
ASEAN and BRICS: Long-Running PRC Espionage Operations

BSidesROC · 2025 · 53:52 · 52 views · Published 2025-03
About this talk
Elastic Security Labs presents analysis of sustained Chinese espionage campaigns targeting ASEAN and BRICS members, focusing on political and economic intelligence gathering in Southeast Asia. The talk examines threat actor tactics, malware capabilities including lightweight loaders and Graph API abuse for command-and-control, and case studies demonstrating how defenders can regain environmental control against sophisticated state-sponsored adversaries.
Original YouTube description
In this presentation, attendees of all experience levels will receive an overview from Elastic Security Labs that describes long-running PRC espionage operations impacting members of the ASEAN and BRICS political and economic organizations. This presentation will describe conventional and novel threat capabilities, as well as the major motivating factors behind these campaigns.
Transcript (English)

I want to introduce Devon Kerr. He's Elastic's director of threat research and the founder of Elastic Security Labs, a team of researchers with expertise in malware intelligence, vulnerability research, incident response and security engineering. In addition to monitoring global telemetry to identify and disrupt adversaries, he and his team develop mitigations and capabilities for Elastic Security solutions and its users, discover previously unknown threats, track groups and campaigns, and coordinate security research across Elastic Security to help democratize access to knowledge and resources. Devon formerly led the Endgame response and applied research team and held technical roles at FireEye and Mandiant, leading incident response and eviction efforts across practically all industry verticals and regions. And I want to make sure that we thank him for being one of our speakers, so thank you very much, and take it away.

So this is actually super cool, because it's been 10 years almost exactly since I've been at BSides Rochester talking to a group of folks just like this, and nothing gets me in a better mood than nostalgia. So today we're going to talk about some long-running PRC campaigns that my team's identified, and the reason we're talking about them is not because they're capable of impacting half a billion people who live in the region. It's not because there's conventional and novel threat stuff that they did that's super cool. They did those things; you're going to hear about it, you can read more about it online. The most important parts of this are not what they did and why, but usually, I agree, that's the most interesting part of the story. Instead I want you, throughout this, to think about your environment, the one that you spend the most time in, the one that you're responsible for, and what you might need to do in order to shape that terrain to your advantage. And I'm going to give you a whole bunch of case studies about people who failed that lesson, and we can all learn from this. So time is tight. I'm not as interesting as this topic. If you want to talk to me, I will be here. I live here, I operate businesses here, so it's very active.

This is one of those topics that I spend a lot of time on, but are there any fans of cognitive science in the room? Awesome, I wanted to see hands and I'm glad I got them. Cognitive science plays a really big role in intelligence analysis, and there's a fact about your brain you may not realize: you can't read and listen effectively at the same time. So what I've got for you in terms of slides is actually a bunch of really interesting reference images. I can thank Google Gemini for creating a lot of them, but they provide an interesting backdrop. I think they got it wrong a lot, but for me actually that was one of the more fun parts of putting this together.

So I'm going to try and give you absolute basics. China's ambitions include seizing the South China Sea. It's a region where a lot of people live. It is a place that has considerable resources of pretty much all kinds, both mundane as well as unique. China has really few options for continental expansion, and that's a concept that people think about in geopolitics; it pertains to their ability to move back into the continent. What do they run into? Well, they run into India, they run into Russia, they run into folks who are not going to give up their ground.

And China is a key member of a lot of intergovernmental groups with a global focus. They often use this, along with both diplomatic and maybe less healthy, undiplomatic tools, in order to gain advantage in those relationships. China also has a really impressive navy, and so we might think of them as a maritime power, but by the definition of that according to geopolitics, they can't really defend themselves primarily from the sea, so they're a continental power, just like Russia, like a lot of countries. And this is relevant to how they prioritize threats and how they make decisions, and we'll touch on a couple of these things. I'm going to warn you a few times that there's generalizations here.

So I think that Sarah Paine, who's a famous historian, probably has the best and most nuanced take on this, but essentially a lot of the continental ambitions of China are to help pacify the Han demographic, which makes up really the core of that country. Western consensus right now suggests that their ambitions towards China and the South China Sea are really about keeping this faction together and united. This also makes up the largest economic faction in the country, and this is really important because the Party of Mao knows what happens when a social revolution breaks out. The last time it happened, about 100 years ago, it didn't end very well, and the short version is really unpleasant, but millions and millions of deaths, usually due to famine.

And it's also important, when we look at this map, to realize that a lot of the demographics that they take advantage of, that they oppress, live in buffers. These are places, terrains, between them and their neighbors, and so they will always, you know, as a continental power, interpret that as a place where maybe unrest will come from. These are all super important, very high-level concepts about why this is happening. And although we think about China as a continental power, it doesn't mean it doesn't try and touch every corner of the world.

You could see in this map, which is a little hard to see actually due to the whiteout, but this is a map of the globe with places where China is establishing naval outposts. They've already basically taken over large parts of the world: Africa, Southeast Asia, South America, they've got naval outposts everywhere. And sometimes they use checkbook diplomacy, which is essentially financial leverage, to get these things built, but they extend their reconnaissance abilities. These are places where they've got sonar and radar now, they've got visual line of sight. These are places where they can refuel that navy that they really want to project power with. This is also a place that gives them a pretense to be active in these regions, which is important for us when we start to think about this in the cybersecurity context.

In Africa, just as one example, the Belt and Road Initiative, which is how China sort of funds all this, has built mines, roads, schools, military bases, airfields, all kinds of stuff, and there's a whole subculture of people who track all this. If this is the first time you're hearing about it, I'm sure it sounds very shocking; it's not the most shocking thing you're going to hear today, so buckle up. I did want to point out that there's two places that we care right now about China's ambitions, and so one of those is at the Strait of Malacca. It's between Indonesia and Malaysia. This is one of the biggest shipping lanes in the world; I think roughly a third of all goods travel through this narrow body of water. And then the other is the Panama Canal. China's the second most common user of the Panama Canal after the United States. So those are again very big economic pressures that are active in the world, super relevant to this topic.

Let's talk about intergovernmental organizations very briefly. I'm not going to bore everybody. I think a lot of this stuff just provides an interesting backdrop for, you know, this threat phenomenon.

So BRICS: Brazil, Russia, India, China, South Africa since 2010; UAE, Saudi Arabia, Indonesia just joined this year. And really this is about being able to form policies that have economic benefits to them. When we think about the very high-level parts of why there are conflicts for China and BRICS, Russia and China really are pursuing a new world order. They're trying to seek a new world order, at least one where they are dominant or co-equal players in it. They perceive that current world order to be an issue to them, and for folks who've been following history, the modern economic world order is believed to be founded after World War II. We can still carry that forward, and it's starting to shift, but through government agencies like BRICS and ASEAN, some of these world powers are trying to shake things up for their advantage.

This is one of the causes of strife between members, because some members want to play nice and others want to upend the apple cart, and that's why even these groups that look really monolithic, they look like groups of allies, are actually really fragmented, and they're kind of pissy about it. One of the most popular goals here right now is to destabilize US currency. BRICS has voted to change that. We'll talk a little bit about why. First up, labor costs. Labor costs in Central and South America are really close to what they are in China; that means China has no longer got leverage as a manufacturer. That's not great, because economic security is really national security.

When we think about strategic expansion of navies, especially those with blue-water capability that let you force-project across an ocean, well, there are not many of them, but China's got one, the United States has one. Indonesia actually has the fourth largest navy in the world, and they built it faster than anyone, so if you're China that's probably a concern; they happen to be in Southeast Asia. And of course India. India has massively reinforced its navy. Folks who've been paying attention might have noticed they just put a secret naval base in the Bay of Bengal, which happens to be right where that Strait of Malacca empties out, which again, huge shipping lane. There's some other stuff there with Vietnamese canals; they're trying to improve their ability to get stuff around that part of the world, and that's all about economic and military safety.

Rare earth mining, metal commodities, probably one of the most important topics right now. All over South America mines are being built to extract these; all over Africa, being extracted; Southeast Asia, being extracted. Everybody's fighting for the same stuff: neodymium, terbium. Brazil is one of the largest producers of rare earth metals, sells everywhere. And so when we think about these commodities, it makes sense that China would invest in those regions.

I might have mentioned food security is also national security. In Asia significant populations rely on agriculture, not just for their livelihoods but also for trade. Climate change is one of the biggest impacts to this right now; famine, drought, two of the biggest factors. And as climate change continues to kind of rip through the world, these pressures will get more acute, which will motivate world powers to act on them. So again, these things are all kind of related, directly and indirectly; it just kind of works against China's control over that Han population. And with the addition of UAE and Saudi Arabia, BRICS controls 40 to 50% of the world's oil now. This is really relevant to destabilizing US currency, because what is oil traded in? US currency. Since when? Since the end of World War II. We've kind of circled back a little bit on this idea, but because the US dollar is tied to commodities, it's one of the reasons some of those world powers are opposed to it.

Moving on, ASEAN. This is the Association of Southeast Asian Nations. There's about a dozen member states, several ascendant states. Really founded in '67 to help with economic and security issues in the region, which was very fraught at that time; you have to remember the backdrop to this was the Vietnam War. Lots of conflict highlights here, but I think a lot of these will be a little bit more straightforward than South America. We see that there are, you know, tensions in the South China Sea. I'll go into all of these a little bit more explicitly with some fun maps; I hope you guys like maps. But really it's because ASEAN's a non-interventionist state. This has allowed stuff like the coup in Myanmar to go on for a couple of years. They try and use economic control to encourage their neighbors and fellow members to behave themselves, but unfortunately it's a little toothless.

And so geopolitically there's not a lot of options, and that means that they're very easy to pick off. It's very easy to target a member, and we'll talk about some of these campaigns and how they have done that. It is unfortunate how much white space is in this map. For decades Chinese maps described the imperial dynasty of China with nine dashes, and this is a really important idea, but it's one that's poorly understood. In 2023 they leaked a new map. This map had a tenth dash, and it represented their ambitions for 2030. You see that Taiwan and a few other islands in the South China Sea are part of what's called the first island chain. By 2030 China intends to have full control of this, for reasons. I will go into those reasons, trust me.

But also, if we look at what they're trying to achieve with that tenth dash, it is really an obvious process: they're pushing even further out. Remember they're a continental power, which means they're anticipating resistance from the water. In fact, if you think back to that demographic map, they have an entire coastal population that is itself a buffer to that Han demographic from Western influence. So all of these things are really carefully engineered. The reason this is really important is the second island chain includes Japan and it includes all of Micronesia, so their goal is to be there by 2050, and things are heating up fast. And again, this is all backdrop to the work that we do and the expressions of this sovereignty that we see.

There are actually kind of a lot of issues with China's plans here, but one of the big motivators here is microprocessor competition. Singapore, Taiwan, some of the biggest places manufacturing chips; new plants in Malaysia and Thailand, all competing. And of course there is a belief that things like AI and quantum computing will really be decided by these hard technologies, these hardware technologies. China believes that, and they've been working against the microprocessor industry, at least in my exposure, since about 2010. This will be a thing that's part of their, you know, kind of foreign adversary approach. They also like buffers. China really needs buffers with its neighbors, and so things like the Himalayas, that's a nice buffer to India, which is another competing power. It's got the Ural Mountains, which doesn't necessarily serve as a buffer to all of Russia, but the mobilized part of it it certainly does. And we should be really careful as their economy falters, because China only has so many places they can go, and Russia is being less than a great friend right now. So we've talked about all of the

background on this; hopefully this will give a little bit of context for this piece, which is details about the espionage campaigns that we're actually talking about. A little bit of background here: every organization has their own nomenclature. I'm not going to tell you our cryptonym because there's no public interest, but when we talk about naming threat activity, we name our activity groups REFs, REF and then a four to six-digit number. These collapse, these fracture, but essentially these represent observances of a threat during a campaign. So we've got all the pieces: we've got malware, we've got infrastructure, we've got victims, we've got actions on objectives, etc. This is just the language we'll use, and it will come up a couple of times.

So REF2924, the one that started it all. This was a compromise of a Southeast Asian foreign government ministry by PRC, using a couple of different novel capabilities, one that we called SIESTAGRAPH, alongside NAPLISTENER and SOMNIRECORD implants, typically installed on web servers or email infrastructure. Commands and responses in this case were hidden inside of Microsoft's Graph API, so there was no real way to detect SIESTAGRAPH in the environment. These malware families basically masqueraded as other network services, in a place where that is the default form of detection, where there aren't endpoints to detect these things. That'll also come up in a moment.

When we think about victimology, this threat group singled out a single foreign ministry of a single government. They also touched one utility in southern Asia. Historical evidence, though, of this campaign suggests that they had successfully targeted and compromised at least three other members of ASEAN. I want to emphasize that threats don't just steal money or intellectual property, and that sometimes what they take is life, because this threat group told us what they cared about. They always do, and this is where cognitive science plays kind of a double role for us as intelligence analysts, because what they try and achieve informs their objectives with that data. So you can imagine my surprise when we're monitoring this threat and they're dumping the email inboxes of hundreds of Foreign Service personnel. These are Foreign Service officers, more specifically, so we can think of them as clandestine personnel, and they were not looking for them under their real names; they were actually looking for them under aliases. So imagine the prize you would get if the threat actor found your name and your address and your travel itinerary, because they had dumped your inbox. Sometimes what's waiting for the threat actor is a multi-part WinRAR archive, and sometimes it's something else, and this is one of those cases where we got as close to Jason Bourne as any of us get to get. The real job is usually very mundane; this was crazy exciting. We were actually able to work with that government to recall all of those personnel, which is a story I will never tell. But yeah, usually they'll tell you what they're trying to do, they'll tell you why, and in this case it was pretty clear. Folks operating under diplomatic cover, definitely at risk; this government seemed to agree.

So in this environment we saw lots of malware. We saw SIESTAGRAPH, a full-featured backdoor. It was installed on email servers; it basically served as an inline forwarder. It could read all email, even the stuff that they'd encrypted with S/MIME, because they delegated that to their on-prem Exchange server. That was a bad idea. And because all of this communication happened over the Graph API, well, what could you possibly see? Very little. And what's really cool about SIESTAGRAPH, for folks who followed US politics for a while: there was a US general who communicated with his mistress via his Outlook drafts, and he did this because he knew that when he sent and she received email, the content would be inspected, so they just wrote it to drafts. Well, guess what happens when you create a draft? It never writes a thread into that buffer. You're never actually sending email, and their entire C2 worked this way. So the Exchange admins who were monitoring these accounts actually had no idea any of this happened. This is one of those things that was super covert, and we were able to disrupt a little bit.

But, you know, there are other families in the environment. SOMNIRECORD. SOMNIRECORD I love because it masquerades as a DNS client, but it's not really DNS. It uses these really obtuse TXT strings that are crazy long and Base64-encoded to send and receive commands. If you were caching that you might notice, but in the region where this happened they weren't, and then once they could, well, they still really couldn't do a whole lot about it, because they were looking on the network level for what was not DNS traffic. It was HTTPS, and so their really smart switches knew what kind of traffic it was and just hid it from them. And so all of this happened; it was very, very hard for them to get their arms around.

We saw a couple other things. We saw DOORME in this environment; I'll talk about DOORME in a second. DOORME is another novel backdoor that functions sort of as an IIS module. I'll talk about why that's bad. We also saw ShadowPad. ShadowPad's sort of like the default PRC toolkit right now. Big-picture stuff: code stolen from GitHub appeared in every one of these malware families. Each of these implants was designed primarily to evade network-based detections, but actually on the host they were clown shoes. It was the sort of stuff that, like, your entry-level SOC analyst would say, "Oh, this very weird and unusual attributes of a binary, it's doing some strange things on the network. I don't know what it is, but I know it's bad." And unfortunately they just didn't have the experience to make that call. We also saw evidence of web shells, and we think that this was all done through an initial web-facing compromise. We saw some evidence of ProxyShell vulnerabilities being exploited, and then shortly after that,

web shell, SIESTAGRAPH, badness, war crimes. This one, I think the victim tried to evict the bad guy several times. We saw evidence of it at least twice; we think that they had made an attempt much earlier that they were confident succeeded and then failed. Unfortunately they never really got their arms around it. In fact, all of this is still ongoing, two years, three years out; as of this morning, I checked.

So REF5961. This is another one of those campaigns. This involved a threat group that had compromised government and other websites to deliver a series of fun malware implants: EAGERBEE, BLOODALCHEMY, RUDEBIRD, DOWNTOWN. These are all custom implants that I'll talk a little bit about. You might notice, you know, in some cases in the diagram they're kind of slinging malware on top of each other, where they've got two or three implants on a single system. Sophos did excellent research into this; they call their Alpha, Bravo and Gamma groups, in their Crimson Palace report that came out earlier this year. Our intelligence analysts had a blast working with them to kind of understand two sides of this. It's one of those cases where the vendors saw each other in the same customer environment and were able to make some magic happen. Super rare; if you ever get the opportunity to do it, really recommend it.

All the victims of REF5961 were employees of foreign ministries in ASEAN member states, multiple. Although chairmanship rotates every year, we think that the groups responsible for this particular campaign target all members, and again historical evidence does support most of that. There are probably two or three ascendant states that we haven't seen targeted yet, but give it time; when they pick up the chairmanship I'm sure it'll happen. We did not feel, even though we know who was targeted, what their real goal was. When we look at what the adversary tried to do, they were really just deploying a lot of malware, maintaining persistence, testing multiple payloads iteratively. So version one: how did that react, did that get detected? Okay, stomp it with version two, version three. In some cases we saw them trying different configurations, like different persistence mechanisms or even concurrent persistence, and then disrupting a system, obviously environments where they knew they were not going to get caught even doing these kind of YOLO cowboy things.

Big takeaways: EAGERBEE was really lightweight. It retrieved almost all of its functionality from C2, so think about the malware: very simple loader, reaches out to a benign Cloudflare-protected, you know, outpost, pulls down two or three bytes, really small amounts of data, reassembles shellcode, and that might be, you know, a credential harvesting tool. They moved low and slow; they didn't seem particularly concerned about detection, but they did use dynamic import tables for anti-analysis; that was kind of cool. RUDEBIRD and DOWNTOWN, also very modular. These two had sort of like function registries that they loaded up, so if you were doing in-memory introspection you wouldn't have seen those until they were called up and actually used, and even in some of those cases they were using encryption and obfuscation to hide strings. It kind of implies that they were testing security visibility, but we never really confirmed that. BLOODALCHEMY was super cool. It actually side-loaded itself with a benign application that was vulnerable to search order hijacking. They must have done a lot of research to find something that was native to the environment. And of course EAGERBEE and DOWNTOWN, we know that's a positive connection because they share a TLS cert. We saw those two, different victims, two different times, you know, with concurrent implants like BLOODALCHEMY and DOWNTOWN, so it made it a little bit easier for us to connect those two groups.

Finally REF7707. We just talked about this one a little while ago in public. This was initially focused on the investigation of a single government ministry in South America, in which we discovered

malware capabilities like PATHLOADER and GUIDLOADER, which load this implant FINALDRAFT, which is a lot of fun. It appeared, at least at first, like we were watching a really junior operator using somebody else's toolkit, because they were testing a lot of things and also making choices I would not make. And it showed us that the initial compromise was probably a web server collocated in this environment where it should not have been, right next to, oh geez, file shares full of diplomatic letters and all kinds of great stuff. We found that a shared local admin password was really the root cause here, and so if you're feeling like, well, no one would ever make that mistake and this sounds like it's 1995 all over again, yeah, it does. But that's the real world. Like, that is the real world. We could talk about how EDR is dead and all that, like BYOVD has made it impossible to secure stuff, but all this stuff still works. Evidence also told us this was a month-long intrusion during which they didn't steal any data; they just tested stuff, which is really a great hallmark of espionage. So we were dialed into the fact that this was probably an espionage group, but we didn't know who; we weren't sure. We had not seen them do the thing that told us what their objective was, and everything kind of broke open when we realized that they let domain registration of one of their C2 domains lapse.

So for the first half of the investigation our understanding was an espionage-motivated threat actor had targeted this particular ministry. It wasn't a complete story: we didn't have data theft, we didn't know why, but it did kind of tell us parts of a compelling story. So we kept digging, and, you know, when we were looking at their, you know, intelligence, doing intelligence analysis of their infrastructure, saw this domain, and we bought it. And look, we thought in good faith that we might see implants call back from that victim that we hadn't identified, maybe unmanaged systems or maybe even just in the region. We did not expect all the beacons to come from Southeast Asia. That was a surprise. Surprises are fantastic, because as I sat there with the intelligence analysts we looked at all the evidence we had, and then we see these beacons coming out of, well, all of the telecommunications infrastructure of an ASEAN member that would be opposed to China's ambitions in the South China Sea. And what's really crazy is this group of victims included the number one cellular traffic router for that country. It also included all maritime communications, that's navies and ships. So all of this stuff had military and civilian as well as general governance implications, and that tells a much more compelling espionage story, if I'm totally honest.

These different pieces of malware you can read about. I would say remember, you know, PATHLOADER and GUIDLOADER, very similar Windows-based loaders. These are under active development; like, we saw daily builds of these being tested and deployed. All three of these families use the same C2, all shared infrastructure, all use the same Graph API communication, the exact same version we found in SIESTAGRAPH, identical implementation. And we saw that FINALDRAFT is kind of neat because it looks like those other modular backdoors that retrieve most of their functionality from C2. We saw in a number of cases this can generally load any shellcode, but they really seem to like PowerPick, SharpPick, credential harvesting. Those tools tend to be detected based on, like, you know, IOCs in the binaries, so being able to load them this way, which is strictly in memory, FINALDRAFT never touches disk, often allows them to bypass a lot of those policies. But wait, there's more. I gotta tell you, Google Gemini did a great job with this graphic, because you will not believe the insane prompt that I gave it, and it dropped me this image.

So REF7707 was also really important because in that exact same environment we saw a different novel backdoor a couple months earlier. We called it BITSLOTH. Now BITSLOTH is really cool because not only does it demonstrate again years of development, it also demonstrates an objective for network evasion. And in this case, you know, it resembles the kind of, you know, in-process redirection that we see in RUDEBIRD and DOWNTOWN. There's a lot of inspiration shared between these different malware families. It's not enough that we're concluding that they're all developed by the same folks or even used by the same folks, but, oh gee, coincidences. I don't like coincidences, and in this case all of

these campaigns have multiple coincidences that sort of stack. So this is like sort of the final lap. You've borne with me for quite a long way, so everybody give yourself a round of applause. You know what happened, you have a sense for why, maybe, but neither of those are actually the thing I want you to take away from this. I think the decisions these adversaries made kind of told us what they wanted to do. Overwhelmingly, they invested in defense evasions of different kinds, and they told us they didn't want to get caught. They told us how they expected to get caught, and they also indirectly told us how they expected not to, and unfortunately they had even less of a full picture than I did, which is remarkable given how we stitched all of these different campaign narratives together. And it's important to note these have also been entirely ongoing. None of these engagements, none of these campaigns you've heard about have been stopped. We're working with folks all over the world, particularly in South America and Southeast Asia, to keep visibility, but there's reasons for that and I'll talk about those too. I don't have time to go into every defense evasion, so I kind of chose the ones I think people will see the most. You can read all about the published materials on the Elastic Security Labs website. I was supposed to point at the logo earlier; I missed my stage direction. But those are things that we've already talked about, and if you want artifacts, IOCs, all that stuff's out there.

But this piece isn't so. Defense evasion, generalized concept, again Google Gemini, oh man, we're best friends. I'm not going to make everybody go to MITRE and read about the defense evasion tactic category; I think we kind of understand what it means. You know, masquerading as a legitimate process, obfuscating functions and code, leveraging trust at third parties for C2, deploying as a benign server module, these are all examples of defense evasions. These campaigns employed everything from pretending to be a Google updater to dropping a vulnerable driver to unhook the EDR visibility; all of that is in this category. We only saw some of it, and some of that stuff's exotic. Now I broke this up by data type because I have a lot of love for detection engineers like myself, so those who think that way, this slide's for you, and those who don't, have some empathy.

So during REF2924 we saw the DOORME implant installed as an IIS module. These are essentially just DLLs that the server loads. And how many old-school offensive researchers do I have? Nobody? Awesome. There was a thing that preceded this called an ISAPI filter, which was one of my favorite persistence mechanisms. You basically just told the web server, anybody sends you a file with a weird extension like this, load this random DLL. I once saw one of those sit persistent for 14 years, never touched. Yeah, that's old-school persistence. Well, Microsoft got wise to that and they modified it, and so now there's another version of it that's just as cool: IIS modules. Don't have to be signed, don't have to be verified, get loaded by the web server. The web server is probably going to be privileged; on-prem is just scary. So this is one of those cases where, you know, we think what the

adversary knew was that the analyst would miss this they would look at the I module and say oh there's a lot of these ERS in there they're probably all good I don't want to go through 150 dlls and figure out which of these came from Microsoft which ones didn't I don't have a tool for that so they didn't do that and they didn't detect it and when we told them about it they explained that they didn't have a way now this impacted multiple organizations who all responded that way and that is why I will close that Loop in a minute um now the only way to really detect dormy is if you have inra process

visibility specifically if you can monitor and process memory that DLS are being loaded now yeah sure etw might record that you loaded a dll from a place at a time but it won't tell you what it is um in a lot of cases we found that endpoint visibility would have just precluded all or most of this um and almost immediately because the malware is super low prevalence but also it does incredibly sketchy and rare stuff so the host base piece is kind of over um from a host based perspective they didn't try very hard they didn't put a lot of effort in from my perspective and they didn't need to in none of these environments did they encounter

resistance so none of these places had an endpoint that could have seen any of this they would have only been able to you know retroactively go look for it with things like Powers shell and maybe osquery um we tried talking them through that they didn't seem very confident in using osquery but you got to remember it's public sector government folks have a lot on their mind right now um and so I think there's a group of folks who will look at an adversary that uses a clumsy technique or maybe something that superficially looks unsophisticated and say like oh man these guys are clowns well they're minimalists they're brutalists they only bring out what they need to so turn that same snark on their

victims actually because all of this was enabled because victims had not done what we would all consider pretty basic stuff um Sarah asked the question earlier uh I think or I think the question earlier was like how many folks are using an EDR tool and there were only a couple hands went up well in this environment there were no people using any tools there was not even Enterprise antivirus and it's 2025 so because they will use a minimum capability um sometimes that allows them to essentially Escape um when organizations aren't prepared um these went largely unnoticed uh in large part because they did have Network visibility they had Network metadata collection they had some net flow stuff they were

collecting most of the inbound and outbound traffic based on major protocols um unfortunately that really didn't work because all of the network traffic was encrypted and a lot of it was The Trusted places and first I'll talk about encryption everybody likes encryption um for the most part this threat group likees https um they would install on web servers and fun thing about web servers they often remotely retrieve content for their for their own applications so having them Reach Out And beac into a cloud flare https IP was not that weird um and unfortunately a lot of network analysts responsible for this missed it um we also saw that it went hand inand with the fact that they chose IAS

modules for their operational persistence that combination was really targeted against the socks of their specific victims which we think they had been there before we think that they've been playing cat and mouse because they seem to really understand those patterns in in in a way that's more than intuitive um in a way that suggests that they've been there before um we also saw that they deployed web shells everywhere but they almost never used them they would often deploy a webshell that we've never seen them use they'd test it go through four or five functions we think they had a script for this and then they would just leave it because they were waiting until we dimed out the next

payload and booted that one and then they would just come in through a webshell and drop another one and this was a game that we think they've been playing for a couple years um they're really good at it but they're actually not better than that game and that's another Dynamic I'll talk about in a minute um we saw a lot of cases that web and script content that was deployed did not get introspected by antivirus on those few systems it was present on and they also knew this so we saw them testing different rting languages at times sometimes even converting stuff that they previously had working in another language to another language that broke so that they could make sure

what was really possible in this environment again they were setting up shop to live there I promise I will stop saying this but I'm going to come back to that later um and this diagram from aami I think does a good job of like generalized DNS name resolution their back doors that resembled DNS essentially uh you know made these requests outbound that were not captured um so they knew that although DNS was being cached in those victim environments they weren't catching requests for certain types of DNS records so a txt lookup or maybe like try to look up a dkim filter or something maybe that got a little too noisy so they decided to filter out that

particular part of the stack we never got a good answer um but we also saw that in the case of final draft um typo squatting was frequently used um you know essentially taking the names of very popular security and it products and turning them into C2 I don't know if it was them winking and nodding at security companies like checkpoint or if it was them just trying to blend into the noise or 5050 um but these were things that actually none of the analysts thought were weird when they saw a bungled like VSS spere domain they just thought someone fat fingered it moved on with their lives there was no followup that was Sonny record so um Esa graph uh

final draft these all used the graph API for C2 um this had a couple impacts really worth noting so first you know Microsoft provided the code used for this actually one of the guys who wrote the graph API itself wrote some demo code that they just put into cestra and final draft they just modified it in some very subtle subtle ways and got working C2 out of that um we saw that this basically neutralized them to the victim you got an exchange server that's talking to the graph API six or seven times every time a user does anything in their inbox well this did the same thing and so it went to the noise they never

saw it um it doesn't look like beaconing because if there is no draft command for the you know for the implant to download um it just checks in it gets that count and then exits and so there's really very little visibility here there's not a lot of huge data transfers um and we also saw they didn't use this tool for data theft they would often move stuff to a web server and then just download it which is super helpful because that's exactly how people interact with down with web servers right you just download stuff well the analysts at this particular victim thought so too it's totally normal and that was great um because these use the drafts capability

they don't send any email obviously it's much harder to analyze without some serious consideration so if you're an Enterprise and you can actually like look at people's email drafts that is a huge privacy implication very few security teams are going to be able to do that or write Logic for it in this case it would look like gibberish um because it was all encoded um and of course in the in the case of 7707 we saw them using Google Firebase as a way to distribute final draft so they would reach out to a Firebase protected domain that they'd previously set up pull down final draft execute it in memory and then move on uh this can be really challenging because

they're essentially using all these trusted SAS platforms to smuggle stuff in and the option is really to block those or have endpoint visibility um so 50ish minutes ago I kind of told you you were going to get an overview of these campaigns and operations and a bunch of capabilities and I I hope I upheld that part of the bargain I want to point out that denal is French for robot party um if you remember just one thing about this having control of your environment is the secret because none of these victims actually had control or understanding of their environment but if they did there are so many places where they could a achieve different opportunities um there's some lesser

takeaways here but I want you to embrace your role as active Defenders and that's really the call to action here um it isn't fast or free or easy because it can't be sorry um but owning your environment actually is really effective and if it's the right way that works works so if you've tried everything else and your Enterprise still doesn't have that squeaky clean feeling maybe it's time to try something else um first not everybody's going to be targeted by PRC that's not a reasonable assumption very few people in this room are going to work for orgs that are targeted by China for any reason um but this is a case where we absolutely can learn some

things like how Microsoft's graph API can be abused for C2 as a general purpose piece of knowledge that's super valuable they made us a little bit better um although a lot of Espionage groups move Edge word the conventional stuff still works like yeah all access attacks on Juniper stuff is going to keep happening but there will still be environments where you can drop an implant and rock and roll and so you will do that because it's about the most efficient way to succeed they don't care if it's cool they don't get internet points only we do visibility does not be capability but it's kind of a necessary prerequisite you got to be able to see stuff to stop

stuff I think you actually heard that this morning um many of the necessary Technologies to do this are free wink wink um please don't consider visibility the end it's the beginning because some of these operational groups they can wipe you out in less than an hour so if your meantime to remediate is more than that that is a strategic problem for you that is a thing to work against um also visibility and capability you know it may not always be possible they're kind of cable stakes in a lot of ways again my team develops these capabilities so use them um and finally you know we're kind of privileged if you look at this diagram and you don't know which ones are the

monsters that's kind of telling but um we're really privileged because there's things that we get to experience and see that nobody else in the world can understand and we get to translate it for them that's what a lot of this is I get to see a hundred billion Telemetry events a year and a lot of people don't and so what can I share this is some stuff that was really useful to us in protecting organizations and maybe it'll be useful for you this is where I would drop the mic but I feel like the vibe is a little too colorful how much time do I have do I have time to do a question all right I I guess I'll do

questions. I didn't expect to. Who's got them?

Just a question. When you were sharing some of the methods and how they were deploying some of those implants, were you finding anything like logic bombs as well?

Not really. So in all of these environments where they were dropping implants, they knew they wanted to drop an implant, and the primary success criteria was, do I get a callback to C2. We saw them drop multiple implants concurrently, sometimes we'd watch them drop in a series, but multiple implants, and in the case of web servers, drop implants, write a web shell, test the web shell, test the implant, next system. Most of these were not mass casualty events. Very few of these places had more than like 50 or 60 compromised endpoints, but all of them had the same kind of profile: they talked to the internet, and again all of these things going directly out to SaaS platforms, cloud providers. The adversary really understood that terrain very well. Yeah, we didn't see any language controls. I will say in some of the phishing lures we did see them constrain, again, to Foreign Service personnel, both by alias and by subject topic.

I just had a quick question about the case you talked about where C2 was being done over DNS queries and the attackers knew which queries were not being monitored. Do you have any idea if that's because they just simply never got blocked, like those queries were never blocked, or if they actually could see what the SOC was seeing, like they had eyes into the same systems?

This is a really good question, because it's a question I didn't intend to answer and I was going to try and avoid it. So we know that they were monitoring members of the security and network monitoring teams. They had their aliases bookmarked, and so every time an email went across those threads they got a copy of it. We know that they did specific searches for DNS metadata, like they would look for an example substring in their email searches, because they wanted to know, is anybody talking about weird DNS stuff, and when they saw there was no chatter, a lot of those queries faded and then they moved on to other stuff. For example, when they deployed NAPLISTENER, which was an inline IIS module, they started going and looking at the webin to see, like, oh, is anybody talking about new DLLs that have been created on the web servers, because they were probably distributing through a file share and trying to put some of these things into backups and see, can I worm these in more persistently. That playbook is pretty common.

Anyone else? A couple. You go. Can I just say, I love questions. I feel like this is the part where I know that folks were paying attention, so it's super exciting, but also because I have no idea what is going to happen when that mic comes up, so this is a lot like Russian roulette. It's a big dopamine hit for me.

Mine's about the Graph C2 stuff. Were they sending it out of the attacked tenant, or out of the attacked network, to a tenant controlled by the threat actor?

Yeah.

So if, at the network level, at the victim's network, they had tenant restrictions enabled, they would not have been able to authenticate to an attacker's tenant. Is that correct?

Yeah, so that would be true, because they would not be able to allow the user's endpoint to authenticate to another tenant's platform. But what they had done is they had hardcoded their malware to talk to a demo instance that they had registered, so they were able to use a demo instance, a 30-day instance, and we think that something was going on on the back end where they must have been negotiating to extend that tenant, because they didn't change it. So all these years we've been observing this, we have maintained visibility of the backend infrastructure, and some of it is still functioning. They did stop using pieces of it, but the C2 server components, those nodes are still available. It's one of the reasons we have not shared that particular intelligence data with the public, because connecting to that has risks.

Thanks for sharing the research. As you've gone through viewing these campaigns, I'm kind of intrigued: what have you changed your mind on?

Oh, what did I change my mind on? You know what, when I came into this, I think my years as an IR consultant, it scars you, it's a kind of shared trauma. I'm sure incident responders in the room are going to nod and feel this, but all these environments that you have absolutely no agency to define that you still have to go in and protect. I think coming into this process years ago, when we first started to deal with SIESTAGRAPH and REF2924, was shock and feeling surprised that a victim would be caught so flat-footed with no basics. But we talked with them, and we talked with other potential victims in the region, and actually what we learned is that's really a Western bias. So there's a cultural phenomenon where you can't really assume blame for some of these things; it's nobody's fault. But when you approach a victim who has been compromised, how you do that is a really delicate thing, and it has a huge implication for whether they will receive what you have to say or not. So we engaged these groups and we tried our best to maintain that neutrality, to always be helpful, to realize that for us it was just a Thursday, for them it was like the end of their career. And what we learned is that there was not a lot of folks in these orgs who were there long enough to implement institutional change. Some of them as careerists were trying to change roles every two years or 18 months, and how much can you gamble in those political business environments, because that's what they are? How much can you gamble in those environments to achieve outcomes at the expense of your own career? Unfortunately, culturally, a lot of folks took the career route, and I think that's one of the reasons some of this isn't done. But that's still not blame, you know, those are cultural choices too, because there's technologies available to solve those problems. Unfortunately that's also cultural, because you have to trust the source of those things. When somebody looks at your company and they don't see anyone who looks like them, they don't feel like you are their ally, they don't think you're there to help. And so this is one of the most important things that's happening in tech right now: how do you engage everybody, how do you make sure that you understand them before you start talking. These are huge problems, and the more you work out in the world the more you'll encounter it, and the better you'll get at it. There's just not a playbook that you could take, there's no top-10 list to make you good at dealing with all cultures, certainly not one I think that would be effective.

Thank you. Cool. All right.
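A defender check for the IIS module problem the talk describes (analysts facing 150 DLLs with no tool to tell Microsoft's from the rest). This is an added example, not code from the talk or from Elastic Security Labs; it assumes IIS 7 or later with applicationHost.config in its default location, and treats a valid Microsoft Authenticode signature as a triage heuristic only, not as proof that a module is legitimate.

```powershell
# Added example: inventory the native modules IIS loads into w3wp.exe and flag
# any DLL that is missing, unsigned, or not signed by Microsoft. Read-only.
# Run on the web server from an elevated PowerShell prompt.
param(
    # Default server-level IIS configuration path (assumption: IIS 7 or later).
    [string]$ConfigPath = "$env:windir\System32\inetsrv\config\applicationHost.config"
)

function Get-IisNativeModuleReport {
    param([Parameter(Mandatory)][string]$Path)

    [xml]$config = Get-Content -LiteralPath $Path -Raw
    # <globalModules> lists native (unmanaged) modules by name and DLL image path;
    # managed .NET modules live under <modules> and are not covered here.
    $modules = $config.configuration.'system.webServer'.globalModules.add

    foreach ($m in $modules) {
        # Paths are usually written with %windir%; expand before touching the file.
        $image = [Environment]::ExpandEnvironmentVariables($m.image)
        $entry = [ordered]@{
            Name      = $m.name
            Image     = $image
            Exists    = Test-Path -LiteralPath $image
            SigStatus = 'n/a'
            Signer    = ''
            Verdict   = ''
        }
        if ($entry.Exists) {
            $sig = Get-AuthenticodeSignature -FilePath $image
            $entry.SigStatus = $sig.Status.ToString()
            if ($sig.SignerCertificate) { $entry.Signer = $sig.SignerCertificate.Subject }
        }
        # Triage heuristic only: the stock modules carry a valid Microsoft signature;
        # anything else gets a human look, it is not automatically malicious.
        $entry.Verdict =
            if (-not $entry.Exists)               { 'REVIEW: image missing' }
            elseif ($entry.SigStatus -ne 'Valid')   { 'REVIEW: not validly signed' }
            elseif ($entry.Signer -notmatch 'O=Microsoft Corporation') { 'REVIEW: non-Microsoft signer' }
            else                                    { 'ok' }
        [pscustomobject]$entry
    }
}

$report = Get-IisNativeModuleReport -Path $ConfigPath
# Show the rows needing review first so they are not lost among ~150 stock entries.
$report | Sort-Object @{ Expression = { $_.Verdict -eq 'ok' } }, Name |
    Format-Table Name, Verdict, SigStatus, Signer, Image -AutoSize
```

Compare the output across servers of the same role and against a clean build of the same IIS version; a module name you don't recognise, an image outside the inetsrv directory, or a non-Microsoft signer is where the analyst's manual review should start.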