CyberWire Daily - Blackfly flies back again. [Research Saturday]

Episode Date: April 1, 2023

Dick O'Brien from Symantec's Threat Hunter team discusses their research on "Blackfly - Espionage Group Targets Materials Technology." Researchers say the Blackfly espionage group (aka APT41) has... been mounting attacks against Asian materials and composite organizations in attempts to steal intellectual property. This group is one of the longest-known Chinese advanced persistent threat (APT) groups, active since at least 2010. The research shares that "early attacks were distinguished by the use of the PlugX/Fast (Backdoor.Korplug), Winnti/Pasteboy (Backdoor.Winnti), and Shadowpad (Backdoor.Shadowpad) malware families." The research can be found here: Blackfly: Espionage Group Targets Materials Technology

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts
Starting point is 00:01:07 tracking down the threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. So in about 2020, the U.S. government indicted a number of members of Blackfly and a related group that we call Grayfly. That's Dick O'Brien. He's a principal intelligence analyst with Symantec's Threat Hunter team.
Starting point is 00:01:41 The research we're discussing today is titled Blackfly, Espionage Group Targets Materials Technology. These are charges and these people have yet to appear in court, but the indictment does appear to kind of put this group in the spotlight a little bit and give some kind of insights into how these Chinese-sponsored groups work. And what exactly do we know here? What we know here is that Blackfly and Grayfly, they were often considered to be kind of related groups. And indeed, a lot of vendors considered it to be one group and they referred to them under the umbrella name of APT41. And it seems that a number of these people
Starting point is 00:02:43 who used to work for Grayfly at the time were supposedly working in a technology company in Chengdu in China. But they also had links with the Chinese Ministry of Public Security. And then a number of these people also worked with some people in Malaysia and seemed to be involved initially in attacks for financial gain, but they seemed to have branched out into more common-or-garden espionage. And this is the group that's known as Blackfly. That's an interesting element there that I don't think I was familiar with, the kind of crossover to Malaysia. I have to say,
Starting point is 00:03:29 I guess I'm a little surprised that the Chinese government would tolerate that. I think from what it would seem, certainly going by these indictments anyway, there's a lot of uses made of third-party contractors. So these people may do some work on behalf of the Chinese government, but they also may do some work on behalf of themselves. And it's a very different way of working to maybe other nations who tend to keep everything in-house and closely tied with their own intelligence agencies. But we have seen other countries work in a similar fashion, most notably Iran. So in this set of research that you all have released here, you're saying that they're targeting some materials technology companies. Can you flesh that out for us? Who are they going after
Starting point is 00:04:16 here? I can't really give you too much detail beyond what we say in the blog, except that they're two subsidiaries of one conglomerate, an Asian company, both of which are in, I guess, what you could broadly describe as the materials and composite sector. So reading between the lines, you would probably think in this case they're looking for intellectual property. I see.
Starting point is 00:04:43 And is that the typical playbook for BlackFly? I mean, what's the spectrum that they're looking for intellectual property. I see. And is that the typical playbook for BlackFly? I mean, what's the spectrum that they're known for? Yeah, I would say so, all right. Back when this group first kind of came on the scene and began making a name for itself, it was known for just attacking gaming companies. And then when the indictment came out, just attacking gaming companies and then when the indictment came out um it sort of made sense in that um these people were using some of the tools they use um for espionage attacks to make some money on the side by attacking the gaming sector but now black fly i it's very it's it's hard to say but they seem to have kind of moved more into the orbit of traditional espionage so we've seen them going after semiconductor companies, telecoms firms,
Starting point is 00:05:26 pharmaceutical, media, advertising, you name it, really for a very broad range of sectors. Now, whether that is at the behest of somebody else or whether they're acquiring this intellectual property to sell it to the highest bidder, who knows? But we do know that there are confirmed links with the Chinese security services there. And now, a message from our sponsor, Zscaler, the leader in cloud security. Enterprises have spent billions of dollars on firewalls and VPNs,
Starting point is 00:06:07 yet breaches continue to rise by an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security. Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps and IPs invisible,
Starting point is 00:06:37 eliminating lateral movement, connecting users only to specific apps, not the entire network, continuously verifying every request based on identity and context. Simplifying security management with AI-powered automation. And detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI.
Starting point is 00:07:05 Learn more at zscaler.com slash security. And what's the distinction between BlackFly and GrayFly? There's some shared personnel between the two groups, but there are, I guess, there probably are distinct teams, for want is the best way to describe it. So some people work for both, but they are distinct operations.
Starting point is 00:07:42 And Greyfly is probably more closely tied in with the state-sponsored espionage. I suppose, you know, touching on the indictment, I mean, that's primarily, I guess, a political statement more than anything else? It is, in the sense that the suspects, it's probably unlikely that they will get to a courtroom in the United States. But it does kind of lay down a marker really of we know who you are. We know what you're doing. And if you ever, if we ever have the opportunity to arrest you, we will. So, yeah, I mean, it is a political statement in that sense. But it's also, I guess, you know, a move in the power plays that go on between nation states.
Starting point is 00:08:40 Right. Be careful where you vacation. Right. Be careful where you vacation. They're based in a country that doesn't have an extradition treaty with them, and they decide to travel. And it turns out that authorities have been watching them, and they're arrested in that jurisdiction and extradited. What are your recommendations here for organizations to best protect themselves against this sort of thing? I think the general recommendations about targeted attacks do tend to apply to Blackfly. And so it's lots of different recommendations, really. It's about kind of adopting a defense in depth security posture. So, number one, be aware of how these groups tend to compromise your organization.
Starting point is 00:09:47 Spear phishing emails are very popular. The other big one we're seeing at the moment is the exploitation of vulnerabilities in public facing applications. The attackers increasingly are staying on top of when new vulnerabilities are found in enterprise applications and looking for organizations that are slow in patching them. The other thing then, I guess, is to be aware of how these attacks tend to unfold. The next step, once they get access to a machine on the network, stealing credentials, administrative credentials are particularly valuable. So you have to kind of think about how you lock down them, like changing them regularly, adding two-factor authentication. And then they tend to use those stolen credentials
Starting point is 00:10:37 to move laterally across the network and exploit data know, it's not just about having the best breed security software that always helps, but there's all of these best practices as well to adopt. Our thanks to Dick O'Brien from Symantec's Threat Hunter team for joining us. The research is titled Blackfly, Espionage Group Targets Materials Technology. We'll have a link in the show notes.
Starting point is 00:11:22 Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
Starting point is 00:12:33 Thank you.

There aren't comments yet for this episode. Click on any sentence in the transcript to leave a comment.