
Cyber Espionage Reloaded by Derek Middlemiss

BSides Dublin · 2021 · 28:21 · Published 2021-05
About this talk
View slide decks and full list of talks available at: https://www.bsidesdub.ie/past/2021.php
Transcript [en]

What I wanted to talk about today was some research that was done by the Check Point Research department. Now, what Check Point Research is: obviously people know Check Point as a security vendor, firewalls and this kind of stuff, but what we have is a completely separate department that... hold on a second, I just realised I haven't shared my screen, which is rather unfortunate. We have a completely separate department now. It's absolutely nothing to do with our day-to-day business, it doesn't get involved in firewalls or coding or anything like that; they are purely and simply there to try and figure out threats on the internet. So what they've done is everything from

figuring out how to break into a site using fax machines, how to hack into your digital cameras, but one of the major things we do is we look at what's out there and try to identify threat actors. As they have complete autonomy to go out and do whatever it is they wish to do, look at whatever they wish to look at, it gives us the ability to track people down. That's what I wanted to talk about today. I wanted to take you through some cyber espionage that we found. This was actually found and rooted out last year, but I still think it's relevant now. Although this is

largely based around the Far East, I think the techniques used and what we can actually get from this is pertinent across the world; indeed this attack is actually moving closer and closer as well, as we'll see as we move through. As it stands at the moment, we're seeing lots and lots of attacks against all sectors. Certainly government and political organisations have always been a favourite target, and industry, but recently we've seen a lot more against education and healthcare as well, a lot of it due to COVID-19: if a hospital is really heavily overcrowded then they're more likely to pay if you've done something [unclear].

So cyber criminals tend to be an opportunistic bunch at the best of times, so that's a really good way that you can leverage what you're doing. But we're not actually talking about that today; today we're going with cyber espionage. OK, so this is what we're going to talk about: we'll have a chat about the target, we'll look into the infection chain, the infrastructure based around the threat actor, we'll have a look at the tools they're using, how we attribute them, and who's behind it. The company we're talking about today, or the threat we're talking about today, is Naikon. So we want to look at

a couple of the tools they use, how they do it. I've been in this industry, as was mentioned, quite a long time; indeed I did an apprenticeship with Texas Instruments way, way back, so I've been doing this quite a long time, and sadly a lot of the tools that are used there actually haven't changed in the intervening years. Things have pretty much remained the same, and the first 'in' you get with any kind of threat: you could be as technical as you like, but if it's not for users doing something, clicking on something, downloading something, then you probably won't get them; it's going to be

very, very difficult to penetrate an organisation. And this one is really interesting because we kind of stumbled across this a little bit. We'd been doing some work for somebody else, another organisation, and what we found was a malicious email that was sent from an embassy to a government, and it was that which then set us on the trail to figure out, to have a look at, what they were doing. So what we tried to do with our research was have a look at the threat actors behind it and figure out what they were doing, and we had to track back over a period of time because this group first

came to note in 2015, so: how they developed and how they've hardly moved on from there. OK, so let's have a quick look then at what countries this group has targeted. If we go way back to 2014 and 2015, this was where they first came on the radar; there was a report from Kaspersky that did it originally. What we can see is they were targeting Vietnam, Myanmar, the Philippines, Singapore, so everything over in the Far East. However, at that point most of the tools that were being used by this group were considered to be pretty low-tech, so they weren't considered to be

advanced, and most of it was fairly easily blocked by tools and endpoint security that was available at that time. So really, as I say, very, very low level. They came around for a little while, then they disappeared until they reappeared for a while. Now, what we've seen when we go back and track back is that in 2016, rather than disappearing as we thought, they were actually active in Ukraine, Russia and Belarus. We then saw evidence of a campaign against the Mongolian public sector in 2020 and then later on a campaign against Australia, Indonesia and the Philippines. So what's interesting about this group is they actually never went away.

What they did was they disappeared, they went under the radar, so we didn't actually see them working. However, once we found them, once we discovered them and traced back, then we could see the history of what had been happening. So what happened was our incident response team was actually engaged by another government in Asia for a completely different, unconnected incident. While we were looking at that investigation, the team was having a look through the logs and we found a malicious email. The strange thing about this email, though, was it being sent from within the network, so from an embassy abroad to one of the state governments

in Australia. Once we saw this, this was how the investigation started, and this would have been actually in 2020 when we started looking into it. What we found when we went back was this threat actor who'd been actively targeting governments in APAC. This group were targeting government entities; they were looking at ministries of foreign affairs, science and technology, government-owned companies, anything to do with the governments of the countries indicated. That's what they were really interested in. Now, one of the tactics actually to avoid protection was to put a command and

control server actually within the network. So of the computers that have been compromised as part of this ongoing process, one of those was turned into a command and control server, which means the traffic's never actually leaving the attacked network. What that does is it gives you a much lower scope to be able to find them, because you've not got the chat and the noise out there on the internet that companies like Check Point can pick up and then track down. So that did actually make it quite difficult to track them down for a long time; this was one of the reasons why they were actually able to stay under the radar for such a

long period of time. Now, what we can see here from this slide is we've also seen now the list of targets has grown, so it does include places like India and Turkey, so it's slowly moving westwards. Who knows, maybe we'll see more of them sometime pretty soon. So let's have a look at the infection chain, what this organisation did and how they actually were successful in breaching these networks. The goal of the infection chain, like anything, is to get some form of remote access or remote control. Since the days when I did penetration testing, way before I joined Check Point,

that was what I wanted to do: I wanted to get some form of control, so the best way to do this is you deliver a backdoor. Now, what we found with this group is there are several ways that they have of delivering a backdoor, but what we've got illustrated here are three of them that we'll focus on and talk about a little bit. From our research we found that the backdoor that was used was called Aria-body. This is basically the name of the remote access trojan that opens the backdoor that allows them to connect into the network at will. So this is

what's used to deliver the payload. Now, to actually get it there, it was that old technique of phishing or spear phishing, depending on how you want to call it or what tag you want to give it. This is one of the oldest techniques that I can remember. I remember years and years ago a company called RSA was penetrated; what did they use? A spear phishing attack, because at the end of the day people are curious, people want to know about things. If you look at what's in the news and you take what's in the news and you present it to somebody in a way that makes it look

legitimate, then people are going to click on these emails, and this is always the first step in the infection chain. It was actually brought home to me yesterday because I'd finished my day's work, a whole bunch of Zoom calls as we all seem to do these days, and I'd gone downstairs to get myself what I thought was a well-earned coffee, and my phone bleeps. I looked at it and it was a text and it said: would you like to book in for a COVID vaccine tomorrow? I thought, well, that sounds about as fake as it possibly could be. Why would they be asking me

on a Friday if I want to go and have a vaccine on a Saturday? So I nearly ignored it, because I know there are so many of these scams around, but then I looked at it again and gave a little click and went upstairs and spent some time researching. I thought, actually, this looks valid, and I went through and I booked myself an appointment. But the key thing is there's so much junk that comes out, it's so difficult to actually see between the quality of the work done by the attackers and legitimate emails. It did take me quite some time to confirm, so I was happy

that this was a legitimate message, and then I booked the appointment. But it does show how difficult it is for a typical user within a network to actually know or understand what's malicious and what isn't, because it's very, very hard to do. I had another one recently. Unfortunately one of my dogs passed on and we were looking to get a puppy. Now, I like really big dogs, I like mastiffs, huge great dogs, not many of them around, so while I was looking I found an advert and I looked into it and thought this looks a little bit dodgy, and the more I looked at it the worse

this advert looked. But what I found was my head was telling me: no, come on, this is bad, this is a scam, the dog doesn't exist, there are stock pictures on the internet, they're saying they've just been born but these are clearly summer flowers in the background, so that can't be the case. But even though my head was telling me that, my heart was telling me: no, I want the puppy, I want to go and get this. I consider myself to be a bit of a hard-nosed person on this, but even I kind of felt that, so you can

see why attacks like phishing and spear phishing can be quite as effective and successful as they are. But anyway, that small diversion aside, focusing on the three infection methods that you can see on the left-hand side there: we just picked a couple of them because the others were kind of variations on a theme. So what happened was a document was created, called 'The Indians Way', that was attached to an email that was sent out to various specific people within the government organisations. This was what it was called in this case; it could be anything else, whatever actually makes it attractive to the

person you're sending it to, so they get enticed to try and open it. Once that email was opened, what we had was a weaponised exploit in there which was called RoyalRoad, which was actually what we'd seen before with the Chinese organisation Vicious Panda, which was another APT outfit from slightly earlier in 2020, so the beginning of 2020, about a year ago now I think it was. So it was one that we'd seen before; it wasn't necessarily a new one. Once we get that put in, what that does is it puts intel.wll into the Word

startup folder. Once that's in there, basically every time the person we're attacking launches Word, this DLL is going to run and it's going to be loaded. So it's not that they're loading all the time; as soon as you run Word then you're going to see this in there, and you're going to see exactly what it's decided to do. Some of the other infection chains we can see there: we had a zip file that was sent out that had a legitimate EXE and a weaponised DLL loader that came with it as well; there was an EXE as well that attached and side-loaded Aria-body; and then the RTF is the

one that we've been talking about here. Either way, what happened was as soon as it goes in we connect to the command and control server, then we download Aria-body, we then do some requests from there, we have a look at what we've got, what we can see, and then we download our toolkit to do whatever it is we decide we wish to do with this particular user. Now, I mentioned we've seen RoyalRoad before, so this was one that we'd seen before, and in this particular case when it was used, it was used with a front end of COVID-19 on the emails to try and get people interested. Now,

this is obviously an extremely powerful message at the moment. As I mentioned, we've got things about vaccines, we've got passports as well; the dark web itself is completely saturated with people offering vaccine certificates and vaccines as well, although quite how you can buy a Pfizer vaccine that needs to be stored at minus 70, expect to get that and it works, is a little bit lost on me. I think my general advice would be anything out on the dark web, if you buy it, probably best to leave it alone. But certainly COVID-19 is a very, very

powerful medium for delivery, and it's very easy to send this email to get people to pick it up and to actually use it from there. So what we then do, what the loader will do, is communicate with the command and control server. This is the command and control server that was used in this particular instance, and this basically is owned by the attackers, most of them out there on the internet somewhere. Well, on this occasion as well we did find command and control servers that were actually hosted on people's sites, which is a slightly disturbing thing. So that's how we did it,

that's how it was packed up, that was how the threat was actually sent out there. But what about the infrastructure that exists behind it? Because having a good infrastructure behind what you're trying to achieve here is really important when you're putting these attacks together. When we have a look at the infrastructure we can see that obviously they've had a cloud project in there, because everything was out to Alibaba Cloud, and the domains themselves were registered with GoDaddy, which is normally pretty benign. I know my wife's virtual gallery is also done

with GoDaddy, and I promise you she's not attacking Asian governments, or at least as far as I know. One of the interesting things here we can see is that if we look on the right-hand side, what we've got in blue are the domains that are being used and then in gold we've got the IP addresses. You can see from the arrows that we've got multiple IP addresses being reused across domains. This is slightly lazy from the attacker, and it's kind of good for us because this cross-referencing helps us to build up and confirm the

information that we know. So the more things that are repeated and done again and again and again, the easier it actually is for our researchers to be able to track through, so it gives us a better idea of just how big and how broad the actual threat is. To try and better understand how the attackers operated their infrastructure over the years, what we've done is we've taken the malicious domains on the left-hand side, we've got the year across the bottom, and then we've mapped the ASNs, the autonomous system numbers, across there. Now, when we look over on the left-hand side over here,

what we can see is a couple of domains there that have actually been up since 2016, so they've been up and working for a long period of time. But also, as you go further to the right, they're actually still there, available and running at the moment. So some of the infrastructure is new and expanded, but some of the infrastructure there has been there for a long time, which kind of hints at just how long they've potentially been active in some of the networks that they're actually in. If we move across to 2019, we can see that most of the infrastructure has been concentrated down

to the autonomous system number 45102, which is actually located on Alibaba. So that's from the previous slide; that's how we can say with some confidence that the infrastructure is cloud-based and the cloud of choice is Alibaba. One of the more interesting observations we can see in here is, as I alluded to previously, government infrastructure that's being used to house one of the backup command and control servers. The reason we know this is because the IP address of the command and control server we can see actually belongs to the Philippine Department of Science and Technology, so it was actually one of the systems

within their network that was acting as a backup command and control. It is quite a fascinating step, and that's not something I've really seen that often, but what was really concerning at the time is we could actually see evidence of the malware that was hard-coded to access this address. So it was out there and it was actually being used; it wasn't just an accidental thing that somebody had done or somebody left behind, it was genuinely being used. So a little bit worrying, because at the end of the day if it's not passing out to the internet, we're never going to see this stuff, so it makes it a lot harder to pin down the threat

actor. OK, so we'll just take a couple of minutes now to have a quick look at the tools used by this group, so we'll do a little bit of analysis in here. One of the tricks that was used to hide the activity and make it pretty difficult for us to study them was to use an algorithm that randomised when their C&C servers would be available. If something's available constantly it's a lot easier to look at it to figure it out, but if these things are up for a short period of time, then go down again, go up in another place, go down

again, it's very, very difficult to track, and this is one of the reasons why they were able to stay hidden for so long, from 2015 onwards. What we can actually see here is the algorithm that's being used. The DGA method on the left-hand side, that's the algorithm that actually works out which command and control server is going to be available at any given time of the day, the day, the year, whatever it is. The actual malware itself is fully aware of which command and control centre to access, but obviously anyone else from

the outside wouldn't necessarily know that. The middle bit here is actually the payload; you can see there that's the Aria-body DLL which we discussed earlier. This is basically the custom remote access trojan backdoor that will allow them to actually get into the network from there. What then happens is, once we do that, the malware starts to gather data on the victim's machine. It'll go off, and you can see here it's got a checkip.amazonaws.com, so it's going to have a look and try and work out what country it's in, where it's located. It will get the hostname, username, domain name,

all this reconnaissance kind of stuff that you want to be able to identify the system. Now, what you can do from there is, once you identify the systems, you can decide how useful it is: what do I want to do with it? So we take this basic information, all of that's put out, it's then zipped up; the malware then protects the file with a password, because they wouldn't want just anybody accessing their malware files, and those files are then sent back to the attackers to be looked at. They can then decide what they want to do. So with this particular malware, one of the things that has

changed hugely when we looked at the tools is just the amount of functions that it could do. If you think about it, we've got lots of government institutions across many different countries and all of them would have different things to be able to do, so it's very important to have a really good, flexible tool, and this is what they have. So we could create processes and we can inject ourselves into them, we can delete files, we can find files, create directories, we can get more information, we can do USB monitor mode, zip directories up. This is just a few of the functions they have, but it really gives you an insight into the choices that you've

got once you've broken in; these are all the different things that you can do. Now, these aren't all of them; there are many, many more: we can do keyloggers, we can get screen grabs, so we can do whatever. What this shows is just how much, over the last five years since we initially saw this organisation, just how much better they've got, just how much more professional and how much more dangerous they've got as well, and I think these are the key things. So, attribution: how do we know who it was? Malware writers tend to be a little bit lazy: something works, you use it, you go with

it. But for us that's kind of a good thing because it enables us to be able to look at and build a set of rules to try and identify the sort of characteristics that different malware has in common. So what we've got here is a comparison between what Kaspersky found back in 2015 and then what Check Point discovered later. If you see the points marked one, two and three, they're consistent, they're exactly the same, and what the group's done is they've increased the number of functions that they have, so they've increased their code. What we're able to do at Check Point is we have a malware

DNA engine. What we can do is we can feed it in, and although some people like to say AI, of course it's not artificial intelligence, as that doesn't really exist; it uses machine learning to be able to crunch all this malware and show us where we get consistencies between other types. What this helps us to do is to fingerprint it and really track what the different organisations and the different groups have been up to at different points in time. So it's a really important use of AI and one of the key technologies that we have in our battles against these people. There were some other code

similarities that came out as well. On the left we've got the Aria-body information gathering and then we've got the older XSFunction information gathering on the right. What we can see here when we look at it is some of the functions are absolutely identical to the old backdoor that Kaspersky found, so in here we can see the function there on basically how it's looking at the installed software on the machine. Using the tried and tested thing, if it isn't broke then don't fix it, we can see what's been done here is it has been reused, so we're able to then be more and more certain that we're dealing with the same

actors now as we have been previously. The other thing as well that gives us the attribution is a number of the domains are the same, so we saw on the slide earlier that there's been consistency on a couple of the domains running through; some of them are exactly the same as they were previously back in 2015. When we take all these things together that gives us a picture and an image of who they are. So who is Naikon APT? This is what we found out about them based on all the evidence and everything that we have, and all this is available if you want to go to the Check Point

Research website; you can go take a look at it. Given the complexity and the advanced nature of the tools used, we're pretty sure it's a state-sponsored operation. There is overlapping infrastructure with other identified state-sponsored groups as well. The targets, as we've seen through it, are various government entities in APAC, although that's now certainly moving across, and there was a lot of code similarity as well with other APTs within this region, so we're able to say this with some measure of confidence. So how do we thwart them? Well, what we do with Check Point is we get a whole bunch of indicators of

compromise, which are what these are. You can see there, if you've got any of these Aria-body loaders then you've probably got something of an issue, a problem there, and we further identified as well delivery mechanisms, the Aria-body payload, the loaders. So if you see any of this stuff kicking around on your system then you've got something of a serious problem, or if you can see anyone accessing any of these C&C servers then potentially you've got a little bit of a serious problem there. One of the things you've got to remember, I think, with cyber security generally:

I think it was in the film Shrek they said that ogres are like onions, but cyber defence is also like onions: it's got to have layers, and if you haven't got those layers then you cannot hope to stop it. Also, it's OK to have the layers, but one thing we've been banging on about at Check Point for a long time is you can no longer just do detect, because by the time you do a detect, by the time you realise that something's happened, it's too late; it's gone, it's moved on or it's been cleared away. By the time we're detecting it's just too late, they've gone and moved on, and we've got to change this. We

want to prevent, because when you've got web services that are spinning up for a couple of seconds, then spinning down and disappearing, then prevent just makes no sense anymore. So we've really got to look at this and we've got to move from detect mode to prevent mode, and then you have more chance, given whoever your vendor is. So that's me about done; hopefully I didn't quite go over, which should be OK. So thank you very much for your time and for your attention.

That's brilliant, thanks very much Derek. There have been no questions that came through, I think. I'll just double check.

No, there were just a couple of comments, I think, on the tools that you're using, but it's just incredible to see that... I can't hear you... OK, I can hear you again now... that they've gone undetected for so long. When you were showing the infrastructure earlier, my mind was blown that this was going as far back as 2016 at some stage.

And this is the thing: it's all about being quiet, and we see it with some of the other really big attacks, the DNS problems, the Exchange problems, and obviously SolarWinds as well. A lot of these things go on for a long,

long time, low and slow and under the radar, and it can be very difficult; sometimes you trip on something and find them, but a lot of these organisations are staying out of the way. If you're in espionage, the last thing you want is for anyone to be able to find you, which is why we try to do just that.

Absolutely. We've gotten to the end of our time here, so very well timed, Derek. Thank you so much for taking the time to talk to us; that was very interesting, and there's some good feedback on the chat here. Thank you very much and enjoy the rest of your day.

Thank you, you too. Cheers everyone,

bye-bye.
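The infrastructure section of the talk describes how reused IP addresses let researchers cross-reference domains into one campaign, and how mapping domains against ASNs per year showed the hosting concentrate on AS45102 (Alibaba) by 2019. The following is an added example of that pivoting, written for this page and not code from the talk or from Check Point Research. The resolution records are constructed: the domains are `.example` placeholders, the IPs come from the RFC 5737 documentation ranges, and the private-use ASNs 64500-64502 are invented; only 45102 is the ASN the talk names.

```python
"""Pivot on reused infrastructure: which IPs are shared across malicious domains,
which domains cluster together because of that reuse, and how the hosting ASNs
shift year by year. Added example with constructed data, not the talk's own dataset."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Resolution:
    """One observed domain -> IP resolution (as a passive-DNS feed would give it)."""
    domain: str
    ip: str
    asn: int
    year: int


# Constructed sample (not from the talk): placeholder domains, RFC 5737 IPs,
# private-use ASNs; 45102 is the Alibaba ASN the speaker mentions.
RESOLUTIONS: List[Resolution] = [
    Resolution("update.c2-a.example", "203.0.113.10", 64500, 2016),
    Resolution("update.c2-a.example", "203.0.113.10", 64500, 2017),
    Resolution("mail.c2-b.example", "203.0.113.10", 64500, 2017),
    Resolution("mail.c2-b.example", "198.51.100.7", 45102, 2019),
    Resolution("cdn.c2-c.example", "198.51.100.7", 45102, 2019),
    Resolution("cdn.c2-c.example", "198.51.100.9", 45102, 2020),
    Resolution("news.c2-d.example", "192.0.2.33", 64501, 2018),
    Resolution("news.c2-d.example", "198.51.100.9", 45102, 2020),
    Resolution("login.lone.example", "192.0.2.77", 64502, 2019),
]


def shared_ips(records: List[Resolution]) -> Dict[str, Set[str]]:
    """Map each IP to the domains that resolved to it, keeping only IPs reused by 2+ domains."""
    by_ip: Dict[str, Set[str]] = defaultdict(set)
    for r in records:
        by_ip[r.ip].add(r.domain)
    return {ip: doms for ip, doms in by_ip.items() if len(doms) > 1}


def domain_clusters(records: List[Resolution]) -> List[List[str]]:
    """Union-find over the domain<->IP graph: domains linked through any chain of
    shared IPs land in one cluster. Largest cluster first, names sorted."""
    parent: Dict[tuple, tuple] = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    for r in records:
        union(("domain", r.domain), ("ip", r.ip))
    groups: Dict[tuple, Set[str]] = defaultdict(set)
    for r in records:
        groups[find(("domain", r.domain))].add(r.domain)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g))


def asn_by_year(records: List[Resolution]) -> Dict[int, Dict[int, int]]:
    """Distinct domains hosted per ASN for each year (the slide's domains-vs-years view)."""
    seen = set()
    out: Dict[int, Counter] = defaultdict(Counter)
    for r in records:
        key = (r.year, r.asn, r.domain)
        if key in seen:
            continue
        seen.add(key)
        out[r.year][r.asn] += 1
    return {year: dict(c) for year, c in sorted(out.items())}


def dominant_asn(records: List[Resolution], year: int) -> Optional[int]:
    """ASN hosting the most distinct domains in the given year, or None without data."""
    counts = asn_by_year(records).get(year)
    if not counts:
        return None
    return max(counts.items(), key=lambda kv: (kv[1], -kv[0]))[0]


if __name__ == "__main__":
    for ip, doms in shared_ips(RESOLUTIONS).items():
        print(f"{ip} reused by {sorted(doms)}")
    print("clusters:", domain_clusters(RESOLUTIONS))
    print("ASN per year:", asn_by_year(RESOLUTIONS))
    print("dominant ASN 2019:", dominant_asn(RESOLUTIONS, 2019))
```

With the constructed records, three IPs are shared, the four `c2-*` domains collapse into a single cluster while `login.lone.example` stays isolated, and 2019 and 2020 are dominated by AS45102, which is the shape of the observation the speaker draws from the real data. Feed it a passive-DNS export in the same four fields to reproduce the pivot on your own telemetry.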
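The talk's infection-chain section describes the persistence step: the exploit drops `intel.wll` into the Word startup folder, so the DLL is loaded every time Word launches. A defender's check for that folder is shown below as an added example, not code from the talk or from Check Point Research. It assumes the standard per-user location `%APPDATA%\Microsoft\Word\STARTUP`; the fixture it scans (a fake `intel.wll` with only an `MZ` header, a harmless template, and a text file) is constructed in a temporary directory and contains no real malware.

```python
"""Inventory the Word STARTUP folder: anything with an auto-load extension
(.wll add-in DLLs, templates) runs whenever Word starts, which is the
persistence the talk describes. Added example, not Check Point's tooling."""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Set

# Extensions Word loads automatically from STARTUP; .wll is the add-in DLL form.
AUTOLOAD_EXTENSIONS = {".wll", ".dotm", ".dotx", ".dot"}


def default_word_startup_dirs() -> List[Path]:
    """Standard per-user location: %APPDATA%\\Microsoft\\Word\\STARTUP (empty off Windows)."""
    appdata = os.environ.get("APPDATA")
    return [Path(appdata) / "Microsoft" / "Word" / "STARTUP"] if appdata else []


def sha256_of(path: Path) -> str:
    """Hash the file in chunks so large add-ins do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def is_pe(path: Path) -> bool:
    """A .wll is a DLL, so a genuine one starts with the 'MZ' DOS header."""
    with open(path, "rb") as f:
        return f.read(2) == b"MZ"


def scan_word_startup(startup_dir: Path, allowlist: Optional[Set[str]] = None) -> List[Dict]:
    """One finding per auto-loaded file whose SHA-256 is not on the allowlist.
    Findings are sorted by name so output is stable for diffing between runs."""
    allowlist = allowlist or set()
    findings: List[Dict] = []
    if not startup_dir.is_dir():
        return findings
    for entry in sorted(startup_dir.iterdir()):
        if not entry.is_file() or entry.suffix.lower() not in AUTOLOAD_EXTENSIONS:
            continue
        digest = sha256_of(entry)
        if digest in allowlist:
            continue
        findings.append({
            "path": str(entry),
            "name": entry.name,
            "sha256": digest,
            "size": entry.stat().st_size,
            # Only meaningful for .wll: a non-PE .wll would be odd, a PE one is worth triage.
            "is_pe": entry.suffix.lower() == ".wll" and is_pe(entry),
        })
    return findings


def build_demo_startup_dir(root: Path) -> Path:
    """Constructed fixture (not real malware): a fake add-in with just an MZ header,
    a benign-looking template, and a text file that Word would never load."""
    d = root / "STARTUP"
    d.mkdir(parents=True, exist_ok=True)
    (d / "intel.wll").write_bytes(b"MZ" + b"\x00" * 62 + b"constructed fake add-in")
    (d / "Normal.dotm").write_bytes(b"PK\x03\x04constructed template")
    (d / "readme.txt").write_bytes(b"ignored: not auto-loaded")
    return d


def demo(allowlist: Optional[Set[str]] = None) -> List[Dict]:
    """Build the fixture in a temp dir, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_word_startup(build_demo_startup_dir(Path(tmp)), allowlist)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['name']}: size={f['size']} sha256={f['sha256'][:16]}... pe={f['is_pe']}")
    for live_dir in default_word_startup_dirs():
        print("live scan of", live_dir, "->", scan_word_startup(live_dir))
```

In practice you would seed the allowlist with the hashes of the add-ins your organisation deploys and alert on anything else; an unexpected `.wll` that is a valid PE is exactly the artefact the speaker describes, and the hash gives you something to match against published indicators.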
