CyberWire Daily - Compromised military tech? [Research Saturday]
Episode Date: May 28, 2022
Dick O'Brien from Symantec's threat hunter team joins Dave to discuss their work on "Stonefly: North Korea-linked spying operation continues to hit high-value targets." Stonefly specializes in mounting highly selective targeted attacks against targets that could yield intelligence to assist strategically important sectors. Symantec found that the attackers breached an engineering firm in February 2022, most likely by exploiting the Log4j vulnerability. Their research describes who these high-value targets are, ways to prevent this malware from breaching any more companies, and indications that you could be compromised. The research can be found here: Stonefly: North Korea-linked Spying Operation Continues to Hit High-value Targets
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
data products platform comes in. With Domo, you can channel AI and data into innovative uses that
deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to
your role. Data is hard. Domo is easy. Learn more at ai.domo.com.
That's ai.domo.com.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation
with researchers and analysts tracking down threats and vulnerabilities, solving some of
the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Stonefly initially caught our eye because, in our view,
it is probably the most interesting of the North Korean-sponsored espionage groups.
That's Dick O'Brien. He's principal editor at Symantec. The research we're discussing today is titled Stonefly.
North Korea-linked
spying operation continues to hit high-value targets.
And now, a message from our sponsor Zscaler, the leader in cloud security.
Enterprises have spent billions of dollars on firewalls and VPNs,
yet breaches continue to rise, with an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024.
These traditional security tools expand your attack surface with public-facing IPs
that are exploited by bad actors more easily than ever with AI tools.
It's time to rethink your security.
Zscaler Zero Trust plus AI stops attackers by hiding your attack surface,
making apps and IPs invisible, eliminating lateral movement,
connecting users only to specific apps, not the entire network.
Continuously verifying every request based on identity and context.
Simplifying security management with AI-powered automation.
And detecting threats using AI to analyze over 500 billion daily transactions.
Hackers can't attack what they can't see.
Protect your organization with Zscaler Zero Trust and AI.
Learn more at zscaler.com slash security.
So yeah, they're interesting for a few reasons.
They've been around for a good while.
I think they first appeared around 2009.
And at the start, they were like, you know,
what was at the time your prototypical North Korean-sponsored group.
So they were involved in sort of lots of noisy,
you know, not terribly sophisticated attacks.
So they started out doing distributed denial of service attacks against targets in South Korea and the US.
And, you know, they kind of pop up every couple of years with DDoS attacks.
Then they introduced a backdoor Trojan.
They were obviously stealing some information.
They were involved in some disk wiping attacks in, I think, 2013.
But something interesting happened to them along the way.
Sometime either in 2019 or probably sometime before that, they completely pivoted
into something very, very different.
And since that time, they have been focused on a very small number of espionage attacks, and they're very tightly focused on what we believe to be acquiring
kind of a sensitive or classified or advanced intellectual property.
So they seem to be like this really super focused specialist team
who are just kind of going after this type of information.
So every time we see a Stonefly attack, the victim is always really, really interesting.
What makes you believe that this is the same group that we'd seen previously, you know,
since 2009?
If they updated their techniques and indeed headed in a different direction, are there
things that point to it still being a continuation of the same group?
There's definitely a continuation in terms of the tool set used.
So you can kind of, you know, obviously the tools they use today bear no resemblance to the tools they started out with,
but there is a kind of a daisy chain or an overlap of tools used all along the way.
So these days they use a custom backdoor Trojan that we call Preft.
I think some other vendors call it Dtrack or Valefor.
And that's kind of, from our perspective, the calling
card because they're the only group who use that particular backdoor.
So yeah, we've been able to kind of follow them through the years
and through overlapping of tool sets.
Well, let's go through together this latest target
that you all analyzed here in the research.
Can you walk us through step by step
what exactly did you all witness?
What we came across,
it was kind of an interesting attack from our perspective
because initially we thought it might be ransomware, because we were doing a
ransomware investigation again. That was another customer in, you know, a completely
different geographic location, and we found
a tool there that we thought was linked to the ransomware. And
then we saw it on this particular organization, and we were, you know, we were giving them the
heads up that there may be some ransomware actors on their network. And then it turned out that the
tool wasn't linked to the ransomware attackers at all, that it was actually a Stonefly tool.
So then, of course, you know, we spun up our investigation on it,
and what we found was a long-term intrusion against this organization.
Well, let's go through it, I mean, step by step.
But when you all initially started the investigation,
what sort of things caught your eye?
The means of entry was interesting enough.
We believe it was an exploitation of the log4j vulnerability,
which I guess most people would be familiar with.
It really hit the news back in December.
I say we believe that's because an exploit was run for this vulnerability
against a VMware View server that was publicly facing.
And the exploit ran.
And then within 24 hours, I think it was 17 hours, we saw our first evidence of what was
definitely Stonefly activity on the computer.
So given the timeframe there, you know, it seems that this was their way into the network.
So they got onto this server and they did a lot of groundwork, I guess, in terms of establishing a persistent presence.
So they put the backdoor there.
They got some communications back to their command and control server.
There was evidence of them dumping credentials and things like that.
And then once they kind of got all the information that they needed,
they began moving laterally across the network.
I think it was about 18 computers in total that they got onto.
So, you know, a good opportunity for them to kind of look around
and see if they can find anything interesting.
Let's talk about that Preft backdoor itself.
You all pointed out that it seemed to be that they'd updated it
in this particular campaign.
Yeah, yeah.
I mean, this is not uncommon for an actor like Stonefly.
They'll continuously develop their malware.
At the very least, they'll adopt different obfuscation techniques
to try and avoid triggering any security alerts.
And in this case, they added a couple of additional bits of functionality.
And I think it was an ability, in this case,
to support a wider range of plugins.
So I think the previous versions we'd seen
could only handle two different types of plugins,
and this one could handle four,
executable, VBS, batch files, and shellcode.
Well, walk me through exactly, sort of step-by-step,
what Preft does when it kicks into action.
It is, it's essentially, it's a backdoor Trojan.
So you have a persistent presence on the victim's machine.
So it does have the kind of functionality
that allows you to perform certain actions on the computer, take
information identified for exfiltration.
Was there any sense for exactly what they were after here?
Was there any pattern in
the types of things they seem to be interested in exfiltrating?
What I would say is that I would say this company, I can't say too much about them,
but they're a very specialized engineering company.
So they work in the energy sector, particularly energy offshore type of energy extraction.
And they also work with the military.
So presumably they're kind of looking
for information about, you know, how they do things or how they work, with the potential to
kind of leverage that intellectual property in whatever they wanted to do themselves.
You know, you mentioned at the outset that sort of historically, North Korea kind of came on the
scene and had a reputation for being noisy and not especially nuanced.
Where do they stand today? How do they rate on the global stage?
It's an interesting country to look at from an espionage perspective.
I guess, first of all, the whole North Korean cyber espionage scene, it's quite opaque. I mean, like,
you know, as espionage tends to be. I mean, you don't know about every country's espionage
operations in detail, but in North Korea it's particularly so. So we have very little
visibility or insights into the overall structure of it, you know. And indeed, you know, lots of people just tend to refer
to North Korean espionage operations under just one umbrella name,
which is Lazarus, and then the US government call it Hidden Cobra.
But we've seen several kind of distinct patterns of activity,
which suggests that there are at least
several distinct teams operating there.
So they're unusual, too, in that they carry out
a lot of financially motivated attacks,
which isn't really within the remit
of other countries' intelligence services.
You know, anytime you do see it happening with other state-sponsored actors,
we usually suspect it's some contractor doing it,
earning some money on the side.
But with North Korea, it's definitely part of their core goals
is to acquire foreign currency.
So we've seen them do everything
from kind of stealing multimillion dollar amounts
from banks.
We've seen them being involved in ATM type fraud.
They're quite interested in cryptocurrencies
and that sort of thing.
So I think the regime there sees it
as one way of getting foreign currency.
So that's quite unusual.
But yeah, there are some teams that are very specialized
that would be kind of, you know, would be comparable
to other state-sponsored actors on this front.
So there's an ongoing campaign called Operation Dream Job, which tends to target
different industry sectors at a time, usually probably in pursuit of technology or intellectual
property. And that would be up there with the kind of most second tier nation state sponsored
espionage actors. And then there's people like Stonefly who seem to be super focused
on a very small number of selective targets.
Can you give us some insights
into what happens with an incident like this
when it comes to incident response?
I mean, something like this gets discovered.
How do you kick into action here?
What sort of things go into play?
For us ourselves, I guess it usually starts with a little bit of fragmentary evidence we find.
We uncover one tool or something the attacker does that generates an alert, and we follow it up.
And then it's really kind of a case of following the breadcrumbs,
realizing and trying to figure out where this tool came from,
what was used to install it,
and really trying to trace the attack back to the origin
and then forward to the ultimate payload
and map it out in that way.
And then once we kind of have a reasonably good understanding
of what we're dealing with, we'd often, you know,
obviously, you know, we'd update our product to, you know,
make sure it doesn't happen again.
But we'd also notify the customer, which can be anything from an email
to maybe a phone call or something like that to explain
what we discovered
on their network and the significance of this, you know. It's, you know, in the case of something
like Stonefly, all right, we would do, we'd make an effort to have a conversation with them
about it.
Right, right. I suppose if you're on Stonefly's radar, it is undoubtedly a serious situation for you.
Yeah, it is. It is because
a lot of their targets are dealing with
highly classified stuff and everything
they go after tends to have either a civilian or military application.
So I think any organization that has
been targeted by Stonefly
would want to know about it and would be very worried about
what they're trying to get going by what we've seen from their attacks.
So what are your recommendations then in terms of organizations protecting themselves?
What are your words of wisdom there?
The words of wisdom, I mean for Stonefly, the words of wisdom are
as they would apply for any espionage operation,
which is to kind of, you know, educate yourself about how these attacks typically unfold
and then try and implement, I guess, a multi-layered approach to your security
so that you don't really have any single point of failure.
In this case, the means of access appeared to be log4j. So that server was unpatched for some
reason. So, you know, obviously we don't know why organizations have different patching policies
and what have you, but it does go to show the importance of patching vulnerabilities in as timely a manner as you can, especially on public facing servers, because if that wasn't there, the attackers may have found it much harder to get in, if not impossible.
Our thanks to Dick O'Brien from Symantec for joining us. The research is titled Stonefly.
North Korea-linked spying operation continues to hit high-value targets.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and
securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe
and compliant.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing Cyber Wire team is
Rachel Gelfand, Liz Ervin, Elliot Peltzman,
Trey Hester, Brandon Karpf, Eliana White,
Puru Prakash, Justin Sebi, Tim Nodar,
Joe Kerrigan, Carol Terrio, Ben Yellen,
Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben.
Thanks for listening. We'll see you back here next week.