CyberWire Daily - "Follow the money" the cybersecurity way. [Research Saturday]

Episode Date: February 6, 2021

Guest Joe Slowik joins us from Domain Tools to share their research "Current Events to Widespread Campaigns: Pivoting from Samples to Identify Activity" where they examined technical artifacts emerging around the 2020 conflict between Armenia and Azerbaijan in the Caucasus region. Cyber Threat Intelligence (CTI) practitioners can gain insight into adversary operations by tracking conflicts or geopolitical tensions. Similar to a "follow the money" approach in criminal investigations, looking at conflict zones can reveal cyber capabilities deployed as part of events, either by the parties to the conflict itself or by third parties interested in monitoring events for their own purposes. Based on precedent, analysts can identify developments in adversary operations and technical capabilities by tracking identifiers related to major events and conflict zones. Identifying capabilities deployed to take advantage of such items can yield insights into fundamental attacker tradecraft and behaviors, and enable defense and response for incidents which may strike far closer to home at a later date. The research can be found here: Current Events to Widespread Campaigns: Pivoting from Samples to Identify Activity

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life Thank you. JoinDeleteMe.com slash N2K and use promo code N2K at checkout. The only way to get 20% off is to go to JoinDeleteMe.com slash N2K and enter code N2K at checkout. That's JoinDeleteMe.com slash N2K, code N2K. Hello, everyone, and welcome to the CyberWire's Research Saturday.
Starting point is 00:01:36 I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. We were able to identify some phishing messages with very specific themes related to that conflict. That's Joe Slowik. He's a senior security researcher at Domain Tools. The research we're discussing today is titled Current Events to Widespread Campaigns, Pivoting from Samples to Identify Activity. Thank you. from our sponsor Zscaler, the leader in cloud security. Enterprises have spent billions of dollars on firewalls and VPNs,
Starting point is 00:02:28 yet breaches continue to rise by an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security. Zscaler Zero Trust plus AI stops attackers
Starting point is 00:02:53 by hiding your attack surface, making apps and IPs invisible, eliminating lateral movement, connecting users only to specific apps, not the entire network, continuously verifying every request based on identity and context, simplifying security management with AI-powered automation, and detecting threats using AI to analyze over 500 billion daily transactions.
Starting point is 00:03:19 Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI. Learn more at zscaler.com slash security. There was a, it's since ended now in a somewhat tenuous peace at the moment, but conflict in the Caucasus region between Armenia and Azerbaijan was a significant issue going back into the late summer, early fall period. So as part of that activity, just looking through various data sets of, you know, what's going on in that region, or can we identify things of interest that are happening that reflect
Starting point is 00:04:05 themes related to that conflict or that appear to be coming out of or located in that region? And based upon that, we were able to identify some phishing messages with very specific themes related to that conflict, such as the allegedration or the alleged infiltration of PKK, Kurdistan Workers' Party militants or fighters into Armenia. There's a document proposing to be a news article about that that contains some interesting functionality that, once we started to analyze that a bit further, showed the outlines of a campaign that further research showed went back to December of 2019. So activity that was almost a year across multiple geographic regions, all as a result of just looking at this one area to start with. Well, let's walk through it together. I mean, in your research here, you
Starting point is 00:04:58 outline what you describe as your initial discovery, which is this conflict in the Caucasus region. What was going on here? What was the initial thing that caught your eye? So the initial thing that caught my eye was a document reflecting very specific themes related to that conflict. So in this case, something that appeared to show up in Azerbaijan during hostilities as part of that conflict. And then with some interesting external reference activity within the document itself that's not common. It was not really an exploit, but a code execution mechanism that is not often seen.
Starting point is 00:05:49 It's not quite template injection, and it's certainly not the use of macros, but really referencing an external object in order to try to gain follow-on code execution on the victim environment. So there were a couple of things that seemed interesting about this. So one, just where this was showing up, like, oh, this looks like it's related to an ongoing war. And then the somewhat unique nature of the document itself, which isn't typically reflected in more generic or more general sort of malicious document activity. This document was masquerading as a news article. This document was masquerading as a news article, so you could imagine how folks who are interested in this conflict, this would attract their attention. Exactly. And we see that sort of theme often enough across multiple actors, and it's really at that point where we certainly have to perform a little bit of educated guessing or conjecture at this point as far as who the likely or intended audience would be based upon the themes of the item in question if we don't have the actual phishing messages, which we didn't in this specific case, although we were able to
Starting point is 00:06:56 recover some for a couple of other examples for related activity. But again, given timing, activity. But again, given timing, theming, and some other items, it seemed very tightly correlated with that specific conflict. And this document attempts to communicate with a specific domain? Yes. So we were able to identify within the document an attempt to communicate with a domain masquerading as or spoofing Microsoft Office or Microsoft Office-related items. And it was really from there that we were
Starting point is 00:07:32 able to really expand our investigation. Domain tools, what's our primary focus? Investigating network infrastructure primarily. I mean, I look at malware too, but network infrastructure is kind of our bread and butter. And based but network infrastructure is kind of our bread and butter. And based on that, and kind of related to some other things that I've published recently, we were able to identify characteristics of the domain in terms of registration patterns, hosting activity,
Starting point is 00:07:57 as well as just the sort of naming theme behind it that uncovered additional related infrastructure that included links to further phishing messages, which allowed us to start really scoping out a longer-term campaign. Well, walk us through that. What were some of the details you uncovered and what was the process by which you uncovered them? Sure. So one of the things that I like to emphasize for security researchers in general is that there's a misconception around domains and IP addresses, for that matter, that these are atomic indicators.
Starting point is 00:08:34 That there's not too much more to them other than just I have the domain or I have the IP. That's a misconception because if we look into the characteristics of these network items, that we actually have a plethora of details that give rise to the specific instances. So if we're talking about domains, I have the registrar through which it was created, the registration details, even if it's privacy protected or some other masking service is used, there's commonalities in what service is being used by certain actors, where it's hosted and who it's hosted by, what services that particular piece of infrastructure may be exposing. And we can use all of these observations to try to find similarly structured items within large data sets, which is one thing that we have
Starting point is 00:09:23 pretty good advantage of here at Domain Tools. And that's, again is one thing that we have pretty good advantage of here at Domain Tools. And that's, again, kind of what we focus on. So with that in mind, looking at the office masquerading item, and I can't remember exactly which one it was. It was like MS Office Update or Office Update, something along those lines, that we were then able to identify similarly structured items, multiple similarly structured items, that further analysis indicated there were documents
Starting point is 00:09:49 that had communicated to them or were set up to communicate to them as well. And that's when, not alarm bells, but certainly the excitement starts to build that, ooh, wait a minute, we found something here. This is kind of cool. And what was really interesting about it, too, is that certainly we already had the pattern of life behind the network infrastructure.
Starting point is 00:10:12 Like, okay, we have an entity that's largely spoofing office themes and using similar hosting patterns for standing up this infrastructure. And then looking at the documents that were linked to this infrastructure, we started seeing a set of themes there as well. So we already had the activity targeting Azerbaijan, and we were able to identify a couple of other items, like something that masqueraded as a press release with respect to the Azeri foreign minister and some similar items. But then we were also uncovering documents that were very focused on either mimicking or appearing as things like semi-official documents from the breakaway republics in eastern Ukraine, the Donetsk and Luhansk People's Republics, which are not internationally recognized, but backed by Russian interests and so forth. And so now we started seeing the outlines of like, oh, this starts looking very interesting as sort of, you know, with just the isolated Azerbaijan document. Like, well, this could be a lot of different things we don't really know. And now it starts resembling like, oh, this seems APT-like, a very loose definition of APT, I guess, because advanced is always kind of a weasel word of sorts, but certainly something that seems more state-aligned than what you would expect for business email compromise or something along those lines. So we got pretty excited in looking at this and timelining it out. It looked like there were sequences of events that roughly aligned with other sorts of tensions, whether in terms of ongoing tensions in eastern Ukraine, the conflict in the Caucasus region, as well as some activity in the Balkans within NATO, which was quite interesting as well.
Starting point is 00:12:05 So just looking at all those outlines, it really became pretty interesting. And following up with that, communicating with some other researchers and doing some additional historical analysis into the technique, we were able to not establish a link, because I don't know if this is definitive at this point, but there are certainly echoes of a named entity behind this activity, a group referred to by Symantec as Inception and as Cloud Atlas by Kaspersky. So maybe those are not quite one-to-one matches, but certainly overlapping activity. matches, but certainly overlapping activity. And that was curious because that's an entity that has conducted some interesting operations, but has never really entered the limelight, so to speak, like some other threats like your APT28 or 29 or some other entities. So the totality of evidence at this point, you know, walking through from domains to documents, themes to links with historical activity, really showed the
Starting point is 00:13:06 outline or the image of a likely state sponsor or state-directed actor operating in Eastern Europe along conflict and political themes, which was pretty interesting, starting just with one little fishing document. Yeah. It's fascinating to me, as I read through this research to see the, as you say, the connecting of the dots, you know, and I can sense
Starting point is 00:13:31 as that happens, you know, the excitement builds with you and your team that, hey, there's really something going on here. Yeah, exactly. And that's why I love the work that I do
Starting point is 00:13:43 is a little dopamine hit every time that you make another good connection. Right. There's an interesting aspect here that you point out that the functionality of some of these files is dependent on getting a response to a request that the file makes. a response to a request that the file makes. And you did not get that response to the request, which limited your ability to see into some aspects of what was going on. Yes, and that was the unfortunate bit, is given the time elapsed between when some of these items were active and then when they were discovered,
Starting point is 00:14:22 as well as possible or quite likely adversary operational security and gating of certain resources that not only were we not able to pull the second stage that these documents were referencing, but working with a couple of partners, especially the Black Lotus team over at Lumen, formerly CenturyLink, we weren't able to identify what that second stage would be, which was very frustrating. We hypothesize or assess, given that link to the Cloud Atlas actor or similarity with the Cloud Atlas actor, that that follow-on would be some sort of PowerShell framework for execution on the victim machine. Can't prove that, but based on historical activity, that seems like the most likely next step,
Starting point is 00:15:11 even if we can't confirm that at this time. So what are your conclusions in terms of the motivations and attribution here? So the attribution here is a little sticky. I'll get back to that in just a second. Motivations in looking at the campaign, so without having that second stage, we can't really differentiate or determine is this an espionage framework or the preliminary steps towards delivering some sort of espionage framework. It is possible, I suppose, that this could just be a very elaborate ransomware scheme, although I think the evidence is not very supportive of that.
Starting point is 00:15:48 But the combination of targeting, theming, or specificity behind the documents in question and links to historical adversaries really seem to highlight the most likely motivation as being espionage for likely state-directed purposes. You could argue that without having the second stage, you can't make that as a high-confidence assessment. I would argue instead that, well, given the limited scope and lack of obvious monetization relationship behind these items, that that's the most likely explanation, which then gets us on to, okay, this is espionage, who's doing it? And that's where things get really interesting, because if you look at historical reporting by Semantic and Kaspersky on the Inception Cloud Atlas actor, that it's a little murky. One thing you may assume looking at some of the preliminary targeting is, oh, it's targeting Azerbaijan and Ukraine, areas of the former Soviet Union. It's probably Russian, right?
Starting point is 00:16:49 Well, not so fast. So if you look in Kaspersky's historical reporting, Cloud Atlas activity has certainly operated typically within the former Soviet republics and the near abroad in Eastern Europe and Central Asia, but has also included significant targeting within Russia itself. And if we start diving in a little bit deeper beyond just saying, oh, this involves Ukraine or this involves Azerbaijan, that we see some other interesting characteristics that, for example, the Ukrainian elements in question weren't the legitimate Ukrainian government or elements thereof in Kiev, but rather the Russian-backed entities in the eastern part of the country, as well as other areas of strategic interest targeting, is that maybe this is some adversary of or entity that's interested in collecting on Russian strategic interests, which could be quite interesting.
Starting point is 00:17:53 And this is where we can really definitively say. And I think the main takeaway from this isn't that attribution is impossible. I mean, it's not. People could do it. do it. And especially if you have access to really good collection or if we've been able to gather further evidence, such as that second and potentially even third stage of this attack sequence, we might be able to do something more effective. But it does highlight how this is not easy and very much dependent upon the data at hand and where it would be dangerous to try to make an assessment in a situation like this
Starting point is 00:18:45 because there are a couple of legitimate possibilities and possibilities that are quite distinct or conflicting in nature that this could be associated with. Can you give us some insights as to what goes on with you and your team when it comes to deciding when and how you're going to publish research like this. Because to a certain degree, when you put this out there in the world, kind of, you know, the jig is up. They know that you know. When you publish something like this, is it at a point where you're pretty sure they already know that you know? Yes.
Starting point is 00:19:27 So in this particular case, through some conversations with other researchers as well as some items in social media, it already appeared that there were elements of this campaign that had been in the public realm to a certain extent, not the entire element or entire range of things, but certainly parts of it. So it already looked like this was getting some attention. And given the sunsetting of certain events and then what appeared to be a drop-off in activity from September, October into early November, and then this was published in mid-November, it looked like this had sort of passed, or we had gotten beyond a sort of expiration date for this particular activity. After that, though, I mean, you're right. There is a certain once upon a time I used to work in the
Starting point is 00:20:17 U.S. military intelligence community circles, and there's always that question of intelligence gain versus intelligence loss as a result of acting on or publicizing certain things. And that's always a consideration that we have to keep in mind. So just simply yeeting out indicators and adversary behaviors into the public can be very irresponsible my professional opinion and judgment was that there was a greater benefit in publicizing this than in sitting on it at this point, given that this activity had been taking place for a while. And we were even able to contact one of the victims in question, and this was approximately several weeks after it looked like the activity had impacted them. And they were completely unaware of this activity, which we made sure we made that connection before we went live with the publication so that they were able to, one, they weren't surprised. I mean, it always stinks to read about like, hey, you got fished in here.
Starting point is 00:21:17 The way you found out about it was via a tweet or something. But also so that they could take proper defensive measures and investigative steps on their end. I could see some people coming out and say, oh, someone's just going after clicks here and publishing this stuff. It's like, yeah, maybe.
Starting point is 00:21:35 At Domain Tools, we don't sell a threat intelligence feed or anything, so there's really not that much of a gain that we have. I just look at this as being a way to try to benefit the community and to highlight two entities that might not have access to very good but very expensive threat intelligence feeds to highlight some of the activity that's going out there. And this is a very long way of saying that I think the benefit here outweighed the potential risk in tipping an adversary off. Yeah. And so what happens now? Again, for you and your team,
Starting point is 00:22:09 to what degree are you monitoring further activity for these folks? If they go quiet, if they reboot, or how does that process work going forward? Sure. And I think this is something that all analysts can take into consideration, Sure, and I think this is something that all analysts can take into consideration, that adversary behavioral changes are seldom revolutionary, but typically evolutionary. of looking at things or a diamond model or a MITRE ATT&CK way of conceptualizing how an adversary operates, that there are many aspects or many elements of an intrusion event that an attacker has to develop and deploy to be successful, from what kind of network infrastructure they're creating, what sort of capabilities they're deploying, and then follow on tools and techniques that are used in victim environments. And we could look at this example as being a pretty good case study of how adversaries will change certain aspects of their behavior.
Starting point is 00:23:16 So for example, if we take the assessment that this is most likely related to Cloud Atlas or more likely Cloud Atlas than any other tracked threat group that's out there in terms of what this might be linked to. Well, in that case, we see a significant change in network infrastructure characteristics, but not a very significant change in dropper document or initial infection document capabilities in terms of how remote resources
Starting point is 00:23:46 are accessed and then used for potential follow-on execution. So what I'm trying to say here is that from a defender's standpoint, by understanding how attackers operate across the entire sort of attacker lifecycle, that we can gain insight into different stages of how adversaries operate and the likelihood that an adversary will completely revolutionize their activity across all phases of that lifecycle are not impossible, but that's very costly. And if we have a thorough understanding of what an adversary looks like across each phase of their operations, yeah, they might change how they stand up network infrastructure, or they might change how they set up initial stage delivery documents
Starting point is 00:24:32 or initial code execution, but the likelihood that they change everything is somewhat small. So if we can keep track of or try to monitor for each of those phases and each of those sets of behaviors related to stages of the intrusion lifecycle, we can identify adversaries maybe not as early as we'd like to if we're looking at this from a network defender standpoint, but from a CTI perspective, we'll have an opportunity to detect these adversaries at some level. detect these adversaries at some level, and then from that detection point, begin to build out, okay, what changed from previously to fill in those gaps for what an adversary has done to sort of shift their operations and response to defenders from previous reporting or being caught in other environments. Our thanks to Joe Slowik for joining us.
Starting point is 00:25:26 The research is titled Current Events to Widespread Campaigns, Pivoting from Samples to Identify Activity. We'll have a link in the show notes. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatL are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
Starting point is 00:25:52 ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Valecki, Gina Johnson, Bennett Moe,
Starting point is 00:26:39 Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening.
