CyberWire Daily - Taking a closer look at UNC1151. [Research Saturday]
Episode Date: October 9, 2021

Matt Stafford, Senior Threat Intelligence Researcher, from Prevailion joins Dave to talk about their work on "Diving Deep into UNC1151’s Infrastructure: Ghostwriter and beyond." Prevailion’s Adversarial Counterintelligence Team (PACT) used advanced infrastructure hunting techniques and Prevailion’s visibility into threat actor infrastructure creation to uncover previously unknown domains associated with UNC1151 and the “Ghostwriter” influence campaign. UNC1151 is likely a state-backed threat actor waging an ongoing and far-reaching influence campaign that has targeted numerous countries across Europe. Their operations typically display messaging in general alignment with the security interests of the Russian Federation; their hallmarks include anti-NATO messaging, intimate knowledge of regional culture and politics, and strategic influence operations (such as hack-and-leak operations used in conjunction with fabricated messaging and/or forged documents). PACT assesses with varying degrees of confidence that there are 81 additional, unreported domains clustered with the activity that FireEye and ThreatConnect detailed in their respective reports. PACT also assesses with High Confidence that UNC1151 has targeted additional European entities outside of the Baltics, Poland, Ukraine and Germany, for which no previous public reporting exists. The research can be found here: Diving Deep into UNC1151’s Infrastructure: Ghostwriter and beyond
Transcript
You're listening to the CyberWire Network, powered by N2K.

...data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
So we had been following some of the open source reporting about this particular influence campaign ever since FireEye came out with it in 2020.

That's Matt Stafford. He's a senior threat intelligence researcher at Prevailion. The research we're discussing today is titled "Diving Deep into UNC1151's Infrastructure: Ghostwriter and beyond."
And now, a message from our sponsor, Zscaler, the leader in cloud security.

Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise by an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security. Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps and IPs invisible, eliminating lateral movement, connecting users only to specific apps, not the entire network, continuously verifying every request based on identity and context, simplifying security management with AI-powered automation, and detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI. Learn more at zscaler.com slash security.
It was interesting to us for a number of reasons, least of which being that it is ongoing. So we wanted to ensure that the community and the industry at large had as much information as it needed to kind of proactively take care of whatever issues that this campaign was causing.
Can you give us some of the background on the players here? I mean, we're sort of highlighting UNC1151, and also I suppose Ghostwriter is, I don't know, hitched their wagon to that name or is a subset. How would you describe it?
Sure. Ghostwriter is a large, broad influence campaign that started years ago. It's been years in the running. Some of the reporting suggests it goes back to 2014, 2015, but FireEye released their report in 2020 saying it went back to 2017. And then in 2021, they released another report actually attributing parts of Ghostwriter, the influence campaign, to a certain threat actor, UNC1151. They, along with some other vendors in the industry, released some indicators of compromise, which really was a list of domains and infrastructure that UNC1151 had used for parts of the Ghostwriter campaign. That is where we started pulling on the threads with our unique visibility into web-based infrastructure to kind of illuminate more of the Ghostwriter infrastructure.
Well, let's walk through that together. I mean, first of all, can...

...infrastructure data sets as input. And then we have kind of a bespoke data analysis pipeline that correlates all of that with several different threat exchange feeds. And what that does for us is it shrinks the haystack to a manageable size, which then allows our human analysts to come in and chase down the resultant leads at the end of that. So we boil the ocean down to a more manageable size, maybe a large pond, so then we can effectively expend our limited time and resources on leads that have been pre-identified.

Well, let's walk through it together then, how you apply your tools to this data set that, as you say, you know, FireEye's Mandiant group had sort of blazed the pathway here, and then you picked it up and applied your own techniques to it.
Can you walk us through how that works?
Sure. So we used previous public reporting. FireEye was among the vendors that had released reporting on this. And we used that as our starting point. We were able to identify some patterns and overlap with web infrastructure creation. So that being historical domain registration data, TLS certificate data, DNS records, and hosting data, which allowed us to kind of identify additional domains that had been used by UNC1151 during the Ghostwriter campaign. So we identified an additional 83 domains, which had not been previously reported, which kind of contributed to a threefold increase in UNC1151's known infrastructure.
Now, are there patterns here? I mean, anything that stands out with these domains in terms of their tradecraft?
Yes, we identified overlapping TTPs throughout the investigation. Domain naming themes that likely enabled phishing across both official government and personal accounts. Recurring Polish and Ukrainian words that formed additional naming themes that we could then identify and use to further our investigation. Domain naming structures, how they actually created the naming structure for their domains and subdomains, was something that we were able to pivot on and use as overlapping behavior. And they also had a regional focus. You could tell from the subdomains that they were using who their targets were. So that also helped us identify where they were operating and what they were focusing on.
And what can we gather there in terms of who this is likely and who they're targeting?
So according to the previous open source reporting, this group is a cyber espionage group, a state-backed cyber espionage group that engages in targeted spear phishing. So they're not blasting out huge amounts of phishing emails. They are picking their targets carefully, which overlaps with the domain naming themes we've seen. They will create kind of a generic, legitimate-sounding root domain, such as net-account.online, and then they will include a prefix to that for a subdomain that will allow them to target specific audiences. So we've seen prefixes to those. We've seen subdomains to those root domains for regional email providers, such as UKR.net or GMX, which are Eastern European Ukrainian email providers. And we've also, we've seen all that all the way to official Polish and Ukrainian military and government accounts.
Now, some of the results that you gathered here, you assessed with high confidence and some with moderate confidence. What goes into you determining the amount of confidence that you have in a conclusion here?
So because Prevailion is focused on web infrastructure, we can't see anything that occurred on the endpoint and we don't have any visibility into the web servers of the threat actor or the victim. So all we can see is historical hosting data, historical DNS data. So that is one part of why we have to assess things with moderate confidence. The other part of it is sometimes the personas that the threat actor used or the age of the evidence we're looking at will prevent us from assessing something with high confidence. There's just too much time has passed or there isn't enough overlapping infrastructure or facts to support an assessment of high confidence.
So what are the conclusions here? I mean, based on the research that you all did, what did you learn?
I think the biggest takeaway was that this activity is ongoing. I mean, we have domain registrations as current as this month, September of 2021. So despite the fact that the security community continues to track this, both within private industry as well as various governments, it has not caused an observable slowdown in this actor's operations. The weekend after we published this blog post, the German government attributed publicly phishing attempts on members of German parliament to this threat actor. And as recently as this week, there have been additional threat intelligence reports from other vendors that this campaign is still ongoing.
It's interesting to me the sort of community effort that's going on here. I mean, as you mentioned, you built off of some open source information from other organizations, information coming from various places around the world. Why is it important for you at Prevailion to take a part in this, to publish your own information here, to build on what's already been gathered?

I think the most important reason to keep working at this problem as a community is because this activity is very hard to defend against. It's hard to get counter-messaging out there, especially in the case of tainted leaks, where there's a tree of disinformation in a forest of fact, it makes it really difficult to identify and counteract some of these damaging narratives. When you have a threat actor that has such an enhanced ability to identify and take advantage of sociocultural fissures in the target environment, it becomes incumbent on everybody in the industry with visibility to shine a light on this activity.

You know, you mentioned that these folks, you know, the Ghostwriter campaign is primarily spear phishing. And so, as you mentioned, you know, targeted. Is it likely that the folks that they are after are aware that they are at a heightened risk of being targeted for something like this? I guess what I'm asking is, you know, this isn't a broad campaign where, you know, standard sorts of suggestions for, you know, endpoint protection, those sorts of things would necessarily fit the bill.

Right. I think that the targets of the Ghostwriter campaign probably run the gamut from very informed to not informed. ...makes this campaign so dangerous is that they are targeting both official government accounts, which have security built into them for the most part, but they're also targeting personal accounts, iCloud, Twitter, social media accounts. This allows them to take those pre-established personas with built-in followers as well as implied credibility and then broadcast disinformation without people being able to fact check it.
Our thanks to Matt Stafford from Prevailion for joining us. The research is titled "Diving Deep into UNC1151's Infrastructure: Ghostwriter and beyond." We'll have a link in the show notes.
And now a message from Black Cloak.

Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Trey Hester, Brandon Karp, Puru Prakash, Justin Sabey, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, and Chris Russell. Thanks for listening. We'll see you back here next week.