At a glance.
- FBI and MI-5 warn of Chinese industrial espionage.
- Trickbot's privateering.
- Cozy Bear sighting.
- Chinese APTs target Russian organizations in a cyberespionage effort.
FBI and MI-5 warn of Chinese industrial espionage.
In a joint appearance yesterday at the London headquarters of MI-5, the British counterintelligence organization, the directors of MI-5 and the US FBI issued an unusually direct and bluntly worded warning about the threat of Chinese industrial espionage, much of it cyberespionage. The effort is extensive, focused, and marked by both close attention to detail and an unusually wide net. “The Chinese government is set on stealing your technology—whatever it is that makes your industry tick—and using it to undercut your business and dominate your market,” FBI Director Wray told an audience the Wall Street Journal described as composed of "business people." “They’re set on using every tool at their disposal to do it.” China disagrees. A representative of Beijing's embassy in Washington, Liu Pengyu, complained of “U.S. politicians who have been tarnishing China’s image and painting China as a threat with false accusations.”
IBM's Security X-Force this morning published an account of the recent activity of Trickbot, the well-known Russian cybercriminal gang, and its new interest in Ukraine. "Following ongoing research our team, IBM Security X-Force has uncovered evidence indicating that the Russia-based cybercriminal syndicate “Trickbot group” has been systematically attacking Ukraine since the Russian invasion — an unprecedented shift as the group had not previously targeted Ukraine." There's some overlap with other criminal gangs, including the perhaps retired but probably quietly returned Conti operation. "Between mid-April and mid-June of 2022 the Trickbot group, tracked by X-Force as ITG23 and also known as Wizard Spider, DEV-0193, and the Conti group, has conducted at least six campaigns — two of which have been discovered by X-Force — against Ukraine, during which they deployed IcedID, CobaltStrike, AnchorMail, and Meterpreter." Ukraine is no longer on a Near Abroad do-not-touch list. "Prior to the Russian invasion, ITG23 had not been known to target Ukraine, and much of the group’s malware was even configured to not execute on systems if the Ukrainian language was detected."
Thus TrickBot, hitherto known for its straightforwardly mercenary interest in banking Trojans and the like, appears to be a Russian privateer after all, an instrument of state power that's permitted to realize a profit from its operations. X-Force elaborates:
"The observed activities reported in this blog highlight a trend of this group choosing targets that align with Russian state interests against the backdrop of the ongoing conflict. In addition to an announcement by the Conti Ransomware group (which IBM tracks as part of ITG23) that they would act in support of Russian state interests at the beginning of the invasion of Ukraine, leaked chats between ITG23 members indicated that two senior individuals within the group had previously discussed in mid-April 2021 the targeting of entities that “work against the Russian Federation” and agreed that they were (Russian) “patriots.” Additionally, the Executive Director of Bellingcat claimed to have received a tip that a cybercriminal group was in communication with Russia’s Federal Security Service (FSB)."
The six campaigns X-Force has tracked show evidence of more precise targeting than Trickbot has typically shown, and that targeting aligns closely with Russian state interests. The payloads recently dropped against Ukrainian targets include CobaltStrike, Meterpreter, AnchorMail, the eponymous Trickbot, Emotet, IcedID, and "ITG23’s Tron, Hexa, or Forest crypters."
Establishing identity conditions for threat groups is notoriously difficult. They're protean, shifting, and their name is usually Legion. The Washington Post, for one, takes particular notice of some Conti veterans, either current gang members or alumni, who seem to be working for Trickbot.
Cozy Bear sighting.
CobaltStrike is frequently mentioned in dispatches as a penetration testing tool that threat actors turn to malign use. Other such tools are also susceptible to abuse. Palo Alto Networks' Unit 42 reports that Cozy Bear, generally regarded as a unit of Russia's SVR, is deploying Brute Ratel C4, a pentesting tool in use since December 2020, in a range of cyberespionage campaigns. Unit 42 doesn't formally attribute the campaign to Cozy Bear or even Russia, but it does offer circumstantial evidence that points in that direction:
"This unique sample was packaged in a manner consistent with known APT29 techniques and their recent campaigns, which leveraged well-known cloud storage and online collaboration applications. Specifically, this sample was packaged as a self-contained ISO. Included in the ISO was a Windows shortcut (LNK) file, a malicious payload DLL and a legitimate copy of Microsoft OneDrive Updater. Attempts to execute the benign application from the ISO-mounted folder resulted in the loading of the malicious payload as a dependency through a technique known as DLL search order hijacking. However, while packaging techniques alone are not enough to definitively attribute this sample to APT29, these techniques demonstrate that users of the tool are now applying nation-state tradecraft to deploy BRc4."
The tools used in the campaign are regarded as unusually evasive and difficult to detect.
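The packaging Unit 42 describes (a legitimate signed updater run from a mounted ISO, which then resolves a DLL sitting beside it rather than the copy in its install directory) leaves a recognizable trace in image-load telemetry. The following is an added example, not code from Unit 42 or the CyberWire, of the kind of rule a detection engineer might write over Sysmon ImageLoad (Event ID 7) style records. The event records, the baseline install directory, the drive letters and the DLL names are all constructed for the example and are not indicators from the report.

```python
"""
Added example (not from the Unit 42 report): flag DLL search order hijacking
where a known legitimate binary loads a DLL from somewhere other than its
install directory, especially when both sit on a non-system (e.g. mounted ISO)
volume. Field names follow Sysmon Event ID 7 (Image, ImageLoaded, Signed);
everything else is an assumption made for this example.
"""
import ntpath

# Assumed baseline: where each legitimate binary's own modules are expected to
# live. A real deployment would derive this from an asset inventory.
EXPECTED_DIRS = {
    "onedriveupdater.exe": {
        r"c:\program files\microsoft onedrive",
    },
}

# Directories Windows normally serves system DLLs from; loads from here are
# not treated as sideloading by this rule.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def is_non_system_volume(path: str) -> bool:
    """Heuristic (assumption for the example): any drive letter other than the
    system drive C: is treated as removable media or a mounted ISO."""
    drive = ntpath.splitdrive(path.lower())[0]
    return drive not in ("c:", "")


def score_image_load(event: dict) -> list:
    """Return the reasons an ImageLoad record looks like DLL sideloading.
    An empty list means nothing suspicious under these rules."""
    image = event["Image"].lower()
    loaded = event["ImageLoaded"].lower()
    exe_name = ntpath.basename(image)
    dll_dir = ntpath.dirname(loaded)
    reasons = []

    if dll_dir in SYSTEM_DIRS:
        return reasons

    expected = EXPECTED_DIRS.get(exe_name)
    if expected is not None and dll_dir not in expected:
        reasons.append("dll loaded outside expected install directory")

    # Search order resolves the executable's own directory first, which is
    # exactly what the ISO packaging relies on.
    if dll_dir == ntpath.dirname(image) and is_non_system_volume(image):
        reasons.append("exe and dll co-located on non-system volume")

    if event.get("Signed", "true").lower() == "false":
        reasons.append("loaded dll is unsigned")
    return reasons


def flag_events(events: list) -> list:
    """Indices of events that produced at least one reason."""
    return [i for i, ev in enumerate(events) if score_image_load(ev)]


# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    # Benign: updater in its install directory loads its own DLL from there.
    {"Image": r"C:\Program Files\Microsoft OneDrive\OneDriveUpdater.exe",
     "ImageLoaded": r"C:\Program Files\Microsoft OneDrive\version.dll",
     "Signed": "true"},
    # Benign: a system DLL served from System32, even if the exe is on D:.
    {"Image": r"D:\OneDriveUpdater.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true"},
    # Suspicious: same updater run from a mounted ISO (D:) pulls an unsigned
    # DLL that sits next to it instead of the install-directory copy.
    {"Image": r"D:\OneDriveUpdater.exe",
     "ImageLoaded": r"D:\version.dll",
     "Signed": "false"},
]

if __name__ == "__main__":
    for idx in flag_events(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["ImageLoaded"], score_image_load(SAMPLE_EVENTS[idx]))
```

Running the block prints only the third record, with all three reasons. The rule deliberately stays silent on loads from System32 so that the benign second record, where the same binary on D: loads a genuine system DLL, does not trip it; the signal is the combination of an unexpected load directory, co-location on a non-system volume, and a missing signature.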
Chinese APTs target Russian organizations in a cyberespionage effort.
SentinelLabs reports noticeably increased Chinese cyberespionage activity directed against Russian targets. In doing so, SentinelLabs independently confirms recent reports by Ukraine's CERT of Beijing's interest in its sometime friends in Moscow. (The relationship, again, is complicated.) "On June 22nd 2022, CERT-UA publicly released Alert #4860, which contains a collection of documents built with the Royal Road malicious document builder, themed around Russian government interests," the report says. "SentinelLabs has conducted further analysis of CERT-UA’s findings and has identified supplemental Chinese threat activity." And of course a de facto alliance or, better, a collaboration of convenience against common adversaries in no way obviates the need for mutually suspicious partners to collect against one another. "China’s recent intelligence objectives against Russia can be observed in multiple campaigns following the invasion of Ukraine, such as Scarab, Mustang Panda, ‘Space Pirates’, and now the findings here. Our analysis indicates this is a separate Chinese campaign, but specific actor attribution is unclear at this time."
It's a phishing expedition. The report concludes, "We assess with high confidence that the Royal Road-built malicious documents, delivered malware, and associated infrastructure are attributable to Chinese threat actors. Based on our observations, there’s been a continued effort to target Russian organizations by this cluster through well-known attack methods – the use of malicious documents exploiting n-day vulnerabilities with lures specifically relevant to Russian organizations. Overall, the objectives of these attacks appear espionage-related, but the broader context remains unavailable from our standpoint of external visibility."
The CyberWire's continuing coverage of the unfolding crisis in Ukraine may be found here.