CyberWire Daily - Thrip espionage group lives off the land. [Research Saturday]
Episode Date: August 11, 2018
Researchers at Symantec have been tracking a wide-ranging espionage operation that's targeting satellite, telecom and defense companies. Jon DiMaggio is a senior cyber intelligence analyst at Symantec, and he takes us through what they've discovered. The research can be found here: https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities and solving some of the hard problems of
protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
It first came over our radar through a tool that my team has been using for years.
That's Jon DiMaggio. He's a senior cyber intelligence analyst at Symantec.
The research we're discussing today is titled Thrip: Espionage group hits satellite, telecoms and defense companies.
Targeted attack analytics is what it's called publicly now.
But for years, my team has used it and it's just recently something that is publicly available.
But anyway, the main point of that, or what was exciting about it, is
it flagged something that was very boring that actually turned into a thread that unwinded this
whole investigation. It was just what appeared to be an administrator running a legitimate tool
called PSExec. And what was interesting about it is the tool flagged this for us, and it was simply
using this PSExec to install a binary. Well, that was an unknown binary. We didn't know what it was. It wasn't detected as
malicious, but it was flagged as suspicious. And the reason when I say flagged as suspicious is,
you know, there are binaries that have attributes to them or hooks, for example, if it's a key
logger or something like that. There's specific things or libraries that they might use or pieces of code that are similar.
It doesn't always mean that it is something malicious.
It could just be that whatever the legitimate tool is, use some aspect of that.
So we wanted to take a look and to see what that is.
And that's when it really got interesting.
When we did our analysis on this unknown binary, not only did it capture keystrokes from web browsers, but these
were updated web browsers. So for example, Firefox recently, for all intents and purposes,
redesigned their code completely to try to make it quicker and more effective. Well, a lot of old
tools because of that were now ineffective. Chrome is always updating and that's something bad guys
have issues with is how it handles their activity. So this tool, being able to capture credentials from both of those updated versions of the browsers
was interesting because the timestamp on it showed it from 2016. However, that can be forged.
It was very interesting, but here's where it gets even better. Outside of that,
it also took screenshots. So there is no legitimate administrator that's going to need to capture your credentials and take screenshots of your computer.
And the third piece that was interesting is the name of the file was something close to this, inetview.exe, and they spelled it wrong.
They switched a couple of the letters accidentally, I guess while typing it.
So that also stuck out, that if it was legitimate that the chances that it'd be, I mean, you
can name anything you want.
You can change the names.
But it just, again, all these little things together was like, okay, something's going
on here.
Yeah, it's an interesting mismatch to have software that has a certain amount of sophistication
or is at least being kept up to date and then some sloppiness in the naming.
Yes, correct.
And like I said, it was interesting because the compile time of this thing was 2016, but this new version
of Firefox that's come out in the past couple months, again, I'm not a browser expert, but from
what I've read on their webpage, it's been completely updated and rewritten to be more
effective and fast. So my point is that the fact that it's working with that tells me that these
guys are at a minimum that they had this in mind when they were designing it to make sure that it would work
with recent browsers. Yeah. Well, let's back up a little bit. One of the things you describe in
the research is this notion of groups adopting a living off the land tactic. Can you describe
for us what do you mean there? Before I answer that, if I can, let me just explain to you what
we've traditionally seen by cyber espionage groups. And then when I explain the living off the land part, it'll explain why it's important and what
the impact is and why it is significant as opposed to just talking about living off the land.
So essentially, I've been tracking cyber espionage groups now since 2008. So I've seen a lot come and
go and I've seen a lot of the activity. So this particular group, we believe, originated from China.
So I'm going to reference some of the historical China-based attacks, or the tactics from them anyway.
What we used to see a lot of is these groups would develop their own custom malware.
Now, they would do that for a couple reasons.
One, to suit the capability of whatever it was that their operation was to fit their target.
The other, though, was to avoid detection.
Well, it made it very hard to detect, but once we found it,
it was a great high-fidelity indicator to where we could really then pull
all of the activity out of our telemetry.
We've got an unbelievable amount of telemetry,
so it would make it much easier once we found this custom malware,
since it was custom, to just sort of pull out and give us a map of the attack lifecycle.
Well, what we're seeing in this particular case, which is a drastic change from that, where we have not seen, at least here at Symantec, very much of coming out of espionage groups from China, is this living off the land technique.
And what that means is the adversary, in this case, they do
have a custom info stealer and a custom backdoor. However, they're using them very sparingly. And
I'm going to say that's by design. So it takes a little bit more discipline to use that only when
you absolutely have to, as opposed to relying on those tools because it makes their life easier.
Instead, though, what they're doing is once they get on the network, they're looking at tools that are already in the environment, legitimate tools that are in the environment that
will allow them to still compromise their target. So, for example, most Microsoft computers of today
are running PowerShell, for example, and that's something that's a normal, everyday thing in an
environment. So when an adversary is using that to run commands
or schedule tasks, it blends in with the legitimate traffic. And of course, it is a legitimate tool,
so it's not going to get flagged necessarily by defenders. Same with this PSExec tool that we saw.
That's a Microsoft tool. So it being present on a system that is running a Microsoft operating
system is something that's normal that we would see, not on every system, but at least for administrators and maybe help desk folks and
things like that. So again, by itself, it just sort of blends in. Would it be likely that when
the bad guys gained access to a machine that some of these tools would already be there so
they wouldn't have to do the installation? Correct. Yes. That takes the whole downloading
and connecting to their infrastructure piece out of it for those tools. They're already there.
They're legitimate. There's other legitimate users likely using this, and it allows them to blend in
with legitimate traffic. And unless you really go look way down in the weeds to see what commands
were run with this installed and look at the time frames and see what else was happening when this legitimate tool was being used, you'd probably
completely miss it. It's really difficult when they start doing this. I'm not saying it's impossible.
I'm just saying it has to really change the approach that companies and defenders are taking
today. And what I mean by that is you can no longer just rely on looking at the bad stuff. You can't just wait for your defenses through automation to flag,
hey, this is malicious. Now you need to be proactive and you need to monitor any of these
type of tools that have a capability to have any sort of administrative or technical attributes
that could affect the environment. So like PS exec, there's a whole list of them that are out
there. But the point is, is that they now have to look at that legitimate traffic as well,
if they want to catch this stuff. And while this is a very targeted attack, and all the espionage
stuff is, let's say it's less than 10% of the activity that's out there that we see worldwide.
Well, just because it's a smaller percent, that doesn't relate to impact. The impact of what these
smaller targeted groups do is devastating. I mean, just look at some of the past things we've had. Let's look at
the healthcare industry. For example, you had a couple of years ago, the whole, the Aetna,
I think it was the compromise and things like that, where they lost the 800 million records
or something to that effect. My point is, is that you really now have to be on it with these guys
because the impact of these groups of what they're doing is significant to companies.
And it is so small and minute, the activity.
I'm not trying to, you know, saying things to scare people.
I'm just being honest.
This tactic, it's going to require a proactive approach from defenders in order to identify it.
Now, one of the things that caught my eye in the research, you discussed how it was really the activity that caught your eye. The tools you
were using were able to spot the patterns of malicious activity, even though they were using
legitimate tools that regularly wouldn't draw attention to themselves. This sentence caught
my eye in particular. You said, in short, Thrip's attempts at camouflage blew its cover.
Let's dig into that a little bit. That's an interesting insight.
Sure. So to explain that,
first, let me talk about the tools that my team use that finds things like this. And I think we
can kind of go from there just to give you an understanding. So I mentioned that we are using
a tool that now carries the name Targeted Attack Analytics. As I mentioned before, our team's been
using that now for quite a bit. The way that we've been using it and the way that that works is over
the past couple of years, all of our investigations that we have, we would work with our sort of sister component,
which is, so I'm on the attack investigation team. We have a team called TA and it's not just a tool
and we would work with them when they develop that tool. After our investigations, whenever
there was something interesting, whether it's commands run or something interesting from a binary, anything that would not normally be flagged, whether it's a behavior or an attribute of a hack tool or malware, we would share with them so that they could build that logic into this tool.
Essentially, what it is, is it's an AI that goes through huge amounts of data and looks for these sort of anomalies and patterns that we've sort of programmed it by over
the years through our espionage and targeted attack investigations. So I'll be honest, you know, when
we first talked about this before we actually started implementing it, I wasn't so sure that
it was going to really work because, you know, lots of companies come out and say, oh, we've got
this stuff. It'll make your analyst's workflow easier. And it's not always the case, but, you
know, I've got no sales angle. I'm a pure
analyst, but I love this tool. It's something that we use in all of our investigations.
But what it does is, like I said, it's got an AI that comes through all of our telemetry,
and it'll pull out anything that fits these anomalies. And it uses machine learning and
things of that nature. So it just makes it much easier for us to see things. Now, granted,
there's always going to be some false positives,
but the time spent going through false positives is still much shorter than the time it would take by going through all of our telemetry as an analyst trying to find this needle in the haystack,
which, like in this investigation with Thrip, where they were downloading that binary with PSExec.
We don't even know how they got on the environment.
Usually we see it either at the beginning of the attack phase when they're attempting to get that initial exploit, whether it's through spear phishing or a watering hole.
Or, you know, we get alerted and brought in after the fact, in which case things are being exfilled.
You know, in this case, we got flagged and they were already on the network.
So we came in at a different time frame than we normally do in investigations.
And that sort of gave us not only a different view, but we had to kind of take a different approach in how we investigated this.
But this tool made it much easier for me and my fellow analysts to sort of find the initial thread again to pull that sort of unraveled all of this.
So let's move on and talk about who they were going after.
You say this is an
espionage operation. Who were they targeting? Yeah, so that's the most interesting to me.
That's the most interesting part of this. So the first thing that we did is once we had that binary
that initially started this is we created a signature for it. We were able to then go back
and do a rear view look to see if there was previous
times where this binary was seen, and then look at our current telemetry of what was actively going
on. Doing so, it connected the dots and pulled a relevant traffic out of our telemetry. So the
first target that we looked at was, we didn't know what it was at first, but it was a satellite
communications company. And one of the things that we do, we need to know motivation, okay?
You don't know right off the bat that it's a cyber espionage group or it's financial crime or whatever the case might be.
But what we do is we start looking at what systems the adversary is on, what tools and malware were used on each of those systems, and how long they spent on each of those systems.
What that sort of does is it gives us a path to follow.
And when we get to the end of that path, it's usually showing us the high-value system or systems of interest to the adversary.
In this particular case, they were systems that were running command and control software for these satellites, as well as having access to a database that facilitated information and data about the data that traversed through those
satellites. So that was the first target. That was obviously very alarming when we saw that.
So at that time, if you were just to look at one target and not look at the entire operation in
whole, you might say, okay, command and control,
you know, these guys are going to start making, you know, satellites drop out of the sky,
worst case scenario or something like that. Well, we continue to look at the targets and that's why it's so important to never just look at one incident when you're profiling an actor or
looking at it because it doesn't usually tell you the full story. Our next victim shed some
light on that, however. Our next victim that we found was in the
geospatial imagery and analysis business. Well, let's kind of think about this. This geospatial
imagery organization, their prime functionality is to analyze the type of data that's going through
the satellites. So these two together, it makes it safe to say, to put a theory together, they're
probably not going to try and make satellites drop from the sky, or they wouldn't have spent their time on this other company that does analysis of that type of imagery.
change data that's associated with them, or they just want to learn about, you know,
different orbit patterns and sort of customers might be going through, or they might have associated with these satellites. But the point is, is that they looked at both the analysis
software and the satellite. And again, that just, that gives us a little bit better picture.
And then when we continue to look at victims, we found two other interesting victims, a telecom provider in Southeast Asia and another
organization that had some sort of a defense contractor implementation there.
One reason I word it like that is we know that that's one of the things that this organization
does.
They do other things.
They do like research and development and stuff like that.
But big picture, putting it all together, you know, when you have all these things with
the exception of the defense contractor, the theme that we have here, these are all means of communication.
Satellites, understanding the data from the satellites, and then these large telecommunication companies.
The telecommunications company, however, we see that frequently in cyber espionage, but it's usually the customers of that telecommunication company that they're
interested in. And this, similar to the satellite and the geospatial companies, they were interested
in the operational side of the house. So again, all of this sort of fit together way too nicely
to be targets of opportunity. So that sort of told us with high confidence, we can say that these were
specific targets of a planned operation.
This wasn't by chance. So that kind of started to piece together the espionage angle that we
believe is what motivates the Thrip attacker. Now, when you have a situation like this,
where you discover someone doing these sorts of things in the systems, do you ever find yourself
sort of stepping back and now that you know what they're
doing, rather than simply removing them, keeping an eye on them for a while, you know what they're
doing, you know, maybe feeding them some data. Do you get where I'm going with this?
I do get where you're going with this. And so to answer your question, there's a very small window
that we have where we can try and learn what they're doing versus stopping the activity.
So at the end of the day, as much as I have an Intel background, as much as I love digging and
learning more about the groups, at the end of the day, as a company, our first priority has got to
be to protecting a customer. So there is a small window when we're working, once we identify this
and working with a customer, that we do have to do things where we can sort of learn that. But to be honest with you, that's not always even
necessary because once we have a way to pull the telemetry associated with these tacks out of our
data lake, we can then kind of do a reverse look and we can see everything that they did before we
detected them. So that gives us, in this case, let's say it was a four-month window of activity,
but where no one knew what they were doing, where we could see all their tactics,
we could see how they were maneuvering on networks, what they liked to do, what tools they liked to use.
And this is a great example of where we wouldn't have to have a lot of time moving forward to have some intel gathering. We have the historical records because we capture that if our software was on the system when they were doing these activities. Does that
make sense? Yeah, it absolutely does. How often does it happen that in the work that you do,
the bad guys will be on to you and pivot afterwards? It doesn't happen often where they know.
So prior to us creating a signature
that just right out blocks their activity,
prior to that, when we're looking into these investigations,
and let's say we're working with a customer,
we don't really know exactly the motivation yet,
and they're okay to do some of this more
intel gathering, monitoring phases,
and we have a handle
on the attacker, they generally, again, from my experience anyway, since the investigations that
I've done in the four and a half years that I've been at Symantec anyway, that's not been the
case. There's not been evidence that they were on to us. Now, what does happen, however, and this is
pretty common, usually, like in this example, we've created these signatures, and let's say it was a few weeks prior to or even a month prior to writing this. Between creating the signatures,
that's going to automatically bring a decrease in activity because you're no longer going to
have those new successful infections that are going to be effective or work because we're
going to stop it now that we've got these signatures. And then if you write a blog about it, which we don't do all the time, but when we do,
that's the second stage of also, you know, where we really see a decline in activity
because now you've got the signatures and then you've got everybody, you know, publicly,
it's now known.
So those two combinations generally will signify a large decrease in activity.
Now, the interesting aspect that we see with espionage groups is it
might take time, but we'll see them come back again. You know, like the Dragonfly report that
we did, I think it was last September or last year, maybe it was 2017. But anyway, we written
about them in 2014 and they went away for like a year and then eventually they retooled and came
back. So it's important to us that not just during the investigation, we track these groups, but when it's something like this, where it's a cyber
espionage campaign, and it's this aggressive, we need to follow them moving forward and keep an eye
and monitoring them and try to not lose track of them because it's important because history tells
us they're going to eventually come back. Now, from your point of view, when you get an indicator
like this, it must be fun to get this and sort of set down that path that the game is afoot.
You have something to chase after.
It absolutely is.
I mean, this was my hobby, actually, before I did it for a living.
I was a network engineer by trade when I started out, and this was just a hobby before I was able to do it for a living.
But, yes, it is extremely, for me anyway, it's extremely exciting.
I love the hunt. I love the chase. You know, you always got to keep in mind it's not fun for the victim, so you can't let that
excitement, you know, transcend into, you know, your conversations and things with the victims. But from
a pure technical, scientific aspect of it, it is a very exciting job. It's chasing bad guys, you
know. So when we do get, you know, a new investigation, new indicator, we don't know what it is. It looks very suspicious. And, you
know, as you connect each dot and you get more and more, it is very exciting. And it's very
interesting to piece together to get that big picture. Now, with the sophistication of these
sorts of things that you're seeing and the evolution of them, what are your recommendations for people to effectively protect themselves?
Obviously, the standard that already exists needs to continue.
The basics, your network defenses, your host-based defenses, endpoint protection, all that still stays in place.
That does not change because that's going to still capture 90%, 95% of all the malicious activity. Now,
these well-funded, objective-oriented attackers like Thrip are a little bit different. And that's kind of what I was alluding to earlier with this whole living off the land aspect that we're seeing,
not just with groups originating from China, but we're seeing that globally as a change that we're
starting to see in many advanced groups. So to do that,
as I mentioned before, you need to start taking a proactive approach. So you have to now look at
the legitimate activity that tools of privilege, like PSExec and PowerShell and any sort of
administrative tool that's in the environment, you have to watch. You have to watch who's using it,
what's the commands that are running,
times that they're being run. I mean, all of those things. Because if you don't look at that legitimate traffic now, especially if you're in one of these industries that would be a prime
target for an espionage group, you really need to do a proactive approach and look at the legitimate
traffic to find this stuff. Now, sure, the automated defenses will flag on, like in this
case, the InfoStealer and the backdoor that Thrip used that were both custom.
But in most of these cases, they used each one of those once, maybe twice at most.
So it would look like a very small activity, and you would miss the whole meat of it, of them escalating their privileges, traversing the network, searching through directories and, you know, going after something specific, you would just miss all that. So it's just a whole
different mindset that needs to happen for defenders moving forward as the attackers are
evolving with these new techniques. One of the things in this instance that I think is relevant
or important is, you know, there are also publicly available tools that the bad guys are using. It's
not all just living off the land, but even by using publicly available tools now,
instead of using a custom hack tool,
though it's still malicious, like Mimikatz, for example,
which we saw with Thrip,
that's only used for nefarious purposes for the most part.
But I mean, it's been around forever.
It was made by a French developer.
It by itself is not significant of any one group,
but things like that that are publicly available make attribution very hard.
So even when we're not seeing just the living off the land,
we are also seeing instead of using these custom hack tools now,
they're using publicly available hack tools.
So it's not just living off the land.
It's the whole mindset that attackers are now changing of doing everything they can to deceive and have deception and avoid detection. And this is just the latest technique. So the only message, I guess, like I said, from that is just we've got to change our mindset, proactive defense, look at the good, not just the bad.
Our thanks to Jon DiMaggio from Symantec for joining us.
The research is titled Thrip: Espionage group hits satellite, telecoms and defense companies.
You can find it on the Symantec website.
The Cyber Wire Research Saturday is proudly produced in Maryland out of the startup studios of Data Tribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Valecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilby, and I'm Dave Bittner. Thanks for listening.