CyberWire Daily - What malicious campaign is lurking under the surface? [Research Saturday]

Episode Date: July 30, 2022

Israel Barak, CISO from Cybereason, sits down with Dave to discuss their research, "Operation CuckooBees: Cybereason Uncovers Massive Chinese Intellectual Property Theft Operation." Cybereason researchers recently found an attack lurking beneath the surface which was assessed to be the work of Chinese APT Winnti. Cybereason briefed the FBI and the DOJ on the investigation into the malicious campaign. The research states, "For years, the campaign had operated undetected, siphoning intellectual property and sensitive data." The team quickly published two reports on the campaign: one examines the tactics and techniques, and the second gives a detailed analysis of the malware and exploits used. The research can be found here: Operation CuckooBees: Cybereason Uncovers Massive Chinese Intellectual Property Theft Operation

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life Thank you. JoinDeleteMe.com slash N2K and use promo code N2K at checkout. The only way to get 20% off is to go to JoinDeleteMe.com slash N2K and enter code N2K at checkout. That's JoinDeleteMe.com slash N2K, code N2K. Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts
Starting point is 00:01:38 tracking down the threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. The research was exposed during an incident response in 2021. It was super interesting for us because as we did a number of different IR engagements across manufacturing, healthcare organizations, and a couple of other verticals, we noticed similarities in the patterns of behavior. That's Israel Barak. He's Chief Information Security Officer at Cybereason. The research we're discussing today is titled Operation CuckooBees. Cybereason uncovers massive Chinese intellectual property theft operation. And now a message from our sponsor Zscaler, the leader in cloud security.
Starting point is 00:02:46 Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise by an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security. Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps and IPs invisible, eliminating lateral movement,
Starting point is 00:03:22 connecting users only to specific apps, not the entire network, continuously verifying every request based on identity and context, simplifying security management with AI-powered automation, and detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI. Learn more at zscaler.com security. Well, let's walk through it together. Can we go through, you know, step by step of exactly who these folks are and the methods that they use to do the things they do? and we're attributing to a Chinese state-sponsored actor that is called Winnti or APT41, started at least in 2019 and specifically targeted manufacturers
Starting point is 00:04:34 in the United States, in Europe, and in Asia, and specifically in the defense and aerospace, energy, biotech, and pharma sectors, where the operational goal of the campaign was basically stealing sensitive documents, blueprints, formulas, manufacturing-related proprietary data. Some examples that we've seen during the incident response and the investigations include design and manufacturing information related to specific engine parts and airplane parts. So that was the overarching goal of the operation.
Starting point is 00:05:12 Well, can we walk through some of the techniques that they're using to get into systems? The first thing that we identified as we sort of untangled the process here is that the initial access that was done into these target networks was typically through the exploitation of vulnerabilities in a popular ERP solution. Some of these vulnerabilities at the time were known vulnerabilities that were just unpatched by the users of the ERP solutions.
Starting point is 00:05:46 Some of them were unknown or zero-day vulnerabilities at the time. When they were able to compromise that ERP system, they were able to gain that initial access into the ERP system, the next stage was usually to establish some sort of persistence
Starting point is 00:06:04 or mechanism that would allow them to kind of keep coming back in and out. The most common technique that we observed was the use of a JSP network with a legitimate web application, the ERP. But basically, they were able to send commands to those systems that that system then executed for them in the target's environment. That was the way to get in and out. That was the interesting thing for us. I think it's, you know, we often think about the different ways attackers like Winnti or APT41 are able to find that initial access. And sometimes, you know, it's targeting individuals.
Starting point is 00:07:00 Sometimes it's targeting the supply chain. And here I think we see another common example of how an adversary like that, that is a state-sponsored adversary, is developing proprietary zero-day software vulnerabilities that enable them to gain that initial access into organizations where that software is being used. Can you give us a little bit of the background on Winnti themselves? I mean, does this align with what we're used to seeing from them and what sort of tools do they have in their arsenal? It does align with the overarching method of operation that we're used to seeing from Winnti. Winnti, as a group, has existed or at least has had a documented record since at least 2010. And they are believed to be operating on behalf of Chinese state interests. And they specialize specifically in cyber espionage
Starting point is 00:07:55 and in intellectual property theft. That's sort of, they're known in the industry as sort of the princes of technology secret thefts. The techniques that they used in this operation, some of them were known techniques, the use of supply chain attacks, software vulnerabilities, web shells, et cetera, for this group. Some of them were lesser-known techniques. So, for example, one of the things that they used to sort of fly under the radar inside the target's network and to stay or evade detection for a long period of time, this operation continued in some of those target networks for almost three years. And so, one of
Starting point is 00:08:42 the techniques that they used to sort of fly under the radar and evade detection, which we haven't seen from them before, is a rare abuse of the Windows CLFS, which is a common log file system feature. Basically, it's a feature in Windows that is primarily designed to hold system logging and application logging information, and they use that mechanism to store the payload of the attack,
Starting point is 00:09:11 the different pieces of malware that they were using, in a way that most security technologies, or in an area where most security technologies actually don't really scan or don't really look into. Oh, interesting. So this is an area where the system keeps some logs, and so by putting their own stuff there to the scanners, there was nothing to see here.
Starting point is 00:09:36 Exactly, exactly. And that's a fairly rare technique to see. It's certainly something that we haven't seen from the Claire group in the past. But I think there was enough similarity between some of the techniques that they used and operations that they ran in the past for us to be able to attribute that operation to that group with a fairly high level of confidence. You mentioned that this group was able to stay within networks for multiple years in some cases. What ultimately led to their discovery in this case? And so in some of these engagements that we got called into, some of these incident responses, one of the things that ultimately triggered the suspicion of the organization was the amount of data
Starting point is 00:10:26 that was being exfiltrated from the system. And so, over the years, this adversary was able to collect from some of these organizations hundreds of gigabytes and sometimes more of intellectual property, design documents, manufacturing procedures, blueprints, et cetera, et cetera. And in some cases, it raised the suspicion that something is happening that the organization or the defender was just not aware of. We got called into these engagements and were able to sort of unravel that whole chain of events that led to it. What are your recommendations then?
Starting point is 00:11:08 I mean, for organizations to best protect themselves from an APT group like Winnti, what sort of things should they have in place? So it's a great question because on the one hand, the first thing that we recommend is always, we always all need to get better in doing the basics right, in making sure that we know our networks and we understand what assets we have, what the status of security or hygiene is in our networks. And we do the best we can to maintain good security posture and good security hygiene. And it's always, I think, the best practice, regardless of what type of threat or risk you're trying to mitigate. But at the end of the day, when you're dealing with a threat actor like this, which is a far more sophisticated adversary than what you would typically find in the ecosystem, they always have a way to find initial access
Starting point is 00:12:01 into an organization, right? Whether it is compromising an individual that has access to the network, whether it's compromising the supply chain, this is a type of adversary that spends weeks, months, sometimes years trying to get initial access to their targets. Eventually they make it in, despite our best efforts in security posture
Starting point is 00:12:24 and security hygiene. One of those things that we need to really get better in is proactively hunting for these threats. This is sort of a low and slow operation. And so we need to adopt this proactive threat hunting approach. We need to be able to look across the data, across the data in our enterprises, endpoint data, network data, identity and access, and other types of security data,
Starting point is 00:12:57 and proactively look for patterns of behaviors, chains of behaviors that may, you know, in and of themselves look legitimate. But when you look at the chain of events over time, they expose a chain of events that is indicative of a malicious activity. And that's something that oftentimes evade real-time detection or prevention mechanisms. But when you adopt a threat hunting mindset and you analyze data and patterns over time, specifically looking at those chains of behaviors, you're able to expose those low and slow operations relatively early in the attack life cycle and avoid the majority of the impact of them. Is that something that is available to those small and medium-sized businesses out there who are dealing with limited budgets?
Starting point is 00:13:48 Are there ways that they can use those kinds of approaches? There is. I think today there are a number of segments in the market that offer these type of capabilities when you look at detection and response technologies in the EDR space or the endpoint detection and response space or in the XDR space, the extended detection and response, I think you're seeing a growing number of technologies and solutions that are focused on automating the vast majority of this proactive threat hunting process and augmenting it with people that are experts in analyzing that data and understanding what it means from a threat perspective.
Starting point is 00:14:29 I think the other resource that is becoming very, very accessible for enterprises of all sizes is an analysis done by the MITRE organization. So on an annual basis, basically the MITRE organization, which is a not-for-profit organization, primarily a DOD contractor, they basically run an annual exercise that is emulating very sophisticated adversaries and is evaluating different approaches
Starting point is 00:15:02 and technologies in the market and their ability to detect those minute changes in behaviors and change of behaviors and expose that type of malicious operation in progress. And so all that information is publicly available on the MITRE website that essentially describes what their observations are and what technologies and capabilities can enable enterprises, really of all sizes, to adopt this type of approach. It really is an interesting situation we find ourselves, isn't it?
Starting point is 00:15:33 I mean, a group like Winnti, they're not going anywhere. They're well-funded, globally insulated. It's something that we're going to have to deal with for the foreseeable future. I agree. You know, one of the things that I think is interesting in this incident that we reported on is, and we briefed the FBI and the DOJ on the investigation. And if you recall, the FBI in their China 2025 report from 2019, they called out
Starting point is 00:16:07 the Chinese aggressive state-sponsored intellectual property infringement strategy. And I think one aspect of the CuckooBees incident is that it shows that despite that diplomatic and other efforts to curb that behavior. Exactly as you say, at least as it pertains to our domestic economy, that aggressive intellectual property theft and infringement strategy may have not really changed much. The other thing I think is interesting to note about these type of adversaries is that we need to reframe what a win strategy is
Starting point is 00:16:49 as defenders against these adversaries. Because, and I think you hit the nail on the head, this type of adversary will not stop trying to get into a particular target's network just because that target has good security in place, right? The reason is that they have no motive, right, to stop doing it. The target has something that they want. There's really no price or no risk for them to pay for trying again and again and again, right? So there's no reason why they wouldn't continue to try until they make it. And the interesting thing,
Starting point is 00:17:28 when you try to counter the operation from a defender's point of view, when you try to counter that type of adversary, is that the win strategy is not to make sure that they never come back, but the win strategy is to make sure that you increase the time intervals in which they come back. So instead of after you push them out the first time,
Starting point is 00:17:54 usually what you'll see is that they come back after a couple weeks and try again. And you push them out a second time, they'll usually try to come back after a couple weeks. But if you operate the right program and the right strategy, what you'll see is that you can dramatically increase those time intervals. And then instead of coming back every couple of weeks, they'll come back every couple of months or every year. The reason is when you get very, very good at exposing what they're doing in your network, you create a price for them to pay. Because when you expose their method of operation, by the way, that's part of the rationale behind us making this
Starting point is 00:18:30 information public. When you expose the method of operation, you dramatically increase their price, because now they need to rebuild things in order to start executing again. And that is expensive. It's something that they do. Every threat actor does it. But there's an expensive price to pay for targeting a target that is a sophisticated target that can expose that operation
Starting point is 00:18:55 that impacts other operations that they have in flight. And so when you run an effective operation for detection response investigation, you're able to create a certain form of deterrence against the threat actor like that, that will manifest itself in the increase in the time intervals in which they will come back. They'll make sure to build, be very meticulous in what they build before they come back and try to target the network. Our thanks to Israel Barak from Cybereason for joining us. The research is titled Operation CuckooBees.
Starting point is 00:19:44 Cybereason uncovers massive Chinese intellectual property theft operation. We'll have a link in the show notes. And now, a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home,
Starting point is 00:20:13 your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Starting point is 00:20:41 Our amazing Cyber Wire team is Rachel Gelfand, Liz Ervin, Elliot Peltzman, Trey Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabey, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.
