Research Saturday 10.31.20
Ep 158 | 10.31.20

Leveraging for a bigger objective.


Dave Bittner: Hello everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Jon DiMaggio: Well, APT41 is a long-standing group that's been around since, according to the recent indictment, 2011. We at Symantec have actually been tracking them since 2012. So, shortly after they popped up, we kind of – they got on our radar.

Dave Bittner: That's Jon DiMaggio from Symantec's Threat Hunter Team. The research we're discussing today is titled, "APT41: Indictments Put Chinese Espionage Group in the Spotlight."

Jon DiMaggio: I guess what their biggest claim to fame or what they were known for is they're one of the early adapters that really got into leveraging attacks for what they call supply-chain attacks – leveraging victims for attacks for a later stage of a bigger objective. So they would get into all these other companies in order to use them to sort of traverse by those trusted relationships into what their actual target was.

Jon DiMaggio: And, you know, they were one of the groups that sort of created that and started doing that. We really didn't see much of that, and now it's much more common, but these guys were doing it starting back in 2012. But it's also one of the most confusing groups because, you know, most of the attackers that you see – while in the espionage game especially – if they're a group that is involved in espionage, you generally don't see cybercrime. So that really confused a lot of researchers.

Jon DiMaggio: And so, the reason I'm sort of throwing that in is when we look and we track activity and you try to identify motivation, it really throws you off when you start to see very different types of attacks where you're looking for a complete different end result. You don't usually see financial gain involved with an operation that is trying to steal information that's clearly going to be used for political or military purposes. So this group really is interesting because of that.

Jon DiMaggio: So, you would have all these pockets of activity, you'd see things involving clearly very custom-developed, sophisticated espionage malware that steals information, and then you'd see other attacks where they're leveraging that and using it for financial gain. And really, one of the biggest differences in that was looking in what the times of use of when these types of attacks were doing. But we can talk about that a little bit more in detail.

Jon DiMaggio: But yeah, we've been tracking them since 2011, and they have quite a toolset of their own malware that they use for these attacks. We assessed that they were a small group. They clearly had ties back to the China region. And they clearly had the resources to have custom tools, custom malware. And they appeared to be very long-term, objective-oriented attackers, meaning they'd have all these different phases of an attack before you could figure out what the actual real true objective was.

Dave Bittner: Can you give us some insights, as a researcher, what is the process like for you and your colleagues for sort of connecting the dots? For determining, as time goes by, what do you include with this group? What do you exclude? How do you make that circle smaller and smaller over time to know exactly who you're dealing with and likely what they're up to?

Jon DiMaggio: Yeah, so that's a great question. So, the normal process of how we apply that against any sort of targeted attack is to not just look at the first attack. So, usually you begin because of one event or one attack. But what you need to do when it comes to these sophisticated attackers is to expand that, pivot, and identify other infrastructure, other malware, other victims. And then do a rearview mirror look to see, OK, are there other campaigns? Maybe there's a different vertical, a different sector that it's been targeting that you're not seeing, but you can learn about the tactics from that group. So you really need to pivot and look back, rearview mirror, collect all that information, reanalyze everything that you have, and sort of come up with a bigger picture hypothesis of what that attacker is doing, what is their motivation, and what does all of these smaller attacks lead up to.

Jon DiMaggio: This group, however, made that very difficult. And the reason I say that is what I alluded to before. We looked at the pocket of activity, and when you have custom malware that you believe is unique to an attacker, especially something that you think is resourced back to a nation, that attacker is – you know, it's for those military government purposes. Therefore, you don't usually see that very sophisticated malware used for financial-gain attacks. And the reason why is, you know, they spend all this time developing this malware. You don't want to take the chance that it's going to get identified, and then researchers and antivirus and defenders can now write signatures to detect it, and your advanced operation that you spent all this time and money on is – a major component of it is no longer usable.

Jon DiMaggio: So that's what was so weird about this is, you know, we were seeing what was clearly espionage operations, and then shortly after, we began to see these financial-gain-motivated attacks. One of the things that we did – I sort of alluded to earlier – that really helped us to figure this out was time-boxing the activity. So, taking longer-range time periods of the activity and plotting the hours of actual human-on-victim-network time. So, when a human was actually logged in doing things as part of the attack. So those high-fidelity timestamps, if you will, of events. And then you plot those over time and you sort of look for what would fit in a workday. This is really relevant for nation-state attacks, because usually your A-game guys are working in day shifts. That's just the trend that we often see. You have different teams – usually your A-game guys will be working during the day.

Jon DiMaggio: So anyway, you look for that to try to come up with time zones that fit a possible workday and then you apply that to regions of the world. Well, what we noticed when we did that is there were very distinctive patterns between – while using the same malware and tools, there were very distinctive patterns between the espionage-geared attacks versus the cybercrime, financial-gain-motivated attacks. And what we saw was the financial-gain-motivated attacks against many of the video game companies that we saw were actually taking place between 10:00 p.m. and 1:00 a.m. in the same time zone that we had leveraged from the time-zone analysis of the espionage attacks. So, by applying that – because we had less data for the cybercrime – so applying, though, that same time zone to those attacks, assuming that, because the malware is so unique, that the people using it must be at least have a relationship with those who are doing the espionage attack, allowed us to sort of make that assumption, OK, well, these guys are using it at night. And what's the first thing you think of as I say this – moonlighting.

Dave Bittner: (Laughs) Yeah, that's what I was gonna say.

Jon DiMaggio: Exactly. Which makes it so interesting.

Dave Bittner: Right. Right. Yeah.

Jon DiMaggio: When do you ever see, like, espionage operators, like, eh, I got a few hours here tonight, let's go make some money, guys. I mean, you just don't see that. And that – we saw that back then and that made this so interesting. And, you know, we did some collaboration with some of the analysts at FireEye – we talked about this at RSA this year, myself and some FireEye guys, we did a panel. We actually did a use-case on this exact group. And the reason we did it is, we at Symantec track them as two different groups. We believe that, just like FireEye, they're the same individuals behind the activity. However, the actual buckets of activity – what they're doing – was different. So we track it by the activity, not the people. FireEye tracks it more by the people, not the activity. So, neither is wrong, but we track them very different. So that's one of the things that we discussed. Point being, though, that's what makes this so interesting, is you have these, you know, operators moonlighting, using the same weapons essentially to come up with different outcomes for different types of attacks.

Dave Bittner: Yeah, I mean, it strikes me as kind of like, hey, boss, you mind if I run off, you know, can I use the photocopier after-hours or something? You know, that sort of thing. Because I can't imagine that these guys would be doing this without permission.

Jon DiMaggio: So, yeah, exactly. That's – I don't believe for a second that – I agree with you, you wouldn't expect them to – but I don't believe for a second that – I'll just refer to it as their handlers. We know from the indictment that there was relationships with some of the operators with the Ministry of Security and the National Security Bureau in Chengdu – that was in the indictment. So, we don't know that that's who's behind the espionage attacks, but we know that some of the operators had working relationships with those organizations.

Jon DiMaggio: But let's just call it the handlers behind the attacks, the ones paying for, planning, that are the benefiting from the attacks. Whoever that is, I cannot imagine that they would be OK, though, with these guys using their, again, their military-grade weapons, if you will, in their, you know, the secret sauce with their custom malware to steal something basically as dumb as video game currency. You know, that just seems like such a waste of your resources, because like I said, the more you expose your malware to the Internet, to the world, the higher likelihood it's going to be identified, have signatures written, and now it is no longer effective. So I just don't believe that they were on board or OK with that. I truly think that they probably did this on their own to make a buck and didn't think they would get caught.

Jon DiMaggio: And then the fact that they worked with these guys in Malaysia and they created what I call a shell company, the Sea Gamer Mall, that they essentially created that entity simply to sell the virtual currency that they had obtained in their theft campaign. So, the whole thing is – these are all smart guys, clearly – but, you know, I think it's a bad day for them, whether the indictments can touch them or not, I think it's a bad day for them in China when that indictment came out, because I really don't think that, like I said, any government entity would be OK with you using that for your own financial purposes. And it's not like China is some poor nation that's going to benefit from financial-theft attacks. You know, we see that sometimes with North Korea as the best example. We don't really see that with China. So it really doesn't fit their model.

Dave Bittner: Do we have any insights as to what the culture is among the elite hackers in China? And I come at the question from this direction, which is that, you know, I have heard, here in the United States, I've heard about people with high technical abilities being referred to as rock stars or national treasures or those sorts of things. And so those people are well taken care of, to the point of sometimes being coddled, or they may have peculiarities in their personality that are overlooked because their technical skills are so high. Do we have any insights into that – what may go on culturally in China?

Jon DiMaggio: Yeah, so, I do actually have an opinion based off of experience from all the research and observing these groups for a number of years. So, previously, like, up to, say, maybe 2010. So, from 2002 through 2010, one of the really useful pieces of research that we could do was if you had any sort of a handle or any sort of unique piece of identifiable information in malware that you could use to find the developer, one of the things that used to take place was guys would leave a handle in malware. So there was a malware guy based out of China who used the alias "YYT Hacker" who was just notorious for putting his handle within his malware. And that malware was eventually seen in some of these groups that we track, you know, in espionage attacks.

Jon DiMaggio: And so, things like that allowed you to go search and identify, all right, well, this guy, you know, has this handle and he did a paper for a technical university in China with an email address with that same handle. You know, you could piece these things together. They got – bear with me here, I'll answer your question – but they got – they have become much better at their operational security. It is rare now that you get things like that that you can use to pivot on. And the reason that that's important is because I think the government really cracked down on that and said, hey, operators, you need to have discipline – or hackers, whatever word you want to use – you need to have discipline here. This isn't – we're paying you, you know, you're giving away our operations, you're giving away to identify us and attribute to us, you need to stop doing that. And the reason, I believe that they took a stance to do that is because it tapered off so quickly, and it's so rare now that we get that sort of open-source piece that we can really go dig and find the guys behind the keyboards.

Jon DiMaggio: So we have to rely so much more on either mistakes in operations or things in the malware or the things that are human-based patterns of what they do when they're on our network. They've made it much more difficult. But I don't think, though, that it's something that's condoned. I do think they do treat their operators, like you said, that rock star mentality – absolutely. The guys that I think that are good at what they do, they probably, you know, they are probably well-paid and treated decently in their home country. But there's the one thing that I think is important to always remember, you know, human greed, especially when it comes to money, it's something they can get the best of anyone. And I think that's really what you saw here.

Dave Bittner: Interesting. Well, let's dig into the indictments. Mid-September, the US Department of Justice comes out and charges seven people, including some folks with APT41, with a variety of crimes here. How did this impact you? What was your reaction to this?

Jon DiMaggio: Well, reaction is – whenever we have an indictment come out, you know, it's exciting because the indictments provide so much information and intelligence, not just on the attacks, but the people behind it. So we literally, when they come out, you know, my team and I, we all sit down and read the entire – not just the blog that talks about the high-level stuff – we actually get down and we read into the weeds, because it's so interesting to take that and then compare it to our research and see what did we get right and what did we get wrong? And, you know, a lot of times the things that you just – you couldn't possibly know as a defender – only government-type intelligence agencies could figure out. So these indictments really shed light on that.

Jon DiMaggio: Doing that process with APT41, I'll be honest, we got this one – it was pretty good. We had – obviously we didn't have operator names, but as far as the way we tracked it, the way we broke up the malware, the operations, the way we separated them – at Symantec we actually had this pretty good. What I did find extremely interesting, though, was that human aspect. So, the fact that, as you mentioned, there's seven individuals, well, there's only two of them that they specifically called out that you worked both the espionage and cybercrime operations. Now, obviously, we can infer that all of them have relationships in some way with one another. But the actual indictment itself only actually calls out two that did cybercrime and espionage, which to me says, you know, the others might have been involved in cross-operations, but these are the two that we have black-and-white evidence to support that claim, since it's in the indictment itself.

Jon DiMaggio: So I think that's really interesting. I think that the sort of – it wasn't really finger-pointing, but it subtly was – at some of the government agencies that they mentioned in the indictment that had relationships with the operators. I thought that was very interesting. Again, that's something that, unless there is a mishap in their operations where they make a mistake and we get to see an IP – like, let's say they forget to turn on a proxy and they originate from one of those entities – unless things like that happen, we don't usually get the government piece behind it. So that was really interesting.

Jon DiMaggio: The Chengdu 404 Network Technology piece, you know, we had heard of that organization before. We didn't have evidence that it was necessarily bad, but there was a lot of suspicious things that were around that. So that was at least on our radar. And then the Sea Gamer Mall that was selling this fraudulent stuff – we had not heard of that before at all. But that was based out of Malaysia – that wasn't exactly our prime area of research in this. But adding all it had been together, like I said, I just sort of named the interesting pieces that we may not have necessarily ever known about. But putting it all together, you know, it really tells us we're doing a good job in the way that we're tracking and doing our analysis. You know, it isn't always like this where all these things line up, but it's usually pretty good. But this one we had a real win out of.

Dave Bittner: Now, do you suspect that the folks behind APT41 will change some of their tactics as a result of this indictment?

Jon DiMaggio: I do believe that. So, the reason I think that that's definitely going to happen is we've seen it in the past. You know, I mean, the most high-level example is APT1. You know, when that happened, they burned infrastructure, they shut down operations for several months, they rebuilt. You know, that was a China-based group as well. But it's not just even China you see, though. You can use Russia for another example. Let's talk about them. Completely different nation. But when, like, Dragonfly, the US energy infrastructure attacks that took place. That was one where we wrote a blog on that and we put information on that, and they shut down operations temporarily, they burned infrastructure, they retooled, and they came back with a different style of attack.

Jon DiMaggio: So, I think, despite the nation, I think that is generally what happens with espionage attackers. You know, lesser attackers don't necessarily have the resources to, you know, to stop, retool, recreate new malware, come up with new creative ideas to attack, and start again once they've been identified. But governments certainly do. So I think that trend will continue here. But I don't think they'll go away. I think they'll slow down and we'll see a gap in activity, and then they'll come back with some new creative way to attack and to continue their operations with the same end result.

Dave Bittner: Our thanks to Jon DiMaggio from Symantec's Threat Hunter team. The research is titled, "APT41: Indictments Put Chinese Espionage Group in the Spotlight." We'll have a link in the show notes. 

Dave Bittner: The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing. CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.