Research Saturday 5.11.24
Ep 329 | 5.11.24

The double-edged sword of cyber espionage.


Dave Bittner: Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. [ Music ]

Dick O'Brien: We discovered a previously unknown piece of malware which we have called BirdyClient because we think the attackers themselves call it BirdyClient. And it initially got our attention because it was submitted from Ukraine, which is always interesting given what's going on there at the moment.

Dave Bittner: That's Dick O'Brien, a principal intelligence analyst with Symantec's Threat Hunter team. The research we're discussing today is titled "Graph: Growing Number of Threats Leveraging Microsoft API." [ Music ]

Dick O'Brien: And then, on analysis, we discovered that its functionality included the ability to use the Microsoft Graph API to communicate with a command and control server that was hosted on a Microsoft OneDrive account. And we thought that was notable because it is the latest in a growing number of threats that seem to leverage the Graph API, in particular in relation to command and control communications. It has been happening for a couple of years now, but the number of actors who seem to be capitalizing on it is growing.

Dave Bittner: Well, before we dig into some of the history here, can you give us a little rundown of what exactly the Graph API is designed to do?

Dick O'Brien: Okay. Yeah, it's very simple. It is meant to be there to allow application developers to have an easy way to access resources that are hosted on Microsoft Cloud Services, such as Microsoft 365 and all of that kind of thing. And it means that you can effectively log in using an OAuth access token and grab information from there and integrate it into whatever you are developing yourself. So that could be emails, calendar events, files that are hosted on OneDrive, for example. So if you wanted to create a dashboard with lots of information, including information drawn from Microsoft accounts, Graph API would help you do that really quickly. So that's the legitimate use case. But attackers have discovered that they can use it for their own purposes and they can have their command and control infrastructure hosted on a Microsoft service like OneDrive and then use Graph API to communicate with it.

Dave Bittner: Well, the research that you all have published points out kind of a long history of folks using this. Can we go through some of that together?

Dick O'Brien: Yeah, I mean, we've gone back to the start and highlighted the notable instances. There are more, so it's not an exhaustive list. So the first group to do so was a North Korean-linked espionage group that we call Vedalia. Older vendors call them APT37. And as is common with a lot of these espionage groups, they tend to keep an eye on what they're doing. And if they see somebody implementing an interesting attack technique, they tend to try it out for themselves. So subsequently, in October 2021, we saw a state-backed group called Harvester going after organizations in Asia using a tool called backdoor.graphon. And it implemented nearly exactly the same technique. But where it really came to public attention was early January 2022, a malware family that was christened Graphite was discovered. And it was linked to the Russian espionage group that we call Swallowtail and other vendors variously called APT28 or Fancy Bear. And they began leveraging this technique to connect to a OneDrive-hosted command and control server. And I think that really put the technique into the spotlight and things started to snowball after that. Because Russian espionage groups, in particular, the group that we call Fraternary [phonetic] or APT29, other vendors call them, are really -- they are really the masters in knowing their way around Microsoft systems and exploiting them, particularly their cloud systems. So they really know how they work. They have a deep understanding of these systems. And indeed, you know, they've managed to breach Microsoft themselves on occasion. So if Russian espionage is using this as a technique, that definitely got a lot of people's attention. So then, as time goes on, we saw various other groups, including the Flea group, who are also known as APT15. They're a Chinese group. They began leveraging the technique in a campaign that was directed against foreign affairs ministries in the Americas. And what they did was they got an older piece of malware called Ketrican. And they just bolted on this functionality. They decided this is something they wanted. So they implemented that as their command and control technique. So in the, you know, in the -- let me say in the past 12 months or so, there have been multiple attacks involving this technique, some of which are linked to known groups, many of which have been publicly reported. So what we have discovered is just a [inaudible 00:07:11] long line of threats that have leveraged this technique.

Dave Bittner: We'll be right back. And what is it about the functionality of this API that allows these folks to do the things they want to do and simultaneously evade detection?

Dick O'Brien: Very simply, I guess, if you are behind anything but the most basic form of attack, communication back and forth with the compromised network is a key component that you want to issue commands to the tools that you have installed on your target network, and you want to exfiltrate data back from the targeted network. But unfortunately, that traffic is one of the things that can trip you up, that can raise red flags in your victim. So what is maybe less likely to raise suspicion, and I suspect this is, you know, one of the chief motivations for attackers, is communications with a known entity. So somebody using a Microsoft API to interact with Microsoft Cloud Services, that kind of seems an awful lot more run-of-the-mill than anomalous traffic between your network and some unknown server. And then for attackers, it's a cheap source of infrastructure. You know, you can get something like a OneDrive account for yourself for nothing. So not only is it inconspicuous, but it's also cheap and convenient, you know. And, you know, things like Microsoft Cloud Services, they have pretty good security around them. So there's less likelihood that somebody you don't want to sleep on your own infrastructure. So there's a lot of selling points for attackers.

Dave Bittner: Yeah. What are your recommendations then for folks to best protect themselves here?

Dick O'Brien: I think it's time for -- I know this is a concern for organizations because we do talk to a lot of our customers about stuff we're working on, we're researching. And this was a topic that seemed to really resonate with them. And a lot of them came back and said, "Well, this is something we're really worried about at the moment." And it's not just things like OneDrive. They also mentioned other popular cloud services. So I think it's time for organizations to start looking at the cloud accounts that people are using. I think probably need to start really locking it down to tenants and accounts that belong to the enterprise. So it's not at all uncommon to hear about people saving stuff to their cloud account from their work computer. But that kind of thing, I think, needs to probably be severely limited. Because if you are allowing that, it means that traffic to attacker-controlled accounts is maybe less likely to be noticed, you know. I can't think of some -- there's lots of Graph logging tools, you know, so it may be time to start more proactively monitoring connections to the Graph API and checking them.

Dave Bittner: Do you have any sense for how Microsoft has approached this? I mean, to what degree are they saying, "Well, the API is working as designed, and so we're good here," right?

Dick O'Brien: Yeah, I mean, obviously, like, it's probably more of a question for Microsoft. But I mean -- the difficulty for them is that the attackers are not necessarily, you know, breaching their services. They're using them as intended. Although I'm pretty sure the terms and conditions would specify that, you know, you should not use your Microsoft account for purposes like these, you know. But they are signing up, like, legit users and, you know, to all intents and purposes, they're acting like that, you know. So -- -- I'm [inaudible 00:11:55] sure that Microsoft are aware of attackers using this technique and using their services. I guess, you know, if I was somebody like Microsoft, I'd be working hard to try and profile the malicious users and try and block them more quickly, you know, because that probably is a very distinct pattern of usage.

Dave Bittner: When an organization discovers that they have fallen victim to this, how does it usually reveal itself?

Dick O'Brien: You usually find it in the malware.

Dave Bittner: The malware itself.

Dick O'Brien: That is usually the starting point. You discover the malware on your network, and then the malware reveals that this is how they've been communicating. [ Music ]

Dave Bittner: And that's Research Saturday brought to you by N2K CyberWire. Our thanks to Dick O'Brien from Symantec's Threat Hunter team for joining us. The research is titled "Graph: Growing Number of Threats Leveraging Microsoft API." You can find a link and additional resources in our show notes. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment: your people. We make you smarter about your teams while making your team smarter. Learn how at This episode was produced by Liz Stokes. We're mixed by Elliott Peltzman and Tré Hester. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher. And I'm Dave Bittner. Thanks for listening. [ Music ]