Thrip espionage group lives off the land.
Dave Bittner: [00:00:03] Hello everyone, and welcome to the CyberWire's Research Saturday, presented by the Hewlett Foundation's Cyber Initiative. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Dave Bittner: [00:00:26] And now, a moment to tell you about our sponsor, the Hewlett Foundation's Cyber Initiative. While government and industry focus on the latest cyber threats, we still need more institutions and individuals who take a longer view. They're the people who are helping to create the norms and policies that will keep us all safe in cyberspace. The Cyber Initiative supports a cyber policy field that offers thoughtful solutions to complex challenges for the benefit of societies around the world. Learn more at hewlett.org/cyber.
Dave Bittner: [00:01:02] And thanks also to our sponsor, Enveil, whose revolutionary ZeroReveal solution closes the last gap in data security: protecting data in use. It's the industry's first and only scalable commercial solution enabling data to remain encrypted throughout the entire processing lifecycle. Imagine being able to analyze, search, and perform calculations on sensitive data, all without ever decrypting anything. All without the risks of theft or inadvertent exposure. What was once only theoretical is now possible with Enveil. Learn more at enveil.com
Jon DiMaggio: [00:01:42] It first came on our radar through a tool that my team has been using for years.
Dave Bittner: [00:01:46] That's Jon DiMaggio. He's a Senior Cyber Intelligence Analyst at Symantec. The research we're discussing today is titled "Thrip: Espionage Group Hits Satellite, Telecoms, and Defense Companies."
Jon DiMaggio: [00:01:59] "Targeted Attack Analytics" is what it's called publicly now, but for years my team has used it, and it's just recently something that is publicly available. But anyway, the main point of that, or what was exciting about it, is it flagged something that was very boring that actually turned into a thread that unwinded this whole investigation. It was just what appeared to be an administrator running a legitimate tool called PsExec.
Jon DiMaggio: [00:02:25] And what was interesting about it is the tool flagged this for us, and it was simply using this PsExec to install a binary. Well, that was an unknown binary. We didn't know what it was. It wasn't detected as malicious, but it was flagged as suspicious. And the reason, when I say flagged as suspicious is, you know, there are binaries that have attributes to them, or hooks, for example, if it's a key logger or something like that. There's specific things or libraries that they might use, or pieces of code that are similar. It doesn't always mean that it is something malicious. It could just be that whatever the legitimate tool is used some aspect of that.
Jon DiMaggio: [00:02:59] So we wanted to take a look in to see what that is. And that's when it really got interesting. When we did our analysis on this unknown binary, not only did it capture keystrokes from web browsers, but these were, you know, updated web browsers. So, for example, Firefox recently, for all intents and purposes, redesigned their code completely, tried to make it quicker and more effective. Well, a lot of old tools, because of that, were now ineffective. And Chrome is always updating, and that's something bad guys have issues with, is how it handles their activity.
Jon DiMaggio: [00:03:30] So this tool, being able to capture credentials from both of those updated versions of the browsers, was interesting, because the timestamp on it showed it from 2016. However, that can be forged. It was very interesting, but here's where it gets even better. Outside of that, it also took screenshots. All right, so there is no legitimate administrator that's going to need to capture your credentials and take screenshots of your computer.
Jon DiMaggio: [00:03:57] And the third piece that was interesting is, the name of the file was something close to this, "inetview.exe," and they spelled it wrong, they switched a couple of the letters accidentally, I guess while typing it. So that also stuck out, that it was legitimate that the chances that it be, I mean, you can name anything you want, you can change the names. But it just, again, all these little things together, it was like, okay, something's going on here.
Dave Bittner: [00:04:20] Yeah. It's an interesting mismatch to have software that has a certain amount of sophistication, or is at least being kept up to date, and then some sloppiness in the naming.
Jon DiMaggio: [00:04:29] Yes correct. And, like I said, it was interesting because the compile time on this thing was 2016, but this new version of Firefox that's come out in the past couple of months. Again, I'm not a browser expert, but from what I've read on their web page it's been completely updated and rewritten to be more effective and fast. So, my point is, that the fact that it's working with that tells me that these guys are, at a minimum, that they had this in mind when they were designing it to make sure that it would work with recent browsers.
Dave Bittner: [00:04:54] Yeah. Well, let's back up a little bit. One of the things you describe in the research is this notion of groups adopting a living off the land tactic. Can you describe for us, what do you mean there?
Jon DiMaggio: [00:05:05] Before I answer that, if I can, let me just explain to you what we've traditionally seen by cyber espionage groups. And then, when I explain the living off the land part, it will explain why it's important and what the impact is, and why it is significant, as opposed to just talking about living off the land.
Dave Bittner: [00:05:20] Sure.
Jon DiMaggio: [00:05:20] So, essentially, you know, I've been tracking cyber espionage groups now since 2008, so I've seen a lot come and go, and I've seen a lot of the activity. So, this particular group we believe originated from China, so I'm going to reference some of the historical China-based attacks, or the tactics from them anyway.
Jon DiMaggio: [00:05:38] What we used to see a lot of is these groups would develop their own custom malware. Now, they would do that for a couple of reasons. One to suit the capability of whatever it was that their operation was, to fit their target.
Jon DiMaggio: [00:05:49] The other, though, was to avoid detection. Well, it made it very hard to detect, but once we found it, it was a great high fidelity indicator to where we could really then pull all of the activity out of our telemetry. You know, we've got this unbelievable amount of telemetry, so it would make it much easier once we found this custom malware, since it was custom, to just sort of pull out and give us a map of the attack lifecycle.
Jon DiMaggio: [00:06:14] Well, what we're seeing in this particular case, which is a drastic change from that, where we have not seen, at least here at Symantec, very much of coming out of espionage groups in China is this living off the land technique.
Jon DiMaggio: [00:06:28] And what that means is the adversary in this case, they do have a custom info-stealer and a custom backdoor. However, they're using them very sparingly, and I'm going to say that's by design. So, it takes a little more discipline to use that only when you absolutely have to, as opposed to relying on those tools because it makes their life easier. Instead though, what they're doing is once they get on the network they're looking at tools that are already in the environment. Legitimate tools that are in the environment that will allow them to still compromise their target.
Jon DiMaggio: [00:06:59] So, for example, most Microsoft computers up today are running PowerShell, for example, and that's something that's a normal everyday thing in an environment. So, when an adversary is using that to run commands or schedule tasks, it blends in with the legitimate traffic, and of course it is a legitimate tool, so it's not going to get flagged necessarily by defenders.
Jon DiMaggio: [00:07:19] Same with this PsExec tool that we saw. That's a Microsoft tool, so it being present on a system that is running a Microsoft operating system is something that's normal that we would see, not on every system, but at least for administrators and, you know, maybe help desk folks and things like that. So, again, by itself, it just sort of blends in.
Dave Bittner: [00:07:39] Would it be likely that, when the bad guys gained access to a machine, that some of these tools would already be there so they wouldn't have to do the installation?
Jon DiMaggio: [00:07:48] Correct. Yes. That takes the whole, you know, downloading and connecting to their infrastructure piece out of it for those tools. They're already there. They're legitimate. There's other legitimate users likely using this, and it allows them to blend in with legitimate traffic. And unless you really go look, you know, way down in the weeds to see, like, what commands were run with this, and look at the time frames, and see what else was happening when this legitimate tool was being used, you'd probably completely miss it.
Jon DiMaggio: [00:08:17] It's really difficult when they start doing this. I'm not saying it's impossible, I'm just saying it has to really change the approach that companies and defenders are taking today. And what I mean by that is, you can no longer just rely on looking at the bad stuff. You can't just wait for your defenses, through automation, to flag, hey, this is malicious. Now you need to be proactive, and you need to monitor any of these type of tools that have a capability to have any sort of administrative or technical attributes that could affect the environment. So, like PsExec, or there's a whole list of them that are out there.
Jon DiMaggio: [00:08:50] But the point is, is that they now have to look at that legitimate traffic as well, if they want to catch this stuff. And, while this is a very targeted attack, and all the espionage stuff is, let's say it's less than ten percent of the activity that's out there that we see worldwide, well, just because it's a small percent, that doesn't relate to impact. The impact of what these smaller targeted groups do is, you know, devastating. I mean, just look at some of the past things we've had, you know, so let's look at the health care industry for example. You had, a couple of years ago, the whole, the Aetna, I think it was, the compromise and things like that, where they lost the 800 million records, or something to that effect.
Jon DiMaggio: [00:09:25] My point is, is that you really now have to be on it with these guys, because the impacts of these groups, of what they're doing, is significant to companies and it is so small and minute, the activity. I'm not trying to, you know, saying things to scare people. I'm just being honest. This tactic, it's going to require a proactive approach from defenders in order to identify it.
Dave Bittner: [00:09:44] Now, one of the things that caught my eye in the research, you discussed how it was really the activity that caught your eye. The tools you were using were able to spot the patterns of malicious activity, even though they were using legitimate tools that regularly wouldn't draw attention to themselves.
Jon DiMaggio: [00:10:01] Right.
Dave Bittner: [00:10:01] This sentence caught my eye in particular. You said, "in short, Thrip's attempts at camouflage blew its cover." Let's dig into that a little bit. That's an interesting insight.
Jon DiMaggio: [00:10:09] Sure. So, to explain that, first let me talk about the tools that my team used that finds things like this, and I think we can kind of go from there just to give you an understanding.
Jon DiMaggio: [00:10:18] So, I mentioned that we are using a tool that is, it now carries the name Targeted Attack Analytics. As I mentioned before, our team has been using that now for quite a bit. The way that we've been using it, and the way that that works is, over the past couple of years, all of our investigations that we have, we would work with our, sort of, sister component which is, so I'm on the attack investigation team. We have a team called TAA, and it's not just the tool, and we would work with them when they developed that tool.
Jon DiMaggio: [00:10:44] After our investigations, whenever there was something interesting, whether it's commands run, or something interesting from a binary. Anything that would not normally be flagged, whether it's a behavior, or an attribute of a hack tool or malware, we would share with them so that they could build that logic into this tool. Essentially, what it is, is it's an AI that goes through huge amounts of data, and looks for these sort of anomalies and patterns that we've sort of programmed it by, over the years through our espionage and targeted attack investigations.
Jon DiMaggio: [00:11:15] So, I'll be honest, you know, when we first talked about this before we actually started implementing it, I wasn't so sure that it was going to really work, because, you know, lots of companies come out and say, oh, we've got this stuff, it'll make your analysts' workflow easier.
Dave Bittner: [00:11:27] Sure.
Jon DiMaggio: [00:11:28] It's not always the case but, you know, I've got no sales angle, I'm pure analyst, but I love this tool. It's something that we use in all of our investigations. But what it does is, like I said, it's got an AI that combs through all of our telemetry, and it will pull out anything that fits these anomalies, and it uses machine learning and things of that nature. So it just makes it much easier for us to see things.
Jon DiMaggio: [00:11:48] Now, granted, there's always going to be some false positives. But the time spent going through false positives is still much shorter than the time it would take by going through all of our telemetries and analysts trying to find this needle in the haystack which, like in this investigation with Thrip, where they were, you know, downloading that binary with PsExec.
Jon DiMaggio: [00:12:06] We don't even know how they got in the environment. You know, usually we see it either at the beginning of the attack phase, when they're attempting to get that initial exploit, whether it's through spear phishing or a watering hole, or, you know, we get alerted and brought in after the fact, in which case things are being exfil'd.
Jon DiMaggio: [00:12:22] You know, in this case, we got the flag, and they were already on the network. So, we came in at a different time frame than we normally do in investigations, and that sort of gave us, not only a different view, but we had to kind of take a different approach in how we investigated this. But this tool made it much easier for me and my fellow analysts to sort of find the initial thread again to pull, that sort of unraveled all of this.
Dave Bittner: [00:12:47] So, let's move on and talk about who they were going after. You say this is an espionage operation. Who are they targeting?
Jon DiMaggio: [00:12:55] Yeah, so that's the most interesting, to me, that's the most interesting part of this. So, the first thing, you know, that we did, once we had that binary that initially started this, is we created a signature for it. We were able to then go back and do a rear-view look to see if there were previous times where this binary was seen, and then look at where, you know, in our current telemetry, what was actively going on. Doing so, it connected the dots and pulled relevant traffic out of our telemetry.
Jon DiMaggio: [00:13:24] So, the first target that we looked at was, we didn't know what it was at first, but it was a satellite communications company. And one of the things that we do, we need to know motivation, okay? You know, you don't know right off the bat that it's a cyber espionage group, or it's financial crime, or whatever the case might be. But what we do is we start looking at what systems the adversary is on, what tools and malware were used on each of those systems, and how long they spent on each of those systems.
Jon DiMaggio: [00:13:52] What that sort of does is it gives us a path to follow. And, when we get to the end of that path, it's usually showing us the high-value system or systems of interest to the adversary. In this particular case, they were systems that were running command-and-control software for these satellites, as well as having access to a database that facilitated information and data that traversed, about the data that traversed through those satellites.
Jon DiMaggio: [00:14:19] So that was the first target. That was obviously very alarming when we saw that. So, at that time, if you were just to look at one target, and not look at the entire operation in whole, you might say, okay, command-and-control, you know, these guys are going to start making satellites drop out of the sky, worst case scenario, or something like that. Well, we continued to look at the targets, and that's why it's so important to never just look at one incident when you're profiling an actor while we're looking at it, because it doesn't usually tell you the full story.
Jon DiMaggio: [00:14:47] Our next victim shed some light on that, however. Our next victim that we found was in the geospatial imagery and analysis business. Well, let's kind of think about this. This geospatial imagery organization, their prime functionality is to analyze the type of data that's going through satellites. So, these two together it makes it safe to say, to put a theory together, they're probably not going to try and make satellites drop from the sky or they wouldn't have spent their time on this other company that does analysis of that type of imagery.
Jon DiMaggio: [00:15:18] So, I think then it was more probable that we thought, okay, so either they want to learn about the satellites and the technologies, or they want to change data that's associated with them, or they just want to learn about, you know, different orbit patterns, and sort of customers might be going through, or they might have associated with these satellites. But the point is, is that they looked at both the analysis software and the satellite. And, again, that just gives us a little bit better picture.
Jon DiMaggio: [00:15:43] And then, when we continued to look at victims, we found two other interesting victims. A telecom provider in Southeast Asia and another organization that had some sort of a defense contractor implementation there. One reason I word it like that is we know that that's one of the things that this organization does. They do other things, you know, like research and development, and stuff like that.
Jon DiMaggio: [00:16:05] But, big picture, putting it all together, you know, when you have all these things, with the exception of the defense contractor, the scene that we have here, these are all means of communication. With satellites, understanding the data from the satellites, and then this large telecommunication company. The telecommunications company, however, we see that frequently in cyber espionage, but it's usually the customers of that telecommunication company that they're interested in. In this, similar to the satellite and the geospatial companies, they were interested in the operational side of the house.
Jon DiMaggio: [00:16:39] So, again, all of this sort of fit together way too nicely to be targets of opportunity. So that sort of told us with high confidence we can say that these were specific targets of a planned operation. This wasn't by chance. So, that kind of started to piece together the espionage angle that we believe is what motivates the Thrip attacker.
Dave Bittner: [00:17:01] Now, when you have a situation like this, where you discover someone doing these sorts of things in the systems, do you ever find yourself sort of stepping back and, now that you know what they're doing, rather than simply removing them, keeping an eye on them for a while? You know what they're doing, you know, maybe feeding them some data. You get where I'm going with this?
Jon DiMaggio: [00:17:22] I do get where you're going with this. And so, to answer your question, there's a very small window that we have where we can try and learn what they're doing, versus stopping the activity. So, at the end of the day, as much as--I have an intel background, as much as I love digging and learning more about the groups--at the end of the day, as a company, our first priority has got to be protecting the customer.
Jon DiMaggio: [00:17:45] So there is a small window when we're working, once we identify this and we're working with a customer, that we do have to do things where we can sort of learn that. But to be honest with you, that's not always even necessary, because once we have a way to pull the telemetry associated with these attacks out of our data lake, we can then kind of do a reverse look, and we can see everything that they did before we detected them.
Jon DiMaggio: [00:18:09] So that gives us, in this case, let's say it was a four month window of activity, you know, but where no one knew what they were doing, where we could see all their tactics, we could see how they were maneuvering on networks, what they liked to do, what tools they liked to use. And this is a great example of where, you know, we wouldn't have to have a lot of time moving forward to have some intel gathering. We have the historical records because we captured that if our software was on the system when they were doing these activities. Does that make sense?
Dave Bittner: [00:18:39] Yeah, it absolutely does. How often does it happen that, in the work that you do, the bad guys will be onto you and pivot afterwards?
Jon DiMaggio: [00:18:49] It doesn't happen often where they know, prior to us creating a signature that just right out blocks their activity, prior to that, when we're looking into these investigations and let's say, you know, we're working with the customer, we don't really know exactly, you know, the motivation yet, and they're okay to do some of this more intel gathering, monitoring phases, and we have a handle on the attacker. They generally, again, from my experience anyway, in the investigations that I've done in the four and a half years that I've been at Symantec anyway, that's not been the case. There's not been evidence that they were on to us.
Jon DiMaggio: [00:19:23] Now, what does happen, however, and this is pretty common, like in this example, we created these signatures, and let's say it was a few weeks prior to, or even a month prior to writing this. Between creating the signatures, that's going to automatically bring a decrease in activity because you're no longer going to have those successful, new successful infections that are going to be effective or work, because we're going to stop it now that we've got these signatures.
Jon DiMaggio: [00:19:49] Then, if you write a blog about it, which we don't do all the time, but when we do, that's the second stage of also where we really see a decline in activity. Because now you've got the signatures and then you've got everybody, you know, publicly, it's now known.
Jon DiMaggio: [00:20:02] So, those two combinations generally will signify a large decrease in activity. Now, the interesting aspect that we see with espionage groups is, it might take time, but we'll see them come back again. You know, like the Dragonfly report that we did, I think it was last September, last year, maybe it was 2017. But anyway, we had written about them in 2014 and they went away for like a year, and then eventually they retooled and came back.
Jon DiMaggio: [00:20:27] So, it's important to us that not just during the investigation we track these groups but, when it's something like this where it's a cyber espionage campaign and it's this aggressive, we need to follow them moving forward and keep an eye on monitoring them, and try to not lose track of them, because it's important, because history tells us they're going to eventually come back.
Dave Bittner: [00:20:46] Now, from your point of view, when you get an indicator like this, it must be fun to get this and sort of set down that path that the, you know, the game is afoot. You have something to chase after.
Jon DiMaggio: [00:20:56] It absolutely is. I mean, this was my hobby actually, before I did it for a living. I was a network engineer by trade when I started out, and this was just a hobby before I was able to do it for a living. But yes, it is extremely, for me anyway, it's extremely exciting. I love the hunt, I love the chase. You know, you always got to keep in mind, it's not fun for the victims so you can't let that excitement, you know, transcend into your conversations and things with the victims.
Jon DiMaggio: [00:21:22] But from a pure, technical, scientific aspect of it, it is a very exciting job. It's chasing bad guys, you know, so when we do get, you know, a new investigation or a new indicator, we don't know what it is, it looks very suspicious and, you know, as you connect each dot and you get more and more, it is very exciting and it's very interesting to piece together to get that big picture.
Dave Bittner: [00:21:45] Now, with the sophistication of these sorts of things that you're seeing, the evolution of them, what are your recommendations for people to effectively protect themselves?
Jon DiMaggio: [00:21:55] Obviously, the standard that already exists needs to continue. You know, the basics, you know, your network defenses, your host-based defenses, endpoint protection, and all that still stays in place, that does not change, because that's going to still capture, you know, ninety, ninety-five percent of all the malicious activity.
Jon DiMaggio: [00:22:11] Now, these well-funded, objective-oriented attackers like Thrip are a little bit different, and that's kind of what I was alluding to earlier with this whole living off the land aspect that we're seeing, not just with groups originating from China, but we're seeing that with, globally as a change that we're starting to see in many advanced groups.
Jon DiMaggio: [00:22:30] So, to do that, as I mentioned before, you need to start taking a proactive approach. So you have to now look at the legitimate activity that tools of privilege, you know, like PsExec and PowerShell, and any sort of administrative tool that's in the environment, you have to watch. You have to watch for who's using it, what's the commands that are running, times that they're being run, I mean, all of those things, because if you don't look at that legitimate traffic now, especially if you're in one of these industries that would be a prime target for an espionage group, you really need to do the proactive approach and look at the legitimate traffic to find this stuff.
Jon DiMaggio: [00:23:06] Now, sure, you might, you know, the automated defenses will flag, like in this case, the info-stealer and the backdoor that Thrip used that were both custom. But, you know, in most of these cases they used each one of those once, maybe twice, at most. So it would look like a very small activity and you would miss the whole, you know, the meat of it, of them, you know, escalating their privileges, traversing the networks, searching through directories, and, you know, going after something specific. You would just miss all that. So, it's just a whole different mindset that needs to happen for defenders moving forward as the attackers are evolving with these new techniques.
Jon DiMaggio: [00:23:41] One of the things in this instance, that I think is relevant or important is, you know, there are also publicly available tools that the bad guys are using. It's not all just living off the land, but even by using publicly available tools now, instead of using a custom hack tool, though it's still malicious--like Mimikatz, for example, which we saw with Thrip--that's only used for nefarious purposes for the most part. But I mean, it was, it's been around forever, it was made by a French developer. It by itself is, you know, not significant of any one group, but things like that that are publicly available make attribution very hard.
Jon DiMaggio: [00:24:17] So when we're, even when we're not seeing just the living off the land, we are also seeing, instead of using these custom hack tools now, they're using publicly available hack tools. So, it's not just living off the land, it's the whole mindset that attackers are now changing of doing everything they can to deceive, and have deception, and avoid detection. And this is just the latest technique. So, the only message, I guess, like I said, from that is just, we've got to change our mindset. Proactive defense, look at the good, not just the bad
Dave Bittner: [00:24:47] Our thanks to Jon DiMaggio from Symantec for joining us. The research is titled "Thrip: Espionage Group Hits Satellite, Telecoms, and Defense Companies." You can find it on the Symantec website.
Dave Bittner: [00:25:00] Thanks to the Hewlett Foundation's Cyber Initiative for sponsoring our show. You can learn more about them at hewlett.org/cyber.
Dave Bittner: [00:25:08] And thanks to Enveil for their sponsorship. You can find out how they're closing the last gap in data security at enveil.com.
Dave Bittner: [00:25:17] The CyberWire Research Saturday is proudly produced in Maryland, out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. The coordinating producer is Jennifer Eiben, editor is John Petrik, technical editor is Chris Russell, executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.