Research Saturday 9.8.18
Ep 52 | 9.8.18

Leafminer espionage digs the Middle East.


Dave Bittner: [00:00:03] Hello everyone, and welcome to the CyberWire's Research Saturday, presented by the Hewlett Foundation's Cyber Initiative. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Dave Bittner: [00:00:26] And now, a moment to tell you about our sponsor, the Hewlett Foundation's Cyber Initiative. While government and industry focus on the latest cyber threats, we still need more institutions and individuals who take a longer view. They're the people who are helping to create the norms and policies that will keep us all safe in cyberspace. The Cyber Initiative supports a cyber policy field that offers thoughtful solutions to complex challenges, for the benefit of societies around the world. Learn more at

Dave Bittner: [00:01:02] And thanks also to our sponsor, Enveil, whose revolutionary ZeroReveal solution closes the last gap in data security: protecting data in use. It's the industry's first and only scalable commercial solution enabling data to remain encrypted throughout the entire processing lifecycle. Imagine being able to analyze, search, and perform calculations on sensitive data, all without ever decrypting anything. All without the risks of theft or inadvertent exposure. What was once only theoretical is now possible with Enveil. Learn more at

Vikram Thakur: [00:01:42] So, the team that conducts a lot of research at Symantec was looking at some malware.

Dave Bittner: [00:01:47] That's Vikram Thakur. He's a Technical Director at Symantec. The research we're discussing today is titled "Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions."

Vikram Thakur: [00:01:59] And we sorted the malware, we found the distribution site, and we started just following the rabbit trail, which led us to the group of the attackers targeting a finite number of organizations in the Middle East. And when we started working with some of those organizations, the discovery just kept growing and we eventually landed up in a position where we could understand the mandate of the group. We could understand where they were most probably located, and then we just decided to put out a blog after we had already shared some of this information with some of the targeted organizations.

Dave Bittner: [00:02:36] Yeah, it's quite a story here. So, let's walk through it together. Why don't you take us through step by step. What was the first thing that caught your eye?

Vikram Thakur: [00:02:44] So, there was a piece of malware, or a file which was not doing things that it actually claimed that it was, that was found on a Middle Eastern organization's network. So, when we looked at the file and we deemed it malicious, we wanted to follow up and see whether we could find the origination of the file itself. So, when we did that, we stumbled across a website which had housed the file at some point, and our crawlers had sort of picked it up. So, we had the web location of where that file was hosted at one point in time.

Vikram Thakur: [00:03:24] When we went over there, we could find a whole bunch of other malicious files which were all housed or they were all sitting on this web server. And the server itself actually belonged to the president of Azerbaijan. At least that's the organization that it represented. So we, at that point, determined that somebody somewhere had hacked into the server and decided to use it as a little staging server to place all their tools, and when they required, or the attackers required, they would just take the tool and then go and start targeting other entities.

Vikram Thakur: [00:04:00] So, that's sort of how it started. So, we had a good understanding of the tools that were being used by the group that we now call Leafminer. And when we used those tools and searched for those tools on different organizational networks, we started getting a bigger picture of who the targets were and how Leafminer was going about targeting these organizations.

Vikram Thakur: [00:04:25] To date, we don't know what exactly their success rate may have been or what they were truly after. From a technical standpoint, we know that their tools were primarily geared towards stealing email copies. So, think about a situation where the attacker gets onto an organizational network, and then he tries to dump a particular user's complete mailbox or inbox into a file, and then take that file away and go through the contents of that email inbox at their own leisure. So, we see a lot of their tools were focused on doing that. We do not know what it is that they were searching for within those emails themselves.

Dave Bittner: [00:05:13] Take us through, who were they specifically targeting?

Vikram Thakur: [00:05:16] As part of the research, we stumbled across a file which was written in Farsi, and the file itself included a list of organizations that were being targeted. The list was approximately 700 organizations long, spread across multiple countries in the Middle East. And the targets were in aerospace, public sector, manufacturing, finance. Pretty much every single organization that you can think of in any geography.

Vikram Thakur: [00:05:50] But we think that the focus was on the public sector side of the house. So, ministries, agencies, departments of governments, that sort.

Dave Bittner: [00:06:00] And targeting, geographically, the Middle East?

Vikram Thakur: [00:06:02] Yes. I mean, the list actually showed us that the targeting was primarily in the Middle East. In fact, the list only focused on entities which were based in one of seven or eight different countries, I forget right now. But, through the grapevine, we have heard of organizations outside of these seven or eight countries attempting to follow up on Leafminer, which makes us think that the targeting may have been beyond just the Middle East too. But we don't have firsthand evidence of that part.

Dave Bittner: [00:06:36] Now, there were three main techniques that you all observed and documented in this blog post, ways that they intruded into other people's systems. Can you take us through those?

Vikram Thakur: [00:06:45] Yeah, yeah, sure. So, one of the methods which was quite novel back when these attacks were happening, they were not very widely used, was combining what we call watering holes with a technique for SMB. But essentially what really happens is the attacker tries to understand what kind of websites their intended targets normally visit. So, if the attackers wanted to compromise intelligence officials of a certain country, they realized that those intelligence officials are more likely to visit the government's intelligence website within that country.

Vikram Thakur: [00:07:23] So, they isolated these websites that they thought provided the traffic or the visitors that they intended to compromise, and then they hacked into these websites and planted a piece of code in addition to what the website was offering as information anyway. So, these websites now became compromised. They had some attacker code on them. So every time somebody visited these websites, that malicious code on the website sent a beacon, or sent a little piece of information, over to the attackers. The attackers tried to use that information to guess the passwords which were used by these individuals who were attempting to visit the website.

Vikram Thakur: [00:08:10] It's a bit of a technical jumble out here, but at the end of the day, the attackers really used watering holes in order to gain credentials, or gain access to the accounts of those who are visiting websites. Once they did, then they used those credentials, they used those usernames and passwords to go and legitimately access the targeted person's corporate network. And in some cases, they found themselves lucky and they were able to get in, and once they did, they kind of steered their way towards email mailboxes and tried to gather information from there.

Dave Bittner: [00:08:48] Now, they also used some vulnerability scanning tools?

Vikram Thakur: [00:08:51] Yeah, so those are the other techniques that they used. They used a lot of off-the-shelf public information trying to break into their target networks. So, they picked up things like some old framework tools which have been publicly documented over the past couple of years. They just took them and tried to use them as tools against target networks. So, in those networks where those servers or those machines were not updated with the latest security patches and security solutions, they would have found themselves vulnerable to these attacks by Leafminer.

Vikram Thakur: [00:09:31] But, in a lot of cases, we know for a fact that the success rate by Leafminer using these methods was very low. It just translates to most organizations having already patched or updated their computers against these known vulnerabilities. We see Leafminer doing this more and more, which is they are relying upon publicly documented tools or publicly available tools to conduct a lot of their attacks.

Vikram Thakur: [00:10:00] And this is usually reflective of one of two things in every attack group which does this. On one side, attackers are less dependent on their own technical skills to be able to conduct attacks, when they're just picking up somebody else's work and launching it against their own target.

Vikram Thakur: [00:10:20] But on the other side, it allows the attackers to stay under the radar for a longer period of time. So, since these tools are publicly available, a lot of organizations always think that they are unlikely to be used against them. So, when an attacker actually does use it, it turns out to their own advantage, and organizations realize a little bit too late.

Dave Bittner: [00:10:46] And does it make it harder to tag a specific organization if they're using something that may be being used by other organizations as well?

Vikram Thakur: [00:10:54] Yes, it actually becomes a little bit difficult for organizations to track publicly available tools, because in some cases organizations and their legitimate IT teams use these tools for things like internal testing of their own security defenses, or maybe in some cases using these tools to actually manage computers which might not be in the same physical location as themselves.

Vikram Thakur: [00:11:20] So, when the attacker uses these exact same IT-used tools, it becomes very difficult for that information security professional sitting in the middle to be able to distinguish between the legitimate intended use of these tools, versus the unauthorized use of these tools by attackers.

Dave Bittner: [00:11:40] Now, they also used some pretty straightforward things like dictionary attacks, but then, additionally, they had some custom malware that they spun up as well.

Vikram Thakur: [00:11:49] Yeah, I mean, we see the usage of custom malware going down, or really decreasing in the past few years, and we actually think that that trend is going to continue for a long period of time. In this case, they did use a couple of pieces of custom malware which had been seen by us in the past as well, so that kind of gave it away in terms of who these people might be and where they might be sitting, because we've seen previous attacks use these same custom tools.

Vikram Thakur: [00:12:19] We're actually pretty certain that these tools will no longer be used, just because usage of these tools will make attribution a lot easier to a certain group or certain entity. But in those cases, unfortunately, we're not able to find the original emails, or the original method by which these tools were delivered to the intended victims.

Dave Bittner: [00:12:44] Now, take us through what they were doing in terms of spreading out throughout a network, the lateral movement, and then getting the data out, the exfiltration.

Vikram Thakur: [00:12:53] So, in the case here, once the Leafminer group was able to get into a particular network, their first and foremost job was to steal an email from the server that they were on. So, they would use some publicly available tools to dump someone's email inbox into a local file, and then send that file away to their own servers which were external to the organization.

Vikram Thakur: [00:13:21] But at the same time, they were using these dictionary attacks or brute force attacks, which essentially just means, I'm going to try to log on as different users on the network using a pre-determined set of passwords which I saved in a text file. So, these are commonly used passwords, think of, like, "password," "password123," or "qwerty." These are just very simple passwords, but there's a long, long, long list of these which the attacker was trying to use to break into somebody else's account. And every time they were able to, they would use that same account, dump the email, and then continue in a very iterative manner.

Vikram Thakur: [00:14:03] At the same time, the Leafminer attack group was using publicly available tools to see what other servers and what other machines were available on the network. At the same time, they were using a scanning tool looking for essentially any network assets that they could, including searching for wireless networks, looking for SQL backup tools, or SQL backup servers. And in one case at least, they were able to find the backup server, and they targeted stealing the backup from one of those backup servers. So, think about the backup of the backup itself, which they were trying to steal.

Dave Bittner: [00:14:46] So, one of the things that you point out in your research is that you have some indications that perhaps these folks aren't very experienced.

Vikram Thakur: [00:14:55] Yeah, we don't think this group falls under even the average sophistication category. We think that on both sides, the technical as well as the operational security side, they fall way short, showing us that they're relatively inexperienced attackers themselves.

Vikram Thakur: [00:15:15] But I'll break that down. On the technical side, the fact that they were relying so much upon publicly available tools in a very haphazard manner, where they were trying one tool, and when that failed they just went online and picked up another tool, and their lack of sophistication or technical knowledge to be able to tweak certain publicly available tools in order to gain what they intended to do with the tools, shows that they were not very technically capable. Even the malware itself that they were using is sort of middle-of-the-road in terms of coding techniques and sophistication, for that matter.

Vikram Thakur: [00:15:56] And on the other side, when I talk about operational security, I'm really referencing the security that they employed themselves in these operations. So, normally we would associate high-profile attacks, the ones where the attacker was able to victimize someone and the victim was not able to know that they were actually compromised for a long period of time.

Vikram Thakur: [00:16:20] In this case, the fact that the Leafminer gang was very noisy in environments, that they were actually probing so many machines once they got onto a network, downloading publicly available tools onto these machines, onto these compromised computers, and then using them in a very ad hoc manner, made them very visible on the networks where they were present.

Vikram Thakur: [00:16:47] And it allowed us the opportunity also to go and find their staging server in literally no time. We found their server and kept track of it for months, until we even published the blog, and on the exact same day their server was still being used. It just kind of goes to show that these people are not very careful in hiding their own footsteps. So, overall we place them in an inexperienced bucket of attackers.

Dave Bittner: [00:17:17] Now, to that point were defensive tools detecting what they were up to?

Vikram Thakur: [00:17:21] Yes. You know, for the most part, the public tools were all already detected by multiple vendors, including ourselves. In some cases, where they did use some of these custom tools, they did have a degree of success where, in some cases, they were able to get onto a network, but just as they got onto the network they got detected out there. So, we don't think that their success rate was very high overall.

Dave Bittner: [00:17:48] So, what are the take-homes for you? What do you walk away from this one with? How does it inform what you all do in the future?

Vikram Thakur: [00:17:55] Well, a couple of things. I mean, one, we tell other organizations not to minimize the potential of publicly available tools against their organizations. We tell defenders that, listen, here's a case in point of attack groups who are determined to get onto your network and they're just using what is already available out there. So, please, please, please make sure that you apply the security updates which are available from vendors, you update your security solutions, and you only expose the network assets, you only expose servers which are actually meant to be exposed by a business. There's no point in making an internal server of yours accessible to the Internet if you don't have a business reason for it.

Vikram Thakur: [00:18:42] So, we're kind of taking this to defenders as a learning opportunity, where they can realize the worth of just simply applying these security updates and reducing the risk that their own surface area provides.

Vikram Thakur: [00:18:56] On the other side, from an attacker standpoint, what this tells us about attackers in different places, including Iran out here, is there's a new breed, or there are a whole bunch of people with very little experience who are now getting into the offensive game. These attackers, that we believe are operating out of Iran, are exactly a poster representation of that message, where the bar is very, very, very low, and people with just enough motivation, whether it's financial, or geopolitical, or whatever that might be, are getting into this action, and the number of attacks that we're seeing is just going to keep increasing, using these living-off-the-land tools.

Dave Bittner: [00:19:41] Do you have any sense for where a group like this would fit into the marketplace in a place like Iran? I guess what I'm trying to get at is do these folks represent the level of talent that Iran possesses right now, or are they an unskilled group who's just trying to get their way into the group? You know, Iran has an A-Team and these folks are not that A-Team. Do you get where I'm going with that?

Vikram Thakur: [00:20:07] Yeah, I see where you're going. I mean, whether it's Iran, or any other country for that matter, the odds of us finding offensive attackers are right across the whole spectrum. Yes, we will find people who are taking a class in cybersecurity and they decide that they want to go out and attack other entities. But, on the other end of the spectrum, we'll also find highly-skilled individuals who are working under governments, well-funded, with clear mandates, in order to create the tools and sustain attack campaigns for a very long time.

Vikram Thakur: [00:20:45] Now, we don't know whether Leafminer was working at the behest of any government or these were just some enthusiasts who decided to go off on their own, with the aim of getting data and proving themselves to somebody else. But we definitely think that they represent the lower end of that spectrum.

Vikram Thakur: [00:21:03] And we see these kind of attacks from other places as well, in other countries as well. And it's kind of hard to say whether the country as a whole only possesses attackers with low skill but high volume. I think that would be a naive thing for us to think about.

Dave Bittner: [00:21:25] Our thanks to Vikram Thakur for joining us. The research is titled "Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions." You can find it on the Symantec website.

Dave Bittner: [00:21:37] Thanks to the Hewlett Foundation's Cyber Initiative for sponsoring our show. You can learn more about them at

Dave Bittner: [00:21:45] And thanks to Enveil for their sponsorship. You can find out how they're closing the last gap in data security at

Dave Bittner: [00:21:53] The CyberWire Research Saturday is proudly produced in Maryland, out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. The coordinating producer is Jennifer Eiben, editor is John Petrik, technical editor is Chris Russell, executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.