CyberWire Daily - Winnti Umbrella Chinese threat group. [Research Saturday]

Episode Date: June 9, 2018

Researchers from ProtectWise's 401TRG team recently published research linking a variety of new and previously reported Chinese cyber threat groups. Tom Hegel is a Senior Threat Researcher with the 401TRG, and he joins us to share their findings.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com. Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities and solving some of the hard problems of
Starting point is 00:01:10 protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. And now, a message from our sponsor, Zscaler, the leader in cloud security. Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise by an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security. Zscaler Zero Trust plus AI stops attackers
Starting point is 00:02:01 by hiding your attack surface, making apps and IPs invisible, eliminating lateral movement, connecting users only to specific apps, not the entire network, continuously verifying every request based on identity and context, simplifying security management with AI-powered automation, and detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI.
Starting point is 00:02:33 Learn more at zscaler.com slash security. We began encountering this attacking entity for our customers out in East Asia. That's Tom Hegel. He's a senior threat researcher at ProtectWise 401TRG. The research we're discussing today concerns a threat group they call the Winnti Umbrella. Just kind of seeing them evolve over time really attracted my attention towards them, kind of seeing the targets they are going after and seeing how they've evolved over time, in addition to just their, you know, their determination really kind of attracted me to them. So I spent a good amount of time focusing on them over the last few months and then also last year during multiple incidents. So set the table for us. What is the background here?
Starting point is 00:03:25 Who is this group and what's their history? Yes, this group goes back quite a while. So as you'll notice in the report, we reference a lot of external reporting from other vendors and researchers out there. Some of the first reporting on this particular entity was done in 2013 and 2014 from Kaspersky Lab and then Novetta. The interesting thing was a lot of the historical reports actually link even farther back to previous operations conducted by associated entities, different attribution on like an actor name level.
Starting point is 00:03:59 But they have always kind of had an agenda of going after politically focused targets. But they have always kind of had an agenda of going after politically focused targets. So in 2013, a lot of the attacks that Novetta actually documented were identifying pieces of malware signed with code signing certificates from additional victims of that entity. So the ultimate goal kind of goes back a long history going after the government side of things as well, which is pretty interesting to say the least. As you say, you're referencing work by some other groups here, and this group goes by a variety of names depending on who's reporting on them. Yeah, absolutely. And, you know, our report, we didn't try and take away from any of the naming or attribution that the previous public reports have used. You know, if you look at Winty or Lead or Barium, a lot of those names come from what the reporting entity,
Starting point is 00:04:50 the security vendor or the researcher, identified based on their telemetry. So, you know, we're not necessarily trying to negate any of their findings, but rather kind of regroup and see how the greater picture is that these are all closely linked together. So we took the approach of really trying to understand the multiple viewpoints into the same entity, which ended up being the Chinese intelligence apparatus, which we assess with high confidence, kind of seeing those different pieces of this intelligence apparatus based on the public reports
Starting point is 00:05:22 and linking them all together is one of the more fascinating parts we found. All right. So let's dig in here. Take us through, what are they up to? What are their tactics, techniques, and procedures? Absolutely. So in 2017, when we began really heavily seeing this entity attack, primarily in East Asia, one of the more notable differences that we saw over previous public reporting was a shift
Starting point is 00:05:44 towards open source and public tooling. We began seeing this actor use penetration testing tools such as Beef and Meterpreter and a few others. We saw them using Cobalt Strike internally to spread and propagate within the network and get their foothold in the environment. So in 2017, that was really interesting. We ended up encountering them in multiple aspects, doing the same exact thing, going after their initial targets, which were ended up being the gaming and software organizations. And then in 2018, later 2017 into 2018, we began seeing a shift. More recently, up until about two weeks prior to the release of our public report, we saw them shift more towards stepping away from open source tooling, going back to really heavy tactics of trying to live off the land.
Starting point is 00:06:34 This entity has a really strong discipline to try and limit the amount of detection capabilities that defenders would have. So if it comes down to using legitimate tooling that is approved by the organization to have command and control, we would see that. In some cases, we actually saw them abuse organizations' VPN solutions to gain authenticated remote access into their environment. So let's back up a little bit and walk us through how they go at things here. According to your report, as with many of these things, it starts with some phishing. Yeah, absolutely. That was the main kind of beachhead we've seen into the victim organizations. It always originally started with phishing.
Starting point is 00:07:16 And to go back into 2017, the phishing trends have shifted dramatically over the years. In 2017, the primary objective was to appear as an HR or an applicant to a job, human resources applicants, and going after IT and security folks for these job applicant positions. So they would have a phishing email that would say, hey, I'm an individual looking for a job. Here's my resume. And you click the link, and then it kind of kicks off the attack from there. In 2018, more recently, we ended up seeing that shift go towards trying to just do generic phishing on common services such as Google, Office 365, and so forth. And based on a lot of the infrastructure that we are able to link to this, which we have in the report, we ended up seeing a lot of interesting associated potential phishing campaigns that were going after
Starting point is 00:08:09 internal business tooling, such as JIRA ticketing software or JIRA agile software and ADP type solutions as well, which are pretty common for organizations. Now, once they got in, what were they after? The primary thing during these initial attacks ended up being code signing certificates. We would see them once successfully get into the network, either on their cloud infrastructure or their on-site enterprise network or anything like that, we would see them immediately start to shift and seek out code signing certificates, either locally on their shared drives or by scanning the internal
Starting point is 00:08:45 network looking for any sort of host to intranet, any sort of software developer tools or anything like that. That was their primary focus was the code signing certificates. And the use for those comes later. But the secondary objective, which we believe with pretty high confidence tends to be potential moonlighting by the individual operator on the attacker end, tends to be financially motivated. So if we saw them identify or if they were able to identify potential ways to manipulate software, either a game or the actual software solution by the victim for financial gain, we would see the actor try and pursue that. And that would include things like modifying or learning more about the back end of a virtual economy or learning how to steal or mine virtual currency for that particular game.
Starting point is 00:09:40 And then they would take advantage of that at a later point. So it was really kind of a primary mission and then an optional secondary objective by the individual operators, which we believe to be pretty standard for them. So spell out for us their attraction to code signing certificates. What's their goal there? What are they good for once they get their hands on them? Yeah, absolutely. So that was really interesting because we've kind of categorized the victims into initial targets and later stage targets where we see the initial targets being sought after for the code signing certificates. And once the actor gets her hands on those, they exfiltrate this information and then they code sign their malware with that certificate.
Starting point is 00:10:19 So it's approved and legitimate because the victims often don't know that those have been stolen, so they're still valid. And then we would see that malware used against additional targets. The span of that use is quite dramatic. We saw cases where an individual software organization's code signing certificates were used to sign malware to go after an online gaming organization. And then we ended up seeing trends where those two certificates
Starting point is 00:10:46 were both used to sign malware going after political targets. So we believe the political targets and the higher value tech organizations tend to be the later stage victims or later stage targets, while the initial targets are really kind of seeking those code signing certificates. And then there were also pretty interesting trends in terms of links to previous reporting. So Novetta and the Silence report that we referenced, they did a lot of documentation and reporting on finding malware that was signed by other victims similar to this exact same tactic. So this isn't a new approach for them. They've been using it for quite a few years at this point. Take us through your process for attribution, how you established who this was.
Starting point is 00:11:31 I understand they were pretty careful, but every now and then they got a little sloppy. Absolutely. So, you know, the attribution side of the house is really interesting. We tend to try and stick away from attribution. We know we didn't want to come up with a unique name of our own. We really kind of wanted to settle some dust in terms of confusion around naming, around public reporting over the last decade. So when we ended up finding links to the infrastructure that our victims were being targeted with or being used in command and control or phishing, we ended up linking that to a lot of the previous reporting. So that added a lot of context around the historical documentation of this entity. And then we began to pretty much assess that with, you know, maybe there's overlap, maybe there's some shared resources. But, you know, just looking at infrastructure alone doesn't always provide you extremely high confidence.
Starting point is 00:12:22 So once we began getting our hands into a variety of environments that had the same entity attacking them with the same linked infrastructure, we're able to build a really clear picture of kind of the amount of resources they're sharing and the links between all the different potential teams within this intelligence apparatus. So, you know, the initial targets, we ended up seeing cases where they tend to be, you know, more of a B team. They have weaker operational security practices, while the later stage targets tend to have,
Starting point is 00:12:53 you know, more discipline in terms of covering their tracks and so forth. So during a few engagements, we ended up identifying cases where a victim organization was compromised, and then the attacker made mistakes where they were also identifying their potential true location. So that kind of came when they were doing command and control, and they were making mistakes every once in a while to forget to proxy all of their command and control
Starting point is 00:13:18 through their own proxy infrastructure. They were coming from their true location. And then they would quickly fix that. They would back out really quickly. So it was very small snippets in network traffic that we were able to identify them being linked to a potential true location. In this case, it ended up being with fairly high confidence, the Zhejiang district of Beijing. And someone sitting behind a terminal saying to themselves, oh, crap. Yeah, exactly. Yeah, that's kind of the view that we were able to kind of build just based on seeing all the logs and the network traffic
Starting point is 00:13:51 and how fast it modified. Typically, it was, hey, they've gained foothold into the network, and then they come in manually, remote into the network, and then they quickly back out and remote back in through their proper proxy infrastructure. So it was potential mistakes on the attacker end, and it only happened a handful of times across multiple victims. So it was a pretty interesting trend to see, which led us to help identify even more clues towards potential attribution. You saw a good bit of overlap among
Starting point is 00:14:20 this group and other groups, which helped you with your attribution. In terms of this being state-sponsored or other groups, how much distinction is there? And is it a distinction without a difference, perhaps? It's really tricky. The way that this entity is structured isn't entirely clear. And that's the type of information that we can't always tell from cyber-based threat intelligence. There's just a lot we just don't know. cyber-based threat intelligence. There's just a lot we just don't know. When we build the profile of this actor, we start to learn their tactics, who they're going after, and then seeing the later stage going after the politically focused victims or targets.
Starting point is 00:15:01 When you put together this whole picture, you start to get an understanding of this greater mission that they're all working towards. So this is where we start to step away from extremely high confidence statements. You know, we try and say, you know, these guys are all working towards the same mission. However, there's multiple teams associated with it, we believe. And then those teams each have their own objectives as well. And those teams, based on previous reporting, you start to step into, hey, these are likely government contractors. Some of these are likely actual team members. And so that's where you get a little fuzzy, just because that depth of intelligence, we just can't tell from the cyber realm or anything like that. So it gets a bit fuzzy.
Starting point is 00:15:46 But linking that all to previous reporting and seeing this involved in multiple victim organizations, we're able to build a rather high amount of confidence on those statements. How can people use your findings here to inform their own defense against cyber attacks? A big thing with the report, it's quite massive, but the vast majority of the report is actually the indicators associated with the infrastructure. And we released this report in a different approach than we see typically through our industry. We didn't want to just go out and completely burn the indicators with no head start to any defenders. So when we wrote this report, we ended up releasing it early to our customers
Starting point is 00:16:31 and a variety of other security vendors out there, trusted third parties. Even if we don't have partnerships, just other researchers that we respect in the industry and that we know will handle it properly. We got this report to them early to see if they can help defend their organizations, identify this for their customers before we go and publish it. So we tried to approach it with a bit of a head start for Defenders. But the indicators that are in the report are all the infrastructure that we've linked to this single entity.
Starting point is 00:17:01 Defenders can take those indicators and historically look at any sort of logs or traffic or any sort of detection mechanisms they have internally and then add them to their own type of blacklist. This actor group tends to reuse infrastructure over the last decade, so we don't believe this is going to completely burn down and they're going to rebuild from scratch. I do believe they are going to come back and keep using this in the future. And then also, more importantly than indicators and just real-time detections like that, is we try to provide this report an accurate actor profile. So a defender can read this report and then get an understanding of the types of tactics that are currently in use from state-sponsored attackers and, you know, more determined and advanced groups out there. So, you know, if you read this as a
Starting point is 00:17:51 defender, you can take these tactics that this entity uses and ensure you have coverage in your environments, you know, start to question your tooling and your detection and response capability. You know, if this happened to you, would you be able to respond and find it inside your network? So multiple approaches there, to say the least. Yeah. What's your estimation of the sophistication of this group? Definitely varies. Like I mentioned, the initial attacks, some of them tend to be more of like the B team. So it spans. This group tends to have, just based on the variety of attacks and the breadth of their victim targets, they tend to have a variety of different skill sets internally. Each team, a part of this entity, tends to have those different skill sets. So we have the more
Starting point is 00:18:39 advanced side of things, which tend to be the politically focused attackers. And then we have the initial attacks, which tend to be more of that B team. So generally, they're pretty sophisticated. If anything, I would say they're extremely patient and determined. They will tend to go after the same organization years down the road. It's a mix, to say the least. There's quite a variety, depending on the type of attack they're doing at that time. A big piece of this is we're not trying to take attribution to the next level or come up with some new name. I think this is the way our team is approaching public reporting on any sort of threat intelligence. We don't want to add more haze to the industry and that type of stuff. So we really want to try and, you know, add clarity to profiles of actors and attackers. So I think this type of approach is something that other
Starting point is 00:19:33 defenders and researchers should try and follow if they can. Yeah, that's an interesting insight. I mean, when it comes to sharing information across the industry, you know, I understand that a lot of researchers from different companies, you know, I understand that a lot of researchers from different companies, you know, you all, you have Slack groups that you share in common and various ways to communicate with each other to share. I mean, is there that general sense of community of sharing among researchers across the industry? Yeah, absolutely. There definitely is. The kind of the black eye of the industry, in my opinion, tends to be the vendors out there that will take and repurpose it for, you know, they'll try and
Starting point is 00:20:12 take other people's research and monetize it for themselves. You know, similar to how we see, you know, the big reports based around the large viruses or malware that's spreading like WannaCry or something like that. You know jumps on it. It's kind of an interesting topic to say the least. There's a handful of people that we really trust as our team that we share information with pretty openly and they're not partners or customers or anything like that but we just trust they'll take it and use it appropriately rather than trying to turn it around and monetize it for their own gain. so it's a matter of identifying those trusted closed groups and when it comes to sharing to
Starting point is 00:20:49 the more public groups out there we tend to wait until later stages before we get to that point because they can't all be trusted unfortunately it's the nature of the business right yeah absolutely Absolutely. Our thanks to Tom Hagel from ProtectWise401TRG for joining us. You can find the Burning Umbrella report on their website. And now a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Starting point is 00:21:42 Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. The Cyber Wire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.
