CyberWire Daily - Leveraging for a bigger objective. [Research Saturday]
Episode Date: October 31, 2020
The U.S. government has charged seven men in relation to hundreds of cyber attacks against organizations in the U.S. and multiple other countries in Asia and Europe. Two of the men, who were based in Malaysia, were arrested and their extradition to the U.S. has been requested. The other five are based in China and remain at large. The attacks were attributed to a China-linked organization dubbed APT41 and involved a combination of intellectual property theft and financially motivated cyber crime. While some of our peers monitor APT41 as a single operation, Symantec regards it as two distinct actors: Grayfly and Blackfly. Joining us in this week's Research Saturday to discuss the research from Symantec's Threat Hunter Team is Jon DiMaggio. The research can be found here: APT41: Indictments Put Chinese Espionage Group in the Spotlight
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities,
solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
Well, APT41 is a longstanding group that's been around since, according to the recent
indictment, 2011. We at Symantec have actually been tracking them since 2012. So shortly
after they popped up, they got on our radar.
That's Jon DiMaggio from Symantec's Threat Hunter team. The research we're discussing
today is titled APT41, Indictments Put Chinese Espionage Group in the Spotlight.
I guess what their biggest claim to fame or what they were known for is they're one of the early adopters that really got into what they call supply chain attacks,
leveraging victims of one attack for a later stage of a bigger objective. So they would get into all these other companies
in order to use them to sort of traverse
by those trusted relationships
into what their actual target was.
And they were one of the groups
that sort of created that and started doing that.
We really didn't see much of that
and now it's much more common,
but these guys were doing it starting back in 2012.
But it's also one of the most confusing groups because most of the attackers that you see,
while in the espionage game especially, if they're a group that is involved in espionage,
you generally don't see cybercrime.
So that really confused a lot of researchers.
And so the reason I'm sort of throwing that in is, you know, when we look and we track activity and you try to identify motivation, it really throws you off when you start to see very different types of attacks where you're looking for a complete different end result.
So you don't usually see financial gain involved with an operation that is trying to steal information that's clearly going to be used for political or military purposes.
So this group really is interesting because of that. So you have all these pockets of activity.
You'd see things involving clearly very custom-developed, sophisticated espionage malware that steals
information. And then you see other attacks where they're leveraging that and using it for financial
gain. And really, you know, one of the biggest differences, you know, in that was looking at
the times of day when these types of attacks were taking place. But we can talk about that a little bit more in detail.
But yeah, we've been tracking them since 2011,
and they have quite a tool set of their own malware that they use for these attacks.
We assessed that they were a small group.
They clearly had ties back to the China region,
and they clearly had the resources to have custom tools, custom malware, and they appeared to be very long-term, objective-oriented attackers, meaning they'd have all these different phases of an attack before you could figure out what the actual real true objective was.
Can you give us some insights as a researcher? What is the process like for you
and your colleagues for sort of connecting the dots, for determining as time goes by,
what do you include with this group? What do you exclude? How do you make that circle smaller and
smaller over time to know exactly who you're dealing with and likely what they're up to?
Yeah, so that's a great question.
So the normal process of how we apply that against any sort of targeted attack is to not just look at the first attack.
So usually you begin because of one event or one attack.
But what you need to do when it comes to these sophisticated attackers is expand that pivot and identify other infrastructure, other malware, other victims, and then do a rearview mirror look to see, okay, are there other campaigns?
Maybe there's a different vertical, a different sector that's been targeting that you're not seeing, but you can learn about the tactics from that group. So you really need to pivot and look back, rear view mirror, collect all that
information, reanalyze everything that you have, and sort of come up with a bigger picture hypothesis
of what that attacker is doing, what is their motivation, and what is, you know, all these smaller attacks lead up to.
This group, however, made that very difficult. And the reason I say that is what I alluded to
before. We looked at the pocket of activity. And when you have custom malware that you believe is
unique to an attacker, especially something that you think is resource-backed to a nation.
That attacker is, you know, it's for those military government purposes. Therefore,
you don't usually see that very sophisticated malware used for financial gain attacks.
And the reason why is, you know, they spend all this time developing this malware. You don't want
to take the chance that it's going to get identified and then researchers and antivirus and defenders can now write signatures to detect
it. And your advanced operation that you spent all this time and money on is a major component
of it is no longer usable. So that's what was so weird about this is, you know, we were seeing what
was clearly espionage operations. And then shortly after, we began to see these financial gain-motivated attacks.
One of the things that we did, I sort of alluded to earlier,
that really helped us to figure this out was timeboxing the activity.
So taking longer-range time periods of the activity
and plotting the hours of actual human on victim network time.
So when a human was actually logged in doing things as part of the attack.
So those high fidelity timestamps, if you will, of events.
And then you plot those over time and you sort of look for what would fit in a workday.
This is really relevant for nation state attacks because usually your A-game
guys are working a day shift. That's just the trend that we often see. You have different teams.
Usually your A-game guys will be working during the day. So anyway, you look for that to try to
come up with time zones that fit a possible workday, and then you apply that to regions of
the world. Well, what we noticed when we did that is there were very distinctive patterns between,
while using the same malware and tools, there were very distinctive patterns between the espionage-geared attacks
versus the cybercrime, financial gain-motivated attacks.
And what we saw was the financial gain-motivated attacks against many of the video game companies that we saw were actually taking place between 10 p.m. and 1 a.m. in the same time zone that we had leveraged from the cybercrime. So applying, though, that same time zone to those attacks, assuming that because the malware is so unique that the people using it must be – at least have a relationship with those who are doing the espionage attack, allowed us to sort of make that assumption.
Okay, well, these guys are using it at night.
And what's the first thing you think of as I say this?
Moonlighting.
Yeah, that's what I was going to say.
Yeah, exactly, which makes it so interesting.
You know, that's right. So when do you ever see, like, espionage operators that, you know, "What, I got a
few hours here tonight, let's go make some money, guys." I mean, you just don't see that. And we
saw that back then, and that made this so interesting. And, um, you know, we did some collaboration with
some of the analysts at FireEye.
Actually, we talked about this at RSA this year, myself and some FireEye guys.
We did a panel.
We actually did a use case on this exact group.
And the reason we did it is we at Symantec track them as two different groups.
We believe that just like FireEye, they're the same individuals behind the activity.
However, the actual buckets of activity, what they're doing was different.
So we track it by the activity, not the people.
FireEye tracks it more by the people, not the activity.
So neither is wrong, but we track them very different.
So that's one of the things that we discussed.
Point being, though, that's what makes this so interesting is you have these operators, moonlighting, using the same weapons essentially to come up with different outcomes
for different types of attacks.
Yeah, I mean, it strikes me as kind of like,
hey boss, you mind if I run off?
Can I use the photocopier after hours or something?
That sort of thing.
Because I can't imagine that these guys
would be doing this without permission.
Well, so yeah, exactly. I don't believe for a
second that, I agree with you, you wouldn't expect them to, but I don't believe for a second that,
I'll just refer to it as their handlers. We know from the indictment that there was relationships
with some of the operators, with the Ministry of Security and the National Security Bureau in
Chengdu, that that was an indictment. So we don't know that that's who's behind the espionage
attacks, but we know that some of the operators had working relationships with those organizations.
But let's just call it the handlers behind the attacks, the ones paying for planning that are
benefiting from the attacks. Whoever that is, I cannot imagine that they
would be okay, though, with these guys using their, again, their military-grade weapons,
if you will, in their, you know, the secret sauce with their custom malware to steal,
you know, something basically as dumb as video game currency. You know, that just seems like
such a waste of your resources.
Because like I said, the more you expose your malware to the internet, to the world,
the higher likelihood it's going to be identified, signatures written,
and now it is no longer effective.
So I just don't believe that they were on board or okay with that.
I truly think that they probably did this on their own to make a buck
and didn't think they would get caught.
And then the fact that they worked with these guys in Malaysia
and they created what I'll just call a shell company,
the SEA Gamer Mall, that they essentially created that entity
simply to sell the virtual currency that they had obtained
in their theft campaign.
So the whole thing is these are all smart guys, clearly, but I think it's a bad day for them.
Whether the indictments can touch them or not, I think it's a bad day for them in China when that indictment came out.
I really don't think that, like I said, any government entity would be okay with you using that for your own financial purposes.
And it's not like China
is some poor nation that's going to benefit from financial theft attacks. You know, we see that
sometimes with, you know, North Korea is the best example. We don't really see that with China. So
it really doesn't fit their model. Do we have any insights as to what the culture is among the elite
hackers in China.
And I come at the question from this direction,
which is that, you know, I have heard here in the United States,
you know, I've heard about people with high technical abilities
being referred to as, you know, rock stars or national treasures
or, you know, those sorts of things.
And so those people are well taken care of,
to the point of sometimes being coddled
or they may have peculiarities in their personality
that are overlooked because their technical skills are so high.
Do we have any insights into that,
what may go on culturally in China?
Yeah, so I do actually have an opinion based off
of experience from all the
research and observing these groups
for a number of years. So previously,
like up to, say,
maybe 2010, so from
2002 through 2010,
one of the
really
useful pieces of
research that we could do was if you had any sort of a handle or any sort of unique piece of identifiable information and malware that you could use to find the developer.
One of the things that used to take placeested for putting his handle within his malware. And that malware eventually was seen in some of these groups that we track in espionage attacks.
you to go search and identify, all right, well, this guy has this handle and he did a paper for a technical university in China with an email address with that same handle. You could piece
these things together. They got, bear with me here and answer your question, but they have become
much better at their operational security. It is rare now that you get things like that that you
can use to pivot on. And the reason
that that's important is because I think the government really cracked down on that and said,
hey, operators, you need to have discipline or hackers, whatever word you want to use,
you need to have discipline here. This isn't we're paying you. You're giving away our operations.
You're giving away what's needed to identify us and attribute us. You need to stop doing that. And the reason I believe that they took a stance to do that is because it tailed off so quickly.
And it's so rare now that we get that sort of open source piece that we can really go dig and find the guys behind the keyboards.
So we do.
We have to rely so much more on either mistakes and operations or things in the malware or other things.
They're human-based patterns of
what they do when they're on their network. They've made it much more difficult. But I don't
think, though, that it's something that's condoned. I do think they do treat their operators, like you
said, that rock star mentality. Absolutely. The guys that I think that are good at what they do,
they're probably, you know, they are probably well-paid and treated decently in their home
country. But there's the one thing that I
think is important to always remember, you know, human greed, especially when it comes to money,
it's something that can get the best of anyone. And I think that's really what you saw here.
Interesting. Well, let's dig into the indictments. Mid-September, the U.S. Department of Justice comes out and charges seven people, including some folks with APT41, with a variety of crimes here.
How did this impact you? What was your reaction to this?
Whenever we have an indictment come out, it's exciting because the indictments provide
so much information and intelligence, not just on the attacks, but the people behind it.
So we literally, when they come out, my team and I, we all sit down and read the entire,
not just the blog that talks about the high-level stuff. We get down and we read into the weeds because it's so interesting to
take that and then compare it to our research and see what did we get right?
And what did we get wrong? And, you know,
a lot of times the things that you just,
you couldn't possibly know as a defender only, you know,
government type intelligence agencies could figure out in, in that, you know,
so these indictments really shed light on that.
Doing that process with APT41, I'll be honest, we got this one, it was pretty good.
Obviously, we didn't have operator names, but as far as the way we tracked it,
the way we broke up the malware, the operations, the way we separated them at Symantec,
we actually had this pretty good.
What I did find extremely interesting, though, was that human aspect.
So the fact that you mentioned there are seven individuals, well, there's only two of them that they specifically called out that worked both the espionage and the cybercrime operations.
Now, obviously, we can infer that all of them have relationships in some way with one another, but the actual indictment itself only actually
calls out two that did cybercrime and espionage, which to me says, you know, the others might have
been involved in cross-operations, but these are the two that we have black and white evidence to
support that claim since it's in the indictment itself. So I think that's really interesting.
I think that the sort of – it wasn't really finger-pointing, but it subtly was at some of the government agencies that they mentioned in the indictment that had relationships with the operators.
I thought that was very interesting.
Again, that's something that unless there is a mishap in their operations where they make a mistake and we get to see an IP, like, you know, let's say forget to turn on a proxy and they originate from one of those entities.
Unless things like that happen, we don't usually get the government piece behind it.
So that was really interesting.
The Chengdu 404 Network Technology piece, you know, we had heard about, we've heard of that organization before.
They didn't have evidence that it was necessarily bad, but there was a lot of suspicious things that were around that.
So that was at least on our radar.
And then the SEA Gamer Mall that was selling this fraudulent stuff, we had not heard of that before at all.
But that was based out of Malaysia.
That wasn't exactly our prime area of research in this. But adding all of it together, like I said,
I just sort of named the interesting pieces that we may not have necessarily ever known about. But putting it all together, it really tells us we're doing a good job in the way that we're
tracking and doing our analysis. It isn't always like this where we get it, you know, all these things line up, but it's usually pretty good. But this one, we had a real win out of.
Now, do you suspect that the folks behind APT41 will change some of their tactics as the result
of this indictment? I do believe that. So the reason I think that that's definitely going to happen is we've seen it in the past.
I mean, the most high-level example is APT1. When that happened, they burned infrastructure.
They shut down operations for several months. They rebuilt. That was a China-based group as well.
But it's not just even China you see. You can use Russia for another example. Let's talk about them. Completely different nation. But when Dragonfly, the U.S. energy infrastructure attacks that took place, that was one where we wrote a blog on that, and we put information on that, and they shut down operations temporarily, they burned infrastructure, they retooled, and they came back with a different
style of attack. So I think despite the nation, I think that is generally what happens with
espionage attackers. Lesser attackers don't necessarily have the resources to stop, retool,
recreate new malware, come up with new creative ideas to attack and start again once they've
been identified.
But governments certainly do.
So I think that trend will continue here.
But I don't think they'll go away.
I think they'll slow down and we'll see a gap in activity.
And then they'll come back with some new creative way to attack and to continue their operations with the same end results.
Our thanks to Jon DiMaggio from Symantec's Threat Hunter team.
The research is titled APT41, Indictments Put Chinese Espionage Group in the Spotlight.
We'll have a link in the show notes. And I'm Dave Bittner.
Thanks for listening.
