and detection harder but the question is how did they come up with this bust of an ecosystem. they develop themselves all do they also development and we have a few hints forgotten that question.

just this and buyers often compiled specifically for target and after it has been infected the basic example of that is this fixation simple company the logging and bus for the employees in the ministry of internal affairs of georgia and their well used in the mail channel this simple was made specific trip to be.

run inside dismiss run it for. and motion only sit metal well in constant evolution in particular on external so the prado and exigent changed a lot since the fastest in another world the locals are part of a two minute outside of paid for one time job.

also among the voyage of the senate software they're all some shell techniques like building a also for key as the continuation of a hot could value and around them but you are using how could a tokens not what messages this is all too just just to example of techniques present insults. in its software developed in different languages so this is not the complete basic code but mall likelihood of the implementation of the same idea so. this may indicate that the same the locals are behind all this soft wells.

another remark on the development process it but they also in basic programming mistakes in the senate software for example here in linux takes agent a thread and all named handle get back it is terminated with betrayed exists but it should be handled sent back it as you can see from the condition before and. the coveted when this code so cold room could be based in the intervention.

also there is a hero in external there is a report message was built for the census of all wanted to know has been open with a target computer the ip address and the book number will have the target all written in the six bite before except that the memory point out is not an increment to between the two rights and. thus the portable right the political rights the ip address and we can assume the since it does not even should be repulsed so the mistake as going unnoticed and there's just too quick example of mistakes you can find in the senate code soul the rebel does not have the courage to process an overall cynical often. and feels really had much.

following the site in this is up to us and sometimes inspired by excessive problem crime well for example set up with a reduced assistance smith goes from climb well and shells some code with called up while don't know which is code bell some similarities with but some only a symbol of the country. we may be tempted to conclude that the drop off connected in some way with some trust the crime what communities.

and finally the exploited the look on his family names like photo and low fortunate dogs all mr the show with his which is a cycle plato for the better to demote from an exploit its so if they'll able to use those name in production. we can get that down to fourteen of the reform own environments to say the least.

so to summarise the speculation we believe that senate has some in how still the lapels walking with little supervision and those guys have ties with crime were on the ground. which is not so common for this kind of hope. and you shouldn't really would be good to discuss about that.

speculation and it's time to compute. senate activity increased a lot during the last two wheels they are being targeted attacks on the lots of different targets no and up to a kid is in constant evolution so that was different to the finish him off and to come for model itself cells.

so thank you very much for your attention no. let's see. you left or right there is a lot of time for hocks we don't have unfortunately a microphone say we can pass.

around in the audience please go to the micro found microphone stand there were already here. ok let's start with the internet's do we have questions from the internet. but. so. so a one question is this russian state now where.

i want to answer this question. i can just about that. we don't do any sort of a tradition because this is very difficult to the. another question from the internet. but no more serious questions from internet just know why. please when you exit least be quiet respect that there is some people here who just want to know a little bit more. there is one question over there to the right guy for question india it's a double were period that you found a little for literally us nowhere or as a morris found you see a development in code that is based upon the idea is that they get from these mall where.

and this is that have been made in those periods i would say yes items talk about it the indisposition but expect for example its to no wasn't up for skated befall at some point and then they started to oppose get some more recent simple so i was serious. thanks. more questions yet there is one question over there. i will have liked may be obvious question may be speculative the do you have been in this group has some high school like russian government or russian secret services or something. i already told you want as i want to answer this question because like where they can use russian language but that doesn't mean anything right.

they are. i. sorry i didn't understand the. the.

we didn't finish ok so sorry story a neat i need to repeat the question as to your question was what there are any reaction of your research on their site that right ok. like has said before of when we started to and the lies they still receive since some a position to mix of implemented in the in the six wells have also the result is quite showing its we pollute with published it's like a few months ago so i would wait until the way too. little to see they all actively switching things up on. but they'll definition be reading the papers that would say things on. there is one question that back over there have you found many parents in the target stay intact. sorry it didn't have you found any patterns in the targets they attacked at the reactor to sum up the. the charts probably they was the first question the second is have they reacted to to any off the reactions of the targets. with the union while half a foot had did they have fall off and hacks on one different targets because they found some some information on the first ones. well let go because this against those bubbles all isn't the drugs before the recovery since phase if the delegates isn't interesting you won't see them on the computer and so this is what you want to know now i mean they have targeted amount to a head that some attacks on specific targets yellows. and so you've probably talk to the target i don't know why not because wall some targets as it once it's like to and us is so that's not the specific people so we can try to resist them but they don't have to stay and saw us every time something people or try to recess and i'll do my show. the main the money in the middle i would say but i never saw him about anything from the targets like when i give them the ripple toll. read one question of your back and i want more i'm doing the work you are doing are you concerned about your personal safety and.

i'm in i started this fortnight one year ago so well said.

i. more questions. internet. so what more from internet of what do you think of the cord strike report to people or us going which one them into poll rippled the one of all the democratic national committee. i have no further information right now i first noticed. they made quite a few. we still got enough time for questions so of yet here we i want to do find any one of the winner abilities when the new investigated the cult of i think my colleagues did foam some. a low but he also won the gold but the most system really is the abuse or is about flush on the window of his case i phone the some polls show right up till that they won't want to public but some although some of the company. his of publish something about so sometimes you can find on the bodies is relevant to confine them and a follow up did you find anyone with the tees in the in communication to the amount of control so overall anything something else we looked about about likes to play this. i mean they made some plumbing mistakes and their clients items such as well as but they don't know about this and seven everything. more questions yet one from the internet. are there any patterns to the fun aims to use and i don't think so. it's an interesting question. anything more from the internet. i. could you could be used to make the microphone place or would be great thanks. so. the believe that the u.s. agencies that have done some sort of at the be shunned that they have more information than you. that means more information than we were more than the present day so paulo religious a at the beginning we might be missing part of the picture on this is why some of the company's a publishing very good reports so deflation. but there is a question of whether a game say microphone. this might be a dumb question but you said the targets don't usually contact you so how do you know about the targets well we have to the metro system this third for i don't like at once five delegates like i know we have hits we have buyer is we have some polls we on the lies in them. can we help and finds something still it is with the one he's told me about delegates i was thinking about the key lists we fall on this is why we didn't come back to the e-mails and like us that if you think you ought to get it you can come see me and i will look into the. is this huge that was laid some till does that make interest to. welcome. more questions. internet your place. many mass deployments of this type of mao wearers it's only very individual tax it's very targeted there is not like of widespread infection song anything. anything more. internet. what we certain that the certification on the previous question and wrist specifically interest in the report that attributes russia to the d.n.c. and then there's another related question and asking other differences between quite straight. supports and years. i don't believe all talking about the same things because when we see when we see something published by the exploits of all the recent exploits will not like doing this to the top it all since it's already on the internet soul well all white paper was a technical breakdown. solomon of death toll could light takes agent external and i don't think they talked about this one. more questions. the internet's audience. we still got time for him. all right to know that it's the younger internet go have a internet is asking if the the targets are any better protected night.

dell bit but like more protected while we are detecting the simple so if they already use its own security maybe but if.

the the goal of the white it was to provide the us is also for those assessments all people that all managing infrastructure those social looking for that you can don't know the weight but on the blog and there is a pretty pretty extensive list if you want to protect to all infrastructure on. all to incident response of course because we don't agree that's. i. i don't see questions in your still internet something they're no good in quiet. well then there's one more question of where i know it seemed that didn't have a text have focused on windows machines. does that make on like is said to have a second stage by door fall a stent the u.s. and droid limits and like the sort of its agents his own exhaustion. and we also have since it up with a simple as for west and i think if i recall correctly so they have like a big or small. welcome. ok that we can question of when there is no further questions as is my first visit to see she does anyone have a good fit for good bar in that had how guards. i think social life when we can discuss a little bit later so once again messy people who. you lie.