CyberWire Daily - Rosneft suspicions shift from espionage to business email compromise. [Research Saturday]

Episode Date: February 23, 2019

Researchers at security firm Cylance have been tracking a threat group targeting the Rosneft Russian oil company. As Cylance uncovered details, suspicions shifted from state-sponsored espionage to business email compromise. Kevin Livelli is director of threat intelligence at Cylance, and he joins us to share what they found. The original research can be found here: https://threatvector.cylance.com/en_us/home/poking-the-bear-three-year-campaign-targets-russian-critical-infrastructure.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com. Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities and solving some of the hard problems of
Starting point is 00:01:10 protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. And now, a message from our sponsor, Zscaler, the leader in cloud security. Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise by an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security.
Starting point is 00:01:57 Zscaler Zero Trust Plus AI stops attackers by hiding your attack surface, making apps and IPs invisible, eliminating lateral movement, connecting users only to specific apps, not the entire network, continuously verifying every request based on identity and context, simplifying security management with AI-powered automation, and detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI.
Starting point is 00:02:33 Learn more at zscaler.com slash security. Well, this first came to our attention the way many research projects come to our attention. You know, we're always sort of on the lookout for new and interesting malware or new and interesting attack methods. That's Kevin Livelli. He's director of threat intelligence at Cylance. The research we're discussing today is titled Poking the Bear, Three-Year Campaign Targets Russian Critical Infrastructure. And we pay particular attention to targeted attacks. Myself and another security researcher named John Gross spend a lot of time tracking the so-called APT groups, Advanced Persistent Threat Groups, or state or state-sponsored groups. And so we started out just by investigating some interesting
Starting point is 00:03:25 files we found in a common malware repository and thought, at least initially, that we were on to another foreign espionage campaign. And a lot of this centers around this organization called Rosneft. Can you give us some background here? Who are they and how did they get to be at the center of this? Well, we found out that Rosneft was involved here. Rosneft was actually just one of a number of state-owned Russian critical infrastructure companies whose names were invoked in the infrastructure, the command and control infrastructure that was used to carry out this attack, right? So we didn't see it at first, but when we started to look at the infrastructure that was used here, we saw that name.
Starting point is 00:04:11 Rosneft is, well, they call themselves the largest publicly traded oil company in the world. And they are a company whose name caught our eye because, first of all, where they're located. Second of all, the fact that they're owned, at least in part, by the Russian government. But that name also caught my attention because Rosneft was the subject of a rather mysterious deal a couple of years ago that took a portion of the company private. And it was noteworthy for a number of reasons. First of all, the amount of money involved. Secondly, the fact that anything having to do with this oil company was going to potentially be of geopolitical significance, because as has been reported in the New York Times and elsewhere, Russia often uses its state-owned
Starting point is 00:05:07 companies, particularly this one, as a tool of foreign policy. So that held our attention. And the third reason was because there was a lot of intrigue surrounding how the deal to take it private was being done. Who was involved? Who were the buyers? Who was mediating the process? All of that led to reporters spilling quite a bit of ink, right, in the press. And Rosneft even got a rather conspicuous mention in the now infamous Steele dossier, which was that collection of raw intelligence that a former British intelligence officer put together, and which was published, I think, by BuzzFeed a while ago. The Rosneft deal and its potential intersection with the Trump administration
Starting point is 00:06:00 was mentioned in that report. So having seen all that, John and I thought immediately that this was going to be worth investigating further. And indeed, because of all these reasons, we thought that we were probably looking at a company that was the target of a state or state-sponsored espionage campaign. Right. I mean, that makes sense. Certainly, at first glance, all the stuff adds up to that being a likely thing going on here. But then as you dug into it, it got a little more interesting. Yeah, that's right. I mean, in fact, you know, so there were two interesting things here regarding this research. One is the sort of tick-tock of uncovering what exactly was going on here and why were not just Rosneft, but why were
Starting point is 00:06:52 more than two dozen Russian state-owned critical infrastructure companies and even some financial institutions, why were their names being invoked in the infrastructure of this attack? There's that. And then at the higher level, there's the sort of onion that we just started peeling, which is a little bit about confirmation bias among security researchers who often follow geopolitical developments and mentions of deals like this in the news and are looking for sort of the evidence of some sub rosa cyber activity, right, that may accompany it. And so that's the road we were heading down. But what did we learn? We learned when we started to investigate further, we learned that Rosneft
Starting point is 00:07:37 wasn't alone. As I mentioned, this threat actor had created similar websites that mimicked lots of other state-owned oil, gas, chemical, agricultural organizations, and that we discovered that this had been going on for a long time. And that this threat actor was not changing the malware that was being used in this attack, had not changed it in several years, which was also intriguing. Well, let's go through some of the technical things that you found here. Can you walk us through how would someone have found themselves infected here and then take a step by step what happened after that? The files that we started with were phishing documents that we pulled out of a common malware repository. That's one indicator of compromise.
Starting point is 00:08:25 And through our analysis of those documents, we eventually got to the malware that was being used here, which was, you know, and there were several stages of it. But ultimately, sort of the piece of malware worth talking about here was a keylogger. So this was a piece of malware that did lots of things and had the capacity to exfiltrate data, but its principal function and sort of its raison d'etre, rather, was keylogging. And so we were a little bit confused at that point as to,
Starting point is 00:08:58 we understand what a keylogger does and why it might be helpful. But what we didn't understand until we read a report by another security company was what the significance was of all of the mirrored Russian critical infrastructure company names among the domains that were used as infrastructure. We didn't know why those names were there. Many of those websites, if you tried to go to them, had been taken down by the time we came around to it. So we didn't quite understand what exactly we were looking at. We knew we had a keylogger and we knew we had a lot of this infrastructure that was designed to look very much like not just these websites of these organizations, but portions or subdomains of these companies' websites that dealt with money. There was a Rosneft site that was invoked that if you went to it, or the site that it was mimicking, it was the place where you would go if you were trying to blow the whistle on corporate embezzlement. Another series of websites brought you to the place where you would go if you were bidding for contracts for an oil or gas supplier.
Starting point is 00:10:13 So these are places where money was changing hands, which ultimately sort of made sense once we read the research of this other, as it turns out, Russian security company, and put the pieces together. I guess I'm trying to understand how they were making money here. They had stood up all of these sites that imitated the legitimate sites. Yeah. What was their game plan here? Well, we're sort of reliant upon, as I said, I think sort of the excellent analysis that was published rather curiously as like paid content in Forbes of all
Starting point is 00:10:51 places, but in a Russian version of Forbes magazine, by Group IB, right, which is a Russian infosec company. And their founder and CEO released details of an attack that, well, it's the same attack. Right. Right. We later figured out. But we hadn't seen any sort of independently published research about it. And again, we're reading it in translation. But what they claimed in their report was that they had at least one, probably more of these companies as clients.
Starting point is 00:11:27 And they had taken screenshots of some of these mirrored websites. And so what it looks like the purpose of those ended up being was to collect credentials, right? So you had malware, what they didn't write about was the malware. That's what we were writing about. The malware was probably collecting credentials. But then if you went to these mirrored websites, these fake websites and entered your credentials, well, then there was another way in which they could harvest them. And putting all those pieces together, this looks like a business email compromise attack. Criminals collect credentials so that they can later sign in as you, right? Sign in as the victim into their email account, into their legitimate email account, and watch email traffic go back and forth and attempt to insert themselves into the process and misdirect funds or direct funds into their own accounts, right? So if they were signing in as a financial officer at Rosneft, they could wait for the email that would come across, normally come through their inbox to say,
Starting point is 00:12:33 okay, pay this contractor, or here's an alert of some potential fraud happening and take advantage of the knowledge that they gain from being in that position and try to direct the funds elsewhere. Right. So the notion is that's why they're imitating specific parts of these websites that deal with things like contracting. Yeah, that's our assessment. This is an intelligence analysis to a certain extent here, right? So we're making a judgment. I don't know exactly, but we're making a judgment here based on what Group IB wrote and based on the function of the malware that we uncovered. So putting those pieces together, yes, that's exactly what it looks like. This looks like a criminal attempt to steal money by inserting
Starting point is 00:13:18 yourself into the legitimate business process of these companies and misdirect funds. Now, as part of your analysis, do you suspect that they were trying to look like an espionage group to throw people off the trail? Or was that deliberate? Or was that simply the path that you all started on down? Do you follow where I'm going with that? Yeah, that's, you know, the intent and the mindset of the attacker is one of the hardest things to try to figure out when you're coming after the fact. I think that it was an advantage, whether or not it was the intention of this guy to begin with. Right. Right. So I think that in general, this was interesting to us because it sort of
Starting point is 00:14:02 fits a larger trend that we've been watching where, okay, so there's been discussion for some time now about the overlap between criminal syndicates and nation state hacking groups, right? Particularly in Russia and Eastern Europe. And what we're starting to see increasingly is a blending of the attack styles. Okay, so forget the personnel, I'm talking about the approach. So a typical criminal approach might have you taking a scattershot approach and throwing malware, not just at your target, but at lots of other companies that are tangential to your target that might be interacting with your target with the hope of getting in somewhere, right? Finding some chink in the armor. Whereas a lot of traditional APT attacks or state-sponsored attacks are known to have the
Starting point is 00:14:57 flavor of just surgically targeting not just a particular organization, but even servers within that organization, right? And so what we're seeing is our criminal groups that are taking that targeted approach, and nation state groups that are known, you know, historically for using targeted attacks that are taking that criminal approach, right? Of using that sort of broader scattershot attack method. Here, you know, this seemed relatively targeted, right? I mean, this threat actor, we do believe it's either probably an individual or small group of people. And we can talk about that in a minute. Yeah, we think that they pick, there's certainly a flavor of their targets, right? They all have a common theme. But it just happened to be a knock-on effect,
Starting point is 00:15:46 I think, that because they're targeting critical infrastructure companies at a time when some of them are in the news and the subject of a lot of geopolitical intrigue, that it might also lead investigators and security researchers like us to start to think that maybe this is an espionage campaign and not an attempt to steal money. They kind of hide in the noise, as it were. So it's a good lesson to researchers and investigators that this fuzzing between these flavors of groups can make it harder to know for sure where something's coming from. That's right. I mean, I think that in general, when you're doing analysis of a malware campaign or an attack, you know, you should constantly be aware and sensitive to number one, what are your technical collection limitations?
Starting point is 00:16:38 Right? If you're going to make judgments about an attack, you have to be cognizant of what kind of forensic evidence do you have access to and what kind of forensic evidence do you not have access to. How big is your window is another way of saying that. The other piece of that is that once you collect all of this technical data and are going to write it up, either for a client or for an executive or for a public audience like we're doing here, you're engaging in some sort of level of intelligence analysis that must also take on that idea that you might have some biases, right? And that you should check what those biases are. Don't jump to conclusions about what this is because you'll end up writing about and drawing conclusions
Starting point is 00:17:26 that may be incorrect, right? If we had just kind of gone down this road and kept on looking for evidence of a huge, well-resourced, state-sponsored espionage campaign, we'd still be sitting there scratching our heads, right? Because it's not what it was, right? And so, you know, we were able to assess that with some high level of confidence at the end of the day, because, well, this threat actor made some operational security mistakes. And when you do that, sometimes those things can be critical. And so we had a combination of indicators at the end of the day that pointed towards this being a small group or maybe even an individual effort to target these companies for financial gain and not a
Starting point is 00:18:13 multi-pronged, long-running, state-sponsored espionage campaign that's designed to siphon intellectual property or something like that out of the company. Right. I suspect too that you have to have a certain amount of humility to protect yourself against the not invented here problem. You mentioned how you sort of had an aha moment when you came across this research from Group IB, which connected some of the dots for you. And I could see internal groups having a bias against that just, you know, in a natural way. Right. Well, this is part of the reason why we publish research like this.
Starting point is 00:18:50 Yeah. indicators of compromise that we had access to and that we developed and put them together with what they have, and then try to fill in the picture a bit more, right? I mean, it's actually kind of a nice thing, I think. I don't know the researchers at Group IB who were responsible or the incident responders who were responsible for this particular attack. But, you know, we don't even speak the same language. And here we were able to essentially arrive at the same conclusion and add to each other's body of knowledge. Right. They helped us make sense of the malware that we found. We found the malware and more of the infrastructure that they had a piece of. Right. Yeah. So those two things, I think, go to go together very nicely.
Starting point is 00:19:43 Yeah. Now, you mentioned earlier that you had some reason to believe that this was an individual or a small group. What led you to that conclusion? Well, the first thing was that in doing a little bit of malware archaeology, we discovered that this threat actor had reused malware and infrastructure previously in criminal efforts to steal from users of a video game platform. It's escaping me which one it is. Was it Steam, I think? Oh, yeah. Steam. Yeah. And a lot of the tool set that was used there. So I think that was used, again, to steal credentials of users
Starting point is 00:20:19 so that you could take money in-game, I think, which then you could cash out, presumably in some way. I'm not a big Steam user, sorry, for all of those listeners who might be. Evidently, there are ways in which you can make some money if you can take over a number of accounts. And so that's what had happened there. And so the tool set hadn't changed. And we thought to ourselves, when we found that out, we said, wait a minute, this doesn't really sound like something that a government hacking group would be involved in. And so, of course, there are people that do both things and wear both hats. And that's certainly a possibility here too. But it was the first indicator to us that this was not a nation state group, right? That this is a criminal group and
Starting point is 00:21:07 the work of at least an individual or a small group of people whose track record we can uncover, right? And whose lineage in their malware use and infrastructure use we could trace. Cylance does not feel that it is very helpful to network defenders and enterprises to go into great granularity about who's behind an attack, right? We can have a whole other discussion, Dave, about that another time if you like. So we tend not to put details like that in here. But rest assured that those details exist, such that, you know, this threat group made enough mistakes that we could have a pretty good idea of who they are, right? Where they live, what they're interested in, right? The country that they're in, probably all of those things, which was further evidence, right? So put
Starting point is 00:21:59 that together with the video game attacking in the past, these operational security blunders. And then the third piece was, again, the context that we got by reading the Group IB report to see that this was likely a business email compromise type of attack designed to steal money. And if you put those three things together, then you go, okay, this is very likely not a nation state group, right? This is likely a couple of guys who are trying to get rich. And I should add a couple of rather bold individuals, right? Our feeling is that this person or group is located either in Russia or in that neighborhood. And so to take on a Russian state-owned oil giant and financial exchange. And not just one or two, but more than
Starting point is 00:22:48 two dozen. I think it's closer to 30 of them. For three years where your OPSEC is not all that great, it shows incredible chutzpah. Talk about poking the bear, literally, right? Yeah. That's kind of what we meant, right? So it's exactly the kind of thing that, again, when we came to that conclusion, we couldn't believe it. You know, we thought to ourselves, boy, this guy is probably going to end up in the gulag, right? Somewhere in short order. If folks among the targets in Russia are reading Threat Vector, which I hope they are now. But you don't know. Yeah. Now, do you have any sense, or are these folks still active? Are they still at it? I think so. The last bit of forensic evidence that we looked at is now a month or so old, right? I haven't gone back to check it. But typically, when campaigns run like this for some length of time, unchanged or largely unchanged, it's an indicator that it's working, right? And it's an indicator that if some of this activity has been uncovered, right?
Starting point is 00:23:59 I think the Group IB report, well, obviously, it preceded our research, right? I don't remember exactly by how many months, but it didn't seem to have an effect because at the time that we were completing this research and writing this analysis up, the activity was still ongoing, despite the fact that Group IB had already published. You see what I mean? So Group IB exposed a piece of it, had beautiful screenshots of it, and had written about it not on their own website or not through sort of the InfoSec community's normal channels of disseminating this kind of thing, but in Forbes magazine, of all places, right? Which presumably is going to get some wider readership out of the InfoSec community. And it didn't deter this group, right? This guy kept going.
Starting point is 00:24:45 Right. So I suspect it's probably likely still the case, right? Yeah. It's interesting in itself. All those little details are fascinating on their own, that this was placed in a paid-for way in Forbes. It itself makes you think. Yeah. Well, they accept content from various corporations and companies all the time. That part of it is not unusual. But the fact that we didn't see the research published
Starting point is 00:25:12 on Group IB's website was a little strange. And the fact that it read as a narrative... I think they called their thing Attack of the Clones. Believe it or not. It was the name of the article and they did mention Rosneft in there. Right. So we knew enough,
Starting point is 00:25:30 they had enough technical detail in there for us to determine with certainty that we were talking about the same thing, right? It wasn't the typical kind of threat research where there were indicators of compromise at the end of the report. And there wasn't, there wasn't any kind of deep dive analysis into how the malware worked and how you would decrypt different functions of it and what the stages of it were and all those kinds of stuff, which is part of what we include here. We're blending analysis and technical discussion in this blog post. They just kept it at the analysis level
Starting point is 00:26:00 and talked anecdotally about their own clients. But yeah, fascinating stuff, right? I mean, it's unusual and unlikely. Yeah, lots of intrigue here. Lots of pieces of this are unusual and unlikely, right? So that's why we decided that it would be probably interesting for others to read about. I think that the important takeaway for researchers and for those involved in network defense at the enterprise level is don't always go with your first blush instinct, right? Don't always have that knee-jerk response and jump to conclusions. What at first blush seems to be a clear indicator of nation-state activity might just end up being a criminal attempt to steal money, right? And vice versa. And watch, I would say,
Starting point is 00:26:46 watch that space. I think that that blurring of that line between those two styles is something we're going to see more of. Our thanks to Kevin Livelli for joining us. The research is titled Poking the Bear, Three-Year Campaign Targets Russian Critical Infrastructure. We'll have a link in the show notes. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their
Starting point is 00:27:25 families at home. Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. The Cyber Wire Research Saturday is proudly produced in Maryland out of the startup studios of Data Tribe, where they're co-building the next generation of cybersecurity teams and technologies.
Starting point is 00:28:08 Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen,
Starting point is 00:28:15 Nick Valecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie,
Starting point is 00:28:21 and I'm Dave Bittner. Thanks for listening.
