CyberWire Daily - Energetic Dragonfly and DYMALLOY Bear 2.0. [Research Saturday]
Episode Date: April 14, 2018

Researchers at Cylance recently uncovered the malicious use of a core router in a campaign aimed at critical infrastructure around the world. Kevin Livelli is Director of Threat Intelligence at Cylance, and he takes us through what they've discovered.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Like security researchers at a number of other firms and some government agencies, we have been following this threat actor, which has been called many things by many different security firms.
That's Kevin Livelli. He's the director of threat intelligence at Cylance. He and his team recently published research on Energetic Dragonfly and DYMALLOY Bear 2.0.
It's one of those research subjects that we always keep an eye on because it has been evolving for several years now. You know, one of the reasons why we published when we did was because on March 15th, the U.S. government announced a bunch of sanctions against Russian cyber actors, what they called Russian cyber actors, that was directed towards the folks involved in the NotPetya attack. But in the same breath, they also acknowledged that Russian cyber actors were targeting U.S. government entities and U.S. critical infrastructure sectors. And that announcement about sanctions was followed by a new DHS-FBI joint analysis report with more indicators of compromise about that campaign that was referred to there. What was new was that for the first time, the government was attributing the activity that was associated with that campaign targeting the energy sector with the Russian government. And so given the fact that there was news there, and we had this rather small piece of research that we thought had greater significance, we thought it was an appropriate time to write a blog posting about it while everyone's attention was focused on this campaign again. This is a threat actor that has been active for the last five years at least and has been written about by my counterparts at other security firms for years, right? Therefore, we get a bunch of different names: Dragonfly 2.0, Energetic Bear, Crouching Yeti, Group 24. There are others, but sort of DHS and the FBI did us a favor, I guess, in helping encapsulate all of those into the phrase Russian government actor.
So that's very creative of them.

Right. But it's something that everybody's been following. Right. And it's something that lots of researchers have been interested in because, well, in part because the targets are so sensitive. And that's something that everybody kind of wants to, I think, stay abreast of. We've been doing this kind of research for several years now. We thought it was the right time to publish on this subject because, well, this was something new and interesting. A bit of color, if you will, that kind of fills in a part of the picture that had previously been told by both government agencies and other security firms.
These operations initially came to light around 2013 and 2014. And then you all at Cylance noticed that they went dark for a period of time. What do you think was going on there?
We think that we, well, we don't really know, of course. We're making an assessment based on just the big picture and having followed this group for a while. But we think they were probably retooling during that year. They came across the radar screen, as you said, five years ago, were active for a bit, and then went away. And then they popped up again in 2015. And there were news reports and some security firm reports that talked about targeting the same industry in European countries, in Ireland and in Turkey. Some of this stuff has only come out recently, but sort of harkens back to that time period. And indeed, when we were following up on that research, we noticed that there were organizations in Kazakhstan, so not a European or Western nation, but in Kazakhstan, that were also compromised and targeted by this same threat actor.

And then I think if you're following the tick-tock here, the next time this sort of came to public attention was over the summer in June and July of 2017. There was another series of technical alerts released by the United States government and the British government. And the United States government issued a joint analysis with the FBI and DHS authoring it in July that talked about, again, the same group targeting the U.S. critical infrastructure sector, the nuclear sector, the energy sector in particular. And in the U.K., the alert, I think, was private, but eventually leaked to the press and was reported on, principally by Motherboard, in July. And that talked about, again, the same threat actor, but in the context of targeting UK power sector companies.
And so these revelations sort of aligned with what you all were tracking in your own research.
That's right. Every time we see a report by another security firm or a release of some analysis by a government agency, we recognize that, oh, this is a threat actor, that this is the same threat actor that we've been following for a while. And it sometimes leads us to some new research findings, right, and that was the case here. So in looking at some of the new malware samples that were referred to in some of these government reports over the summer, and following that thread wherever it led, we discovered that as part of the attack vector, there was this new thing, right, that we hadn't seen before in the context of the UK campaign, which was that the threat actor was incorporating the use of a compromised core infrastructure router into its attack. And so when we saw that, we thought two things. Number one, this is new, and we haven't seen this before in the context of this campaign and this threat actor. And secondly, we thought that it was particularly worrisome because routers are a piece of networking infrastructure. They operate differently and are more challenging for the average security researcher to investigate or a forensic investigator to investigate because they don't operate like a PC, right? This is not something that is running operating system software like a PC is, right, that you can more easily investigate. So we certainly perked up when we saw this and thought it was important to share our findings widely.
There was a factor in this that involved a phishing operation, which was targeting the energy sector in the UK. Can you take us through what was going on there?
Right. So, you know, as was the case with this threat actor targeting energy sector organizations previously, in this case a phishing lure in the form of a resume, like a curriculum vitae, was sent to some energy sector organizations in the UK. And the way this particular attack would work is that when that was opened, it would fetch this remote template and attempt to automatically authenticate to an SMB server. Okay, so this SMB authentication is something that has been known for a long time as a way of harvesting credentials as part of a malware campaign, including by this actor. But instead of it redirecting to another IP, another ordinary IP, it was redirecting to this router. And so the router was involved, we think, not necessarily to collect data, but as a hop. You'd click on this document and there would be an attempt to authenticate via SMB that would redirect to this router and then on somewhere else. And in that way, the target's credentials were, we think, being harvested without his or her knowledge.
And just for clarity, this was one specific router.
This is one specific router. So this is a router that was belonging to a Vietnamese oil rig manufacturer. So obviously something of concern for those guys. You know, theoretically, the attack would continue after the credentials hit that router, right? Because once you have the credentials, then they could be used to go back in to those UK companies that you were targeting originally with those phishing documents.

And indeed, we saw some of that context sort of affirmed for us in one of the alerts that I mentioned previously that had been issued by the UK government in the form of its National Cyber Security Centre, which is a branch of its GCHQ, its signals intelligence organization, in a Motherboard article that had been published several months prior, again, in the summer. According to that report, they said, in quoting this document, that the infrastructure in organizations, meaning UK energy organizations, was connecting to a set of malicious IP addresses using SMB. Okay, that's something we had here. And the report suggested that the hackers were trying to capture victims' passwords. And that's what we saw happening too. So what our finding sort of reveals is how they were collecting those credentials. And they were collecting those credentials via the use of this compromised router.
And in terms of the router itself, one of the things you pointed out in the research was that this was an end-of-life product. So in terms of general cyber hygiene, this maybe should have had a bullseye on it.
I guess, but it's really difficult to criticize, in this case, criticize the manufacturer or the organization that was using this router, because routers, by their very nature, and this is part of the significance, I think, of this finding, are not only difficult to forensically investigate, but they're also difficult to patch and remediate and to keep up to date. I'm sorry to say we don't have too much knowledge of what was going on with this router, how it was compromised, or whether its firmware was updated more recently or when it was updated, right? We just get like a small glimpse of, A, that this was a Cisco router, and B, that it was likely compromised as a result of, you know, some conclusions that we're drawing from analyzing what the malware was doing.

I see. So in terms of take-homes from this and recommendations for folks to protect themselves, what can you offer there?
Well, I think that there are a lot, you know, this is going to impact a number of different people. And again, it's one of the reasons why we thought it was important to share our finding publicly. First of all, this provides better situational awareness for folks inside the energy sector, both in the U.S. and the U.K., obviously, to be aware of the fact that this is part of the attack vector that is being used in targeting them. Right. This is also helpful, presumably, for government agencies in the U.K. and the U.S. and elsewhere who have threat hunting teams whose job it is to follow this campaign. This is also going to be of interest to not only that company in Vietnam that was employing this router, but anybody that's using this router, and for Cisco, right, to sort of be aware of the fact that this technique has been folded into a campaign used by what we now know, according to the U.S. government, is another government's operation, right? So not something that's likely to go away.

So in terms of mitigating against it, boy, that's the perennial question, isn't it, right? The first thing I think you want to do is try to educate yourself about what's going on in an attempt to prevent a compromise to begin with. That's sort of how we think about it at Cylance. And I think that's good advice for everybody. Beyond that, I think that folks should be following this research closely, particularly if you're in this sector. You know, obviously, this kind of research and this subject in general has implications for policymakers and folks in the wider cybersecurity community as well, right? Because it speaks to the specific actions that are being taken by, allegedly, by another nation state against our nation state, obviously, and other nations in the West.
Yeah, it's interesting that as is so often the case, it begins with a phishing operation.
Right. And that's sort of one of the dirty secrets here of the cyber business, right, is that these advanced persistent threats, as they've come to be known, aren't always very advanced. They don't have to be, right? Clicking on phishing lures is one of the most sort of simple and well-known and well-publicized ways of initiating a compromise out there. And yet it happens. It happens all the time. So again, that's why I mentioned that educating folks at all levels of an organization, from leadership down to the folks that are plugging away at their desks every day, everybody has to be aware of that threat, particularly if you're working in this industry, one of these industries that we know is being actively targeted, for all of the cybersecurity solutions that are out there. You know, if this is indeed a Russian intelligence operation, those guys aren't just going to go away. There's no patch for the GRU. Those guys are just going to find another way to get their campaigns launched and going, right? If one road is blocked, they're going to find another one. So educating yourself about what they're doing and understanding that, and then obviously maintaining basic hygiene will go a long way, I think, to helping mitigate these risks.

And the final thing that I think that probably should be said here, Dave, is that while this is very concerning for all of the reasons that I enumerated earlier, the fact that a router is difficult to forensically investigate, compromised routers are difficult to patch and remediate, beyond the specifics of this one incident, the fact that the U.S. government believes that the Russians are targeting the critical infrastructure sectors of the United States and the UK should be concerning, but not necessarily to the extent that we need to pull the fire alarm and start to panic. Because I think the likelihood that this activity could turn into something that would interrupt service at this stage is relatively low. I don't think anybody expects that, having read this, that the lights are about to flicker off at any moment. This is one of those situations where, because of the target and because of the methods of attack that are being used, everybody should be paying attention, but nobody necessarily should be panicking yet.

Our thanks to Kevin Livelli from Cylance for joining us. You can read the complete report on Energetic Dragonfly and DYMALLOY Bear 2.0 on the Cylance website.
It's in their
The Cyber Wire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.