CyberWire Daily - Monitoring the growing sophistication of PKPLUG. [Research Saturday]
Episode Date: November 9, 2019

Researchers from Palo Alto Networks' Unit 42 have been tracking a Chinese cyber espionage group they've named PKPLUG. The group mainly targets victims in the Southeast Asia region. Ryan Olson is VP of... threat intelligence at Palo Alto Networks, and he joins us to share their findings. The original research is here: https://unit42.paloaltonetworks.com/pkplug_chinese_cyber_espionage_group_attacking_asia/
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities and solving some of the hard problems of
protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
PKPLUG is sort of an interesting one for us. That's Ryan Olson. He's vice president of threat intelligence for Palo Alto Networks, and he leads their Unit 42 team.

The research we're discussing today is titled PKPLUG, Chinese Cyber Espionage Group Attacking Asia. The author of this research is Alex Hinchliffe, and he's one of our analysts over in the UK. And over the last few years, he's done some research that's resulted in some interesting reports for us. One that was about some Android malware that we called HenBox. Another one about a Windows backdoor called Farseer. And as Alex was looking at this, he started working on what we call an adversary playbook. These playbooks are things that we assemble to describe how an adversary launches their attacks. And what Alex was looking to do is build one for the group who was responsible for those two pieces of malware. He knew that they were connected to each other. They started doing this sort of backward look at previous attacks, mostly that had been published by other security vendors. And he realized there was connective tissue between all of them, overlaps in infrastructure and tools used and techniques that were used. As he was building out this playbook, he realized he really had a lot more, more like six or seven campaigns rather than the two or three campaigns that he'd already published on.

Let's start with who they're targeting here. Who does it appear that they're going after?

PKPLUG, all of the attacks that we've seen so far, both from our research and others, have been against organizations and individuals across Asia, a lot in Southeast Asia. But we also saw attacks in Mongolia, attacks inside of China, attacks in countries surrounding China. So it's really been a broad set. And this leads back all the way to 2013. So it's a long series of attacks, not just a few of them that we've seen over the last few months.

And there seems to be alignment with Beijing's Belt and Road Initiative.
Yeah, looking at the countries who are targeted, and it's a big list, so I won't name them all. I think we had seven or eight different countries. All these countries who were being impacted and the targeting that we were seeing had alignment with that initiative, the people who were sort of across that initiative.
Well, let's walk through the timeline together.
The research that you published shows that things got started back in 2013.
That's right.
So the first campaign that we investigated as we were going back in time, so 2013 is quite a while ago. It's before we actually formed Unit 42. So this was research that we were looking at using a really common Trojan called PlugX. It's a Chinese Trojan. Gets used by lots of actors. It's not exclusive to one organization, one government or another, one attacker or another. Intimate attacks against Mongolia. And it's actually PlugX is sort of where part of the name PKPLUG came from. When we were first using that moniker for this adversary, they were using PlugX and we pulled the plug from PlugX. And then they were deploying it by including the files in zip files, basically. And if you're familiar with the zip format, the first two characters of a zip file, the magic numbers effectively, are the letters PK. So Alex sort of assembled that together because he needed a name for it.
Whenever we're building one of these adversary playbooks, and we call them that because they are formed around an adversary.
And that doesn't mean a person or a government or a hacker group necessarily.
But it is our moniker of a way to tie all the attacks that we've seen that are connected to one or a small set of groups into one component.
We've published a whole bunch of these so far.
I think PKPLUG was the 22nd playbook that we've published so far.
So things get started in November 2013.
And then the next sort of spike in your timeline is from 2016.
Yep.
So 2016 was the next report that we were able to connect to this.
In that case, they were using another common commodity kind of Trojan called Poison Ivy.
In this case, the attacks were using phishing emails and the phishing emails included lures.
Basically, they were trying to trick people into clicking and opening a file that were related to ASEAN economic initiatives and democracy related themes in the country of Myanmar.
In this case, they were using Poison Ivy.
Like I said, once again, really commodity.
We can't use Poison Ivy or PlugX to directly attach attacks to a certain group.
But in this case, we saw infrastructure overlap again, domains, IP addresses, the things that
are used for the command and control.
And then only a few months later, some Trojans being used through Google Drive in July of 2016.
Yep. And this is one that we published on.
The Trojan that was used in this case is widely referred to as 9002.
And this came from the date 2009 that was embedded at some point, but it was embedded sort of in reverse.
Once again, a Trojan that's got a lot of association with Chinese actors, but not one particular one because it
has been used by a lot of different groups. And this one was, again, being delivered through
phishing emails with these zip files that started with PK, but in this case, installing a different
Trojan than the ones that we'd seen before. And again, it seemed like most of the attacks in this case were targeting activists inside of Myanmar, or not necessarily the activists themselves, but using the content that's interesting to them in their lures. Also, in that case, we saw lures that related to the sort of themes around Taiwan and the PRC and sort of the relationships between them.
The next spike on your timeline here is from March 2017.
Yep. And this one was the one that we called the FAPI campaign, or was dubbed the FAPI campaign, which is a sort of strange name, which I actually don't know the origin. Now I need to go and look that one up. This one was, again, phishing emails. And once again, using the same kinds of lures that related to governments from around that area, related in one way or another to sort of Chinese interests in the area. The phishing emails were actually hosted on GeoCities Japan, which is a blast from the past, but GeoCities has survived in Japan much longer than it did in the United States. In this case, the Trojan being used was once again Poison Ivy. So same Trojan, but a variant of Poison Ivy that continues the theme of using Poison Ivy from earlier. But once again, these sort of tools that are out there freely available for lots of people, nothing super custom at this point.

Looking over these few years here, the connecting thread is the infrastructure, not the tools?
Yeah, it's the infrastructure. Sometimes it's a little bit of overlap in the ways the tools were used as well. And this is one of the things when Alex put this research together, he was using a tool that we use called Maltego, which is a common link analysis tool in the threat intel world, so that you can lay out all of what you know about an attack, basically, and perform what we call nodal analysis. You lay out all the little nodes. So you say, I have a piece of malware, talks to this IP, that IP, or excuse me, talks to this domain, that domain resolves to this IP address. Maybe the domain was registered with a certain email address as well. And you get all these things laid out into a map, and then you identify connections between them. And in this case, the map was very, very large. We actually published the whole map in the report. And Alex sort of identified each of the reports that we talked about in this sort of summary, and showed how they overlap from one to another. And then he summarized it a little bit smaller into a multi-year diagram you can actually read by removing the extraneous information and just sort of showing the links. And across each of the links, they're not always the same. In some cases, you have links that are a domain that was being used as a command and control server, you know, twice in two different attacks. In some cases, it's two domains that were used that resolved to the same IP. And I'll say, you know, across all this activity, like this is six years. Six years is not a timeline where you go, this is one individual operating this whole time, because it's just too long. And we don't have that kind of detail. But we saw these overlaps that allowed us to make enough connection that we think they're all related to each other, roll them all up into one playbook.

And so continuing along the timeline, the next incident of note is in March of 2018.
Yeah.
So when we published the HenBox report, that was when we started seeing them using custom malware, and in this case, changing to target, instead of Windows systems, which all the previous attacks had been targeting, Android machines or Android phone devices. And this one was custom. Once again, the elements of who was targeted were again related to the interests of the PRC, but didn't seem to be against other governments. That did have sort of an activist theme, though, targeting Uyghurs, the Turkic ethnic group that's largely in north sort of eastern China, northwestern China. The themes that we were seeing around how they were tricking people into installing this on their Android phone were related to Uyghur messages, as well as we saw an element inside of the malware. It would only steal data from the phones, basically, when it saw that they had a prefix code on them that was the Chinese prefix code. So they weren't looking to target people outside of China. They were looking to target Uyghurs, and they were using Islamic themes to identify them when sending these out and then only trying to steal from their phones, which is, this is a pretty significant jump from the kinds of activity that we'd seen in the past. But we were able to connect it through the infrastructure that was used, the infrastructure and some of the other tactics, to say that these were related attacks.

What are your insights or speculation on the shift from using off-the-shelf tools to having the resources to custom build their own tools?
We can't say for sure, but I would say any time, if you've been given a directive, if this group, PKPLUG, however they're organized, has been told, you know, you've targeted a bunch of activists in the past and we've got access to them, but suddenly the population you want to target, the individuals, no longer use Windows at all, you really have to go and find a new route. And if, like the large population of the world that is on Android, they're your biggest base. And Android's very popular, especially outside, I think somewhere north of 80% for smartphone usage. And definitely in lots of areas around the world, outside the US, Android is really popular. This is the way that you're going to get access to the data from these individuals. You're not going to get it through a Windows device. So you need to go and do something new. And Android development, I wouldn't say the folks who were launching these attacks in the past had no technical capability. They're using off-the-shelf tools, but they still have to be able to set up the infrastructure and run it. They likely just needed to find someone who had some Android development background to be able to go and deploy these.

The timeline for the research concludes in February of 2019. What did you publish there?

In that case, we were back to Windows with some malware that we called Farseer that once again had connections, both infrastructure as well as tactical, back to the earlier attacks that we'd seen. And Farseer was being used, once again, decoy documents targeting political news, all related to the politics of Asian countries, in this case, related to Myanmar, using some similar techniques as well. We'd seen some of the earlier versions of Poison Ivy using this technique, Poison Ivy employed by PKPLUG using this technique called DLL sideloading, where you put a DLL with a name that's related to an actual, it's an actual Windows name or a name that's used by a common application installed on the system. And you replace that DLL basically in the directory with your piece of malware so it can load into a legitimate process. That's what we'd seen with the Poison Ivy in 2016. And that's what we saw with Farseer as well. DLL sideloading, once again, not an exclusive technique to Chinese actors, but certainly one that they very commonly use, you know, in this kind of timeframe, not just PKPLUG, but others. And it was a new tool, a tool that hadn't really been published on in the past. So when they're developing their own tool, in this case for Windows, you can sort of see a sophistication increase from just sort of pulling things off the shelf.
And this group is still on your radar, yes?
Certainly still watching them. And this is an, it's interesting for any group that's been around this long, and obviously over six years to have six-ish, or I think we have a seventh now that we're also investigating, attacks. It's not high volume. These are relatively small. We aren't going to claim we have perfect visibility, especially into some of these groups, where Palo Alto Networks, our primary customers are enterprises. So we wouldn't necessarily be in the place to go and monitor for attacks against activists, which a lot of these have been. But we are definitely keeping an eye on them because actors like this, they may go for other organizations in an effort to go and attack an activist in some way, or it could be newspapers or others who have the information that they're interested in.

Now, you and your team at Unit 42, you make use of what you describe as adversary playbooks. Can you describe to us what is that and how do you use them and what's the broader usefulness of them to the community?
The concept of the playbook started as, I'd say, a discussion, which was rather heated between me and my boss about three years ago.
He had said, we all in the threat intel community get frustrated when we're just sharing a bunch
of indicators.
You know, you share a list of hashes and say, these are bad or here's bad domains.
And what we're saying was the context around these is really important.
Why are they bad is important, but also what are they connected to?
Who's using them?
How are they using them?
Because if you just share a big list of indicators, you lose a lot of that context.
So he was saying we should be able to find a way to take everything we know about a bad
guy, an adversary, take the indicators that they're related to them, but also say, how
do they work across the kill chain? What are the steps that they take to be successful
in exfiltrating data, stealing money, whatever their ultimate goal is? So when we were building
out the, and I didn't disagree with that, but I did disagree about names and things like that.
We had lots of discussions about, should we call it a playbook? I'm not a sports guy. So I'm like,
I'm not sure exactly what the right metaphor is. Is it a blueprint? Is it something else? And playbook gets used in lots of ways in our industry.
But we settled on adversary playbook because we wanted to think of it as the adversary is sitting
down. If they were launching their attack, because they're humans, that's the thing we really want to
make sure people think about. This is a human being who's trying to do a job. What are the
steps that they would go through to achieve their ultimate goal? What's their playbook look like?
So we wrapped together really three sort of concepts and technologies to build the playbook. The first was MITRE's ATT&CK framework. We started doing this when ATT&CK wasn't quite as popular as it is now, but I'm glad it's gained in popularity, because ATT&CK gives you this common terminology for describing the techniques. I'm sure you've had Katie Nickels or someone else from MITRE on the CyberWire at some point to talk about it. It's a great framework so that we can use common terminology between us and other vendors to describe how an attack was launched. We map ATT&CK over to the Cyber Kill Chain so we can say, OK, we're looking at these different phases of the attack they're trying to accomplish. Which technique were they employing in each one of those?
And then the third one is STIX 2.0. So STIX 2 is a JSON format for sharing structured threat intelligence information. STIX 1 was an XML framework. STIX 2 is JSON. We basically rolled all these together to say, let's take an adversary, look at all the campaigns they've launched, look at the techniques that they employed in each of those campaigns, and see what indicators, not just individual hashes or domains, but are there patterns that we'd see in those domains, or are there command line executions that we might see on a host, and roll that all up into one bundle that could be machine readable in JSON, that a machine can go in and work with, in a standard like STIX. We made the first one for a group we call OilRig, I think a little over two years ago now.
And the team got together and they worked on it and they handed it to me.
And it's a big blob of JSON.
And I went, oh, man, no one is ever going to look at this because it's a big blob of JSON.
So we really quickly at that point said, let's build a little viewer for it. Let's build just some simple CSS, JavaScript, some HTML to be able to take that JSON and break it out. So you could actually basically explore it, say, show me this adversary, and then click into each of the campaigns, and sort of see a table of how all of the techniques were used. So we built the viewer really quickly. It's open source, it's on GitHub, actually. All of the playbooks, the 22 we published, are all free, and they're all on GitHub. If you Google Unit 42 playbook viewer, it should be the first hit. And, you know, people have liked them. And because of that, we've started adding more features to them over time. We're also making more playbooks. Like I said, we've published 22 adversaries. I think we're at 50 campaigns now. And we're not saying these are all inclusive, but we want other people to use the same kind of format. That's why it's open source and why we used all these standards. We want other people to do it in the same way, because if people have different vantage points on the same actor, we can combine that and say, hey, look, we suddenly know more about how this actor works. The most recent updates to the playbook viewer were just last week. We added the ability to see the targeted both country and industries for the campaigns. So now when you go and click into a campaign, you'll see the little flags of the country pop up as well as little icons for the industries that were targeted. And now that we have so many campaigns, you can also filter them and say, show me all the attacks that have impacted Saudi Arabia, let's say. And it'll just show you the campaigns that we've seen there. And like I said, they're not all inclusive of everything Palo Alto Networks knows. These are finished products, basically, after we've published a report. But it's a great structure to be able to understand more about an adversary and sort of keep that adversary in mind when you're looking at intelligence related to them.
Looking at PKPLUG, what are the take-homes for you? What's the message you want to get out about this particular adversary group?

I think the key with PKPLUG is that a series of attacks that over the last six years definitely have connective tissue, and there's likely one adversary or group who's responsible for them. And if you can sit down and look at how their tactics have evolved over time, it can give you some insight into, are they becoming more sophisticated, which we think they are? And are they learning from each of their previous attacks? Are they able to add new capabilities? Are they able to employ new techniques? And how quickly do they need to do that? Certain populations are more secure than others. And if you have a really secure target you're trying to hit or a series of targets, you might have to evolve really quickly. In their case, they evolve relatively slowly, but they still continue to evolve. And we can only see that if we can track them all together and think of them as an adversary.
Our thanks to Ryan Olson from Palo Alto Networks' Unit 42 for joining us. The research is titled PKPLUG, Chinese Cyber Espionage Group Attacking Asia. We'll have a link in the show notes.
The Cyber Wire Research Saturday is proudly produced in Maryland
out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Valecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie. Thanks for listening.