Research Saturday 2.23.19
Ep 74 | 2.23.19

Rosneft suspicions shift from espionage to business email compromise.


Dave Bittner: [00:00:02] Hello everyone, and welcome to the CyberWire's Research Saturday, presented by Juniper Networks. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Dave Bittner: [00:00:26] And now a word about our sponsor, Juniper Networks. Organizations are constantly evolving and increasingly turning to multicloud to transform IT. Juniper's connected security gives organizations the ability to safeguard users, applications, and infrastructure by extending security to all points of connection across the network. Helping defend you against advanced threats, Juniper's connected security is also open, so you can build on the security solutions and infrastructure you already have. Secure your entire business - from your endpoints to your edge, and every cloud in between - with Juniper's connected security. Learn more at RSA booth number 5859, or connect with Juniper on Twitter or Facebook. And we thank Juniper for making it possible to bring you Research Saturday.

Dave Bittner: [00:01:16] And thanks also to our sponsor, Enveil, whose revolutionary ZeroReveal solution closes the last gap in data security: protecting data in use. It's the industry's first and only scalable commercial solution enabling data to remain encrypted throughout the entire processing lifecycle. Imagine being able to analyze, search, and perform calculations on sensitive data - all without ever decrypting anything. All without the risks of theft or inadvertent exposure. What was once only theoretical is now possible with Enveil. Learn more at

Kevin Livelli: [00:01:56] Well, this first came to our attention the way many research projects come through to our attention. You know, we're always sort of on the lookout for new and interesting malware, or new and interesting attack methods.

Dave Bittner: [00:02:07] That's Kevin Livelli. He's Director of Threat Intelligence at Cylance. The research we're discussing today is titled, "Poking the Bear: Three-Year Campaign Targets Russian Critical Infrastructure."

Kevin Livelli: [00:02:17] And we pay particular attention to targeted attacks. Myself and another security researcher named Jon Gross spend a lot of time tracking the so-called APT groups - advanced persistent threat groups, or state or state-sponsored groups. And so, we started out just by investigating some interesting files we found in a common malware repository, and thought - at least initially - that we were onto another foreign espionage campaign.

Dave Bittner: [00:02:45] And a lot of this centers around this organization called Rosneft. Can you give us some background here? Who are they, and how did they get to be at the center of this?

Kevin Livelli: [00:02:56] Well, we found out that Rosneft was involved here. Rosneft was actually just one of a number of state-owned Russian critical infrastructure companies whose names were invoked in the infrastructure - the command-and-control infrastructure - that was used to carry out this attack. Right? So, we didn't see it at first, but when we started to look at the infrastructure that was used here, we saw that name. Rosneft is - well, they call themselves the largest publicly-traded oil company in the world. And they are a company whose name caught our eye, because - first of all, where they're located. Second of all, the fact that they're owned, at least in part, by the Russian government.

Kevin Livelli: [00:03:41] But that name also caught my attention because Rosneft was the subject of a rather mysterious deal a couple of years ago that took a portion of the company private. And it was noteworthy for a number of reasons. First of all, the amount of money involved.

Kevin Livelli: [00:04:02] Secondly, the fact that anything having to do with this oil company was going to potentially be of geopolitical significance, because - as has been reported in The New York Times and elsewhere - Russia often uses its state-owned companies, particularly this one, as a tool of foreign policy. So that held our attention.

Kevin Livelli: [00:04:25] And the third reason was because there was a lot of intrigue surrounding how the deal to take it private was being done - who was involved? Who were the buyers? Who was mediating the process? All of that led to reporters spilling quite a bit of ink, right?...

Dave Bittner: [00:04:43] Mm-hmm.

Kevin Livelli: [00:04:42] ...In the press. And Rosneft even got a rather conspicuous mention in the now-infamous Steele dossier, which was that sort of collection of raw intelligence that a former British intelligence officer put together, and which was published, I think, by BuzzFeed a while ago. The Rosneft deal, and its potential intersection with the Trump administration, was mentioned in that report. So, having seen all that, Jon and I thought immediately that this was going to be worth investigating further. And indeed, because of all these reasons, we thought that we were probably looking at a company that was the target of a state or state-sponsored espionage campaign.

Dave Bittner: [00:05:37] Right. I mean, that makes sense. Certainly, at first glance, all the stuff adds up to that being a likely thing going on here. But then as you dug into it, it got a little more interesting.

Kevin Livelli: [00:05:49] Yeah. That's right. I mean, in fact, you know - so there were two interesting things here, regarding this research. One is the sort of tick-tock of uncovering what exactly was going on here, and why were - not just Rosneft, but why were more than two dozen Russian state-owned critical infrastructure companies, and even some financial institutions - why were their names being invoked in the infrastructure of this attack?

Kevin Livelli: [00:06:15] There's that, and then at a higher level, there's this sort of onion that we just started peeling. Which is a little bit about confirmation bias among security researchers who often follow geopolitical developments and mentions of deals like this in the news, and are looking for sort of the evidence of some sub-rosa cyber activity, right? - that may accompany it. And so that's the road we were heading down.

Kevin Livelli: [00:06:43] But what did we learn? We learned, when we started to investigate further, we learned that Rosneft wasn't alone. As I mentioned, this threat actor had created similar websites that mimicked lots of other state-owned oil, gas, chemical, agricultural organizations. And that we discovered that this had been going on for a long time, and that this threat actor was not changing the malware that was being used in this attack - had not changed it in several years, which was also intriguing.

Dave Bittner: [00:07:16] Let's go through some of the technical things that you found here. Can you walk us through - how would someone have found themselves infected here? And then take us step-by-step, what happened after that?

Kevin Livelli: [00:07:28] The files that we started with were phishing documents that we pulled out of a common malware repository. That's one indicator of compromise. And through our analysis of those documents, we eventually got to the malware that was being used here, which was - you know, there were several stages of it - but ultimately, sort of the piece of malware we're talking about here was a keylogger. So this was a piece of malware that did lots of things and had the capacity to exfiltrate data, but its principal function and sort of its raison d'être, rather, was keylogging.

Kevin Livelli: [00:08:05] And so, you know, we were a little bit confused at that point as to - you know, we understand what a keylogger does and why it might be helpful, but what we didn't understand until we read a report by another security company, was what the significance was of all of the mirrored Russian critical infrastructure company names among the domains that were used as infrastructure. We didn't know why those names were there, right? Many of those websites, if you tried to go to them, had been taken down by the time we came around to it.

Kevin Livelli: [00:08:40] So we didn't quite understand what exactly we were looking at, right? We knew we had a keylogger, and we knew we had a lot of this infrastructure that was designed to look very much like, not just these websites of these organizations, but portions or subdomains of these companies' websites that dealt with money. Right?

Dave Bittner: [00:09:02] Uh-huh.

Kevin Livelli: [00:09:01] Right, there was a Rosneft site that was invoked that, if you went to it or the site that it was mimicking, it was the place where you would go if you were trying to blow the whistle on sort of corporate embezzlement.

Dave Bittner: [00:09:15] Hmm.

Kevin Livelli: [00:09:16] Another series of websites brought you to the place where you would go if you were bidding for contracts for an oil or gas supplier. So these are places where money was changing hands, which ultimately, you know, sort of made sense once we read the research of this other, as it turns out, Russian security company, and put the pieces together.

Dave Bittner: [00:09:40] I guess I'm trying to understand how they were making money here. They had stood up all of these sites that imitated the legitimate sites...

Kevin Livelli: [00:09:50] Yeah.

Dave Bittner: [00:09:50] What was their game plan here?

Kevin Livelli: [00:09:52] Well, you know, we're sort of reliant upon, as I said, I think the excellent analysis that was published, rather curiously, as paid content in Forbes, of all places - but in a Russian version of Forbes magazine - by Group-IB. Right? Which is a Russian infosec company. And their founder and CEO released details of an attack that - well, it's the same attack, right?

Dave Bittner: [00:10:18] Right.

Kevin Livelli: [00:10:19] We later figured out. But we hadn't seen any sort of independently published research about it. And again, we're reading it in translation. But what they claimed in their report was that they had at least one, probably more, of these companies as clients. And they had taken screenshots of some of these mirrored websites. And so, what it looks like the purpose of those ended up being was to collect credentials, right?

Kevin Livelli: [00:10:47] So you had malware - what they didn't write about was the malware. That's what we were writing about. The malware was probably collecting credentials, but then if you went to these mirrored websites, these fake websites, and entered your credentials - well, then there was another way in which they could harvest them. And putting all those pieces together, this looks like a business email compromise attack.

Dave Bittner: [00:11:07] I see.

Kevin Livelli: [00:11:07] A business email compromise attack is one where criminals collect credentials so that they can later sign in as you, right? Sign in as the victim...

Dave Bittner: [00:11:18] Right.

Kevin Livelli: [00:11:19] ...Into their email account, into their legitimate email account, and watch email traffic go back and forth, and attempt to insert themselves into the process and misdirect funds, or direct funds into their own accounts, right?

Dave Bittner: [00:11:32] Right.

Kevin Livelli: [00:11:33] So if they were, you know, signing in as a financial officer at Rosneft, they could wait for the email that would come across, normally come through their inbox, to say, okay, "pay this contractor," or "here's an alert of some potential fraud happening," and take advantage of the knowledge that they gain from being in that position and try to direct the funds elsewhere.

Dave Bittner: [00:11:58] Right. So the notion is that's why they're imitating specific parts of these websites that deal with things like contracting.

Kevin Livelli: [00:12:05] Yeah, that's our assessment. This is an intelligence analysis, to a certain extent here, right?

Dave Bittner: [00:12:09] Right. Right. Sure.

Kevin Livelli: [00:12:10] We're making a judgment. I don't know exactly, but we're making a judgment here based on what Group-IB wrote, and based on the function of the malware that we uncovered. So putting those pieces together, yes - that's exactly what it looks like. This looks like a criminal attempt to steal money by inserting yourself into the legitimate business process of these companies and misdirect funds.

Dave Bittner: [00:12:36] Now, as part of your analysis, do you suspect that they were trying to look like an espionage group to throw people off the trail, or - was that deliberate, or was that simply the path that you all started on down? Do you follow where I'm going with that?

Kevin Livelli: [00:12:54] Yeah. That's, you know, the intent and the mindset of the attacker is one of the hardest things to try to figure out when you're coming after the fact. I think that it was an advantage, whether or not it was the intention of this guy to begin with. Right?

Dave Bittner: [00:13:07] Right.

Kevin Livelli: [00:13:08] So, I think that, in general, this was interesting to us because it sort of fits a larger trend that we've been watching, where - okay, there's been discussion for some time now about the overlap between criminal syndicates and nation-state hacking groups, right?

Dave Bittner: [00:13:27] Right.

Kevin Livelli: [00:13:27] Particularly in Russia and Eastern Europe. And what we're starting to see increasingly is a blending of the attack styles. Okay, so forget the personnel - I'm talking about the approach.

Dave Bittner: [00:13:41] Mm-hmm.

Kevin Livelli: [00:13:41] So, a typical criminal approach might have you taking a scattershot approach and throwing malware not just at your target, but at lots of other companies that are tangential to your target, that might be interacting with your target, with the hope of getting in somewhere. Right?

Dave Bittner: [00:13:58] Right.

Kevin Livelli: [00:13:59] Finding some chink in the armor. Whereas a lot of sort of traditional APT attacks - or state-sponsored attacks - have, you know, are known to have the flavor of just surgically targeting not just a particular organization, but even servers within that organization. Right? And so, what we're seeing is - are criminal groups that are taking that targeted approach, and nation-state groups that are known, you know, historically, for using targeted attacks, that are taking that criminal approach. Right? Of using that sort of broader, scattershot attack method.

Kevin Livelli: [00:14:35] Here, you know, this seemed relatively targeted, right? I mean, he was - this threat actor, we do believe it's either probably an individual or a small group of people, and we can talk about that in a minute.

Dave Bittner: [00:14:48] Yeah.

Kevin Livelli: [00:14:48] We think that they pick - there's certainly a flavor of their targets, right? They all have a common theme. But it just happened to be a knock-on effect, I think, that because they're targeting critical infrastructure companies at a time when some of them are in the news and the subject of a lot of geopolitical intrigue, that it might also lead investigators and security researchers like us to start to think that maybe this is an espionage campaign, and not an attempt to steal money. They kind of hide in the noise, as it were, you know?

Dave Bittner: [00:15:20] So it's a good lesson to researchers and investigators that this fuzzing between these flavors of groups can make it harder to know for sure where something's coming from?

Kevin Livelli: [00:15:35] That's right. I mean, I think that, in general, when you're doing analysis of a malware campaign or an attack, you know, you should constantly be aware and sensitive to, number one, what are your technical collection limitations? Right? If you're going to make judgments about an attack, you have to be cognizant of what kind of forensic evidence do you have access to, and what kind of forensic evidence do you not have access to. How big is your window, is another way of saying that.

Kevin Livelli: [00:16:04] The other piece of that is that, once you collect all of this technical data and are going to write it up - either for a client, or for an executive, or for a public audience like we're doing here - you're engaging in some sort of level of intelligence analysis that must also take on that idea that you might have some biases, right? And that you should check what those biases are. Don't jump to conclusions about what this is, because you'll end up writing about and drawing conclusions that may be incorrect.

Dave Bittner: [00:16:39] Hmm.

Kevin Livelli: [00:16:40] Right? If we had just kind of gone down this road and kept on looking for evidence of a huge, well-resourced, state-sponsored espionage campaign, we'd still be sitting there scratching our heads, right? Because that's not what it was, right? And so, you know, we were able to assess that with some high level of confidence at the end of the day because, well, this threat actor made some operational security mistakes.

Dave Bittner: [00:17:05] (Laughs)

Kevin Livelli: [00:17:07] And when you do that, sometimes those things can be critical. And so, we had a combination of indicators at the end of the day that pointed towards this being a small group or maybe even an individual effort to target these companies for financial gain, and not a multipronged, long-running, state-sponsored espionage campaign that's designed to siphon intellectual property or something like that out of the company.

Dave Bittner: [00:17:34] Right. I suspect too that you have to have a certain amount of humility to protect yourself against the not-invented-here problem.

Kevin Livelli: [00:17:42] Yeah.

Dave Bittner: [00:17:42] I mean, you mentioned how, you know, you sort of had an aha moment when you came across this research from Group-IB which connected some of the dots for you. And I could see internal groups having a bias against that, just to - you know, in a natural way.

Kevin Livelli: [00:17:58] Right. Well, this is part of the reason why we publish research like this, right?

Dave Bittner: [00:18:01] Yeah.

Kevin Livelli: [00:18:01] It's to share what we're finding with other security researchers in the community, right?

Dave Bittner: [00:18:08] Right.

Kevin Livelli: [00:18:08] So that they can maybe take the indicators of compromise that we had access to and that we developed, and put them together with what they have, and then try to fill in the picture a bit more, right? I mean, that's actually kind of a nice thing, I think.

Dave Bittner: [00:18:24] Yeah.

Kevin Livelli: [00:18:24] I don't know the researchers at Group-IB who were responsible, or the incident responders who were responsible for this particular attack. But, you know, we don't even speak the same language, and here we were able to essentially arrive at the same conclusion and add to each other's body of knowledge. Right? They helped us make sense of the malware that we found, we found the malware and more of the infrastructure that they had a piece of, right?

Dave Bittner: [00:18:51] Yeah.

Kevin Livelli: [00:18:51] So, those two things I think go together very nicely.

Dave Bittner: [00:18:55] Yeah. Now, you mentioned earlier that you had some reason to believe that this was an individual or a small group. What led you to that conclusion?

Kevin Livelli: [00:19:02] Well, the first thing was that, you know, in doing a little bit of malware archaeology, we discovered that this threat actor had reused malware in infrastructure previously in criminal efforts to steal from users of a video game platform. It's escaping me which one it is...

Dave Bittner: [00:19:20] Was it Steam, I think?

Kevin Livelli: [00:19:21] Oh yeah, Steam.

Dave Bittner: [00:19:23] Yeah.

Kevin Livelli: [00:19:23] And that - a lot of the toolset that was used there, so that's - I think that was used, again, to steal credentials of users so that you could take money in-game, I think. Which then you could cash out, presumably, in some way. I'm not a big Steam user, sorry...

Kevin Livelli: [00:19:40] Yeah.

Kevin Livelli: [00:19:40] ...For all of those listeners who might be. Evidently there were ways in which you can make some money if you can take over a number of accounts. And that's - so that's what had happened there. And so, the toolset hadn't changed, and we thought to ourselves, you know, when we found that out, we said, wait a minute - this doesn't really sound like something that the government hacking group would be involved in, right? And so, of course, there are people that do both things and wear both hats, and that's certainly a possibility here too, right? But it was the first indicator to us that this was not a nation-state group, right? That this is a criminal group, and the work of at least an individual or a small group of people whose track record we can uncover, right?

Dave Bittner: [00:20:25] Yeah.

Kevin Livelli: [00:20:24] And whose lineage, in their malware use and infrastructure use, we could trace. Cylance does not feel that it is very helpful to network defenders and enterprises to go into great granularity about who's behind an attack, right?

Dave Bittner: [00:20:42] Right.

Kevin Livelli: [00:20:42] We can have a whole other discussion, Dave, about that...

Dave Bittner: [00:20:45] Yeah.

Kevin Livelli: [00:20:44] ...Another time if you like.

Dave Bittner: [00:20:47] Yeah.

Kevin Livelli: [00:20:47] So we don't - we tend not to put details like that in here. But rest assured that those details exist, such that, you know, this threat group made enough mistakes that we could have a pretty good idea of who they are, right? Where they live, what they're interested in. Right? The country that they're in, probably. All of those things. Which was further evidence, right?

Kevin Livelli: [00:21:11] So put that together with the video game attacking in the past, his operational security blunders, and then the third piece was, again, the context that we've got by reading the Group-IB report, to see that this was likely a business email compromise type of attack designed to steal money. And if you put those three things together, then you go, okay, this is very likely not a nation-state group, right? This is likely a couple of guys who were trying to get rich.

Kevin Livelli: [00:21:39] And I should add, a couple of rather bold individuals, right? Our feeling is that this person or group is located either in Russia or in that neighborhood. And so, to take on a Russian state-owned oil giant and financial exchange...

Dave Bittner: [00:21:57] Mm-hmm.

Kevin Livelli: [00:21:56] And not just one or two, but more than two dozen - I think it's closer to thirty of them...

Dave Bittner: [00:22:03] Yeah.

Kevin Livelli: [00:22:03] ...For three years, where your OPSEC is not all that great, is - it shows incredible chutzpah. Incredible chutzpah.

Dave Bittner: [00:22:12] Yeah. Talk about poking the bear, literally, right?

Kevin Livelli: [00:22:16] That's kind of what we meant, right?

Dave Bittner: [00:22:18] (Laughs) Yeah. Yeah.

Kevin Livelli: [00:22:18] It's exactly the kind of thing that, again, when we came to that conclusion we couldn't believe it. You know, we thought to ourselves, boy, this guy is probably going to end up in the Gulag, right? Somewhere, in short order, if folks in among the target set in Russia are reading ThreatVector. Which I hope they are. (Laughs) But you don't know.

Dave Bittner: [00:22:42] Yeah. Now, do you have any sense - are these folks still active? Are they still at it?

Kevin Livelli: [00:22:47] I think so. The last bit of forensic evidence that we looked at is now a month or so old, right? I haven't gone back to check it, but typically when campaigns run like this for some length of time, unchanged or largely unchanged, it's an indicator that it's working, right? And it's an indicator that, if some of this activity has been uncovered, right, I think the Group-IB report - well, obviously, it preceded our research, right? I don't remember exactly by how many months - but it didn't seem to have an effect, because at the time that we were completing this research and writing this analysis up, the activity was still ongoing, despite the fact that Group-IB had already published. You see what I mean?

Dave Bittner: [00:23:31] Yeah, yeah.

Kevin Livelli: [00:23:31] So, Group-IB exposed a piece of it, had beautiful screenshots of it, and, you know, had written about it not on their own website or not through sort of, you know, the infosec community's normal channels of disseminating this kind of thing, but in Forbes Magazine of all places, right? Which presumably is going to get some wider readership out of the infosec community and it didn't deter this group, right? This guy kept going. So I suspect it's probably likely still the case, right?

Dave Bittner: [00:24:02] Yeah. It's interesting in itself. All those little details are fascinating on their own. That this was placed in a paid-for way in Forbes is itself, makes you think.

Kevin Livelli: [00:24:14] Yeah. Well, they accept content, right?

Dave Bittner: [00:24:15] Right.

Kevin Livelli: [00:24:16] From various corporations and companies all the time. That part of it is not unusual, but the fact that we didn't see the research published on Group-IB's website, right?...

Dave Bittner: [00:24:26] Yeah.

Kevin Livelli: [00:24:24] ...Was a little strange. And the fact that it read as like a narrative. Right? I think they called their thing "Attack Of The Clones," believe it or not...

Dave Bittner: [00:24:34] (Laughs)

Kevin Livelli: [00:24:33] ...Was the name of the article. And they did mention Rosneft in there, right? So, we knew enough - they had enough technical detail in there for us to determine with certainty that we were talking about the same thing.

Dave Bittner: [00:24:48] Right.

Kevin Livelli: [00:24:48] But it wasn't the typical kind of, you know, threat research where there were indicators of compromise at the end of the report and - right?

Dave Bittner: [00:24:53] Yeah.

Kevin Livelli: [00:24:53] And there wasn't any kind of, like, deep-dive analysis into how the malware worked, and how you would decrypt different functions of it, and what the stages of it were, and all those kind of stuff. Which is part of what we include here, right?

Dave Bittner: [00:25:05] Yeah.

Kevin Livelli: [00:25:04] We're blending analysis and technical discussion in this blog post. They just sort of kept it at the analysis level, right? And talked sort of anecdotally about their own clients. But yeah, fascinating stuff, right?

Dave Bittner: [00:25:17] Yeah.

Kevin Livelli: [00:25:17] I mean, it's unusual and unlikely.

Dave Bittner: [00:25:20] Yeah, lots of intrigue here.

Kevin Livelli: [00:25:21] Lots of pieces of this are unusual and unlikely, right? So, that's why we decided that it would be probably interesting for others to read about. I think that the important takeaway for researchers and for those involved in network defense at the enterprise level is don't always go with your first blush instinct, right? Don't always have that knee-jerk response and jump to conclusions. What at first blush seems to be a clear indicator of nation-state activity might just end up being a, you know, a criminal attempt to steal money, right? And vice versa. And what I would say, watch that space. I think that that blurring of that line between those two styles is something we're going to see more of.

Dave Bittner: [00:26:08] Our thanks to Kevin Livelli for joining us. The research is titled, "Poking the Bear: Three-Year Campaign Targets Russian Critical Infrastructure." We'll have a link in the show notes.

Dave Bittner: [00:26:19] Thanks to Juniper Networks for sponsoring our show. You can learn more at, or connect with them on Twitter or Facebook.

Dave Bittner: [00:26:28] And thanks to Enveil for their sponsorship. You can find out how they're closing the last gap in data security at

Dave Bittner: [00:26:37] The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. The coordinating producer is Jennifer Eiben, editor is John Petrik, technical editor is Chris Russell, executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.