
China’s stealthiest spy operation yet.
[ Music ]
Dave Bittner: Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. [ Music ]
Assaf Dahan: So Phantom Taurus is a newly identified what we call a "state-sponsored Chinese espionage group." And what really sets them apart from other APT groups is the large-scale intelligence collection activity that we've been observing. So they mainly target governments, embassies, ministries of foreign affairs, and defense sectors.
Dave Bittner: That's Assaf Dahan, Director of Threat Research at Palo Alto Networks. The research we're discussing today is about Phantom Taurus, a new China APT uncovered by Unit 42. [ Music ]
Assaf Dahan: We've seen them in a number of geographies, spanning from Africa, the Middle East, and Asia. And yeah, so it's pretty vast in terms of who they target, the level and the scale of their intelligence collection efforts. And also, it's not every day that we get to uncover a brand-new, what we call a "top tier" APT. So most of the time, you know, when we're tracking, I guess, cyber activity or malicious, nefarious cyber activity, we usually can attribute the activity to known groups. And today we pretty much came out and revealed a new group that has not been known to the public before. So it's a big deal on our end.
Dave Bittner: Yeah. Well, how do you suppose that Phantom Taurus fits into the broader landscape of Chinese state-aligned threat activity?
Assaf Dahan: So when it comes to Phantom Taurus, the way we characterize the group is a group that is focused mainly on intelligence collection or intelligence gathering. There are multiple facets and multiple groups operating on behalf of Chinese state interests. Some of them maybe would go after technological, I guess, aspects, or go after intellectual property, for instance. Some would try to spy on friends and foes, right? And so they really fit into the like more traditional side of the spying games, if you will. So they go after governments, embassies, foreign ministries. So the targeting tends to be very geopolitical and with some economic sides as well, but mostly geopolitical. So when it comes to their targeting, as I mentioned, I think this is why it's such an exciting or at least interesting type of threat actor, is that the correlation with geopolitical events was pretty striking. So we would see them operating in certain networks, let's say, a month or two before a major, let's say, conference or a summit or an important meeting between two statesmen, right? Whether it's their friends or their foes, you'd see them like really spying on the people that they're interacting with. So we thought it was pretty interesting.
Dave Bittner: Well, let's dig into some of their tactics and capabilities here. Is there anything that stands out about their tactics, techniques, and procedures compared to some of the other Chinese APT groups we're used to seeing out there?
Assaf Dahan: Yeah. So there are actually a number of things that we've noticed and really set them apart from other threat actors. So first and foremost, I think it's their level of persistence. And they're quite tenacious, right? They put the P in APT, as we like to say when it comes to persistence. You know, most groups, you know, when they get caught or when the operation is blown, they'll try to, you know, stay away, like hide for a bit, regroup, and then come back after a few months, a few years. We've seen them coming back in a matter of days, sometimes hours. So they're really persistent. You can see like the level of commitment, if you will, that they have for getting the intelligence that they're after. So like very persistent group. They have like their own homegrown tools. So like they don't use like the like generic tools that we've come to have seen and known. And they have like -- they do develop their own malware and their own tools, which are quite sophisticated, state-of-the-art tools. We have the NET-STAR suite that we just discovered. And prior to that, there was the Spectre malware suite. And they are really well engineered, designed for extra stealth. And we haven't observed these types of tools being used anywhere else or by any other threat actors. So that is also what makes them special. And when it comes to their techniques or tactics, what is interesting to see is that they are not the sort of a threat actor that goes after individuals so much. In terms of like we haven't seen spear phishing or elaborate social engineering attacks. They are like -- their hallmark activity is going after vulnerable infrastructure. So they go straight to the jugular, or they go straight to the crown jewels, be it database servers, email Exchange servers. So instead of like trying to target an individual, let's say the prime minister or a minister of a said country, they'll go for the main server of the ministry of foreign affairs. 
And so they can have access to diplomatic cables, correspondence, and other type of sensitive documents and information.
Dave Bittner: One of the things I noted in the research is you highlight how the group's data collection strategies have evolved over time. You point out them shifting from email servers to databases, for example.
Assaf Dahan: That is correct. And again, I don't think it's necessarily mutually exclusive either/or; I think that they can still do both. But we have noticed that in the last year, they haven't been targeting Exchange servers or email servers as much as they used to. And most of their current activity revolves around trying to get into databases, really, backend databases which kind of aggregate or have or contain so much more information than just email correspondence, if that makes sense. So it's really about they're looking for, I guess, a good -- in a sense, you can say that they're looking for a good ROI. So where they can find the most -- where they can get the most bang for buck -- what's the expression?
Dave Bittner: Yeah, bang for the buck.
Assaf Dahan: Yeah, exactly. Like how can they get their hands on as much information with the least effort?
Dave Bittner: We'll be right back. Well, can you take us behind the scenes a little bit of your own process? I mean, how did you and your colleagues determine that this was a distinct new actor rather than activity from an existing group?
Assaf Dahan: It's a really good question. It's been two and a half years of, really, it's been a journey, two and a half years of investigative work. Because when we first started observing this activity, we didn't know what we were looking at. We tried to characterize it. So the first process was understanding or at least trying to understand the motivation and the playbook of the attackers. And we quickly realized, okay, these guys are not there for financial motivation. It's not a ransomware group. This is -- so what we could glean from their activities was that they were really after collecting information or stealing information, which -- so we quickly understood that we're looking at an espionage group. Okay, that's fine, but there are dozens, if not hundreds, of APT groups operating in this sphere, not just Chinese. You have like so many other countries spying on each other. And then we started collecting a lot of data points and connecting the dots. And slowly but surely, we were able to scope it better and to notice patterns in their activity that coincided or like pointed us to the conclusion that we're looking at -- probably looking at a Chinese threat actor. And then we, over the course of two and a half years, we implemented our attribution methodology. Which is a long-term -- it's based on a long-term monitoring of a given activity or a threat actor. So we started with a cluster, okay, without assigning any attribution, saying, hey, we are noticing an activity that is repeated in different regions of the world on different organizations. And we started clustering it. Then after a year of monitoring this activity, we had enough evidence and enough data to elevate it to a temporary group. Now we were able -- with all the information that we were able to collect for over a year, we were able to say, hey, this looks like a Chinese activity. We still don't know if it's a new group or if it's like a spinoff or like a subgroup of a known group. 
But what we do see here is a really distinct activity, repeated patterns that we're not able to tie to any other sort of activity that we're seeing. And we're tracking and monitoring over 20 APT groups, just like coming from China. And nothing really stuck. We really tried to do these matchings and clustering. And after two and a half years of like reviewing, carefully reviewing, the information again and again and again, and trying to really look for any connection to any known groups, we were not able to find such groups. And that's why we were pretty confident in coming up with a new threat actor. As threat intelligence or threat researchers, we are probably the last people who want to throw a new name into the already growing mix of threat actors. It's not something that we like to do. But we really took a lot of time and effort to make sure that this is a new threat actor and we're not just like adding a new name to the pile.
Dave Bittner: Well, I mean, you talk about Phantom Taurus's persistence. It sounds to me like you and your colleagues had to have a certain amount of persistence yourselves.
Assaf Dahan: Yes, it did become, you know, a bit of a baby project for some of the team, especially a researcher called Lior Rochberger. She was the main force behind the investigation. She led the investigation. She's currently honeymooning, so that's why she's not on the call. But she was like the main researcher. There were other collaborations with other researchers, but she was the main speedboat. And she is an extremely persistent researcher and an extremely capable one.
Dave Bittner: You speak to an interesting aspect here, which is, I think, you know, it's important, my perception anyway, and correct me if I'm wrong, is that it's important that groups like yours have the leeway to chase down these sorts of things. And they might not always pay off, but in this case, it seems like it did. But that's part of the culture of your research organization.
Assaf Dahan: That is correct. I mean, and you have to understand that our research is not done for academic purposes, right? The reason that we invest so much in tracking those, like the various groups that we're tracking, be it cybercrime or nation-state threat actors, is that at the end of the day, our entire research is being translated to actionable intelligence, and namely, it helps us, A, feed our product, making sure that we have all the right IOCs and all the right identifiers, you know, be it malware hashes, domains, IPs for a given threat. But more than that, it's really about when you monitor threat actors so closely, you get to learn their MO. And you learn how -- we quickly start to learn how they think and how they react, and you can anticipate their next moves. And all of this knowledge and insights, we try to bake it into the product, trying to come up with behavioral rules and trying to train our machine learning algorithms for detection and prevention. So that's why it really pays off to track these threat actors and groups for a long time.
Dave Bittner: Well, what are the takeaways here? When we're speaking to defenders and security teams who are checking out your research, what do you hope they come away with here when it comes to Phantom Taurus?
Assaf Dahan: I think, I mean, it's going to sound a bit like a cliche, but it is still true. I think that one of the reasons that Phantom Taurus was able to penetrate so deep into so many organizations has to do with the more trivial stuff rather than like fancy zero days or like, you know, fancy exploits. Like the root cause of 90% of their success in penetrating organizations has to do with patch management or lack thereof, outdated versions, unpatched servers. And I think it's -- I'm not going to say anything that will shock, I think, the audience, but I think good IT hygiene will, you know, it goes a long way. And again, I'm not saying that a skilled and highly motivated threat actor would not find a way to circumvent or bypass things or even like use like heavier exploits, like zero days and such to get to where they need to get. But sometimes it seems like almost too easy, because the servers or like internet facing systems are not guarded enough, be it with, you know, having sufficient security tools and mitigations put in place. And also, yeah, as I mentioned, like the outdated systems. [ Music ]
Dave Bittner: Our thanks to Assaf Dahan from Palo Alto Networks for joining us. The research is about Phantom Taurus, a new China APT uncovered by Unit 42. We'll have a link in the Show Notes. And that's Research Saturday, brought to you by N2K's CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the Show Notes or send an email to cyberwire@n2k.com. This episode was produced by Liz Stokes. We're mixed by Elliott Peltzman and Tre Hester. Our executive producer is Jennifer Eiben, Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next time. [ Music ]
