Research Saturday 4.1.23
Ep 275 | 4.1.23

Blackfly flies back again.
Dave Bittner: Hello, everyone, and welcome to the "CyberWire's Research Saturday." I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Dick O'Brien: So in about 2020, the US government indicted a number of members of Black Fly and a related group that we call Grey Fly.

Dave Bittner: That's Dick O'Brien. He's a principal intelligence analyst with Symantec's threat hunter team. The research we're discussing today is titled, Black Fly Espionage Group Targets Materials Technology.

Dick O'Brien: And sort of the indictment. You know, obviously, these are charges and these people have yet to appear in court. But the indictment does appear to kind of put this group in the spotlight a little bit and give some kind of insights into how these Chinese-sponsored groups work.

Dave Bittner: And what exactly do we know here?

Dick O'Brien: What we know here is that Black Fly and Grey Fly were often considered to be kind of related groups. And indeed, a lot of vendors considered them to be one group and refer to them under the umbrella name of APT41. And it seems that a number of these people who used to work for Grey Fly at the time were supposedly working in a technology company in Chengdu in China. But they also had links with the Chinese Ministry of State Security. And then a number of these people also worked with some people in Malaysia and seem to have been involved initially in attacks for financial gain, but they seem to have branched out into more common or garden espionage. And this is the group that's known as Black Fly.

Dave Bittner: That's an interesting element there that I don't think I was familiar with, the kind of crossover to Malaysia. I have to say, I guess I'm a little surprised that the Chinese government would tolerate that.

Dick O'Brien: I think from what it would seem, certainly going by these indictments anyway, there's a lot of use made of third-party contractors. So these people may do some work on behalf of the Chinese government, but they also may do some work on behalf of themselves. And it's a very different way of working to maybe other nations, who tend to keep everything in house and closely tied with their own intelligence agencies. But we have seen other countries work in a similar fashion, most notably Iran.

Dave Bittner: So in this set of research that you all have released here, you're saying that they're targeting some materials technology companies. Can you flesh that out for us? Who are they going after here?

Dick O'Brien: I can't really give you too much detail beyond what we say in the blog, except that, you know, they're two subsidiaries of one conglomerate, an Asian company, both of which are in, I guess, what you could broadly describe as the materials and composites sector. So reading between the lines, you would probably think in this case they're looking for intellectual property.

Dave Bittner: I see. And is that the typical playbook for Black Fly? I mean, what's the spectrum that they're known for?

Dick O'Brien: Yeah. I would say so, right. Back when this group first kind of came on the scene and began making a name for itself, it was known for just attacking gaming companies. And then when the indictment came out, it sort of made sense in [inaudible] that these people were using some of the tools they use for espionage attacks to make some money on the side by attacking the gaming sector. But now Black Fly, it's hard to say, but they seem to have kind of moved more into the orbit of traditional espionage. So we've seen them going after semiconductor companies, telecoms firms, pharmaceutical, media, advertising, you name it, really a very broad range of sectors. Now, whether that is at the behest of somebody else, or whether they're acquiring this intellectual property to sell it to the highest bidder, who knows, but we do know that there are confirmed links with the Chinese security services there.

Dave Bittner: And what's the distinction between Black Fly and Grey Fly?

Dick O'Brien: There's some shared personnel between the two groups. But there are, I guess, probably distinct teams, if a [inaudible] is the best way to describe it. So some people work for both, but they are distinct operations. And Grey Fly is probably more closely tied in with the state-sponsored espionage.

Dave Bittner: I suppose, you know, touching on the indictment. I mean, that's primarily, I guess, a political statement more than anything else?

Dick O'Brien: It is, in the sense that it's probably unlikely that the suspects will get to a courtroom in the United States. But it does kind of lay down the marker really of: we know who you are, we know what you're doing, and if we ever have the opportunity to arrest you, we will. So yeah, I mean, it is a political statement in that sense. But it's also, I guess, you know, a move in the kind of power plays that go on between nation states.

Dave Bittner: Right. Be careful where you vacation.

Dick O'Brien: Yeah, I mean, like this, you would be surprised at the amount of suspects who are arrested while on vacation, where somebody is wanted in a jurisdiction, usually the [inaudible], and they're based in a country that doesn't have an extradition treaty with them, and they decide to travel. And it turns out that authorities have been watching them, and they're arrested in that jurisdiction and extradited.
Dave Bittner: What are your recommendations here for organizations to best protect themselves against this sort of thing?

Dick O'Brien: I think the general recommendations about targeted attacks do tend to apply to Black Fly. And so it's lots of different recommendations, really. It's about kind of adopting a defense-in-depth security posture. So number one, be aware of how these groups tend to compromise your organization. Spear-phishing emails are very popular. The other big one we're seeing at the moment is the exploitation of vulnerabilities in public-facing applications. The attackers increasingly are staying on top of when new vulnerabilities are found in enterprise applications, and looking for organizations that are slow in patching them. The other thing, then, I guess, is to be aware of how these attacks tend to unfold. So the next step, once they kind of get access to a machine on the network, is stealing credentials. Administrative credentials are particularly valuable. So you have to kind of think about how you lock them down, like changing them regularly, adding two-factor authentication, and then they tend to use those stolen credentials to move laterally across the network and exfiltrate data. [Music] So it's, you know, it's not just about having the best-of-breed security software. That always helps, but there are all of these best practices as well to adopt.

Dave Bittner: Our thanks to Dick O'Brien from the Symantec Threat Hunter team for joining us. The research is titled Black Fly Espionage Group Targets Materials Technology. We'll have a link in the show notes.

Dave Bittner: The "CyberWire Research Saturday Podcast" is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Ervin and Senior Producer Jennifer Eiben. Our mixer is Elliott Peltzman. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.