Research Saturday 2.6.21
Ep 169 | 2.6.21

"Follow the money" the cybersecurity way.


Dave Bittner: Hello everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Joe Slowik: We were able to identify some phishing messages with very specific themes related to that conflict.

Dave Bittner: That's Joe Slowik. He's a Senior Security Researcher at DomainTools. The research we're discussing today is titled, "Current Events to Widespread Campaigns: Pivoting from Samples to Identify Activity.

Joe Slowik: There was a – it's since ended now in a somewhat tenuous peace at the moment – but conflict in the Caucasus region between Armenia and Azerbaijan was a significant issue going back into the late summer, early fall period. So, as part of that activity, just looking through various data sets of what's going on in that region, or can we identify things of interest that are happening that reflect themes related to that conflict, or that appear to be coming out of or located in that region?

Joe Slowik: And based upon that, we were able to identify some phishing messages with very specific themes related to that conflict, such as the infiltration – or the alleged infiltration of PKK, Kurdistan Workers Party militants or fighters into Armenia, just a document proposing to be a news article about that that contains some interesting functionality that, once we started to analyze that a bit further, showed the outlines of a campaign that further research showed went back to December of 2019. So, activity that was almost a year across multiple geographic regions, all the result of just looking at this one area to start with.

Dave Bittner: Well, let's walk through it together. I mean, in your research here, you outline what you describe as your initial discovery, which is this conflict in the Caucasus region was going on here. What was the initial thing that caught your eye?

Joe Slowik: So, the initial thing that caught my eye was a document reflecting very specific themes related to that conflict. So, in this case, something that appeared to show up in Azerbaijan during hostilities as part of that conflict, and then with some interesting external reference activity within the document itself that's not common. It was a – not really an exploit, but a code execution mechanism that is not often seen. It's not quite template injection and it's certainly not the use of macros, but really referencing an external object in order to try to gain follow-on code execution on the victim environment.

Joe Slowik: So, there were a couple of things that seemed interesting about this. One, just where this was showing up, like, oh, this looks like it's related to an ongoing war, and then the somewhat unique nature of the document itself, which isn't typically reflected in more generic or more general sort of malicious document activity.

Dave Bittner: Mm-hmm. This document was masquerading as a news article, so you could imagine how folks who are interested in this conflict, this would attract their attention.

Joe Slowik: Exactly. And we see that sort of theme often enough across multiple actors, and it's really at that point where we certainly have to perform a little bit of educated guessing or conjecture at this point as far as who the likely or intended audience would be, based upon the themes of the item in question if we don't have the actual phishing messages, which we didn't in this specific case, although we were able to recover some for a couple of other examples for related activity. But again, given timing, theming, and some other items, it seemed very tightly correlated with that specific conflict.

Dave Bittner: And this document attempts to communicate with a specific domain?

Joe Slowik: Yes. So, we were able to identify, within the document, an attempt to communicate with a domain masquerading as or spoofing Microsoft Office or Microsoft-Office-related items. And it was really from there that we were able to really expand our investigation. You know, at DomainTools, what's our primary focus? Investigating network infrastructure – primarily, I mean, I look at malware, too, but network infrastructure is kind of our bread and butter.

Dave Bittner: Right.

Joe Slowik: And based on that, and kind of related to some other things that I've published recently, we were able to identify characteristics of the domain in terms of registration patterns, hosting activity, as well as just the sort of naming theme behind it, that uncovered additional related infrastructure that included links to further phishing messages, which allowed us to start really scoping out a longer term campaign.

Dave Bittner: Well, walk us through that. What were some of the details you uncovered and what was the process by which you uncovered them?

Joe Slowik: Sure. So, one of the things that I like to emphasize for security researchers in general is that there's a misconception around domains and IP addresses, for that matter, that these are atomic indicators, that there's not too much more to them other than just, I have the domain or I have the IP. And really, that's a misconception, because if we look into the characteristics of these network items, we actually have a plethora of details that give rise to the specific instances. So if we're talking about domains, I have the registrar through which it was created, the registration details, even if it's privacy-protected or some other masking service is used, there's commonalities in what service is being used by certain actors, where it's hosted and who it's hosted by, what services that particular piece of infrastructure may be exposing. And we can use all of these observations to try to find similarly structured items within large datasets, which is one thing that we have a pretty good advantage of here at DomainTools. And that's, again, kind of what we focus on.

Joe Slowik: So with that in mind, looking at the Office-masquerading item – and I can't remember exactly which one it was, "msofficeupdate" or "officeupdate," something along those lines – that we were then able to identify similarly structured items, multiple similarly structured items, that further analysis indicated there were documents that had communicated to them or were set up to communicate to them as well. And that's when alarm bells, but certainly the excitement starts to build that, ooh, wait a minute, we found something here, this is kind of cool.

Joe Slowik: And, you know, what was really interesting about it, too, is that, you know, certainly we already had the pattern-of-life behind the network infrastructure, like, OK, we have an entity that is largely spoofing Office themes and using similar hosting patterns for standing up this infrastructure, and then looking at the documents that were linked to this infrastructure, we started seeing a set of themes there as well. So, we already had the activity targeting Azerbaijan and we were able to identify a couple of other items, something that masqueraded as a press release with respect to the Azeri foreign minister and some similar items. But we were also uncovering documents that were very focused on either mimicking or appearing as things like semi-official documents from the breakaway republics in eastern Ukraine, the Donetsk and Luhansk People's Republics, which are not internationally recognized, but backed by Russian interests and so forth.

Joe Slowik: And so, now we started seeing the outlines of, like, oh, this starts looking very interesting as sort of, with just the isolated Azerbaijan document, like, well, as could be a lot of different things, we don't really know. And now it starts with something like, oh, this seems APT-like – very loose definition of APT, I guess, because "advanced" is always kind of a weasel word of sorts... 

Dave Bittner: (Laughs)

Joe Slowik: ...But certainly something that seems more state-aligned than what you would expect for business email compromise or something along those lines. 

Dave Bittner: Right.

Joe Slowik: So we got pretty excited in looking at this and timelining it out. It looked like there were sequences of events that roughly aligned with other sorts of tensions, whether in terms of ongoing tensions in eastern Ukraine, the conflict in the Caucasus region, as well as some activity in the Balkans, within NATO, which was quite interesting as well. So, just looking at all those outlines, it really became pretty interesting. 

Joe Slowik: And following up with that, communicating with some of the researchers and doing some additional historical analysis to the technique, we were able to – not establish a link, because I don't know if this is definitive at this point – but there are certainly echoes of a named entity behind this activity, a group referred to by Symantec as "Inception" and as "Cloud Atlas" by Kaspersky. So, maybe those are not quite one-to-one matches, but certainly overlapping activity. And that was curious because that's an entity that has conducted some interesting operations but has never really entered the limelight, so to speak, like some other threats, like your APT28 or 29 or some other entities.

Joe Slowik: So, the totality of evidence at this point, you know, walking through from domains to documents to themes to links with historical activity, really showed the outline or the image of a likely state-sponsored or state-directed actor operating in Eastern Europe along conflict and political themes, which was pretty interesting, starting just with one little phishing document.

Dave Bittner: Yeah. It's fascinating to me to want to, as I read through this research, to see the, as you say, the connecting of the dots. And I can I can sense the – as that happens, the excitement builds with you and your team that, hey, there's really something going on here.

Joe Slowik: Yeah, exactly. And that's why I love the work that I do, it's a little dopamine hit every time that you make another good connection.

Dave Bittner: (Laughs) Right. There's an interesting aspect here that – you point out that the functionality of some of these files is dependent on getting a response to a request that the file makes. And you did not get that response to the request which limited your ability to see into some aspects of what was going on.

Joe Slowik: Yes. And that was the unfortunate bit, is given the time elapsed between when some of these items were active and then when they were discovered, as well as possible or quite likely adversary operational security and gating of certain resources, that not only were we not able to pull the second stage that these documents were referencing, but working with a couple of partners, especially the Black Lotus team over at Lumen, formerly CenturyLink, we weren't able to identify what that second stage would be, which was very frustrating.

Joe Slowik: We hypothesize or assess, give them that link to the Cloud Atlas actor or similarity with the Cloud Atlas actor that that follow on would be some sort of PowerShell framework for execution on the victim machine. Can't prove that, but based on historical activity, that seems like the most likely next step, even if we can't confirm that at this time.

Joe Slowik: So, what are your conclusions in terms of the motivations and attribution here?

Joe Slowik: So the attribution here is a little sticky, and I'll get back to that in just a second. Motivations, in looking at the campaign – so, without having that second stage, we can't really differentiate or determine, you know, is this an espionage framework or the preliminary steps towards delivering some sort of espionage framework? It is possible, I suppose, that this could just be a very elaborate ransomware scheme, although I think the evidence is not very supportive of that. But the combination of targeting, theming, or specificity behind the documents in question, and links to historical adversaries, really seem to highlight the most likely motivation as being espionage for likely state-directed purposes. You could argue that without having the second stage, you can't make that as a high-confidence assessment. I would argue instead that, well, given the limited scope and lack of obvious monetization relationship behind these items, that that's the most likely explanation. 

Joe Slowik: Which then gets us on to, OK, this is espionage, who's doing it? And that's where things get really interesting, because if you look at historical reporting by Symantec and Kaspersky on the Inception/Cloud Atlas actor, that it's a little murky. That one thing you may assume looking at some of the preliminary targeting is, oh, it's targeting Azerbaijan and Ukraine, areas of the former Soviet Union. It's probably Russian, right? Well, not so fast. So, if you look at Kaspersky's historical reporting, Cloud Atlas activity has certainly operated typically within the former Soviet republics in the near abroad and Eastern Europe and Central Asia, but it's also included significant targeting within Russia itself.

Joe Slowik: And if we start diving in a little bit deeper beyond just saying, oh, this involves Ukraine or this involves Azerbaijan, that we see some other interesting characteristics that, for example, the Ukrainian elements in question weren't the legitimate Ukrainian government or elements thereof in Kiev, but rather the Russian-backed entities in the eastern part of the country, as well as other areas of strategic interest, such as NATO entities and then the conflict in the Caucasus. So the possibility, especially when we include that Russian-related targeting, is that maybe this is some adversary of or entity that's interested in collecting on Russian strategic interests, which could be quite interesting.

Joe Slowik: And this is where we can start really chasing our tails over and over again with different hypotheses for what this might be, and without getting too wrapped up into very esoteric detail, tried outlining some of those possibilities within the blog, but really, absent additional evidence, there's no way we can really definitively say. And I think the main takeaway from this isn't that attribution is impossible. I mean, it's not, people do it, and especially if you have access to really good collection or if we've been able to gather further evidence such as that second and potentially even third stage of this attack sequence, we might be able to do something more effective.

Joe Slowik: But it does highlight how this is not easy and very much dependent upon the data at hand and where it would be dangerous to try to make an assessment in a situation like this, because there are a couple of legitimate possibilities, and possibilities that are quite distinct or conflicting in nature that this could be associated with.

Dave Bittner: Can you give us some insight as to what goes on with you and your team when it comes to deciding when and how you're going to publish research like this? Because, to a certain degree, when you put this out there in the world, kind of, you know, the jig is up. They know that you know. When you publish something like this, is it at a point where you're pretty sure they already know that you know?

Joe Slowik: Yes. So in this particular case, through some conversations with other researchers, as well as some items in social media, it already appeared that there were elements of this campaign that had been in the public realm to a certain extent – not the entire element or an entire range of things, but certainly parts of it. So it already looked like this was getting some attention, and given the sunsetting of certain events and then what appeared to be a drop off in activity from September, October into early November, and then this was published in mid-November, it looked like this had sort of passed, or we had gotten beyond a sort of expiration date for this particular activity.

Joe Slowik: After that, though, I mean, you're right. There is a certain – once upon a time I used to work in the US military intelligence community circles, and there's always that question of intelligence gain versus intelligence loss as a result of acting on or publicizing certain things. That's always a consideration that we have to keep in mind. So just simply yeeting out indicators and adversary behaviors into the public can be very irresponsible at times, and I acknowledge that. 

Joe Slowik: In this case, though, at least my professional opinion and judgment was that there was a greater benefit in publicizing this than in sitting on it at this point, given that this activity had been taking place for a while and we were even able to contact one of the victims in question – and this was approximately several weeks after it looked like the activity had impacted them – and they were completely unaware of this activity, which, you know, we made sure we made that connection before we went live with the publication, so that they were able to – one, they weren't surprised. I mean, it always stinks to read about, like, hey, you got phished and you're...

Dave Bittner: (Laughs) Right.

Joe Slowik: ...But also the way you found out about it was via a tweet or something. But also so that they could take proper defensive measures and investigative steps on their end. So, yeah, I mean, I could see some people coming out and saying, like, oh, you know, someone's just going after clicks here and publishing this stuff. It's like, yeah, maybe, I mean, at DomainTools we don't sell a threat intelligence feed or anything, so there's really not that much of a game that we have. I just look at this as being a way to try to benefit the community and to highlight to entities that might not have access to very good but very expensive threat intelligence feeds, to highlight some of the activity that's going out there. And this is a very long way of saying that I think the benefit here outweighed the potential risk in tipping an adversary off.

Dave Bittner: Yeah. And so what happens now? Again, for you and your team, what sort of – to what degree are you monitoring further activity for these folks? If they go quiet, if they reboot or how does that process work going forward?

Joe Slowik: Sure. And I think this is something that all analysts can take into consideration, that adversary behavioral changes are seldom revolutionary, but typically evolutionary. And when I say that, what I mean is, you know, whether you want to take a kill-chain way of looking at things or a diamond model or a MITRE attack way of conceptualizing how an adversary operates, that there are many aspects or many elements of a intrusion event that an attacker has to develop and deploy to be successful. From what kind of network infrastructure they're creating, what sort of capabilities they're deploying, and then follow-on tools and techniques that are used in victim environments.

Joe Slowik: And we could look at this example as being a pretty good case study of how adversaries will change certain aspects of their behavior. So, for example, if we take the assessment that this is most likely related to Cloud Atlas or more likely Cloud Atlas than any other tracked threat group that's out there in terms of what this might be linked to, well, in that case, we see a significant change in network infrastructure characteristics, but not a very significant change in dropper document or initial infection document capabilities in terms of how remote resources are accessed and then used for potential follow-on execution.

Joe Slowik: So, what I'm trying to say here is that from a defender standpoint, by understanding how attackers operate across the entire sort of attacker lifecycle, that we can gain insight into different stages of how adversaries operate, and the likelihood that an adversary will completely revolutionize their activity across all phases of that life cycle are not impossible, but that's very costly. And if we have a thorough understanding of what an adversary looks like across each phase of their operations, yeah, they might change how they stand up network infrastructure or they might change how they set up initial stage delivery documents for additional code execution, but the likelihood that they change everything is somewhat small.

Joe Slowik: So, if we can keep track of or try to monitor for each of those phases and each of those sets of behaviors related to stages of the intrusion lifecycle, we can identify adversaries, maybe not as early as we'd like to if we're looking at this from a network defender standpoint, but from a CTI perspective, we'll have an opportunity to detect these adversaries at some level and then from that detection point begin to build out, okay, what changed from previously to fill in those gaps for what an adversary has done to sort of shift their operations in response to defenders from previous reporting or being caught in other environments.

Dave Bittner: Our thanks to Joe Slowik for joining us. The research is titled "Current Events to Widespread Campaigns: Pivoting from Samples to Identify Activity." We'll have a link in the show notes.

Dave Bittner: The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing. CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.