CyberWire Daily - Encore: What malicious campaign is lurking under the surface? [Research Saturday]
Episode Date: December 30, 2023
Israel Barak, CISO from Cybereason, sits down with Dave to discuss their research, "Operation CuckooBees: Cybereason Uncovers Massive Chinese Intellectual Property Theft Operation." Cybereason researchers recently found an attack lurking beneath the surface which was assessed to be the work of Chinese APT Winnti. Cybereason briefed the FBI and the DOJ on the investigation into the malicious campaign. The research states, "For years, the campaign had operated undetected, siphoning intellectual property and sensitive data." The team quickly made two reports on the campaign, one sharing an examination of the tactics and techniques. The second gives a detailed analysis of the malware and exploits used. The research can be found here: Operation CuckooBees: Cybereason Uncovers Massive Chinese Intellectual Property Theft Operation
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation
with researchers and analysts, tracking down the threats and vulnerabilities,
solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
The research was exposed during an incident response in 2021. It was super interesting for us because as we did a number of different IR engagements across manufacturing, healthcare organizations, and a couple of other verticals, we noticed similarities in the patterns of behavior.
That's Israel Barak. He's chief information security officer at Cybereason. The research we're discussing today is titled "Operation CuckooBees: Cybereason Uncovers Massive Chinese Intellectual Property Theft Operation."
Thank you. Well, let's walk through it together.
Can we go through step-by-step of exactly who these folks are and the methods that they use to do the things they do?
So, absolutely.
The data that we have basically shows that this campaign that we dubbed CuckooBees, and we're attributing to a Chinese state-sponsored actor that is called Winnti or APT41, started at least in 2019 and specifically targeted manufacturers in the United States, in Europe, and in Asia,
and specifically in the defense and aerospace, energy, biotech, and pharma sectors, where the operational goal of the campaign was basically stealing sensitive documents, blueprints,
formulas, manufacturing-related proprietary data.
Some examples that we've seen during the incident response and the investigations include
design and manufacturing information related to specific engine parts and airplane parts.
So that was the overarching goal of the operation.
Well, can we walk through some of the techniques that they're using to get
into systems? The first thing that we identified as we sort of untangled the process here is that
the initial access that was done into these target networks was typically through the exploitation of vulnerabilities in a popular ERP solution.
Some of these vulnerabilities at the time
were known vulnerabilities that were just unpatched
by the users of the ERP solution.
Some of them were unknown
or zero-day vulnerabilities at the time.
When they were able to compromise that ERP system, they were able to gain that
initial access into the ERP system. The next stage was usually to establish some sort of
persistence or mechanism that would allow them to kind of keep coming back in and out.
The most common technique that we observed was the use of a JSP web shell that they basically embedded
in the ERP web application server.
So they created the facade
of them communicating from an external network
with a legitimate web application, the ERP.
But basically, they were able to send commands
to those systems
that that system then executed for them in the targets
environment. That was the way to get back to get in and out. That was the interesting thing for us.
I think it's, you know, we often think about the different ways attackers like Winnti, right, or APT41
are able to find that initial access.
And sometimes it's targeting individuals.
Sometimes it's targeting the supply chain.
And here I think we see another common example
of how an adversary like that,
that is a state-sponsored adversary,
is developing proprietary zero-day software vulnerabilities
that enable them to gain that initial access into organizations
where that software is being used.
Can you give us a little bit of the background on Winnti themselves?
I mean, does this align with what we're used to seeing from them?
And what sort of tools do they have in their arsenal?
It does align with the overarching method of operation
that we're used to seeing
from Winnti. Winnti as a group has existed, or at least has had a documented record, since at least 2010, and they are believed to be operating on behalf of Chinese state interests, and they
specialize specifically in cyber espionage and intellectual property theft.
They're known in the industry as sort of the princes of technology secret thefts.
The techniques that they used in this operation, some of them were known techniques.
The use of supply chain attacks, software vulnerabilities, web shells, etc.,
and, for this group, some of the lesser-known techniques.
So, for example, one of the things that they used to sort of fly under the radar inside the target's network
and to stay or evade detection for a long period of time.
This operation continued in some of those target networks for almost three years.
And so one of the techniques that they used to sort of fly under the radar and evade detection,
which we haven't seen from them before, is a rare abuse of the Windows CLFS,
which is a common log file system feature.
Basically, it's a feature in Windows that is primarily designed to hold system logging
and application logging information, and they use that mechanism to store the payload of
the attack, the different pieces of malware that they were using, in a way that most security technologies,
or in an area where most security technologies actually don't really scan or don't really look into.
Oh, interesting.
So this is an area where the system keeps some logs,
and so by putting their own stuff there, to the scanners there was nothing to see here.
Exactly.
Exactly.
And that's a fairly rare technique to see.
It's certainly something that we haven't seen from this particular group in the past.
But I think there was enough similarity between some of the techniques that they used and operations that they ran in the past for us to be able to attribute that operation to that group
with a fairly high level of confidence.
You mentioned that this group was able to stay within networks
for multiple years in some cases.
What ultimately led to their discovery in this case?
And so in some of these engagements that we got called into, some of these incident responses,
one of the things that ultimately triggered the suspicion of the organization was the amount of
data that was being exfiltrated from the system. And so over the years, this adversary was able to collect from some of these organizations hundreds of gigabytes and sometimes more of intellectual property, design documents, manufacturing procedures, blueprints, et cetera, et cetera.
And in some cases, it raised the suspicion that something is happening that the organization or the defender was just
not aware of. We got called into these engagements and were able to sort of unravel that whole
chain of events that led to it. What are your recommendations then? I mean, for organizations
to best protect themselves from an APT group like Winnti, what sort of things should they have in place?
So it's a great question because on the one hand,
the first thing that we recommend, you know, is always,
we always all need to get better, right, in doing the basics right,
in making sure that we know our networks
and we understand what assets we have,
what the status of security or hygiene is in our networks.
And we do the best we can to maintain good security posture and good security hygiene.
And it's always, I think, the best practice regardless of what type of threat or risk you're trying to mitigate.
But at the end of the day, when you're dealing with a threat actor like this, which is a far more sophisticated adversary than what you would typically find
in the ecosystem, they always have a way to find initial access into an organization,
right? Whether it is compromising an individual that has access to the network, whether it's
compromising the supply chain, this is a type of adversary that spends weeks, months, sometimes years, trying to get initial access to their targets.
Eventually, they make it in,
despite our best efforts in security posture and security hygiene.
One of those things that we need to really get better in
is proactively hunting for these threats.
This is a low and slow operation.
And so we need to adopt this proactive threat hunting approach, right?
We need to be able to look across the data, right?
Across the data in our enterprises, right?
Endpoint data, network data, identity and access, and other types of security data,
and proactively look for patterns of behaviors, chains of behaviors that may in and of themselves
look legitimate. But when you look at the chain of events over time, they expose a chain of events
that is indicative of a malicious activity. And that's something that
oftentimes evades real-time detection or prevention mechanisms. But when you adopt a threat hunting
mindset and you analyze data and patterns over time, specifically looking at those chains of
behaviors, you're able to expose those low and slow operations relatively early in the attack lifecycle and avoid the
majority of the impact of them. Is that something that is available to those small and medium-sized
businesses out there who are dealing with limited budgets? Are there ways that they can
use those kinds of approaches? There is. I think today there are a number of segments in the market
that offer these type of capabilities
when you look at detection and response technologies
in the EDR space or the endpoint detection and response space
or in the XDR space, the extended detection and response.
I think you're seeing a growing number of technologies and solutions
that are focused on
automating the vast majority of this proactive threat hunting process and augmenting it with
people that are experts in analyzing that data and understanding what it means from a threat
perspective. I think the other resource that is becoming very, very accessible for enterprises of all sizes is an analysis done
by the MITRE organization. So on an annual basis, basically the MITRE organization,
which is a not-for-profit organization, primarily a DOD contractor, they basically run an annual exercise that is emulating very sophisticated
adversaries and is evaluating different approaches and technologies in the market
and their ability to detect those minute changes in behaviors and change of behaviors and expose
that type of malicious operation in progress. And so all that information is publicly available on the MITRE website
that essentially describes what their observations are
and what technologies and capabilities can enable enterprises,
really of all sizes, to adopt this type of approach.
It really is an interesting situation we find ourselves, isn't it?
I mean, a group like Winnti, they're not going
anywhere. They're well-funded, you know, globally insulated. It's something that we're going to have
to deal with for the foreseeable future. I agree. You know, one of the things that I think is
interesting in this incident that we reported on is,
and we briefed the FBI and the DOJ on the investigation.
And if you recall, the FBI in their China 2025 report from 2019,
they called out the Chinese aggressive state-sponsored intellectual property infringement strategy.
And I think one aspect of the Cuckoo Bee's incident
is that it shows that despite that diplomatic
and other efforts to curb that behavior,
exactly as you say, right,
at least as it pertains to our domestic economy,
that aggressive intellectual property theft
and infringement strategy
may have not really changed much.
The other thing I think is interesting to note about these type of adversaries is that we need to reframe what a win strategy is as defenders against these adversaries.
Because, and I think you hit the nail on the head,
this type of adversary will not stop
trying to get into a particular target's network
just because that target has good security in place.
The reason is that they have no motive to stop doing it.
The target has something that they want.
There's really no price or no risk for them to pay for trying again and again and again.
So there's no reason why they wouldn't continue to try until they make it.
And the interesting thing when you try to counter the operation from a defender's point of view,
when you try to counter that type of adversary,
is that the win strategy is not to make sure that they never come back,
but the win strategy is to make sure
that you increase the time intervals
in which they come back.
So instead of after you push them out the first time, usually what you'll see is that they come back after a couple weeks and try again.
And you push them out a second time, they'll usually try to come back after a couple weeks.
But if you operate the right program and the right strategy, what you'll see is that you can dramatically increase those time intervals.
And then instead of coming back every couple weeks, they'll come back every couple months or every year.
The reason is when you get very, very good at exposing what they're doing in your network,
you create a price for them to pay.
Because when you expose their method of operation,
by the way, that's part of the rationale
behind us making this information public.
When you expose the method of operation,
you dramatically increase their price because now
they need to rebuild things in order to start executing again. And that is expensive, right?
It's something that they do. Every threat actor does it. But there's an expensive price to pay
for targeting a target that is a sophisticated target that can expose that operation, that impacts other operations that they have in flight.
And so when you run an effective operation for detection response investigation,
you're able to create a certain form of deterrence against a threat actor like that
that will manifest itself in the increase in the time intervals in which they will come back. They'll make sure to
build, be very meticulous in what they build before they come back and try to target the network.
Our thanks to Israel Barak from Cybereason for joining us.
The research is titled "Operation CuckooBees: Cybereason Uncovers Massive Chinese Intellectual Property Theft Operation."
We'll have a link in the show notes.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Rachel Gelfand, Liz Ervin, Elliot Peltzman, Trey Hester, Brandon Karp,
Eliana White, Puru Prakash, Justin Sabey, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe,
Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening. We'll see you back here next week.