Research Saturday 5.28.22
Ep 234 | 5.28.22

Compromised military tech?


Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Research Saturday." I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Dick O'brien: StoneFly has - it initially caught our eyes because, in our view, it is probably the most interesting of the North Korean-sponsored espionage groups. 

Dave Bittner: That's Dick O'Brien. He's principal editor at Symantec. The research we're discussing today is titled "StoneFly: North Korea-linked Spying Operation Continues to Hit High-Value Targets." 

Dick O'brien: So, yeah, they're interesting for a few reasons. They've been around for a good while. I think they first appeared around 2009. And at the start, they were, like, you know, your - what was at the time your prototypical North Korean-sponsored group. So they were involved in sort of lots of noisy, you know, not terribly sophisticated attacks. So they started out doing distributed denial of service attacks against targets in South Korea and the U.S. And, you know, they kind of pop up every couple of years with DDoS attacks. Then they introduced a backdoor Trojan. They were obviously stealing some information. They were involved in some disk-wiping attacks in, I think, 2013. 

Dick O'brien: But something interesting happened to them along the way. Some time either in 2019 or probably sometime before that, they completely pivoted into something very, very different. And since that time, they have been focused on a very small number of espionage attacks, and they're very tightly focused on what we believe to be acquiring kind of sensitive, classified or advanced intellectual property. So they seem to be, like, this really super-focused specialist team who are just kind of going after this type of information. So every time we see a StoneFly attack, the victim is always really, really interesting. 

Dave Bittner: What makes you believe that this is the same group that we'd seen previously, you know, since 2009 if they updated their techniques and indeed headed in a different direction? Are there things that point to it still being a continuation of the same group? 

Dick O'brien: There's definitely a continuation in terms of the tools that are used. So you can kind of - you know, obviously, the tools they use today are of no resemblance to what the tools they started out with. But there is a kind of a daisy chain or an overlap of tools used all along the way. So these days they use a custom backdoor Trojan that we call Preft. Some other vendors call it Dtrack or Valefor. And that's kind of the - from our perspective, the calling card because they're the only group who use that particular backdoor. So, yeah, we've been able to kind of follow them through the years, through overlapping of toolsets. 

Dave Bittner: Yeah. Well, let's go through together this latest target that you all analyzed here in the research. Can you walk us through, step by step? What exactly did you all witness? 

Dick O'brien: What we came across, it was kind of an interesting attack from our perspective because, initially, we thought it might be ransomware because we were doing a ransomware investigation that was another customer on - you know, completely different geographic investigation and a completely different geographic location. And we found a tool there that we thought was linked to the ransomware, and then we saw on this particular organization where we were - you know, we were giving them the heads-up that there may be some ransomware actors on their network. And then it turns out that the tool wasn't linked to the ransomware attackers at all, that it was actually a Stonefly tool. So then, of course, you know, we spun up our investigation on it. What we found was a long-term intrusion against this organization. 

Dave Bittner: Well, let's go through it, I mean, step by step. But when you all initially started the investigation, what sort of things caught your eye? 

Dick O'brien: The means of entry was interesting enough. We believe it was a exploitation of the Log4j vulnerability, which I guess most people would be familiar with. It really hit the news back in December. I say we believe - that's because an exploit was run for this vulnerability against a VMware View server that was publicly facing. And the exploit ran, and then within 24 hours - I think it was 17 hours - we saw our first evidence of what was definitely Stonefly activity on the computer. So given the timeframe there, you know, it seems that this was their way into the network. So they got onto the server. And they did a lot of groundwork, I guess, in terms of establishing a persistent presence. So they put a backdoor there. They got some communications back to their command-and-control server. There was evidence of them dumping credentials and things like that. And then once they kind of got all the information that they needed, they began moving laterally across the network. I think it was about 18 computers in total that they got on to. So, you know, a good opportunity for them to kind of look around and see if they can find anything interesting. 

Dave Bittner: Let's talk about that Preft backdoor itself. You all pointed out that it seemed to be that they had updated it in this particular campaign. 

Dick O'brien: Yeah. Yeah. I mean, and this is not uncommon for an actor like Stonefly. They'll continuously develop their malware. At the very least, you know, they'll adopt different obfuscation techniques to try and avoid triggering any security alerts. And in this case, they added a couple of additional bits of functionality. And I think it was an ability, in this case, to support a wider range of plug-ins. So I think the previous versions we've seen could only handle two different types of plug-ins, and this one could handle four executable BPS patch files and shellcode. 

Dave Bittner: Well, walk me through exactly, sort of step by step, what Preft does when it kicks into action. 

Dick O'brien: It is - it's essentially - it's a backdoor Trojan. So if you're - you have a persistent presence on the victim's machine. So it does have the kind of functionality that allows you to perform certain actions on the computer, take information identified for exfiltration. 

Dave Bittner: And so is there any sense for exactly what they were after here? Was there any, you know, pattern in the types of things they seem to be interested in exfiltrating? 

Dick O'brien: What I would say is that - I would say this company - I can't say too much about them. But they're a very specialized engineering company. So they work in the energy sector, particularly energy - offshore type of energy extraction. And they also work with the military. So presumably, they're kind of looking for information about, you know, how they do things or how they work with the potential to kind of leverage that intellectual property and whatever they want to do themselves. 

Dave Bittner: You know, you mentioned at the outset that, sort of historically, North Korea kind of came on the scene and were - had a reputation for being noisy and not especially nuanced. Where do they stand today? How do they rate on the global stage? 

Dick O'brien: It's an interesting country to look at from an espionage perspective. I guess, first of all, the whole North Korean cyber espionage scene, it's quite opaque. I mean, like, you know, as espionage tends to be, I mean, you don't know about every country's espionage operations in detail. But in North Korea, it's particularly so. So we have very little visibility or insight into the overall structure of it, you know? And indeed, you know, lots of people just tend to refer to North Korean espionage operations under just one umbrella name, which is Lazarus. And then the U.S. government call it Hidden Cobra. But we've seen several kind of distinct patterns of activity which suggests that there are at least several distinct teams operating there. And so how do that - they're unusual, too, in that they carry out a lot of financially motivated attacks, which isn't really within the remit of other countries' intelligence services. And, you know, any time you do see it happening with other state-sponsored actors, we usually suspect it's some contractor doing it, you know, earning some money on the side. But with North Korea, it's definitely part of their core goals - is to acquire foreign currency. So we've seen them do - you know, do everything from kind of stealing multimillion dollar amounts from banks. We've seen them be involved in ATM-type fraud. They're quite interested in cryptocurrencies and that sort of thing, you know? 

Dick O'brien: So I think the regime there sees it as one way of getting foreign currency. So that's quite unusual. But, yeah, there are some teams that are very specialized that would be kind of - you know, would be comparable to other state-sponsored actors on this front. So there's an ongoing campaign called Operation Dream Job, which tends to target different industry sectors at a time in - usually probably in pursuit of technology or intellectual property. And that would be up there with kind of most second-tier nation-state-sponsored espionage actors. And then there's this people like StoneFly, who seem to be super-focused on a very small number of selective targets. 

Dave Bittner: Can you give us some insights into what happens with an incident like this when it comes to incident response? I mean, something like this gets discovered. What - how do you kick into action here? What sort of things go into play? 

Dick O'brien: For us ourselves, I guess it usually starts with a little bit of fragmentary evidence. We find - uncover one tool or something the attacker does that generates an alert, and we follow it up. And then it's really kind of a case of following the breadcrumbs, realizing - trying to figure out where this tool came from, what was used to install it and then, you know - and really trying to trace the attack back to the origin and then forward to the ultimate payload or - and map it out in that way. 

Dick O'brien: And then once we kind of have a reasonably good understanding of what we're dealing with, we often - you know, obviously, you know, we'd update our product to, you know, make sure it doesn't happen again. But we'd also notify the customer, which can be anything from an email to maybe a phone call or something like that to explain what we discovered on our network on the significance of this. You know, it's - you know, in the case of something like StoneFly - all right. We would do - we'd make an effort to have a conversation with them about it. 

Dave Bittner: Right. Right. I suppose if you're on StoneFly's radar, it is undoubtedly a serious situation for you. 

Dick O'brien: Yeah, it is. It is because a lot of their targets are dealing with, you know, highly classified stuff, you know? And everything they go after tends to have, like, either civilian or military application. So I think, you know, any organization that is being targeted by StoneFly would want to know about it and would be very worried about what they're trying to get going by what we've seen from their attacks. 

Dave Bittner: So what are your recommendations, then, in terms of organizations protecting themselves? What are your words of wisdom there? 

Dick O'brien: The words of wisdom - I mean, for StoneFly, the words of wisdom are for - as they would apply for any espionage operation, which is to kind of, you know, educate yourself about how these attacks typically unfold and then try and implement, I guess, a multilayered approach to your security so that you don't really have any single point of failure. In this case, the means of access appear to be Log4j. So that server was unpatched for some reason. And so, you know, obviously we don't know why. Organizations have different patching policies and what have you. But it just goes to show the importance of patching vulnerabilities in as timely manner as you can, especially on public-facing servers, because, you know, if that wasn't there, the attackers may have found it much harder to get in if not impossible. 

Dave Bittner: Our thanks to Dick O'Brien from Symantec for joining us. The research is titled "StoneFly: North Korea-linked Spying Operation Continues to Hit High-Value Targets." 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Rachel Gelfand, Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.