Targeting Olympic organizations.
Dave Bittner: [00:00:03] Hello everyone and welcome to the CyberWire's Research Saturday presented by the Hewlett Foundation's Cyber Initiative. I'm Dave Bittner and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Dave Bittner: [00:00:26] And now a moment to tell you about our sponsor the Hewlett Foundation's Cyber Initiative. While government and industry focus on the latest cyber threats, we still need more institutions and individuals who take a longer view. They're the people who are helping to create the norms and policies that will keep us all safe in cyberspace. The Cyber Initiative supports a cyber policy field that offers thoughtful solutions to complex challenges for the benefit of societies around the world. Learn more at hewlett.org/cyber.
Raj Samani: [00:01:03] In this particular instance, we discovered the file that was being used, or really the file that was being disseminated.
Dave Bittner: [00:01:10] That's Raj Samani. He's chief scientist at McAfee and this week were discussing the campaign that he and the McAfee Advanced Threat Research team recently discovered, one that's targeting organizations involved with the upcoming PyeongChang Winter Olympics.
Raj Samani: [00:01:24] We actually picked it up a little later than the campaign actually began, because the campaign started on the 22nd of December and we found it on the 29th.
Raj Samani: [00:01:33] So we're about a week behind. You know when the campaign actually began, and actually one of the things that we realized was there were two campaigns, you know there was really the initial campaign which I guess was a little clunky, and then there was a modified campaign which was actually really quite clever. So you know a lot of the research that we published focused on that second campaign which was really impressive actually.
Dave Bittner: [00:02:00] Well let's go through it one by one then. The first one, can you describe to us what was going on?
Raj Samani: [00:02:05] Yes so the first one was fairly simple in terms of, you know, it was an e-mail. I mean, it's always an email, isn't it? And of course within that e-mail there was a PowerShell script.
Raj Samani: [00:02:18] But what we kind of began to witness was that you saw steganography which came about from the second campaign. And you know, I think the thing that really surprises us is, well it probably doesn't surprise us anymore, but the bad guys follow us, and not I'm saying me specifically, but they follow the industry. And you kind of saw this, I think it was around about November. We published research into APT28, and they were leveraging a technique or feature called DDE, dynamic data exchange. You know I think the vulnerability, or really the feature, was identified by Proofpoint just a few weeks earlier. And it kind of says to me that you're seeing threat actors not necessarily using zero-days because they don't need to. Because what they do is they follow the research that we're doing as an industry and they look to weaponize that as quickly as they can.
Raj Samani: [00:03:16] And you know this particular campaign on to the Olympics was doing something similar whereby there was research that was published, I think in the 20th of December. Anyway, it was about seven days before we actually saw it being used and weaponized in the wild. And so it shows a lot about the kind of disparity between, we get no visibility about what they do and yet they can follow people on Twitter, they can listen to our webcast, listen to our podcasts even, and learn the tips and techniques that can be used to infect systems across the globe.
Dave Bittner: [00:03:55] Yeah. So again in this first crack at it from them, what sorts of things were they up to?
Raj Samani: [00:04:02] Well so actually it was very similar in terms of the campaign itself. It was just the technique that differed. You know, so in the first attack, it was a Word document and within that was a PowerShell script. But the second time round was different in terms of, an email was sent and actually the first thing to add is the email that was sent actually was from info [at] nctc.go.kr. So it was actually the National Counter-Terrorism Center that they spoofed the e-mail from. And what was interesting was, the NCTC at the time were actually doing, like preparedness drills. So it wouldn't have been out of the norm for organizations to receive an email from NCTC.
Raj Samani: [00:04:52] What was different, and obviously the way that we were able to determine that it was different was, the IP address that was used is an IP address coming out of Singapore, it wasn't the mail server from NCTC. So look, it was it was using authority. But actually the timing of it was was pretty clever. You know it was they was sending the email and the Word attachment appeared to be, you know, in Korean it said organized by the Ministry of Agriculture and Forestry, PyeongChang Winter Olympics, and apologies if I mispronounced that. But what they did was they actually sent the e-mail to icehockey [at] pyeongchang2018.com. But they actually copied about just in excess of 300 organizations in that. And I'm one of the things I can say is that we, you know, we're pretty confident that there were some organizations and some recipients that actually fell for it and subsequently were infected.
Dave Bittner: [00:05:49] And so this steganography component, can you describe that for us? First of all, just describe to us what does that mean?
Raj Samani: [00:05:56] Okay, so steganography is where you can embed data within an image file. So you know it looks like an image file, it looks like a normal picture, but actually you can hide content and hide data inside. So it's a really clever way of obfuscating and hiding data within image files, so it looks like an ordinary file but it's not. And you know they actually used a tool called PS Image which had been published about a week earlier. So again you know they were monitoring the types of tools that the industry were producing and they used them for nefarious purposes.
Dave Bittner: [00:06:40] And quick turnaround there as well, I mean they're not wasting, they're not they're not sitting on their hands.
Raj Samani: [00:06:43] Yeah, I mean it was a week, and actually there was you know, there was a lot of obfuscation involved in, I guess that kind of second iteration, because you know, the user would receive an e-mail and within that would be a Word document. If they enabled the content there'd be a PowerShell script. Incidentally, we know who was behind this. It was an author by the name of John. So that clears it up all right? John was behind it. It's kind of tongue in cheek but actually you know the PowerShell Script was actually, had the name of John as the author. So what it then does, it then connects to a remote server, and that remote server then downloads an image file and within that image file there was another script within that which then was launched via the command line and then, would then connect. And actually that PowerShell script then, you know that was then executed, had a lot of obfuscation within that. Obviously once that script ran it would then connect to the command and control server. And obviously that would then allow the criminals the ability to be able to connect to these particular systems and, you know, we were able to actually gain access to the log server. And having to look through the logs, what we were able to determine was that there were connections from South Korea. So we know that there were systems that were compromised as part of this attack.
Dave Bittner: [00:08:14] And what does it seem like there after?
Raj Samani: [00:08:17] Anything they want. Because once they've got access to the systems via the C2 server then they can do what they want. I mean you know I think that's kind of where we kind of hit a wall which was, you know, we were able to determine how they got in. We were able to determine the fact that systems were impacted. But what they did was they then had a, like an encrypted section between the victim and the control server. And by the way the control server was actually hosted in Costa Rica. So what we don't know obviously was what's inside that connection. What we, you know obviously because it's encrypted our ability to be able to go further really requires us being able to get access to the C2 server and then being able to inspect what goes on thereafter. So obviously that's kind of one of the challenges that we face as an industry is, at some point you know we can only tell some of the story.
Dave Bittner: [00:09:13] Now looking at your research is it accurate that one of the command and control server seemed to be a compromised server, a server that perhaps the people running it didn't know that they were, that they were serving out this function?
Raj Samani: [00:09:27] So actually it's the it's the Apache server that was being used for the logging purposes.
Dave Bittner: [00:09:33] I see.
Dave Bittner: [00:09:34] And that was, yeah, and that was compromised. And so what appears to happen here is that somebody's just running the server and completely unaware that it's being used for malicious purposes.
Dave Bittner: [00:09:46] And so in terms of attribution, in terms of who's behind this, what kind of clues do you have there?
Raj Samani: [00:09:52] Well, so we intentionally don't do attribution. And one of the reasons we don't do that is because you know we can have all of the technical indicators in place. And what I will tell you is the technical indicators suggest that it's nation-state and it's a group that speaks Korean. Now you're going to say to me, ha ha, Raj, I know who that is. Right? It's you know, if you look at the list then it's pretty much one, you know, one entity. But there is clear evidence to suggest that there are groups out there that intentionally leverage and use false flags. You know for example using language packs or you know even something as simple as making the IP address appear to come from somewhere it isn't.
Raj Samani: [00:10:35] So what we won't to is, and what we will never do as a company is say, OK we believe it was country X or country Y. I know you know there are other organizations that may be willing to do that, but I kind of feel, I think we've got a kind of a sense of purpose which is that what we'll do is we'll share all about technical evidence with the industry so that we can learn from this. Fundamentally we need to understand the threat actor and how they're evolving and how they're getting better. But any information with regards to attribution, you know should be left to public sector such as law enforcement.
Dave Bittner: [00:11:10] And so how can people protect themselves against this sort of thing?
Raj Samani: [00:11:14] I probably want to just take a slight detour, um, this is actually one of four publications and really phenomenal research that my team have done. Like I said we began in, I think November was the first one that I think was remarkable where we had evidence of you know a group that we believe could be APT28 using dynamic data exchange. We then had a nation state who'd never really done this before, who migrated over to the mobile space. They actually went after religious groups, we believe to target defectors, and then just I think just a week after this one we published research on a similar nation state who were going and using social media and chat apps to go after journalists as well as defectors.
Raj Samani: [00:12:04] And so the number one thing that anybody can do is be aware of what's happening because you know in the last few weeks we've seen one of the most prevalent and nefarious threat actors move to mobile, and that's never happened. We've seen threat actors leverage dynamic data exchange, we've seen them using steganography. This is all new. And so we need to be aware of the tactics and techniques that they're using because, and I'm not going to quote Sun Tzu because you know it's 2018, but we need to understand the way that these threat actors are evolving so we can better defend ourselves. And I would say you know publications like the CyberWire for example, and organizations such as ISACA and others, they're so important in terms of being up to date with the way that these techniques are being leveraged and being used and so I think for me the most important thing here is being aware of the way the threat actors are evolving and adapt and adjust your defense accordingly.
Dave Bittner: [00:13:10] I'm not quite sure how to ask this question. The fact that this is centered around the Olympics. Do you think that they are specifically targeting Olympic organizations or do you think that the Olympics are sort of an excuse if you will, a framework for which to hang a campaign that they would have done anyway? Do you follow where I'm going with that question?
Raj Samani: [00:13:36] Yeah no, I mean if you look at the organizations that they targeted they went after organizations predominantly associated with the Olympics. The entire theme of this was associated with the Olympics. So this was a targeted campaign specifically focused on the Olympics. You know, much like we saw the APT28 group in November, that was targeted at organizations associated with the military, specifically those engaged with the U.S., right? But it is very, very specifically minded towards compromising specific organizations and so, look there's is no doubt in my mind they wanted to go after these organizations.
Dave Bittner: [00:14:16] And so that points to more of an espionage goal than say, making money.
Raj Samani: [00:14:21] Oh yeah, without doubt. You know I remember the last time we spoke we talked about ransomware for example. You know there was uncertainty where the ransomware is making money or for disruption. I mean this one for me suggests absolutely intended for espionage. I don't think there's any monetary gain involved in any of this at all.
Dave Bittner: [00:14:41] So if people want to find out more about this particular campaign and some of the other work that you and your team are doing what's the best way to do that?
Raj Samani: [00:14:49] So we actually post everything on our blog site which is securingtomorrow.mcafee.com. But you know have a look on Twitter and you know myself and the team will always tweet all of the latest research that we're doing. So it's Twitter which is @Raj_Samani. But also McAfee Labs we've got our own Twitter feed to McAfee Labs as well. And you know we've got a great pipeline of research coming out. So the best thing you can do is be up to speed with the way that these criminals are adapting their techniques and hopefully we'll shine a light on that.
Dave Bittner: [00:15:25] Can you speak to the nature of community when it comes to researchers like yourself both at McAfee and other companies, the importance of putting this information out there and collaborating?
Raj Samani: [00:15:31] Oh I'd love to speak about community because you know I started in this industry and it was an infosec community and you know it's now become an industry. What we do is we collaborate we communicate we share information with partners wherever we can. And in most cases I would say it's well-received. But you know lately there's been a kind of trend of individuals to kind of, I guess talk badly about vendors and say, look I'll give you an example. So Bruce Schneier recently did a blog on the No More Ransom initiative and he was very very positive about it.
Raj Samani: [00:16:16] And in the reader comments there was one individual who says, look I don't trust McAfee, I don't trust Kaspersky. They've done No More Ransom what's in it for them? And what I would say to that is, look I realize you know, yes we're a commercial company and you know commercial companies are there to make money, but for us as researchers we do everything that we can to share samples with each other and you know when WannaCry happened we were communicating on Slack forums and messages and doing everything we can to get the information out there and so we're trying our best to shine a light to this. And if you've got any feedback if anybody has any suggestions please let us know and you know it's an open door and if anybody wants to collaborate and share information with us we're willing to do that. I mean you know we launched No More Ransom against ransomware, that's about 100 organizations. We also work on the Cyber Threat Alliance for example, that's ourself, Semantic, Fortinet and others.
Raj Samani: [00:17:14] So really the intent here is we've got to work together against the bad guys are working together and they've been doing it for a long time. So as an industry I think we've got a lot of catching up to do.
Dave Bittner: [00:17:31] Our thanks to Raj Samani from McAfee for joining us. You can read their complete report which is titled Malicious Document Targets PyeongChang Olympics. It's on the McAfee Labs website at securingtomorrow.mcafee.com. Thanks to the Hewlett Foundation's Cyber Initiative for sponsoring our show. You can learn more about them at hewlett.org/cyber. The CyberWire's Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe where they're co-building the next generation of cyber security teams and technology. It's produced by Pratt Street Media. The coordinating producer is Jennifer Eiben, editor is John Petrik, technical editor is Chris Russell, executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.