Research Saturday 5.18.19
Ep 86 | 5.18.19

Elfin APT group targets Middle East energy sector.


Dave Bittner: [00:00:03] Hello everyone, and welcome to the CyberWire's Research Saturday, presented by Juniper Networks. I'm Dave Bittner and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Dave Bittner: [00:00:26] And now a word about our sponsor, Juniper Networks. Organizations are constantly evolving and increasingly turning to multicloud to transform IT. Juniper's connected security gives organizations the ability to safeguard users, applications, and infrastructure by extending security to all points of connection across the network. Helping defend you against advanced threats, Juniper's connected security is also open, so you can build on the security solutions and infrastructure you already have. Secure your entire business, from your endpoints to your edge, and every cloud in between, with Juniper's connected security. Connect with Juniper on Twitter or Facebook. And we thank Juniper for making it possible to bring you Research Saturday.

Dave Bittner: [00:01:13] And thanks also to our sponsor, Enveil, whose revolutionary ZeroReveal solution closes the last gap in data security: protecting data in use. It's the industry's first and only scalable commercial solution enabling data to remain encrypted throughout the entire processing lifecycle. Imagine being able to analyze, search, and perform calculations on sensitive data - all without ever decrypting anything. All without the risks of theft or inadvertent exposure. What was once only theoretical is now possible with Enveil. Learn more at

Alan Neville: [00:01:53] Elfin are actually a group that we've been tracking for a number of years.

Dave Bittner: [00:01:56] That's Alan Neville. He's a principal threat intelligence analyst at Symantec. The research we're discussing today is titled, "Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S."

Alan Neville: [00:02:09] They kind of first popped up onto our radar around 2015. They've reportedly been active even longer than this, maybe even back to 2013. It was interesting when we first came across them, just based on some of the targets which we had seen them go after in the past. We've seen them mainly kind of hitting the energy sector in the Middle East, which was kind of something of great interest for us. We didn't see a lot of groups at that time kind of being active in that area, but it has since exploded, particularly after, like, attacks with Shamoon and kind of other similar groups that are active in that region.

Dave Bittner: [00:02:38] Now, they also go by the name APT33 and, as you were saying, the Middle East seems to be where their focus, a lot of their attention - your research starts with a chart here, and Saudi Arabia is their number one target.

Alan Neville: [00:02:54] Yeah, so the majority of the organizations we've seen Elfin actually go after have all kind of been situated in Saudi Arabia, which kind of made up like 42 percent of all the organizations we've seen them go after. We've also seen a number of organizations in the last couple of years - so like around 2016 and again 2017 - where they've started targeting organizations in the US.

Alan Neville: [00:03:14] When we started digging deeper into some of those organizations, we could see they had a lot of affiliations or kind of ties to other organizations that also operate in the Middle East - so, like, subsidiaries or kind of co-owned organizations. So that was kind of interesting as well. So it kind of suggests that not only are they heavily focused on Saudi Arabia, but even some of the organizations that they go after in other countries also have ties to Saudi Arabia as well.

Dave Bittner: [00:03:37] And in terms of the verticals they're going after, what are you seeing there?

Alan Neville: [00:03:41] So the main ones that the Elfin generally have targeted have been mainly related to petrochemical organizations. Again, maybe all in the energy sector. We also see, like, technology organizations that provide IT services to organizations who operate within the energy sector in the Middle East, and similar with engineering and defense, and even some financial organizations, among others.

Dave Bittner: [00:04:03] Well, let's dig in to what exactly they're up to here. What was the initial vulnerability that you all were tracking?

Alan Neville: [00:04:09] More recently, the group have started using, well, they've always really used these spear phishing emails to send off to targets to be able to gain initial access to some of these organizations. And while that technique isn't very sophisticated, it was kind of - it worked very well for them. They've since kind of upped the ante a little bit, where they're not just relying on social engineering tactics, they're now kind of using vulnerabilities and exploits to be able to gain access to these organizations.

Alan Neville: [00:04:34] So, more recently we've seen them leveraging a WinRAR vulnerability, which was CVE-2018-20250. Essentially, this allows you to construct an archive, and you can modify it after it's been created to then change the path where the file would be extracted to. And essentially, if you extract it to a - like a location such as your startup folder, it essentially gives you kind of arbitrary code execution. So they can extract a payload, put it into your start directory, and then when you restart your system, then it essentially executes that piece of malware that they've embedded within that archive. And they've been using this more recently only over the last couple of months to be able to gain access to some of these organizations.

Dave Bittner: [00:05:12] And using what would look like benign filenames. You point out one of them was "JobDetails.rar." You know, the kind of thing that an HR person might open routinely.

Alan Neville: [00:05:24] Yes. Traditionally, what they've done and what they continue to do even now, they look at organizations similar to the organizations they want to target. So, other organizations either operating within the same regions or similar regions, and in the same verticals. And they'll look at those job postings that they might have on their websites, and then they'll essentially set up some infrastructure and mimic those legitimate job postings.

Alan Neville: [00:05:43] So then they'll send a spear phishing email. It will have some information about some available job at a similar organization, at a similar role. And they'll have a link embedded within the email. So users are kind of tricked then, essentially, to click this link, and the link is controlled by the attackers themselves. And it looks like a legitimate job posting website. And once they click on one of those roles or one of those job postings, it essentially downloads kind of like an executable HTML file. So, as you view that page, it will execute some PowerShell in the background to download a backdoor.

Dave Bittner: [00:06:15] Now, there's a possible connection here with Shamoon?

Alan Neville: [00:06:19] Yeah, so, Shamoon were a group that again have been heavily targeting kind of the energy sector in the Middle East. They kind of first popped up around 2012, and they have basically destructive capabilities. They use wiping malware to wipe systems and basically stop operations for these organizations. Back in 2012, they had wiped over I think 30,000 machines at that time, and they had planted images of a burning US flag. And that kind of spoke to their intentions as such.

Alan Neville: [00:06:46] They struck again in the same year, at a later stage, and it was clear from some of the tools they were using and how they moved across the network before they found the systems of interest to wipe, and they had clear knowledge and kind of understanding of the network itself. They even had some of the credentials that were hardcoded into the malware itself. So it was able to wipe these systems very effectively and spread very quickly.

Alan Neville: [00:07:05] What we've seen is some organizations where we've seen Elfin activity, we've later seen them being hit by Shamoon. It kind of raised the question, was - are there any connections between the groups? Perhaps Elfin are doing kind of some intelligence gathering, where they're collecting credentials, and then maybe sharing it with other groups such as Shamoon, where they can create malware to then run kind of disruption operations.

Alan Neville: [00:07:28] We've only seen it in one case so far, and in other organizations we've seen Elfin and Shamoon both active, it's essentially been quite a time difference between them. So, it's not really clear if Elfin have just remained active on the network for a long period of time collecting credentials and collecting other information, and then later shared it, or if they're actually working kind of more closely together than we realize. But that's what we've seen so far on it.

Dave Bittner: [00:07:51] Now, one of the things that you list out here in your research is the variety of tools that they use. It's quite a collection of both custom and off-the-shelf elements. Can you take us through - what sort of things are they using here?

Alan Neville: [00:08:04] Yeah, so, traditionally, they used to use a lot of kind of custom malware - so, malware they would either build themselves for specific operations and things. We've seen kind of a change or a shift more recently, where they have started using more off-the-shelf tools - so, these are tools that you can download either from, like, GitHub repos, or they're available for download, essentially, where you can then build them yourself, customize them to what you want them to do, and have them interact with whatever infrastructure you want to point it at.

Alan Neville: [00:08:29] This is kind of a commonality that we've seen across a number of these advanced persistent threat groups. More and more of them are kind of switching over to using these freely available tools, which, one, makes it somewhat a little bit more difficult to track, in terms of if they were using something custom, it's - when you see a tool pop up somewhere, you could reliably kind of attribute it to that group, or it's probably that group that have been active. Now, by switching over to these kind of more common tools, these freely available tools, it makes it a little bit more difficult to kind of separate its activities and attribute it back to that group for tracking purposes.

Alan Neville: [00:09:01] It also kind of benefits them in a way, where by being able to download these type of tools, they don't necessarily have to waste time on doing development. They can just grab these tools, they can just customize it to do what they want, build them, and then start distributing them.

Dave Bittner: [00:09:13] What's the thread with the tools that they're using? What's the type of information they're going after?

Alan Neville: [00:09:18] So, it seems to be mainly an intelligence gathering operation. So, we can see them, once they get onto the network, they'll start dumping credentials, and they'll use that information to start basically moving across the networks, basically finding information of interest.

Alan Neville: [00:09:30] We do know that they have destructive capabilities as well. There has been malware associated with this group called Stonedrill, which, essentially, again, wipes systems, similar to what we've seen with Shamoon, and kind of more destructive groups. So we know they have the ability to do that, and we know they traditionally used to create their own malware, as well.

Alan Neville: [00:09:46] But essentially, using these kind of off-the-shelf tools as well makes it a little bit more difficult to be able to even see what their intentions are. But it's essentially an intelligence gathering operation, from the data that we can see.

Dave Bittner: [00:09:59] Well, let's walk through what happens when someone finds themselves attacked by Elfin. Take us through step-by-step - what occurs?

Alan Neville: [00:10:07] Yeah, so, essentially, kind of similar to what we were describing before, where the attackers would create an email, they'll set up some infrastructure. The infrastructure's generally named after either the target or the job posting portal they're trying to mimic. They'll create these emails and send them off to some of their targets. So, essentially, they'll probably, or likely, look for individuals that have specific roles that they may have an interest in the type of information that they would have access to, and they'll send these emails to them with these job kind of vacancies.

Alan Neville: [00:10:35] Once they gain access - so, essentially, once the user has been tricked into clicking the link and looking at the job post - it'll run some PowerShell in the background. And that basically will create a scheduled task which will run every several hours on that machine, and it'll reach out to the attackers' infrastructure to download backdoor tools. And this essentially gives them kind of access into the network, and then they can start downloading additional tools, such as Mimikatz, to be able to dump some of the credentials. They'll also push down some additional malware, either to get them kind of more capabilities moving across the network, and then they'll start downloading tools either to collect information and then infiltrate it off to their own infrastructure.

Dave Bittner: [00:11:12] How would you rate these activities in terms of their stealthiness? Are they fairly easy to detect, or are they staying under the radar?

Alan Neville: [00:11:19] Again, because they're moving to all of these kind of tools that are freely available, again, it makes it a little bit more difficult to attribute some of the activity, but it's not impossible. It's still easy enough to be able to track some of the activities based on network infrastructure that they're putting in place. As I kind of mentioned before, they're naming a lot of this infrastructure after some of the job portals or the targets they're going after, which makes it easy to kind of see the organizations that they have an interest in. And like that, when you kind of pull it together, you can kind of see a commonality there, where a lot of it's all based - energy sector, it's all based in, mainly in Saudi, and again in the US, more recently.

Dave Bittner: [00:11:54] Do you have any sense where they're coming from, who's behind this?

Alan Neville: [00:11:58] There's been lots of publications about the activities of the group themselves. There have been researchers who've come out with some bits and pieces which kind of attributes it back to some nation-states, or a likely nation-state in the Middle Eastern region. We have seen indications there, where there was, let's say, for example, when we looked at how the group actually operates - so, for example, when we see them active on a network, you can kind of map some of the timings back to a standard 9 to 5, but it would all kind of sit nicely into a specific time zone that originated from that region as well.

Alan Neville: [00:12:29] Generally, we don't really care about the attribution side, and while that kind of helps in adding some context to our investigations, our main kind of mandate has always been around protection of our customers. So, while we can see some of the activities, we'll find it and figure out the tools that they're using, what they're going after, how they're doing it, and then we'll just use that information to protect our customers. So it's not something that we need to do or put a lot of effort into, to be able to kind of get a better understanding of the group and their - the context behind their activities.

Dave Bittner: [00:12:57] Now, in terms of protection, what are your recommendations?

Alan Neville: [00:13:01] The recommendations, obviously, to have your antivirus clients installed, make sure it's up-to-date. Ensure that you have the latest Windows patches applied to your system as well. But it's also very useful to have system-wide logging enabled. So if you were to see some of these, like, let's say, scheduled tasks being created, or you're starting to see, let's say, PowerShell commands being run on your machines that kind of look a bit suspicious, then obviously it's gonna be a good indication that there's a further investigation required.

Dave Bittner: [00:13:27] So, looking at the information you've gathered here, what are the take-homes? What can people take away from this research?

Alan Neville: [00:13:33] I suppose some of the takeaways from this research - essentially, Elfin is a very active group, particularly in the Middle Eastern region. For organizations or people who have business in that region, it's good to be well aware of the type of information that they're going after, the industries that they're targeting - so, like, energy - and the type of tools that they're using. And the fact that we can see them moving, or kind of this shift from custom tools into more off-the-shelf tools, it kind of gives, I suppose, credence to the fact of just by seeing some of the custom stuff, that's not necessarily just criminal activity, that likely could be something that's related to, like, espionage operations or intelligence gathering.

Dave Bittner: [00:14:15] Our thanks to Alan Neville from Symantec for joining us. The research is titled, "Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S." We'll have a link in the show notes.

Dave Bittner: [00:14:29] Thanks to Juniper Networks for sponsoring our show. You can learn more at, or connect with them on Twitter or Facebook.

Dave Bittner: [00:14:38] And thanks to Enveil for their sponsorship. You can find out how they're closing the last gap in data security at

Dave Bittner: [00:14:44] The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. The coordinating producer is Jennifer Eiben. Our CyberWire editor is John Petrik. Technical Editor, Chris Russell. Our staff writer is Tim Nodar. Executive Editor, Peter Kilpe. And I'm Dave Bittner. Thanks for listening.