CyberWire Daily - Elfin APT group targets Middle East energy sector. [Research Saturday]

Episode Date: May 18, 2019

Researchers at Symantec have been tracking an espionage group known as Elfin (aka APT33) that has targeted dozens of organizations over the past three years, primarily focusing on Saudi Arabia and the United States. Alan Neville is a principal threat intelligence analyst at Symantec, and he joins us to share their findings. The research can be found here: https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Hello, everyone, and welcome to the CyberWire's Research Saturday.
Starting point is 00:01:36 I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Starting point is 00:02:19 Elfin are actually a group that we've been tracking for a number of years. That's Alan Neville. He's a principal threat intelligence analyst at Symantec. The research we're discussing
Starting point is 00:03:25 today is titled Elfin: Relentless espionage group targets multiple organizations in Saudi Arabia and US. They kind of first popped up onto our radar around 2015. They've reportedly been active even longer than this, maybe even back to 2013. It was interesting when we first came across them, just based on some of the targets which we had seen them go after in the past. We've seen them mainly kind of hitting the energy sector in the Middle East, which was kind of something of great interest for us. We didn't see a lot of groups at that time kind of being active in the area, but it has since exploded, particularly after attacks by Shamoon and kind of other similar groups that are active in that region.
Starting point is 00:04:02 Now, they also go by the name APT33. And as you were saying, the Middle East seems to be where they're focused a lot of their attention. Your research starts with a chart here, and Saudi Arabia is their number one target. Yeah. So the majority of the organizations we've seen Elfin actually go after have all kind of been situated in Saudi Arabia, which kind of made up like 42% of all the organizations we've seen them go after. We've also seen a number of organizations in the last couple of years, so like around 2016 and again 2017, where they've started targeting organizations in the US. When we start digging deeper into some of those organizations, we could see they had a lot of affiliations or kind of ties to other organizations that also operate in the
Starting point is 00:04:44 Middle East, so like subsidiaries or kind of co-owned organizations. affiliations or kind of ties to other organizations that also operate in the Middle East, so like subsidiaries or kind of co-owned organizations. So that was kind of interesting as well. So it kind of suggests that not only are they heavily focused on Saudi Arabia, but even some of the organizations that they go after in other countries also have ties to Saudi Arabia as well. And in terms of the verticals they're going after, what are you seeing there? So the main ones that Elfin generally have targeted have been mainly related to petrochemical organizations. Again, mainly all in the energy sector. We also see like technology organizations that provide IT services to organizations who operate within the energy sector in the Middle East, and similar with engineering and defense and even some financial organizations, among others.
Starting point is 00:05:24 similar with engineering and defense and even some financial organizations, among others. Hmm. Well, let's dig in to what exactly they're up to here. What was the initial vulnerability that you all were tracking? More recently, the group have started using, well, they've always really used these spear phishing emails to send off the targets to be able to gain initial access into some of these organizations. And while that technique isn't very sophisticated, it worked very well for them. They've since kind of upped the ante a little bit where they're not just relying on social engineering tactics. They're now kind of using vulnerabilities and exploits
Starting point is 00:05:55 to be able to gain access to these organizations. So more recently, we've seen them leveraging WinRAR vulnerability, which was CV 2018-2250. Essentially, this allows you to construct an archive and you can modify it after it's being created to then change the path where the file would be extracted to and essentially if you extract it to like a location such as your startup folder it essentially gives you kind of arbitrary code execution so they can extract the payload put it into your start directory and then when you restart your system then it essentially executes that piece of malware that they've embedded within the archive.
Starting point is 00:06:30 And they've been using this more recently, only over the last couple of months, to be able to gain access to some of these organizations. And using what would look like benign file names, you point out one of them was jobdetails.rar, you know, the kind of thing that an HR person might open routinely. Yes. Traditionally, what they've done and what they continue to do even now, they look at organizations similar to the organizations they want to target. So other organizations either operating within the same regions or similar regions and in the same verticals. And they'll look at those job postings that they might have on their websites. And then they'll essentially set up some infrastructure and mimic those legitimate job postings. So then they'll send a spear phishing email. It'll have some information about some available job at a similar organization, at a
Starting point is 00:07:14 similar role, and they'll have a link embedded within the email. So users are kind of tricked then essentially to click this link. And the link is controlled by the attackers themselves. And it looks like a legitimate job posting website. And once they click on one of those roles or one of those job postings it essentially downloads kind of like an executable html file so as you view that page it'll execute some power shell in the background to download a backdoor now there's a possible connection here with shamoon yeah so shamoon were a group that, again, have been heavily targeting kind of the energy sector in the Middle East. They kind of first popped up around 2012, and they have basically destructive capabilities. They use wiping malware to
Starting point is 00:07:54 wipe systems and basically stop operations for these organizations. Back in 2012, they had wiped over, I think, 30,000 machines at that time. And they had planted images of a burning US flag. And that kind of spoke to their intentions as such. They struck again in the same year at a later stage. And it was clear from some of the tools they were using and how they moved across the network before they found the systems of interest to wipe. And they had clear knowledge and kind of understanding of the network itself. They even had some of the credentials that were hard-coded into the malware itself. So it was able to wipe the system very effectively
Starting point is 00:08:27 and spread very quickly. What we've seen is some organizations where we've seen Elfin activity, we've later seen them being hit by Shamoon. It kind of raised the question was, is there any connections between the group? Perhaps Elfin are doing kind of some intelligence gathering where they're collecting credentials
Starting point is 00:08:44 and then maybe sharing it with other groups, such as Shamoon, where they can create malware to then run kind of disruption operations. We've only seen it in one case so far. And then other organizations where we've seen Elfin and Shamoon both active, it's essentially been quite a time difference between them. So it's not really clear if Elfin have just remained active on the network for long periods of time, collecting credentials and collecting other information, and then later share this, or if they're actually working kind of more closely together than we realize. But that's what we've seen so far on it.
Starting point is 00:09:14 Now, one of the things that you list out here in your research is the variety of tools that they use. It's quite a collection of both custom and off-the-shelf elements. Can you take us through what sort of things are they using here? Yeah, so traditionally they used to use a lot of kind of custom malware. So malware they would either build themselves for specific operations and things. We've seen kind of a change or a shift more recently where they have started using more off-the-shelf tools. So these are tools that you can download either from like GitHub repos or they're available for download essentially, where you can then build them yourself, customize them to what you want them to do and have them interact with whatever infrastructure you want to point it at. This is kind of a commonality that we've seen across a number of these advanced persistent track groups.
Starting point is 00:10:05 kind of switching over to using these freely available tools, which one makes it somewhat a little bit more difficult to track in terms of if they were using something custom, and when you see that tool pop up somewhere, you could reliably kind of attribute it to that group, or it's probably that group that have been active. Now by switching over to these kind of more common tools, these freely available tools, it makes it a little bit more difficult to kind of separate some of the activities and attribute it back to that group for tracking purposes. It also kind of benefits them in a way where by being able to download these type of tools, they don't necessarily have to waste time on doing development. They can just grab these tools. They can just customize it to what they want, build them and then start distributing them.
Starting point is 00:10:38 What's the thread with the tools that they're using? What's the type of information they're going after? So it seems to be mainly an intelligence gathering operation. So we can see them once they get onto the networks, they'll start dumping credentials and they'll use that information to start basically moving across the networks, basically finding information of interest. We do know that they have destructive capabilities as well. There has been malware associated with this group called Stone Drill, which essentially again wipes systems similar to what we've seen with like what we've seen with Shemoon and kind of other destructive groups. So we know they have the ability to do that.
Starting point is 00:11:07 And we know they traditionally used to create their own malware as well. But essentially using these kind of off the shelf tools as well makes it a little bit more difficult to be able to even see what their intentions are. But it's essentially an intelligence gathering operation from the data that we can see. Well, let's walk through what happens when someone finds themselves attacked by Elfin. Take us through step by step what occurs. Yeah, so essentially, kind of similar to what we were describing before, where the attackers would create an email, they'll set up some infrastructure. The infrastructure is generally named after either the targets or the job hosting portal they're trying to mimic.
Starting point is 00:11:43 They'll create these emails and send them off to some of their targets. So essentially, they'll probably or likely look for individuals that have specific roles that they may have an interest in the type of information that they would have access to. And they'll send these emails to them with these job kind of vacancies. Once they gain access, so essentially once the user has been tricked into clicking the link and looking at the job post, it'll run some PowerShell in the background. And that basically will create a scheduled task, which will run every several hours on that machine. And it'll reach out to the attacker's infrastructure to download backdoor tools. And this essentially gives them kind of access into the network. And then they
Starting point is 00:12:16 can start downloading additional tools, such as mini cats to be able to dump some of the credentials. They'll also push down some additional malware, either to give them kind of more capabilities moving across the network. And then they'll start downloading tools either to collect information and then exfiltrate it off to their own infrastructure. How would you rate these activities in terms of their stealthiness? Are they fairly easy to detect or are they staying under the radar? Again, because they're moving to all these kind of tools that are freely available, again, it makes it a little bit more difficult to attribute some of the activity. But it's not impossible. It's still easy enough to be able
Starting point is 00:12:53 to track some of the activities based on network infrastructure that they're putting in place. As I kind of mentioned before, they're naming a lot of this infrastructure after some of the job portals or the targets they're going after, which makes it easy to kind of see the organizations that they have an interest in. And like that, when you kind of pool it together, you can kind of see a commonality there where a lot of it's all based in energy sector. It's all based in mainly in Saudi and again, in the US more recently. Do you have any sense where they're coming from? Who's behind this? There's been lots of publications about the activities of the group themselves.
Starting point is 00:13:29 There has been researchers who've come out with some bits and pieces which kind of attributes it back to some nation states or likely nation states in the Middle Eastern region. We have seen indications there where there was, let's say, for example, when we looked at how the group actually operates. So, for example, when we see them active on a network, you can kind of map some of the timings back to kind of a standard nine to five, but it would all kind of sit nicely into a specific time zone that originated from that region as well. Generally, we don't really care
Starting point is 00:13:54 about the attribution side. And while it kind of helps in adding some context to our investigations, our main kind of mandate has always been around protection of our customers. So while we can see some of the activities, we'll figure out the tools that they're using, what they're going after, how they're doing it, and then we'll just use that information to protect our customers. So it's not something
Starting point is 00:14:12 that we need to do or put a lot of effort into to be able to kind of get a better understanding of the group and the context behind their activities. Now, in terms of protection, what are your recommendations? So recommendations are always to have your antivirus clients installed, make sure it's up to date, ensure that you have the latest Windows patches applied to your system as well. But it's also very useful to have system-wide logging enabled. So if you were to see some of these, like, let's say, scheduled tasks being created, or you're starting to see, let's say, PowerShell commands being run on your machines, that kind of look a bit suspicious, then obviously it's going to be a good indication that
Starting point is 00:14:47 there's a further investigation that's required. So looking at the information you've gathered here, what are the take-homes? What can people take away from this research? I suppose some of the takeaways from this research is essentially Elphin is a very active group, particularly in the Middle Eastern region. For organizations or people who have business in that region, it's good to be well aware of the type of information that they're going after, the industries that they're targeting, so like energy and the type of tools that they're using. And the fact that we can see them moving or kind of just shift
Starting point is 00:15:18 from custom tools into more off-the-shelf tools, it kind of gives, I suppose, credence to the fact that just by seeing some of the custom stuff, it's not necessarily just criminal activity, that it likely could be something that's related to espionage operations or intelligence gathering. Our thanks to Alan Neville from Symantec for joining us. The research is titled Elfin, Relentless espionage group targets multiple organizations in Saudi Arabia and U.S. We'll have a link in the show notes. And now a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses
Starting point is 00:16:07 is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
Starting point is 00:16:44 The Cyber Wire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Valecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilby, and I'm Dave Bittner. Thanks for listening.
