CyberWire Daily - A fresh look at GOSSIPGIRL and the Supra Threat Actors. [Research Saturday]

Episode Date: May 25, 2019

Chronicle researchers Juan Andres Guerrero-Saade and Silas Cutler recently published research tracking the development of the Stuxnet family of malware, which ultimately led them to the GOSSIPGIRL supra group of threat actors. Juan Andres Guerrero-Saade joins us to share their findings. The research can be found here: https://medium.com/chronicle-blog/who-is-gossipgirl-3b4170f846c0

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com. Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities and solving some of the hard problems of
Starting point is 00:01:10 protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. And now, a message from our sponsor, Zscaler, the leader in cloud security. Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise, with an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security. Zscaler Zero Trust plus AI stops attackers
Starting point is 00:02:00 by hiding your attack surface, making apps and IPs invisible, eliminating lateral movement, connecting users only to specific apps, not the entire network, continuously verifying every request based on identity and context, simplifying security management
Starting point is 00:02:18 with AI-powered automation, and detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI. Learn more at zscaler.com slash security. We had this upcoming conference called SAS, and the Security Analyst Summit is where a lot of researchers kind of come together to show off some of the stuff they found and try to release original content. That's Juan Andres Guerrero-Saade.
Starting point is 00:03:00 He's research czar at Chronicle. The report we're discussing today is titled Who is Gossip Girl? And as we were building up to this, there was an itch that I wanted to scratch. There was a certain dissatisfaction with how we as an industry had gone about covering a cluster of very interesting operations. Essentially, between 2010 and 2012, malware analysts discovered some of the most interesting threat actors and malware-based operations that we know about today. It essentially birthed most of the private sector threat intelligence industry that we think of these days. But if you look back, we essentially found these things.
Starting point is 00:03:42 Researchers at Symantec and Kaspersky and all these different places discovered these different pieces. They researched them in depth and then we moved on and never looked back. And that was something that didn't quite sit right with me. I mean, we've done other historical research. I had focused on Moonlight Maze with Costin Raiu and Danny Moore and Thomas Rid. We worked on this a couple of years back. And what we realized was that no matter how old the operation, taking that retrospective look allows you to discover entirely new things and tie all these different things together you would have
Starting point is 00:04:14 never imagined. So we wanted to do the same with this cluster. We wanted to say, you know, what's there that folks missed that they weren't able to see or they didn't have the context to see or the tools to see? So that was the primary question that drove us. And you mentioned the tools. Can you give us some perspective? When we're talking back to that era, what did we and did we not have back then? The change is very stark. For those that are familiar with some of the threat intelligence and malware analysis tools that folks are using these days, most of the tools that we think of as standard weren't really around. And by that, I mean YARA, which is the primary signature engine
Starting point is 00:04:53 that most folks use. It's like the universal signature language that most malware analysts and threat intelligence companies use in order to share rules and provide rules for customers. That wasn't really in wide adoption. We didn't have access to things like VirusTotal's RetroHunt, which is what most companies rely on to be able to do retrospective searches. We didn't have access to a lot of sort of the beefier metadata-based databases that we might use, like what's exposed by VirusTotal and what my team has access to. There's a lot of different things that we would rely on for even the simplest of malware analysis cases or threat intelligence investigations these days that, you know, we're talking seven
Starting point is 00:05:38 years ago, were just not available to researchers. And to exemplify that, I mean, if you go back to some of the best reports that were written about Stuxnet, about Flame or Duqu or Gauss, there are no YARA rules available. Most of the hits and most of the samples that were discovered were discovered using the antivirus companies' sort of proprietary technology to cluster things or to make signatures for things. And it was very good. I mean, they were able to discover these things and to track them. But there's something inherently proprietary by the very nature of what that is, that is inaccessible to anybody trying to recreate this research from the outside. So you decide you're going to take a look back. Where did you target your efforts? Well, to be honest, you know, we cast a very wide net. The idea was really to track down this name, right? So that was kind of the funny narrative that we set writ large does counter CNE, which is
Starting point is 00:06:47 their name for essentially threat intelligence in the intelligence space. And, you know, you're always very curious about, you know, what threat actors do they know about? What things do they see that we haven't seen? And one of the things that caught our attention was a name, which was Gossip Girl. Now, before we dig too far in, when you're talking about a slide deck, which slide deck are we talking about and how did it come to light? So this is one of the many documents that got released with the Snowden sort of leak of classified documents. And that's why I say, you know, some people get very squirrely about looking at these things. Thankfully, you know, I don't have a security clearance. I don't have to worry about that.
Starting point is 00:07:24 I don't think I'll ever have a security clearance. But more importantly, it allows you to have a more comprehensive view and take everything into account. I mean, we can get into some complex discussions of what to do with this information. But from the perspective of an independent threat intelligence researcher, I think it's better to have a wider view of everything that's at play. So looking at some of these decks, I think that some of the most interesting decks for researchers trying to recreate some of this information are some that have been leaked out of CSEC, the Canadian signals intelligence agency. And if I remember correctly, the name of this particular slide deck is Pay Attention to the Man Behind the Curtain. And it details some of their efforts, and this is probably as early as 2010, if I remember correctly,
Starting point is 00:08:14 to track different threat actors at a time when most of the private sector anti-malware industry wasn't really thinking about any espionage actors. They were just about to come on board that train. So there's a lot of institutional knowledge to learn from there, from whatever can be gleaned from little bullet points on slide decks. So, I mean, is it fair to say that at this stage of the game, these government organizations had a bit of a head start over folks in private industry? Oh, absolutely. And in some ways, they probably still do. I mean, we've gotten a lot better on the private sector. I think we have now developed techniques and have repositories of information that in some ways rival the
Starting point is 00:08:56 intelligence community and hopefully complement the needs of the intelligence community. But they definitely have a much greater understanding of the institutions involved, of all-source information that they're able to piece together. I mean, that's another thing you have to keep in mind. Threat intelligence researchers, for the most part, focus on the technical artifacts that they're able to discern. We don't have access to human assets or the kind of political analysts and folks that understand regions and get access to privileged information about these regions that they can put together with the incidents that we're looking at. That's actually one of the
Starting point is 00:09:35 reasons that in previous research, I've argued pretty vociferously for getting away from institutional attribution because the government sector and the intelligence community are in a fantastic position to put together clues from different sources of information. But in the private sector, we're really not. And many times it tends to kind of lead us down the wrong path. So you decide that you're going to chase after this gossip girl. Where does it lead you? Well, it takes us down a very, very thin, narrow, speculative path of one other screenshot that essentially connects the name Gossip Girl to a known malware family, which is Flame. So for those listeners that might not know Flame,
Starting point is 00:10:16 Flame was a fascinating discovery that comes along around 2012 when, if I remember correctly, the Iranian CERT, in cooperation with researchers from CrySyS Lab in Hungary, with Kaspersky Lab, and some other folks, discovered this unbelievable modular espionage platform that was infecting not just Iran, but other institutions in the Middle East. And what was interesting about it was you're talking about very big files. They contain a Lua virtual machine that the attackers were using in order to expand their malware to whatever espionage requirements they had. So that might sound standard in 2019 when we get a different APT by a different vendor every other week. But in 2012, it was sort of this harbinger of things to come. It was this amazing example of
Starting point is 00:11:13 what an espionage toolkit should look like, would look like, had looked like for sort of the big players in the game. Very forward looking. Oh, absolutely. And moreover, it had been operating for at least four years before it was discovered. So you make this connection with Flame. And where does that leave you? We knew that a lot of the research had already been done into Flame. I mean, we don't disparage. And when I say we, I mean, you know, Silas Cutler and I, my partner in crime here at Chronicle, we knew that a lot of the research had already been done, that there was a lot of amazing work already. Symantec researchers, CrySyS Lab researchers, Kaspersky researchers had all published extensively on Flame. But our thinking was, you know, at the time, they didn't have some of the tools that we do. They didn't have access to the repositories that we do. They didn't have access to, for example, some of the greatest developments in threat intel tooling, like code similarity analysis,
Starting point is 00:12:05 didn't really exist at the time, not at scale the way that we use it now. So why don't we just take another look? Why don't we just go back and pull some of the samples and see what we can find? You never know. We start going down this path of looking at Flame. And that took us to a series of related malware families. So things like MiniFlame and Gauss that were discovered at the time as related to Flame. And then when you look at that, you realize, well, actually at the time researchers discovered that a Flame component actually connects Flame to the development of Stuxnet. And that actually the development of Stuxnet connects to the Equation platform and the development of Stuxnet connects to the Duqu platform. And essentially, it just started building out this tree where, you know,
Starting point is 00:12:48 we were pulling on one very thin thread, and we actually had a very wide wool sweater to make our way through. And to be clear, no one had made these connections before? Well, they had made some of the connections before. So what allowed us to do this work was that we were building, you know, we were standing on the shoulders of giants. A lot of these discoveries had been made back in the day, but some discoveries were not. So what we were able to do is standing on top of this research, taking it as both competent and authoritative, we then set out to say, well, what have they missed? So in that process, we make a series of small discoveries. And I think we make one big ontological reorganization or I won't say discovery, but we essentially
Starting point is 00:13:33 decided that what Gossip Girl, you know, taking a little creative license, what Gossip Girl would mean to us was what we would begin to call a supra threat actor, not to get too in the weeds of threat intelligence methodology and things that people might find to be too inside baseball. Essentially, in threat intelligence, we tend to focus on threat actors, the idea that there's a cluster of activity that we can associate with a single entity, whether that's a criminal organization or maybe an intelligence institution or a group of mercenaries, just a single organization. There's a deficiency there as we start to do more complex research, which is what happens when we start to find different threat actors playing together?
Starting point is 00:14:18 What happens when you see several independent threat actors with their own storied past and their own malware platforms and their own TTPs, their own ways of acting, clearly coming together for a common goal? We're not talking about somebody stealing somebody else's source code or reusing, you know, open source tools or things like that that might get folks confused. We're talking about, you know, very complex platforms, obviously being leveraged to play along. So for us, that essentially required us to expand our lexicon and required us to kind of shift our thinking and say, okay, let's create this other category where we're going to say, look, we know there was a collaboration. We know that many folks were in this room creating
Starting point is 00:15:03 this very complex thing. And what can we know about them based on that collaboration? What can we understand about what they created on the basis of the fact that it was multiple people playing along? Perhaps to strain the analogy to the breaking point, but would it be fair to say that you have your threat actors, those are your superheroes, and the supra threat actor would be like the Avengers? Yes. Yeah. Essentially, we wanted to look at the Avengers. My partner in crime, Silas, likened it to looking at the Led Zeppelin of threat. We were looking at a supergroup. Right. I see. OK. Right. Sure.
Starting point is 00:15:38 So, you know, you've got multiple traveling with the Traveling Wilburys. Yeah. OK. You have many good analogies for that, but yeah, it's essentially that, right? When you have a difficult mission, and some would have likened it to trying to save the world, you know, you get the best folks in a room with a shared mission and you use everyone's particular skillset towards advancing that goal. So it's a good analogy in a sense. Yeah. And so ultimately, where does this lead you? There was a series of discoveries. One of the more interesting ones among them was that there was, in fact, one more team
Starting point is 00:16:13 involved in the development of Stuxnet. So not to give you the convoluted timeline, because there's a lot of sort of weird things that come along as folks research Stuxnet. You know, the older versions were discovered after the newest versions. And so there's a lot of confusing things there. But when we started to look at some of the code similarity analysis from some of the oldest versions of Stuxnet that were ever discovered, we actually found connections to an entirely different threat actor that had never been linked to Stuxnet before. It's a threat actor called FlowerShop. It's also known as Cheshire Cat. It maps on for anybody that's following along at home.
Starting point is 00:16:51 If you ever look at the Territorial Dispute research that CrySyS Lab released in 2018, it maps on to Signature 17, Signature 18. So this is one of these players with a lot of longevity and a lot of expertise, but that has gone largely underreported and had not been tied into some of the more interesting events that came along from, you know, 2010 and so on. Explain to me, what is the significance of that, of connecting those dots? Well, for us, it expands sort of the supergroup, right? So it puts another person in the room.
Starting point is 00:17:23 It gives us greater context as well. If you read through Symantec's research when they discovered Stuxnet and they were first publishing on it, they speculated as to a couple of things. First, they speculated that Stuxnet was probably in development as early as 2005, but they couldn't necessarily prove that. It was just sort of a hunch based on a lot of different indicators that they'd seen. They also speculated that based on the specificity of some of the Stuxnet tooling, that there must have been a previous intelligence gathering platform that was utilized predating Stuxnet in order to gather some of the information they would need in order to design Stuxnet's components. So for us, it starts to fill some of those gaps. We discovered a component embedded within Stuxnet. The early Stuxnet module 231, resource 231,
Starting point is 00:18:13 is something that we call Stuxshop. We call it that because it is built with code from the FlowerShop platform, but it's specifically built to be a Stuxnet module. So, you know, a bit of overlap there. And what's very interesting about it is it's clearly designed using an older platform. For example, it has code to handle things like dial-up windows. You know, if you remember back in the day of dial-up, back in the prehistoric ages of dial-up. If your machine tried to do
Starting point is 00:18:47 something internet related and you weren't connected to the internet, it would pop up that annoying little dial-up box. It would say, you know, would you like to dial up? You're trying to do something related to internet connectivity. Now, if you're trying to infect machines that are air-gapped and almost certainly not connected to the internet, and every time you try to reach out to a command and control server the person using that computer gets a little dial-up window, that's suspicious. Shooting up a little bit of a flare there. Right. So you get that message 300 times a day and you're not doing anything internet related,
Starting point is 00:19:19 a little suspicious. So one of the many things that the Stuxshop module does is it does command and control communication in a way that subverts some of those things. So like that window would be hooked and suppressed, so it would never show up. And it would be a little more cognizant of the sort of system that it was embedded in. But that functionality all comes from this FlowerShop platform, which was actually active as early as 2002. This is a very old platform. Marion Marschalek did some fantastic reverse engineering of what she called Cheshire Cat, which were a handful of samples of FlowerShop. And the things that she found, the malware was targeting Windows NT. We were talking about, if I remember correctly, 95, 98, 2000, versions of Windows that are exceedingly old and that you
Starting point is 00:20:03 have to design specifically for. So this is clearly, let's put it this way, the earliest versions of Stuxnet essentially delegated their command and control module to this team. That's how command and control was handled until the later version of Stuxnet, the one that the researchers first ever discovered, the more aggressive version, which had taken over a lot of that functionality and dumped the FlowerShop code, which is why nobody found it back in those days. Now, one of the things that you dug into here was this sort of resurrection of Flame. Walk us through that because there's an interesting story there. Oh, yeah, absolutely. I'll admit something. This is, apart from fanboying over the amazing work that the folks at Kaspersky, the folks at Symantec and CrySyS Lab got to do in these days, you know, when you come in as a younger malware researcher, you look at those days and go, you know, maybe I missed the boat. Maybe I missed, like, all the exciting stuff that was happening back in those days. And I always had an admiration for Flame, mostly over how advanced it was, over how visionary it was, and how early on it was acting.
Starting point is 00:21:09 And I was a little sad to have missed the main research boat on that. So it was very exciting as we were going through this. Flame was our original entry point with the Gossip Girl threat actor before we started taking the liberty of expanding what that term would go on to mean. And as we were closing the research, and I'll admit this was two weeks before we were going to give this talk, I was a little upset that Flame hadn't really yielded any results. So the operations that we knew were connected to Flame, which are MiniFlame and Gauss, each kind of famous in its own right, when we look back at both of those, they died alongside Flame. It looks like MiniFlame was an older version that predated Flame. So of course,
Starting point is 00:21:51 it goes out of fashion. Flame takes over for a period of years. Gauss is some kind of reengineering of Flame that is operative for a couple of years. And then, you know, when Flame gets discovered, the people running Flame essentially burn down all of the infrastructure. They issue a suicide module that cleans up all of the infections that were still out in the field. And everybody thought, you know, May 2012 is the day that Flame died. And what was Flame's functionality? Flame was essentially an espionage Swiss Army knife. So Flame would, you know, you would infect the machine with Flame. And from that point forward, you had access to about 30 modules to do interesting things like being able to beacon to nearby Bluetooth devices so module actually was one of the most interesting old-school supply chain attacks. So the gadget module in Flame actually uses this cryptographic MD5 collision attack in order to fake legitimate Windows certificates, Microsoft certificates.
Starting point is 00:23:28 So they do this. They use these fake certificates and essentially are able to subvert the Windows Update functionality inside of an enterprise in order to spread. So from a supply chain attack perspective, you're basically turning Windows Update into your entry vector for lateral movement into the rest of an enterprise. Supply chain is all the rage now, and we're looking at all these fascinating attacks like ShadowHammer and CCleaner. But people forget. I mean, back in 2010, 2012, Flame was already doing this and doing it in a more hardcore way than we've seen so far. Yeah. So people think that Flame is gone, but not necessarily the case. Not necessarily the case. The impression that we get is that the attackers thought that they could lay low, pretend to be dead, and wait until folks moved on. And it turns out that that was the case. In May 2012, there's a suicide
Starting point is 00:24:26 module. Everything gets burned down. The threat intelligence industry moves on. They start to discover other things. They move on to other things. And then we discover that as early as 2014, new samples of a slightly retooled version of Flame started to be compiled, something that we call Flame 2.0. So what's very interesting about this is that those samples were re-engineered in order to be harder to analyze, in order to not be detected, obviously, by the same detections that discovered the original Flame components. And more importantly, they were also faking all the timestamps to look like they were old Flame samples just in case. So if somebody was looking back, they could say, oh, this is something people have already discovered. Move on.
Starting point is 00:25:13 Wow. There was an error. As early as the original version of Flame, there was a sort of a little bug that would embed the real compilation time of one of the underlying libraries. So they use a PuTTY library in order to do a lot of their network connections for, you know, SSH and Telnet and so on. And that library, when you don't put a version number, actually spits out the time that it's compiled. So even though the Flame sample might say, oh, I was compiled in 1997, which is obviously fake, the PuTTY string would still say, hey, I was compiled in March 2012 or March 2014. So when we started to map those strings, we realized, oh my God, we've been sitting
Starting point is 00:25:57 on samples that were compiled two years after the Flame suicide module. And that's what led us down the line. Why do you suppose you were able to connect these dots and other folks had missed it? There's a couple of different things there, right? So one of them is perspective. Obviously, seven years down the line, with a lot of other APT investigations under our belt, in an ecosystem that has the benefits of so much information sharing, of so many folks working openly on threat intelligence, we come to this with very different perspectives. But also, I honestly believe that most folks moved on from these operations and never really looked back. There's obviously a certain reticence to going back to some of these
Starting point is 00:26:42 campaigns. There's also a reticence to going back to things that have already been researched, right? Like we all want to work on something new, something exciting from a PR standpoint. You seldom get to call up a reporter and say, hey, I redid the work that this other company did six months ago. Would you like a story? Right. So some of the incentives are misaligned with going back and doing due diligence on things that have already been investigated in the past. What do you think the take-home lesson is then? With what you've gathered here, by taking that look into the past, how does it inform what you're going to do going forward?
Starting point is 00:27:18 I think there's several lessons in there, mostly for researchers, really. I mean, some of the take-home is essentially trying to urge researchers to eat their vegetables and not just move on to the newest, hottest thing, but rather do go back, take the time, look at some of the older operations, apply new tooling, apply new perspective. Don't assume that you know what's happening with a threat actor or with a campaign just because somebody already published on it, whether that was three months ago or five years ago. I also hope some of the lesson is also shared with folks that are trying to get into this industry. I meet a lot of students and different people that want to get into malware analysis. They want to get into
Starting point is 00:27:59 threat intelligence. It's a largely undocumented field. It's hard to find what feels like a good entry point unless you find somebody to essentially mentor you through it. And they always ask, you know, well, what can I work on? And honestly, some of the best work you can do is just go back and take a second look at what's already been done. This isn't the only case of going back and discovering entirely new things. And from a defender standpoint, I mean, I think Flame, the Duqu 1.5 module, which we didn't really get to touch on, and Flame 2.0, I think that they're clear indications that just because something seems old doesn't mean that the threat has passed. There's nothing that says that because somebody published a blog that a threat actor closed shop.
Starting point is 00:28:45 So as defenders, we definitely have a remit and a responsibility to make sure that we keep our tracking ongoing of these threat actors, particularly some of these apex threat actors, and make sure that we know where they are. Even if we've got to keep them in our peripheral vision, just to say, you know, we have this threat under monitoring, under control. We're tracking it. We know what to expect. And that, you know, something that we've considered dead, it won't just come back into play 18 months later and blindside us. Our thanks to Juan Andres Guerrero-Saade for joining us. The research is titled Who is Gossip Girl? It's on the Chronicle blog.
Starting point is 00:29:27 We'll have a link in the show notes. And now a message from BlackCloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? BlackCloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with BlackCloak.
Starting point is 00:30:12 Learn more at blackcloak.io. Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.
