
BadPilot: Inside Seashell Blizzard’s (AKA Sandworm) Global Cyber Espionage Campaign
Sherrod DeGrippo: Welcome to the "Microsoft Threat Intelligence Podcast." I'm Sherrod DeGrippo. Ever wanted to step into the shadowy realm of digital espionage, cybercrime, social engineering, fraud? Well, each week, dive deep with us into the underground. Come here for Microsoft's elite threat intelligence researchers. Join us as we decode mysteries, expose hidden adversaries, and shape the future of cybersecurity. It might get a little weird, but don't worry. I'm your guide to the back alleys of the threat landscape. Hello, everyone, and welcome to the "Microsoft Threat Intelligence Podcast." I am Sherrod DeGrippo, director of Threat Intelligence Strategy here at Microsoft, and I am joined by two fantastic security researchers, Anna Seitz. You may be familiar with her. She's been on the podcast quite a few times. Welcome, Anna.
Anna Seitz: Thank you very much.
Sherrod DeGrippo: And we've also got Megan Stalling, security researcher at Microsoft. Megan, thank you for joining us.
Megan Stalling: Thank you. I'm happy to be here.
Sherrod DeGrippo: So I know that we recently released a blog on a subset of activity from the threat actor, Seashell Blizzard. This one was a little bit hard to understand, the way that it gets into like these really deep nuances of a subgroup within a threat actor group. And working in threat intelligence over the past several years, I have come to learn that level of detail and specificity we don't normally get to see. But in this case, there is that subgroup within Seashell Blizzard. So, Anna, tell us about, one, let's start with what this subgroup does. Like what's the point of this subgroup? And then we'll talk a little bit about the BadPilot Campaign.
Anna Seitz: Perfect. Yeah. So basically, this is a subgroup of Seashell Blizzard. Like you just said, we typically don't talk about groups at this granularity, and it can get a little complicated. But what we're about to talk about is the activity from this subgroup that Microsoft tracks as the BadPilot Campaign. So hopefully that clears it up a little bit. Maybe we can talk a little bit about Seashell Blizzard as a whole, and that might help, and kind of work top-down.
Sherrod DeGrippo: Let's talk about Seashell Blizzard, but, really quickly, for those of you who have not had the Microsoft Threat Actor Naming Convention tattooed on your wrist like I have, you can see that at aka.ms/threatactors. That'll give you a rundown of how we do naming. And in this case, quick quiz, everyone, blizzards, where are they typically associated? Russia. So let's talk Seashell Blizzard.
Anna Seitz: So Seashell Blizzard has been active since 2013. They're primarily interested in targeting industrial control systems. They've also had operations consisting of espionage and targeting information operations and cyber-enabled disruptions. So some of their most famous or infamous campaigns include KillDisk back in 2015. Also FoxBlade, the M.E.Doc campaign, NotPetya, and Prestige. So those are some pretty well-known campaigns. They are usually focused on operations that are military, and they conduct operations that complement Russian military objectives.
Sherrod DeGrippo: For those of you who are in the industry, I'm going to give you the AKAs really quickly. So Microsoft used to track Seashell Blizzard as Iridium. You've also probably heard of them referred to as APT-44 or the infamous Sandworm, which is, for those of you who follow John Hultquist, this is his favorite threat actor.
Anna Seitz: Yes, there's some good books about Sandworm out there --
Sherrod DeGrippo: Yeah.
Anna Seitz: -- in the wild as well.
Sherrod DeGrippo: I want to say Andy Greenberg wrote the Sandworm sort of definitive piece, that book. Seashell Blizzard has a long history, as you said, Anna, going back to 2013. What else do we need to know about them?
Anna Seitz: So I think probably the most important thing is that industrial control system component. They're probably one of the only high-profile threat actors that we track that's super targeting ICS at this point in time, and that's been their bread and butter since like 2013. So I would say when I think of Seashell Blizzard, I'm predominantly thinking ICS.
Sherrod DeGrippo: Okay, so that's Seashell Blizzard, also known as APT-44, Iridium, Sandworm, etc. But now we've picked up activity that seems to be coming from a subgroup of Seashell Blizzard. Tell us what that's all about, right?
Anna Seitz: So this subgroup within Seashell Blizzard has been active since 2021, and they leverage opportunistic access techniques and different forms of persistence to collect credentials, achieve command execution, and then also support lateral movement that has sometimes led to substantial network compromises.
Sherrod DeGrippo: So something I want to mention too here is that this group loves to use remote management monitoring software, meaning so we've seen that quite a bit. We've seen that both from threat actors who are looking to do living off the land, meaning that they come in. Those remote management software suites are already installed on the machines, and they use them from there, or they can bring their own. And in this particular case, this subgroup of Seashell Blizzard is doing some of that. It looks like they're focused on leveraging that remote management and monitoring, or RMMs, to do some of the data exfiltration and do some of the further control within the host that they compromised.
Anna Seitz: Correct. And also, those -- that abuse of RMM suites originally was a new technique used by Seashell Blizzard, and so now we're seeing it kind of spider down into this subgroup as well. And it was actually first observed when the subgroup exploited vulnerabilities in ConnectWise ScreenConnect and also the Fortinet FortiClient EMS.
Sherrod DeGrippo: Okay, so they're leveraging vulnerabilities in these other appliances that they can then use for the RMM capability. So something that was interesting to me, for those of you listening, we have a full blog on the Microsoft Threat Intelligence Blog about this if you would want to absorb this media via reading instead of listening to us, but we're better. Let's face it. I found interesting about it is that it really seemed to me, from what I could tell, that this subgroup is focused on getting that initial access and then potentially handing it off. We don't know what qualifies you to be in this group, what kind of training or background or whatever it may be that gets you into this subgroup of Seashell Blizzard, but it looks like they are sort of singularly purposed in getting that initial breach foothold, getting the initial access, almost similarly to how we see, in the crime space, in the financially motivated space, the initial access broker landscape operating. There's an entire ecosystem where, threat actor groups, all they really do is get that initial access and then they broker it out. It looks like here there's almost a similar relationship there, where this subgroup within Seashell Blizzard is just tasked with getting that initial access, and then, from what we can tell, holding it. And we don't necessarily have the second piece of that puzzle today. We see them getting that access. That's really the point of something like this BadPilot Campaign.
Anna Seitz: Totally, and also in this campaign, there were three distinct exploitation patterns that were linked to this subgroup and helped kind of differentiate the subgroup. And those are the deployment of the RMM suites for that persistence and C2, also web shell deployment for persistence and C2, and the last one is the modification of infrastructure to expand network influence through that credential collection.
Sherrod DeGrippo: For a threat actor group like Sandworm, APT-44, Iridium, Seashell Blizzard, deploying RMMs to Internet-facing systems, it seems kind of ordinary. So, Anna, do you have any -- the same threat actor group that does something like NotPetya is now doing what might be considered kind of basic. Is there any kind of inference that we can take from that? Is there any logic behind that?
Anna Seitz: It's a good question. I think we're seeing this more and more in the threat landscape are the exploitation of existing vulnerabilities. So even though they went after some pretty well-known vulnerabilities, this subgroup has leveraged at least eight other vulnerabilities with specific categories like the small office, home office, SoHo, and enterprise networks.
Sherrod DeGrippo: Okay, so speaking of SoHo devices and exploiting those, that's something that we've also seen significantly leveraged by China. And the question kind of comes up, chicken or the egg? Do we think China is influencing the way that Russia might be doing their operations? Are they learning from them? Obviously, we can't know for sure, but typically, exploiting those edge vulnerabilities is associated with China-based threat actors. They've cornered the market, you might say on that. So do you think there's anything to be learned here from Russia now having a subgroup kind of dedicated to that?
Anna Seitz: Yeah, I think this is showing the expansion of the Seashell Blizzard ecosystem. Obviously, you know, having a subgroup that's now conducting operations similarly to tactics that we've seen come out of China threat actors is a very interesting point, although, yeah, you're right. We can't quantify it back per se to say that that's exactly what is happening or that's exactly the direction this is going. Either way, it's wildly interesting. Also, there's another threat actor group, Mango Sandstorm, that uses similar TTPs, such as using the specific techniques that we were considering distinct for the Seashell Blizzard threat actor.
Sherrod DeGrippo: And just a quick update on Mango Sandstorm, they are based out of Iran. We used to track them as Mercury, also known as Static Kitten, and the very infamous MuddyWater. So I guess it's probably pretty obvious that I follow fashion because I like that kind of stuff, and I'm into cultural things. I do feel like there is a bit of the concept of dupes. Are you guys familiar with this concept of like there's the designer one. There's the original. There's the Haute Couture version. And then we see that trickle down into a bin at a big box retailer, for example. This is a very famous sort of soliloquy from The Devil Wears Prada, where she talks about how those influences work. And I do think that's something in threat intelligence that we are constantly sort of evaluating and thinking about. Did this group learn from this -- just by watching the news, just by looking at indictments, just by reading threat intelligence briefs? Because the threat actors absolutely do read those blogs. Are they getting ideas from each other? And I'm interested, Anna, Megan, do you think that, for example, the Russia-based threat actor groups are watching the TTPs and attack chains that are being reported on coming out of China, Iran, North Korea, even crime as well, and implementing some of those techniques as their own sort of dupes concept?
Anna Seitz: Yes, I totally believe that. You know, what do they say? The best the best artists steal or whoever.
Sherrod DeGrippo: Yeah, like great art -- good artists borrow. Great artists steal.
Anna Seitz: Right. I totally see that, and that's something, you know, as we're tracking, especially things like Seashell Blizzard, that's been around for a very long time. It's starting to pop up where everybody's just borrowing and trading and potentially stealing or maybe selling all of their different tactics and all of their different, I guess, tools and all kinds of weird stuff. So it's become this big ball of yarn, trying to unravel what belongs to whom, and where does it go from there? So that's our jobs. That's what we like to do best.
Sherrod DeGrippo: Megan, what about you? How do you see this evolving over like probably the past several years?
Megan Stalling: So I completely agree. I think as we see these trends kind of diffuse, you know, they become more popular across the entire threat actor landscape. Like as right now, I think you could even look in the threat actor portal on Defender and see that we have several different threat actors conducting ClickFix attacks. You know, this is very popular, not just in North Korea or Russia, but it's just across the board.
Sherrod DeGrippo: I think a lot of times, too, people will say to me, Sherrod, you've been doing this for so long, which I have, and why haven't we fixed it yet? Why haven't we stopped all these threat actors from doing all these things? Why isn't security solved? And the reality is it might not be solved, but we have made a lot of progress, and I think that those security success progress points influence the threat actor trends and changes. As an example, when is the last time you saw a big exploit kit on the landscape? We don't see those anymore, but 2015, 2016, they were everywhere. When is the last time you saw malware just straight up attached to email? You don't see that anymore because what you do see now are these really complicated attack chains where it's like a link that you click. You download a PDF. There's a link in the PDF. Then you -- that goes to a landing page. You log into that landing page, all these things. Attack chains have gotten more complicated because we have been successful in some directions. Browser vulnerabilities. Despite the use of browser vulnerabilities by North Korea this year, other than that, Megan is like, no, North Korea is owning the browser vuln space because they did have two Chromium zero days. Other than that, we don't see a lot of browser vulns. So I think when we talk about trends of threat actor activity, a lot of it is driven by or is influencing where we're having security wins. So I think what really, as a security industry, a threat intelligence industry, what we really should be looking at are when you are seeing the same TTPs over and over again. That is the low-hanging fruit that the threat actors are choosing, and that is where we as a security industry and security practitioners need to start putting resources. Because as an example with this Seashell Blizzard subset, specifically, some of these tactics are just things that have been happening for years and years and years. 
Using CVEs against Internet-facing devices. Vulns against Internet-facing devices are something that we've been dealing with for over 20 years. So that, to me, is an indicator that we have work to do. When we see threat actors doing novel techniques, that's an indicator that we've been successful. And there really are some successes, but we don't always embrace them. And instead, we talk about the problems, which is important because we're going to solve them all. So something else I want to mention really quickly, Anna, and we'll talk just a little bit more about the BadPilot Campaign and Seashell Blizzard here. Something interesting is that this group seemed to have focused particularly on the US, UK, Canada, and Australia. And that is an interesting case because these are really focused on countries that are considered Western, but we didn't see a lot of European targeting in there, despite the fact that Seashell Blizzard obviously has a significant association with the Russian invasion of Ukraine since 2022. What else should we know, Anna? Is there anything that we didn't touch on that is important to talk about with BadPilot and Seashell Blizzard?
Anna Seitz: Yes, just one more thing is the ShadowLink component to all of this.
Sherrod DeGrippo: Okay, tell us about that.
Anna Seitz: Right, so this is that unique post-compromise activity we're seeing coming out of this subgroup. And ShadowLink is used for persistent remote access, and it facilitates this access by configuring a compromised system to be registered as a Tor hidden service. So once again, we're not seeing like anything super I would say -- I would hate to use the word mature -- sophisticated. You know, once again, these are all things that we've seen similarly before in the past, but just used in a different way. So this particular ShadowLink activity is what you say. It starts with remote access, and then it's using a combination of Tor service binaries and also this unique defined Tor configuration file, configuring the system for that remote access. And then systems compromised with ShadowLink receive a unique .onion address, which makes them remotely accessible through the Tor network.
Sherrod DeGrippo: So Seashell Blizzard via this subset of initial access, threat actors within a threat actor that we're talking about here, the tactic here is to use ShadowLink to get Tor on that machine and then turn it into a Tor node, essentially, that is remotely accessible. That's really interesting because there's a lot of ways beyond Tor to get remote access to machines, right? The RMM landscape is huge. There's a variety of tools that can be used. I mean, you could just start opening ports and turning on services if you wanted to. But in this case, they're using ShadowLink to turn it into a Tor node. Anna, what does that get them? Is it advantageous, or is it just kind of a method that they're using?
Anna Seitz: It's actually really interesting because they're using this capability to bypass those common exploit patterns of deploying a RAT which would commonly leverage some form of C2 to the actor control infrastructure, but these are easily audited and identified by network administrators. So by relying on these Tor hidden services, the compromised system creates a persistent circuit to that Tor network and then acts as a covert tunnel. And that tunnel is cloaking all the inbound connections to the affected device and then limits exposures from the actor and victim environment.
Sherrod DeGrippo: Okay, so I want to take a minute and just really, just really make a pitch for my cult of network detection. I really think that the higher up we can get in that stack, the better we're going to be as detection engineers. And this is a great example of detection engineering, as we were talking before. When threat actors change their tactics, it's because something that we have done generally, as security practitioners, has worked, and this is a great example. Setting up this Tor node as your remote access capability is likely directly because network detection finds connections going through other types of connectivity, like a RAT or a Remote Access Trojan that Anna mentioned, or the variety of other options that threat actors have for setting up that remote access. So I think it's a good indicator of a win for network detection engineering, detection engineering overall, but network specifically because most everything on your computer, it got there over a network at some point. Network connectivity is a fact of life in 2025 and beyond. The network really is, to me, the final gatekeep. It is where things happen. Yes, there are remote exploits, but at that point, just get into a fist-fight with the person. I mean, it's going over the network, and I think that's why I have always viewed the network as the final decision-maker of whether or not something is breached, whether or not something is exfilt, whether or not malware is on a machine, whether or not social engineering can occur. That all goes over a network. So I think it's interesting that this threat actor is now sort of in a situation where they're putting these hosts in Tor. They're making them Tor nodes.
Anna Seitz: Totally, and we've also seen, speaking of borrowing tactics, there's another Russian threat actor, Forest Blizzard, that's also leveraged the similar Tor-based operations in their campaigns as well.
Sherrod DeGrippo: Forest Blizzard you might also know as Strontium, Sofacy, and Fancy Bear, APT-28. All right, Anna, that was fascinating. For those of you, again, that want to learn more, we have an in-depth threat intelligence blog on the Microsoft Threat Intelligence Blog site website called the BadPilot Campaign: Seashell Blizzard Subgroup Conducts Multi-Year Global Access Operations, and it is a great in-depth blog written by the threat research analyst here at Microsoft. And it has full details with lots of code snippets, a variety of hunting suggestions looking for the ScreenConnect configuration, what the logs look like coming out of FortiClient. It is really nice and in-depth, and it also gives you some queries to use within Microsoft Sentinel as well as, of course, IOCs. So go ahead and check that out. That's the BadPilot Campaign Seashell Blizzard Subgroup blog. So let's talk now about Sapphire Sleet, which is a North Korea-based threat actor group that Microsoft's been tracking since January of this year. Megan, what are we seeing on the landscape from Sapphire Sleet?
Megan Stalling: Well, we have an interesting update on activity from Sapphire Sleet. So for a little bit of background, Sapphire Sleet is known to conduct these spear-phishing campaigns where they masquerade as venture capitalist organizations, you know, with an interest in -- they'll reach out to invest in a target user's company or as job recruiters. And in this, they're trying to primarily target organizations in the cryptocurrency sector, but they've also expanded their focus to banks within the financial services sector as well.
Sherrod DeGrippo: So for those of you that don't keep track of the North Korea threat landscape or the North Korea-based threat actor landscape, they are robbing the global cryptocurrency coffers blind. They are getting all of it. There was recently an indictment for a $3 billion total capture from these North Korea threat actors. They are dominating the capability to steal cryptocurrency. Quickly, I want to mention, again, for those of you who have not memorized all of the threat actors and their AKAs, this is Copernicium, Genie Spider, or BlueNoroff, as many of you probably are familiar with it. So, Megan, they're using social engineering against cryptocurrency and venture capitalist orgs. What do you think they're doing there, in the end? Like what's the rest of the attack chain?
Megan Stalling: Historically, they're kind of reaching out in order to create this engagement with the threat actor so that they can, in the end, you know, deliver malware to the victim's machines.
Sherrod DeGrippo: These techniques, and I'm not sure if it was Sapphire, so it was definitely a North Korea threat actor group. James Elliott at CyberWarCon 2024, if you want to go search up that recording, those are available on the CyberWarCon site. James Elliott talked quite a bit about this with the social engineering that this group is doing.
Megan Stalling: Yes, absolutely. And James Elliott is actually the same researcher who uncovered this recent activity.
Sherrod DeGrippo: James Elliott is, for those of you that are aware of the man, he is quite a legend around here. You'll often see groups of new analysts just following him around, like he's created some sort of cult. I don't know why cults keep coming up in this episode.
Megan Stalling: I love it.
Sherrod DeGrippo: So something that I've seen before and that they've been doing for several years now because I spent a lot of my time looking at email threat, and this is one of the attack chains where they deliver the fake meeting invites, and then you get the fake meeting invite, right? And it causes you to like call them or email them and then ask them like, oh, what can we do? And the threat actor is like, okay, well, we can use this other platform, or if the meeting invite I sent you isn't working, then we can get on Zoom, and then they get a fake -- another fake message, right? Like it's just fake stuff all the way down, but they're preying on the fact that the user, from my understanding, a lot of them are either job interview premises, like I want to interview for a job, or they are I want to do business with you, or I want to do -- like I want to invest with your company. I'm a venture capitalist. Or I want you to invest in my company, and you're a venture capitalist. So they're using these social engineering premises that are really believable and that people have an urgency around.
Megan Stalling: Yeah, absolutely. And that's kind of something we're continuing to see from Sapphire Sleet. They're just, like we mentioned earlier, just evolving a little bit to add an extra step. So it's not necessarily more sophisticated than in the past, but just adds an extra step to make it more complicated, you know? So in this recent activity, Sapphire Sleet is shifting tactics to use fraudulent Zoom domains as a part of their spear-phishing activities. And like we said, in the past, they use those fake meeting invitation links and then would direct users to a fake error message. But now these fake meeting invitation links are directing users to a fraudulent Zoom sign-in page. So like you said, just more fake stuff.
Sherrod DeGrippo: And is that Zoom, that fake Zoom sign-on page, is that intended to harvest credentials, or is that intended to trick them again into saying like the page isn't working, help me download a script onto my machine kind of thing?
Megan Stalling: Yep, it is just another trick up their sleeve. So once they try and access that fake Zoom, it uses kind of this fake Zoom sign-in page image as well. So they're trying to get into it. They'll have an error, just like in the past, and then they'll need to reach out for assistance as well. So just another strategy to really encourage that engagement with the actor directly.
Sherrod DeGrippo: And that also results in the threat actor getting their target to be more susceptible to installing stuff. And I know in the overview that James Elliott did at that CyberWarCon talk, the whole point was to get a script on their machine. And I believe those scripts were custom-made. They were not commodity, and they had only been seen from that particular threat actor.
Megan Stalling: Yes, that is true. Also James Elliott, what he uncovered, what is kind of kind of interesting in this specific campaign, was the way in which it kind of unfolded. So James discovered that the original Sapphire Sleet domain that they had registered on January 17 -- so I'm not sure if I mentioned previously, but this all kind of began around mid-January, and then is still ongoing today, the registration and creation of these fake Zoom domains overall. So when James identified that Sapphire Sleet, their known IP addresses, and I add, were registering these fake Zoom domains, he did some further research and was able to identify that the threat actor was also using that fake Zoom image with the domains, and this also just visually masqueraded as a legitimate Zoom sign-in page. So it really added another element there to trick users into thinking this is legit. So our researchers were able to then use this fake Zoom sign-in image to create a query to search for the additional domains using the image hash. And this query was used on urlscan. And then I should add that you do have to have a pro account, though, to use this query. But yeah, using this they were, in the following days, our researchers found many more of these fake Zoom domains and subdomains registered to the Sapphire Sleet IP addresses and also using that fake image. So we uncovered that the threat actor was also creating domains that masqueraded as those legitimate private investment firms as well.
Anna Seitz: Wow. Yeah.
Sherrod DeGrippo: I think it's really interesting that they're able to do such effective and authentic-looking social engineering. We've had a couple of episodes focused on threat actors based in North Korea, and I urge you to go back and check out the episode Between Two Gregs, which is with Greg Schloemer of Microsoft and Greg Lesnewich of Proofpoint, two fantastic North Korea experts. And really, I think something that's important to acknowledge about North Korea is that if you had asked me three years ago where DPRK was on the nation-sponsored threat actor stage, I would say they were like the opening band of the opening band of the opening band. Like if you look at like posters like for Coachella, and it's like Green Day is in like super -- Lady Gaga is like in huge font. And then it gets smaller and smaller and smaller. I would see Russia and China in the big Lady Gaga font, and then I would see like, you know, North Korea, Iran, Lebanon, you know, Malaysia, Vietnam like getting smaller and smaller, but I really think and, Megan, I'd love to have your opinion here as somebody working North Korean threat actors. The past two years, they have turned it out. They have stolen so much cryptocurrency, it is unbelievable. I can only imagine that the amount of cryptocurrency that they have stolen has made a significant impact on the cryptocurrency landscape itself, has made a significant impact on the North Korean regime's ability to operate overall. They've done that. They've produced two zero-day browser vulns, which is incredible. We don't know, obviously, where they got those. There's a lot of coverage on that. You can check that out on the Microsoft Threat Intelligence Blog. We have a write-up on that. And I did a talk on LinkedIn with Tom Gallagher from MSRC, talking about the Microsoft Security Response Center, talking about the blog and talking about North Korea getting these vulns. 
So I guess my point really is that North Korea really went from like a C player to an A player in a very short time.
Megan Stalling: I totally agree with you. Just in the last year in my role, so I primarily focus on producing content, you know, for the North Korea V team. So there is never a shortage of activity to produce about. Like there's -- it's just fascinating overall the amount of evolutions across each threat actor group in North Korea. The smaller groups, you know, are evolving day by day. Even Sapphire Sleet, we have an additional evolution for their TTPs are coming out this next week, so they're just constantly upping the game. So, specifically, I think looking back into this research today, before we talked, that 2024 CyberWarCon 2024, I think, blog that you mentioned, Sapphire Sleet was mentioned in there stealing, I think, a total of over $10 million in a six-month span from the cryptocurrency market. So it is truly insane the amount of stuff they've been able to accomplish in such a short time.
Sherrod DeGrippo: Yeah, I think that's what really sticks out about it, to me, is that I don't think most people would have bet money on North Korea-based threat actors getting to this level this quickly. It's not just about the increase in volume, which is really important, but it's really about the technique increase, the capability increase. And certainly, I think there's an evolution in the social engineering capability that we're seeing there. I don't think that we've really seen this level of social engineering out of North Korea ever before. And in the past year to two years, the capability with social engineering has really increased. As many of you are aware, there is the North Korean IT worker situation where North Korean threat actors or individuals, whatever, it's kind of almost hard to say what they are, will go get jobs as remote IT employees, and they will do software engineering. They'll do IT support. They'll do a variety of things, legitimate jobs that I also never predicted they would do. But they are not going to be able to do that effectively without some level of social engineering capability that's very effective.
Megan Stalling: I completely agree with you. There is, like you said, it's remarkable what they've been able to accomplish in social engineering, but it should kind of just make everyone else be a little more -- a little more skeptical, you know, when you come across something that seems a little off. Or overall, you know, it's -- I don't want to fearmonger, but it does make you want to be more vigilant in your everyday interactions, especially on LinkedIn or anything of that sort.
Sherrod DeGrippo: Absolutely. I think that's one of the things that's the hardest to solve with technology from a security practitioner standpoint. What I always tell people is there are three red flags when it comes to social engineering: urgency, emotion, and habit. If someone's trying to get you to do something immediately, using the word now, using the word hurry, telling you there's going to be a consequence if you don't do it soon, that's a red flag. Emotion, they're trying to put you in an emotional state that you weren't before. In this particular Sapphire Sleet example, they are putting you in this state of anxiety, this state of concern, the state of worry because they had planned to have an interview with you. They had planned to possibly ask for investment from you, all of these things where you feel it's very important and things are on the line. They're trying to put you in that emotional state so that you make different choices than you would if you were in a more stable emotional state. The third red flag is habit. They get you in a behavioral mode where you're doing something that you do all the time. I click on Calendar invitations and open up Teams -- not Zoom. I work at Microsoft -- and open up Teams, I swear, 10 or 15 times a day, maybe more. I do so many meetings. I know a lot of people listening do so many meetings. I know Megan and Anna do so many meetings. You are in that habit, that comfort of open the calendar invite, click on the link. The Teams pops up. The Zoom, if you are using Zoom, the Zoom pops up, and you're just used to that. That's just how you operate your day-to-day. 
So again, look for those three red flags: urgency, trying to get you to get you to something quickly; emotion, trying to put you in an emotional state that you weren't a few minutes ago; and habit, getting you in a behavioral path that you're always in, getting you in that funnel and getting you to just mindlessly do the same things that you've always done by habit. So North Korea seems like they have really mastered the social engineering capability to get people to do things. I aspire to also get people to do the things I want them to do, but they're not criminal things or espionage.
Megan Stalling: Same here.
Sherrod DeGrippo: It's more like, you know, give me free dessert. Okay, so anything else, Megan, that we need to know about Sapphire Sleet, this campaign, or what's going on there?
Megan Stalling: Mostly just for researchers if they're wanting to do any of their own research to check back into that activity profile. You can check out those IOCs. Use that query. Look for more domains. I'm sure it's continuing to grow.
Sherrod DeGrippo: So Megan is telling everyone to go hunting or threat hunting, thrunting, whatever words you might use for that. Well, Anna, Megan, thank you so much for joining me. This was fantastic, learning about Secret Blizzard and learning about Sapphire Sleet. I appreciate hearing from you, and I imagine you'll be back on soon as the landscape continues to evolve.
Anna Seitz: Thanks so much for having us.
Megan Stalling: Thank you so much for having me, Sherrod, it was great to be here to talk with you all today. [ Music ]
Sherrod DeGrippo: Thanks for listening to the "Microsoft Threat Intelligence Podcast." We'd love to hear from you. Email us with your ideas at tipodcast@microsoft.com. Every episode will decode the threat landscape and arm you with the intelligence you need to take on threat actors. Check us out at msthreatintelpodcast.com for more and subscribe on your favorite podcast app.
