CyberWire Daily - Phishing campaign takes the energy out of Chinese nuclear industry. [Research Saturday]

Episode Date: May 6, 2023

Ryan Robinson from Intezer joins us to discuss his team's work on "Phishing Campaign Targets Chinese Nuclear Energy Industry." The research team discovered activity targeting the nuclear energy industry in China. Researchers attributed the activity to Bitter APT, a South Asian APT that is known to target the energy, manufacturing and government sectors, mainly in Pakistan, China, Bangladesh, and Saudi Arabia. The article states "We identified seven emails pretending to be from the Embassy of Kyrgyzstan, being sent to recipients in the nuclear energy industry in China. In some emails, people and entities in academia are also targeted, also related to nuclear energy." By inviting recipients to join conferences on subjects that are relevant to them, the attackers lure them in and are then able to social engineer the victims. The research can be found here: Phishing Campaign Targets Chinese Nuclear Energy Industry

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K.

...of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life... Thank you.

Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly
Starting point is 00:01:45 evolving cyberspace. Thanks for joining us. Instead of targeting an embassy in this case, it was communication, pretending to be from an embassy. And then that's how we got kind of down the rabbit hole to where we are now. That's Ryan Robinson. He's a security researcher at Intezer. The research we're discussing today is titled "Phishing Campaign Targets Chinese Nuclear Energy Industry." Well, let's go through it together here.
Starting point is 00:02:25 Exactly what's going on with this campaign? From a high level, this campaign is that Bitter APT are targeting organizations in China, which is normal. But what's slightly different about this one is that we actually have the emails that were sent to the victims. So we have essentially the social engineering lures and then also who the potential victims are. This allowed us to sort of analyze the social engineering tactics that were used and obviously the payloads and stuff. What this campaign tried to do was Bitter APT pretended to be an attaché from the embassy of Kyrgyzstan. It invited the recipients to join some sort of conference or roundtable relating to their field or topic,
Starting point is 00:03:18 along with an attachment that starts the malware chain of infection. And you mentioned that this seems to align with the Bitter APT. What do we know about them? So as we say on the blog, they're a South Asian threat group and commonly they target energy and sort of government sectors, particularly Chinese government departments and scientific research institutions.
Starting point is 00:03:49 But they've also been known to target Pakistan and Bangladesh and Saudi Arabia, quite a few countries. To be more specific than South Asian, other organizations, not us, have attributed them to be from India. So we have. The biggest clue of this is that
Starting point is 00:04:09 a couple of years ago, Kaspersky researchers had noticed that in some code that was created by Bitter APT, they noticed an exploit that was... It essentially came from an exploit broker
Starting point is 00:04:25 from a Texas-based company called Exodus Intelligence. And then Forbes went in and did an investigation on this and started speaking to a few people. From that, they found out that essentially someone from either an Indian government personnel or contractor was able to take this code and somehow that made its way.
Starting point is 00:04:48 And that made its way into Bitter APT code. Bitter APT is much better documented in Chinese sources than I would say in kind of Western English-based sources. Interesting. Well, let's dig into the actual phishing lures here. How are they coming at these people? Okay, so we can divide it up into a few topics. So we can first talk about who they were specifically targeting
Starting point is 00:05:24 and then go into who they chose to impersonate and then what kind of lures they were specifically targeting and then who they chose to impersonate and then what kind of layers they were doing. So when it comes to who they were choosing to target, it was mainly after specific people and institutions. And so the email that we show in the blog, it targets multiple people inside what is a consortium of Chinese nuclear institutions, mainly for sort of research and development
Starting point is 00:05:55 and then to get this into applied nuclear technology. But what I think they specifically really wanted to target for was the Institute of Nuclear Safety Technology. And there's a big overlap between this sort of semi-government institute and academia as well. So what you notice in some of the emails is that some of the people that they target are in both institutions. And it's kind of like they will target both the institutions a bit more broadly, but then also specific people inside them, of which
Starting point is 00:06:34 some of those people are in both, so they are. So I can't quite tell whether, you know, like the chicken or the egg, they chose the people, then the institutions first, or the institutions, then the people. But what I would say about some of the people is that they're quite prestigious. They have their own Wikipedia pages and all, and they'd be quite well-known in their respective fields internationally, not just in China. When it came to how they tried to bring them on board,
Starting point is 00:07:02 kind of social engineer them, learn them and stuff, the learners are basically based around invitations to conferences and kind of roundtables, that sort of thing. So the basic structure of the lure would be, you've got an email, it comes to your inbox. It pretends to be from what it just says, embassy in China, but more specifically, the embassy of Kyrgyzstan. In the body of the email, it sort of throws in a few terms like, hey, you're invited to
Starting point is 00:07:32 this conference and it's along with the embassy and other kind of think tanks and stuff like, oh, the China Institute of International Studies in Banyu and we want to talk about maybe nuclear doctrine or the International Atomic Energy Agency, the IAEA. I'll also point out that some of the people targeted have either worked in the IAEA or they've worked kind of with them. So it would be quite a familiar sort of topic for them. And from that kind of social engineering there, it says, hey, like check out the invite or the attachment
Starting point is 00:08:13 and that there's an invitation in there. And, you know, that's the start of the malware chain. When it comes to other lures, the kind of work style is that some of the lures kind of have additional decoys in them. So when you do download and open them, some of them kind of have nothing inside them. But then other sort of more updated lures,
Starting point is 00:08:37 they put kind of a decoy. So you're not just kind of left with nothing and confused. So yeah, they'll put sort of more kind of details when you open that up um one thing also kind of say is that when the emails are they're signed off they're kind of in a open-ended fashion so it kind of leaves it that if you want to reply to them you can't and you know maybe in that case if they get one of their specific targets to them like, hey, I wasn't able to open that file and stuff. They're able to further engage with them, maybe send them a few more things and all. But then what's also interesting, kind of the last part of this social engineering lure type of thing is that they also impersonate specific people.
Starting point is 00:09:21 Like I said, they're pretending to be the embassy in Kyrgyzstan. So they've signed off the email at the bottom with the name of an actual attaché in the embassy. But I want to point out, they're not using this person's email or anything. The email is being created anew. And so what I think they've done is that it's very easy to find this information online. You know, if you go to the Ministry of Foreign Affairs website for Kyrgyzstan, you can find the names of these attachés and what their jobs are. Even through LinkedIn, you can find their profiles. So what I think the group have been doing is that, you know, I wouldn't really call this sophisticated, but it's very, very far. So they've managed to choose who they want to target, who they want to pretend to be in sending these.
Starting point is 00:10:13 And you can get all that through open source information just by using search engines, Google, LinkedIn, what have we? And now a message from our sponsor Zscaler, the leader in cloud security. Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise by an 18% year-over-year increase in ransomware attacks
Starting point is 00:10:46 and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security. Zscaler Zero Trust Plus AI stops attackers by hiding your attack surface, making apps and IPs invisible, eliminating lateral movement, connecting users only to specific apps, not the entire network, continuously verifying every request based on identity and context, simplifying security management with AI-powered automation, and detecting threats using AI to analyze over 500 billion daily transactions.
Starting point is 00:11:31 Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI. Learn more at zscaler.com/security. Let's talk about the actual payloads and how they're delivered. How are they choosing to go about that? So, as I sort of said before, there's an attachment within the body of the email. And first of all, they're in a RAR attachment. And a RAR is kind of like a zip file, so just a way of compressing the payload.
Starting point is 00:12:15 What's nice about a RAR file is that since it compresses the payload, for some static-based malware defenses, it's not able to analyze that without taking extra steps, i.e. with taking the attachment and then decompressing and then grabbing the payload out of there and then continuing. And so inside that RAR attachment, there are a couple of routes which you could take. There is either an Excel file, and that Excel file has what is quite a common exploit inside it. And then that exploit creates a scheduled task, which can start from the next stage. If I go the other route, instead of an Excel file, what they really commonly use is what's called a Microsoft Compiled HTML Help file or a CHM file.
Starting point is 00:13:10 It's kind of something that's not really used that much anymore, like kind of legitimately, but it's something that you might remember if you were using kind of Windows back in the day of XP or Windows 95 or 98 or something, when you click on the help button, it sometimes brought up what kind of looks like a web page, but it's not a proper web browser. Those types of files, you can still execute code on them. And again, that creates the scheduled task.
Starting point is 00:13:43 So those scheduled tasks, they're either going to do one of a few things depending on what sort of route the payload has got. Very commonly, it uses msiexec to basically download a remote MSI file and then execute that. And that one's very, very common. That's kind of been documented in other blogs and it's like techniques that they've been using for years.
Starting point is 00:14:11 In other cases, it uses curl. So quite a common sort of like command line based sort of HTTP client. So you can essentially make kind of basic web requests and then do what you want with the downloaded data. Or in the later versions, if we said there's something kind of new, we've noticed that they've moved over to using PowerShell instead after that. And then once the scheduled tasks that use these kind of living off the land
Starting point is 00:14:42 techniques have downloaded, that's where you'll get a kind of downloader sort of module, and then from there, extra payloads are sent over depending on what the task kind of needs. They're known to use a vast kind of tool set. After that, it really depends. How do you recommend that folks best protect themselves against this? As I maybe said before, it's not what I would call sophisticated, but they were quite thorough, so they were.
Starting point is 00:15:16 So I would honestly recommend this at basic levels, that if you're an employee inside a company, energy company, essentially any org, is that you should probably have a good standard of security awareness around phishing emails. And the reason why I said for this is that the learners themselves can be quite convincing. Like I said, they're referencing organizations that are highly related to the people or that they've even worked in before or that they'll be familiar working with.
Starting point is 00:15:53 And then they sign off in names of real people. So if you were to say the name of that person, you go, oh yeah, that person's real, that's fine. But it's not from that person. So just because the email says something doesn't mean it's true. Therefore, security awareness is good. And when it comes to after, not protecting your computer, so say, you know, your first stage of awareness fails, after that I'd probably recommend just a good sort of EDR, XDR kind of endpoint security for your computer.
Starting point is 00:16:27 So if the first stage fails and then you go on to click on one of those files, you're going to want to hope that the next levels of security are going to then capture that for you. So if one of the scheduled tasks is created, the security products will realize that maybe that's not a normal scheduled task. It's pretending to be something else that can masquerade, that it might detect that and block it.
Starting point is 00:16:52 So basically, I would say awareness first of all, and then don't get hit. But if you do get hit, make sure you have extra levels, a defense in depth strategy. Your blog post mentions that Bitter APT have been around for a while now, for a few years.
Starting point is 00:17:12 What's your sense in terms of their sophistication? In this case, the activity that we've seen here isn't particularly sophisticated. It's not hard to understand what's going on and what the chains are all. And honestly, in this case, maybe they don't have to be since it's the first stage. You know, they only have to be lucky once,
Starting point is 00:17:38 whereas if you're being targeted, you have to be lucky each time. So I don't think maybe they care too much about getting caught in that regard. But where they have been more sophisticated is that in other attacks we've seen like kernel level zero day exploits being used. That would suggest quite a bit of sophistication being able to use that. But like we said before, it's that they haven't managed to develop these
Starting point is 00:18:14 exploits themselves. They managed to get them off a broker that sells exploits. So while sometimes the skills themselves might not be too sophisticated, they can still get their hands on essentially a sophisticated toolkit because essentially that's just a money problem. So it is.
Starting point is 00:18:33 So yeah, I would say they are being less sophisticated, but I wouldn't underestimate them. They can pull out something that hasn't been seen before just because they can buy it. Our thanks to Ryan Robinson from Intezer for joining us. The research is titled "Phishing Campaign Targets Chinese Nuclear Energy Industry." We'll have a link in the show notes. Cyber threats are evolving every second, and staying ahead is more than just a challenge.
Starting point is 00:19:20 It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. The CyberWire Research Saturday podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Ervin and senior producer Jennifer Iben. Our mixer is Elliot Peltzman. Our executive editor is Peter Kilby, and I'm Dave Bittner. Thanks for listening.
