Research Saturday 11.9.19
Ep 110 | 11.9.19

Monitoring the growing sophistication of PKPLUG.


Dave Bittner: [00:00:03] Hello everyone, and welcome to the CyberWire's Research Saturday, presented by Juniper Networks. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Dave Bittner: [00:00:26] And now a word from our sponsor, Juniper Networks. Join Juniper at NXTWORK 2019 to learn, share, and collaborate with game changers from companies across the networking industry. This year's event features keynotes from Juniper executives, as well as special guest speaker Earvin "Magic" Johnson, along with over forty breakouts and master classes led by distinguished engineers, as well as various opportunities for certification testing and training. Visit for more information. That's And we thank Juniper for sponsoring our show.

Dave Bittner: [00:01:09] And thanks also to our sponsor, Enveil, whose revolutionary ZeroReveal solution closes the last gap in data security: protecting data in use. It's the industry's first and only scalable commercial solution enabling data to remain encrypted throughout the entire processing lifecycle. Imagine being able to analyze, search, and perform calculations on sensitive data, all without ever decrypting anything – all without the risks of theft or inadvertent exposure. What was once only theoretical is now possible with Enveil. Learn more at

Ryan Olson: [00:01:49] A plug is sort of an interesting one for us.

Dave Bittner: [00:01:51] That's Ryan Olson. He's vice president of threat intelligence for Palo Alto Networks, and he leads their Unit 42 team. The research we're discussing today is titled, "PKPLUG: Chinese Cyber Espionage Group Attacking Asia."

Ryan Olson: [00:02:04] The author of this research is Alex Hinchliffe. He's one of our analysts over in the UK. And over the last few years, he's done some research that results in some interesting reports for us. One that was about some Android malware that we called "HenBox." Another one about a Windows backdoor called Farseer. And as Alex was looking at this, he started working on what we call an Adversary Playbook. These playbooks are things that we assemble to describe how an adversary launches their attacks. And what Alex was looking to do is build one for the group who is responsible for those two pieces of malware. He knew that they were connected to each other. He started doing this sort of backward look at previous attacks, mostly that had been published by other security vendors, and he realized there was connective tissue between all of them – overlaps in infrastructure and tools used, in techniques that were used. As he was building out this playbook, he realized he really had a lot more – more like six or seven campaigns, rather than the two or three campaigns that he'd already published on.

Dave Bittner: [00:03:00] Let's start with who they're targeting here. Who does it appear that they're going after?

Ryan Olson: [00:03:04] PKPLUG – all of the attacks that we've seen so far, both from our research and others, have been against organizations and individuals across Asia. A lot in Southeast Asia, but we also saw attacks in Mongolia, attacks inside of China, attacks in countries surrounding China. So it's really been a broad set. And this leads back all the way to 2013. So, it's a long series of attacks, not just a few of them that we've seen over the last few months.

Dave Bittner: [00:03:29] And there seems to be alignment with Beijing's Belt and Road Initiative?

Ryan Olson: [00:03:33] Yeah. Looking at the countries who were targeted – and it's a big list, so I won't name them all, I think we had seven or eight different countries – all these countries who were being impacted and the targeting that we were seeing had alignment with that initiative, the people who were sort of across that initiative.

Dave Bittner: [00:03:47] Well, let's walk through the timeline together. The research that you publish shows that things got started back in 2013.

Ryan Olson: [00:03:54] That's right. So, the first campaign that we investigated as we were going back in time. So, 2013 is quite a while ago. It's before we actually formed Unit 42. So this was research that we were looking at, using a really common Trojan called PlugX – it's a Chinese Trojan, it's used by lots of actors, it's not exclusive to one organization, one government or another, one hacker or another – in some attacks against Mongolia. And it's actually – PlugX is sort of where part of the name "PKPLUG" came from, when we were first using that moniker for this adversary. They were using PlugX and we pulled the "plug" from PlugX...

Dave Bittner: [00:04:27] (Laughs)

Ryan Olson: [00:04:28] ...And then they were deploying it by including the files in ZIP files basically. And if you're familiar with the ZIP format, the first two characters of a ZIP file – the magic numbers, effectively – are the letters "PK." So Alex sort of assembled that together because he needed a name for it. Whenever we're building one of these Adversary Playbooks – and we call them that because they are formed around an adversary, and that doesn't mean a person or a government or a, you know, a hacker group necessarily, but it is our moniker of a way to tie all the attacks that we've seen that are connected to one or a small set of groups into one component. We've published a whole bunch of these so far – I think PKPLUG was the twenty-second playbook that we've published so far.

Dave Bittner: [00:05:06] Hmm. So, things get started in November 2013 and then the next sort of spike in your timeline is from 2016.

Ryan Olson: [00:05:14] Yep. So, 2016 was the next report that we were able to connect to this. In that case, they were using another common, commodity kind of Trojan called "Poison Ivy." In this case, the attacks were using phishing emails, and the phishing emails included lures – basically they were trying to trick people into clicking and opening a file – that were related to ASEAN economic initiatives and democracy-related themes in the country of Myanmar. In this case, they were using Poison Ivy, like I said. Once again, really commodity – we can't use Poison Ivy or PlugX to directly attach attacks to a certain group. But in this case, we saw infrastructure overlap again – domains, IP addresses, the things that are used for the command-and-control.

Dave Bittner: [00:05:51] And then only a few months later, some Trojans being used through Google Drive in July of 2016.

Ryan Olson: [00:05:59] Yep. And this is one that we published on. The Trojan that was used in this case is widely referred to as "9002," and this came from the date – 2009 – that was embedded in it some point, but it was embedded sort of in reverse. Once again, a Trojan that's got a lot of association with Chinese actors, but not one particular one, because it has been used by a lot of different groups. And this one was, again, being delivered through phishing emails with these ZIP files that started with "PK," but in this case, installing a different Trojan than the ones that we'd seen before. And again, it seemed like most of the attacks in this case were targeting activists inside of Myanmar, or not necessarily the activists themselves, but using the content that's interesting to them in their lures. Also, in that case, we saw lures that related to the sort of themes around Taiwan and the PRC and sort of the relationships between them.

Dave Bittner: [00:06:50] Hmm. The next spike on your timeline is from March 2017.

Ryan Olson: [00:06:54] Yep. And this one was the one that we called the Fabby (ph) campaign or was dubbed the Fabby Campaign, which is a sort of strange name, which I actually don't know the origin, and now I need to go and look that one up.

Dave Bittner: [00:07:04] (Laughs)

Ryan Olson: [00:07:04] This one was, again, phishing emails. And once again, using the same kinds of lures that related to governments from around that area, related in one way or another to sort of Chinese interests in the area. The phishing emails were actually hosted on GeoCities Japan, which is a blast from the past, but GeoCities has survived in Japan much longer than it did in the United States. In this case, the Trojan being used was once again Poison Ivy. So, same Trojan, a variant of Poison Ivy, that continues the theme of using Poison Ivy from earlier. But once again, these sort of tools that are out there freely available for lots of people, nothing super custom at this point.

Dave Bittner: [00:07:39] Looking over these few years here, the connecting thread is the infrastructure, not the tools?

Ryan Olson: [00:07:46] Yeah, it's the infrastructure, sometimes it's a little bit of overlap in the ways that tools were used as well. And this is one of the things when Alex put this research together, he was using a tool that we use called Maltego, which is a common link analysis tool in the threat intel world so that you can lay out all of what you know about an attack basically into an – to perform what we call nodal analysis. You'd lay out all the little nodes, and you'd say, I have a piece of malware, talks to this IP – or excuse me, talks to this domain, that domain resolves to this IP address. Maybe the domain was registered with a certain email address as well. And you get all these things laid out into a map and then you identify connections between them.

Ryan Olson: [00:08:24] And in this case, the map was very, very large. We actually published the whole map in the report, and Alex sort of identified each of the reports that we talked about and the sort of summary and showed how they overlap from one to another. And then he summarized it a little bit smaller into a Maltego diagram you can actually read, by removing the extraneous information and just sort of showing the links. And across each of the links – they're not always the same. In some cases, you have links that are a domain that was being used as a command-and-control server twice in two different attacks. Some cases it's two domains that were used that resolved to the same IP. And I'll say, you know, across all this activity, like, this is six years. Six years is not a timeline where you go, this is one individual operating this whole time, because it's just too long. And we don't have that kind of detail, but we saw these overlaps that allowed us to make enough connection that we think they're all related to each other, roll them all up into one playbook.

Dave Bittner: [00:09:15] And so continuing along the timeline, the next incident of note is in March of 2018.

Ryan Olson: [00:09:22] Yeah. So when we published the HenBox report, that was when we started seeing them using custom malware, and in this case, changing to target – instead of Windows systems, which all the previous attacks had been – targeting Android machines, or Android phone devices. And this one was custom. Once again, the elements of who was targeted were again related to the interests of the PRC, but didn't seem to be against other governments, that did have sort of an activist theme, though, targeting Uyghurs, the Turkic ethnic group that's largely in north, sort of, eastern China – excuse me, northwestern China.

Ryan Olson: [00:09:54] The themes that we were seeing around how they were tricking people into installing this on their Android phone were related to Uyghur messages, as well as we saw an element inside of the malware – it would only steal data from the phones basically when it saw that they had a prefix code on them that was the Chinese prefix code. So they weren't looking to target people outside of China. They were looking to target Uyghurs and they were using Islamic themes to identify them when sending these out, and then only trying to steal from their phones. Which is – this is a pretty significant jump from the kinds of activity that we'd seen in the past, but we were able to connect it through the infrastructure that was used, the infrastructure and some of the other tactics, to say that these were related attacks.

Dave Bittner: [00:10:35] What are your insights or speculation on the shift from using off-the-shelf tools to having the resources to custom-build their own tools?

Ryan Olson: [00:10:46] We can't say for sure, but I would say anytime – if you've been given a directive, as this group, PKPLUG, however they're organized, has been told, you know, you've targeted a bunch of activists in the past and we've got access to them, but suddenly the population you want to target, the individuals no longer use Windows at all. You really have to go and find a new route. And if, like, the large population of the world that is on Android, they're your biggest base. And Android's very popular, especially outside the US, I think somewhere north of eighty percent for smartphone usage, and definitely in lots of areas around the world outside the US, Android is really popular. This is the way that you're going to get access to the data from these individuals. You're not going to get it through a Windows device, so you need to go and do something new.

Ryan Olson: [00:11:29] And Android development – I wouldn't say the folks who were launching these attacks in the past had no technical capability. They're using off-the-shelf tools, but they still have to be able to set up the infrastructure and run it. They likely just needed to find someone who had some Android development background to be able to go and deploy these.

Dave Bittner: [00:11:44] The timeline for the research concludes in February of 2019. What did you publish there?

Ryan Olson: [00:11:48] In that case, we were back to Windows with some malware that we called Farseer that once again had connections, both infrastructure as well as tactical, back to the earlier attacks that we'd seen. And Farseer was being used, once again, decoy documents targeting political news, all related to the politics of Asian countries – in this case, related to Myanmar – using some similar techniques as well. We've seen some of the earlier versions of Poison Ivy using this technique. Poison Ivy deployed by PKPLUG using this technique called DLL side-loading, where you put a DLL with a name that's related to an actual – it's an actual Windows name or a name that's used by a common application installed on the system. And you replace that DLL, basically, in the directory with your piece of malware so it can load into a legitimate process. That's what we'd seen with the Poison Ivy in 2016. And that's what we saw with Farseer as well.

Ryan Olson: [00:12:39] DLL side-loading once again, not an exclusive technique to Chinese actors, but certainly one that they very commonly use, you know, in this kind of timeframe, not just PKPLUG, but others. And it was a new tool, a tool that hadn't really been published on in the past. So, when they're developing their own tool – in this case, for Windows – you can sort of see a sophistication increase from just sort of pulling things off-the-shelf.

Dave Bittner: [00:12:59] And this group is still on your radar, yes?

Ryan Olson: [00:13:02] Certainly still watching them. And this is – it's interesting for any group that's been around this long and obviously over six years to have six-ish – or I think we have a seventh now that we're also investigating – attacks. It's not high-volume. These are relatively small. We aren't going to claim we have perfect visibility, especially into some of these groups where, you know, Palo Alto Networks, our primary customers are enterprises, so we wouldn't necessarily be in the place to go and monitor for attacks against activists, which a lot of these have been. But we are definitely keeping an eye on them, because actors like this, they may go for other organizations in an effort to go and attack an activist in some way, or it could be newspapers or others who have the information that they're interested in.

Dave Bittner: [00:13:45] Now, you and your team at Unit 42, you make use of what you describe as Adversary Playbooks. Can you describe to us – what is that, and how do you use them, and what's the broader usefulness of them to the community?

Ryan Olson: [00:13:58] The concept of the playbook started, as a – I'd say, a discussion which was rather heated between me and my boss about three years ago. He had said, we all in the threat intel community get frustrated when we're just sharing a bunch of indicators. You know, you share a list of hashes and say, these are bad, or here's bad domains. And what we're saying was the context around these is really important. Why are they bad is important, but also what are they connected to? Who's using them? How are they using them? Because if you just share a big list of indicators, you lose a lot of that context.

Ryan Olson: [00:14:28] So he was saying we should be able to find a way to take everything we know about a bad guy, an adversary, take the indicators that are related to them, but also say, how do they work across the kill chain? What are the steps that they take to be successful in exfiltrating data, stealing money, whatever their ultimate goal is? So when we were building out the – and I didn't disagree with that, but I did disagree about names and things like that. We had lots of discussions about should we call it a playbook? I'm not a sports guy...

Dave Bittner: [00:14:53] (Laughs)

Ryan Olson: [00:14:53] ...So I'm like, I'm not sure exactly what the right metaphor is – is it a blueprint? Is it something else? And playbook gets used in lots of ways in our industry. But we settled on Adversary Playbook because we wanted to think of it as the adversary sitting down, if they were launching their attack – because they're humans, that's something we really want to make sure people think about, this is a human being who's trying to do a job – what are the steps that they would go through to achieve their ultimate goal? What's their playbook look like?

Ryan Olson: [00:15:17] So, we wrap together really three sort of concepts and technologies to build the playbook. The first was MITRE's ATT&CK framework. We started doing this when ATT&CK wasn't quite as popular. It is now, but I'm glad it's gained in popularity, because ATT&CK gives you this common terminology for describing the techniques. I'm sure you've had Katie Nickels or someone else from MITRE on the CyberWire at some point to talk about it. 

Dave Bittner: [00:15:38] Mm-hmm. Yeah.

Ryan Olson: [00:15:38] It's a great framework so that we can use common terminology between us and other vendors to describe, you know, how was an attack launched. We map ATT&CK over to the Cyber Kill Chain so we can say, okay, we're looking at these different phases of the attack they're trying to accomplish. Which technique were they employing in each one of those? And then the third one is STIX 2.0. So, STIX 2 is a JSON format for sharing structured threat intelligence information. STIX 1 was an XML framework, STIX 2 is JSON. We basically rolled all these together to say, let's take an adversary, look at all the campaigns they've launched, look at the techniques that they employed in each of those campaigns and see what indicators – not just individual hashes or domains, but are there patterns that we'd see in those domains, or are there command-line executions that we might see on a host – and roll that all up into one bundle that could be machine readable in JSON that a machine can go in and work with in a standard like STIX.

Ryan Olson: [00:16:32] We made the first one for a group we call OilRig I think a little over two years ago now, and, you know, the team got together and they worked on it and they handed it to me, and it's a big blob of JSON, and I went, oh man, no one is ever going to look at this, because it's a big blob of JSON. 

Dave Bittner: [00:16:48] (Laughs)

Ryan Olson: [00:16:48] So we really quickly at that point said, let's build a little viewer for it. Let's build a, you know, just some simple CSS, JavaScript, some HTML, to be able to take that JSON and break it out so you could actually basically explore it, say, show me this adversary and then click into each of the campaigns and sort of see a table of how all of the techniques were used. So, we built the viewer really quickly. It's open-source. It's on GitHub. Actually, all of the playbooks, the twenty-two we published, are all free and they're all on GitHub. If you Google "Unit 42 Playbook Viewer," it should be the first hit. And you know, people have liked them, and because of that, we've started adding more features to them over time.

Ryan Olson: [00:17:25] We're also making more playbooks. Like I said, we published twenty-two adversaries. I think we're at fifty campaigns now. And we're not saying these are all inclusive, but we want other people to use the same kind of format. That's why it's open-source and why we used all these standards. We want other people to do it in the same way, because if people have different vantage points on the same actor, then we can combine them and say, hey, look, we suddenly know more about how this actor works.

Ryan Olson: [00:17:48] The most recent updates to the Playbook Viewer were just last week. We added the ability to see both the targeted countries and industries for the campaigns. So now when you go and click into a campaign, you'll see the little flags of the country pop up as well as little icons for the industries that were targeted. And now that we have so many campaigns, you can also filter them and say, show me all the attacks that have impacted Saudi Arabia, let's say, and it'll just show you the campaigns that we've seen there. And like I said, they're not all inclusive of everything Palo Alto Networks knows. These are finished products basically after we've published a report. But it's a great structure to be able to understand more about an adversary and sort of keep that adversary in mind when you're looking at intelligence related to them.

Dave Bittner: [00:18:29] Looking at PKPLUG, what are the take-homes for you? What's the message you want to get out about this particular adversary group?

Ryan Olson: [00:18:37] I think the key with PKPLUG is that a series of attacks that over the last six years definitely had some level of impact for people in different countries in Asia, while they seemed isolated to us over the past few years. It's clear to us that there's a lot more connective tissue and there's likely one adversary or group who's responsible for them. And if you can sit down and look at how their tactics have evolved over time, it can give you some insight into are they becoming more sophisticated – which we think they are – and are they learning from each of their previous attacks? Are they able to add new capabilities? Are they able to employ new techniques? And how quickly do they need to do that? Certain populations are more secure than others. And if you have a really secure target you're trying to hit, or a series of targets, you might have to evolve really quickly. In their case, they may evolve relatively slowly, but they still continue to evolve. And we can only see them if we can track them altogether and think of them as an adversary.

Dave Bittner: [00:19:37] Our thanks to Ryan Olson from Palo Alto Networks Unit 42 for joining us. The research is titled PKPLUG: Chinese Cyber Espionage Group Attacking Asia. We'll have a link in the show notes.

Dave Bittner: [00:19:50] Thanks to Juniper Networks for sponsoring our show. You can learn more at, or connect with them on Twitter or Facebook.

Dave Bittner: [00:19:59] And thanks to Enveil for their sponsorship. You can find out how they're closing the last gap in data security at

Dave Bittner: [00:20:07] The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. The coordinating producer is Jennifer Eiben. Our amazing CyberWire team is Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.