Research Saturday 5.25.19
Ep 87 | 5.25.19

A fresh look at GOSSIPGIRL and the Supra Threat Actors.


Dave Bittner: [00:00:03] Hello everyone, and welcome to the CyberWire's Research Saturday, presented by Juniper Networks. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Dave Bittner: [00:00:26] And now a word about our sponsor, Juniper Networks. Organizations are constantly evolving and increasingly turning to multicloud to transform IT. Juniper's connected security gives organizations the ability to safeguard users, applications, and infrastructure by extending security to all points of connection across the network. Helping defend you against advanced threats, Juniper's connected security is also open, so you can build on the security solutions and infrastructure you already have. Secure your entire business, from your endpoints to your edge, and every cloud in between, with Juniper's connected security. Connect with Juniper on Twitter or Facebook. And we thank Juniper for making it possible to bring you Research Saturday.

Dave Bittner: [00:01:13] And thanks also to our sponsor, Enveil, whose revolutionary ZeroReveal solution closes the last gap in data security: protecting data in use. It's the industry's first and only scalable commercial solution enabling data to remain encrypted throughout the entire processing lifecycle. Imagine being able to analyze, search, and perform calculations on sensitive data - all without ever decrypting anything. All without the risks of theft or inadvertent exposure. What was once only theoretical is now possible with Enveil. Learn more at

Juan Andres Guerrero-Saade: [00:01:53] We had this upcoming conference called SAS, and the Security Analysts Summit is where a lot of researchers kind of come together to show off some of the stuff they've found and try to release original content.

Dave Bittner: [00:02:05] That's Juan Andres Guerrero-Saade. He's Research Tsar at Chronicle. The report we're discussing today is titled, "Who is GOSSIPGIRL?"

Juan Andres Guerrero-Saade: [00:02:14] And as we were building up to this, there was an itch that I wanted to scratch. There was a certain dissatisfaction with how we, as an industry, had gone about covering a cluster of very interesting operations. Essentially, between 2010 and 2012, malware analysts discovered some of the most interesting threat actors and malware-based operations that we know about today. It essentially birthed most of the private sector threat intelligence industry that we think of these days.

Juan Andres Guerrero-Saade: [00:02:45] But if you look back, we essentially found these things - the researchers at Symantec and Kaspersky and all these different places discovered these different pieces, they researched them in-depth, and then we moved on and never looked back. And that was something that didn't quite sit right with me. I mean, we've done other historical research; I had focused on Moonlight Maze with Costin Raiu and Danny Moore and Thomas Rid. We worked on this a couple of years back, and what we realized was that no matter how old the operation, taking that retrospective look allows you to discover entirely new things and tie all these different things together you would have never imagined.

Juan Andres Guerrero-Saade: [00:03:24] So, we wanted to do the same with this cluster. We wanted to say, you know, what's there that folks missed, that they weren't able to see, or they didn't have the context to see, or the tools to see? So, that was the primary question that drove us.

Dave Bittner: [00:03:35] And you mentioned the tools. Can you give us some perspective on, when we're talking back to that era, what did we and did we not have back then?

Juan Andres Guerrero-Saade: [00:03:43] The change is very stark. For those that are familiar with some of the threat intelligence and malware analysis tools that folks are using these days, most of the tools that we think of as standard weren't really around. And by that I mean YARA, which is the primary signature engine that most folks use. It's like the universal signature language that most malware analysts and threat intelligence companies use in order to share rules and provide rules for customers. That wasn't really in wide adoption. We didn't have access to things like VirusTotal's Retrohunt, which is what most companies rely on to be able to do retrospective searches. We didn't have access to a lot of sort of the beefier metadata-based databases that we might use, like what's exposed by VirusTotal and what my team has access to. There's a lot of different things that we would rely on for even the simplest of malware analysis cases or threat intelligence investigations these days that, you know, we're talking seven years ago were just not available to researchers.

Juan Andres Guerrero-Saade: [00:04:48] And to exemplify that, I mean, if you go back to some of the best reports that were written about Stuxnet, about Flame, or Duqu, or Gauss, there are no YARA rules available. Most of the hits and most of the samples that were discovered, were discovered using the antivirus companies' sort of proprietary technology to cluster things or to make signatures for things. And it was very good - I mean, they were able to discover these things and to track them - but there's something inherently, you know, proprietary, by the very nature of what that is, that that is inaccessible to anybody trying to recreate this research from the outside.

Dave Bittner: [00:05:24] So, you decide you're going to take a look back - where did you target your efforts?

Juan Andres Guerrero-Saade: [00:05:28] Well, to be honest, you know, we cast a very wide net. The idea was really to track down this name, right? So, that was kind of the funny narrative that we set up for ourselves. You know, if you look back at some of these leaked documents, you know, a lot of people are kind of spooked away from looking at some of these slides, but they have some very interesting information about how the government or the intelligence community writ large does counter CNE, which is their name for, essentially, threat intelligence in the intelligence space. And, you know, you're always very curious about, you know, what threat actors they know about, what things do they see that we haven't seen. And one of the things that caught our attention was a name, which was "GOSSIPGIRL."

Dave Bittner: [00:06:11] Now, before we dig too far in, when you're talking about a slide deck, which slide deck are we talking about, and how did it come to light?

Juan Andres Guerrero-Saade: [00:06:17] So, this is one of the many documents that got released with the Snowden sort of leak of classified documents.

Dave Bittner: [00:06:24] Hmm.

Juan Andres Guerrero-Saade: [00:06:23] And that's why I say, you know, it's - some people get very squirrelly about looking at these things. Thankfully, you know, I don't have a security clearance, I don't have to worry about that. I don't think I'll ever have a security clearance. But more importantly, it allows you to have a more comprehensive view and take everything into account. I mean, we can get into some complex discussions of what to do with this information, but from the perspective of an independent threat intelligence researcher, I think it's better to have a wider view of everything that's at play.

Juan Andres Guerrero-Saade: [00:06:52] So, looking at some of these decks, I think that some of the most interesting decks for researchers trying to recreate some of this information are some that have been leaked out of CSEC, the Canadian signals intelligence agency. And if I remember correctly, the name of this particular slide deck is, "Pay attention to the man behind the curtain." And it details some of their efforts to - and this is probably as early as 2010, if I remember correctly - it details their efforts to track different threat actors, at a time when most of the private sector anti-malware industry wasn't really thinking about any espionage actors. They were just about to come on board that train. So there's a lot of institutional knowledge to learn from there, from whatever can be gleaned from little bullet points on slide decks.

Dave Bittner: [00:07:42] So, I mean, is it fair to say that at this stage of the game, these government organizations had a bit of a head start over folks in private industry?

Juan Andres Guerrero-Saade: [00:07:49] Oh, absolutely.

Dave Bittner: [00:07:50] Yeah.

Juan Andres Guerrero-Saade: [00:07:51] And in some ways they, you know, they probably still do. I mean, we've gotten a lot better on the private sector. I think we have now developed techniques and have repositories of information that, in some ways, rival the intelligence community, and hopefully complement the needs of the intelligence community. But they definitely have a much greater understanding of the institutions involved, of all source information that they're able to piece together.

Juan Andres Guerrero-Saade: [00:08:19] I mean, that's another thing you have to keep in mind. Threat intelligence researchers, for the most part, focus on the technical artifacts that they're able to discern. We don't have access to human assets, or the kind of political analysts and folks that understand regions and get access to privileged information about these regions that they can put together with the incidents that we're looking at.

Juan Andres Guerrero-Saade: [00:08:42] That's actually one of the reasons that, you know, in previous research, I've argued pretty vociferously for getting away from institutional attribution, because the government sector and the intelligence community are in a fantastic position to put together clues from different sources of information, but in the private sector, we're really not. And many times it tends to kind of lead us down the wrong path.

Dave Bittner: [00:09:04] So, you decide that you're going to chase after this GOSSIPGIRL. Where does it lead you?

Juan Andres Guerrero-Saade: [00:09:10] Well, it takes us down a very, very thin, narrow, speculative path of one other screenshot that essentially connects the name GOSSIPGIRL to a known malware family, which is Flame. So, for those listeners that might not know Flame, Flame was a fascinating discovery that comes along around 2012, when the - if I remember correctly - the Iranian CERT, in cooperation with researchers from CrySyS lab in Hungary, with Kaspersky Lab and some other folks, discovered this unbelievable modular espionage platform that was infecting not just Iran, but other institutions in the Middle East.

Juan Andres Guerrero-Saade: [00:09:50] And what was interesting about it was, you're talking about very big files, they contain a Lua virtual machine, that the attackers were using in order to expand their malware to whatever espionage requirements they had. So, that might sound standard in 2019, when we get a different APT by a different vendor every other week, but in 2012, it was sort of this harbinger of things to come. It was this amazing example of what an espionage tool kit should look like, would look like, had looked like, for sort of the big players in the game.

Dave Bittner: [00:10:27] Very forward-looking.

Juan Andres Guerrero-Saade: [00:10:29] Oh, absolutely. And moreover, it had been operating for at least four years before it was discovered.

Dave Bittner: [00:10:35] So you make this connection with Flame, and where does that lead you?

Juan Andres Guerrero-Saade: [00:10:38] We knew that a lot of the research had already been done into Flame. I mean, we don't disparage - and when I say "we," I mean, you know, Silas Cutler and I, my partner in crime here at Chronicle. We knew that a lot of the research had already been done, that there was a lot of amazing work already. Symantec researchers, CrySys lab researchers, Kaspersky researchers had all published extensively on Flame.

Juan Andres Guerrero-Saade: [00:10:59] But our thinking was, you know, at the time they didn't have some of the tools that we do. They didn't have access to the repositories that we do. They didn't have access to, for example, some of the greatest developments in threat intel tooling, like code similarity analysis didn't really exist at the time, not at scale the way that we use it now. So why don't we just take another look? You know, why don't we just go back and pull some of the samples and see what we can find? You know, you never know.

Juan Andres Guerrero-Saade: [00:11:24] We start going down this path of looking at Flame, and that took us to a series of related malware families. So, things like Miniflame and Gauss that were discovered at the time as related to Flame. And then when you look at that, you realize, well, actually, at the time, researchers discovered that a Flame component actually connects Flame to the development of Stuxnet, and that, actually, the development of Stuxnet connects to the Equation platform, and development of Stuxnet connects to the Duqu platform. And essentially, it just started building out this tree, where, you know, we were pulling on one very thin thread, and we actually had a very wide wool sweater to make our way through.

Dave Bittner: [00:12:03] And to be clear, no one had made these connections before?

Juan Andres Guerrero-Saade: [00:12:06] Well, they had made some of the connections before. So, what allowed us to do this work was that we were building, you know, we were standing on the shoulders of giants. A lot of these discoveries had been made back in the day, but some discoveries were not. So, what we were able to do is, standing on top of this research, taking it as both competent and authoritative, we then set out to say, well, what have they missed?

Juan Andres Guerrero-Saade: [00:12:31] So, in that process, we make a series of small discoveries, and I think we make one big ontological reorganization, or - I won't say discovery, but we essentially decided that what GOSSIPGIRL, you know, taking a little creative license, what GOSSIPGIRL would mean to us was what we would begin to call a "Supra Threat Actor."

Dave Bittner: [00:12:51] Hmm.

Juan Andres Guerrero-Saade: [00:12:51] Not to get too in the weeds of, you know, threat intelligence methodology and things that people might find to be too inside baseball, essentially, in threat intelligence we tend to focus on threat actors - the idea that there is a cluster of activity that we can associate with a single entity, whether that's a criminal organization, or maybe an intelligence institution, or a group of mercenaries. Just a single organization.

Dave Bittner: [00:13:15] Mm-hmm.

Juan Andres Guerrero-Saade: [00:13:16] There's a deficiency there as we start to do more complex research, which is, what happens when we start to find different threat actors playing together? What happens when you see several independent threat actors with their own storied past, and their own malware platforms, and their own TTPs, their own ways of acting, clearly coming together for a common goal. We're not talking about somebody stealing somebody else's source code, or reusing, you know, open-source tools, or things like that that might get folks confused. We're talking about, you know, very complex platforms obviously being leveraged to play along.

Juan Andres Guerrero-Saade: [00:13:54] So, for us, that essentially required us to expand our lexicon, and required us to kind of shift our thinking, and say, okay, let's create this other category, where we're going to say, look, we know there was a collaboration, we know that many folks were in this room creating this very complex thing, and what can we know about them based on that collaboration? What can we understand about what they created, on the basis of the fact that it was multiple people playing along?

Dave Bittner: [00:14:22] Perhaps to strain the analogy to the breaking point, but would it be fair to say that you have your threat actors, those are your superheroes, and the Supra Threat Actor would be like the Avengers?

Juan Andres Guerrero-Saade: [00:14:34] (Laughs) Right. Yes. Yeah, essentially, we wanted to look at the Avengers. My partner in crime Silas likened it to looking at the Led Zeppelin of threat actors. We were looking at a supergroup, right?

Dave Bittner: [00:14:44] I see, okay, right, sure. (Laughs)

Juan Andres Guerrero-Saade: [00:14:45] So, you know you've got multiple platforms...

Dave Bittner: [00:14:48] The Traveling Wilburys, yeah.

Juan Andres Guerrero-Saade: [00:14:51] Exactly. (Laughs) You have many good analogies for them. But yeah, it's essentially that, right? When you have a difficult mission, and some would have likened it to trying to save the world, you know, you get the best folks in a room with a shared mission, and you use everyone's particular skill set towards advancing that goal. So it's a good analogy, in a sense.

Dave Bittner: [00:15:11] Yeah. And so, ultimately, where does this lead you?

Juan Andres Guerrero-Saade: [00:15:13] There was a series of discoveries. One of the more interesting one among them was that there was in fact one more team involved in the development of Stuxnet. So, not to give you the convoluted timeline, because there's a lot of sort of weird things that come along as folks researched Stuxnet. You know, the older versions were discovered after the newest versions, and so there's a lot of confusing things there.

Juan Andres Guerrero-Saade: [00:15:36] But when we started to look at some of the code similarity analysis from some of the oldest versions of Stuxnet that were ever discovered, we actually found connections to an entirely different threat actor that had never been linked to Stuxnet before. It's a threat actor called "Flowershop." It's also known as "Cheshire Cat." It maps on - for anybody that's following along at home, if you ever look at the territorial dispute research that CrySyS lab released in 2018, it maps on to signature 17, signature 18. So, this is one of these players with a lot of longevity and a lot of expertise, but that has gone largely underreported and had not been tied into some of the more interesting events that came along from 2010 and so on.

Dave Bittner: [00:16:20] Explain to me, what is the significance of that, of connecting those dots?

Juan Andres Guerrero-Saade: [00:16:24] Well, for us, it expands sort of the supergroup, right? So we - it puts another person in the room. It gives us greater context as well. If you read through Symantec's research when they discovered Stuxnet and, you know, they were first publishing on it, they speculated as to a couple of things. First, they speculated that Stuxnet was probably in development as early as 2005. But they couldn't necessarily prove that. It was, you know, just sort of a hunch based on a lot of indicators that they've seen. They also speculated that based on the specificity of some of the Stuxnet tooling, that there must have been a previous intelligence gathering platform that was utilized predating Stuxnet in order to gather some of the information they would need in order to design Stuxnet's components.

Juan Andres Guerrero-Saade: [00:17:10] So, for us, it starts to fill some of those gaps. We discovered a component embedded within Stuxnet - the early Stuxnet module 231, Resource 231. It's something that we call Stuxshop. We call it that because it is built with code from the Flowershop platform, but it's specifically built to be a Stuxnet module. So, you know, a bit of overlap there. And what's very interesting about it is it's clearly designed using an older platform. For example, it has code to handle things like dial-up windows. You know, if you remember back in the day of dial-up...

Dave Bittner: [00:17:48] (Laughs)

Juan Andres Guerrero-Saade: [00:17:48] ...If you ever tried to, back in the prehistoric ages of dial-up...

Dave Bittner: [00:17:52] Right. Right.

Juan Andres Guerrero-Saade: [00:17:53] ...If your machine tried to do something Internet-related and you weren't connected to the Internet, it would pop up that annoying little dial-up box.

Dave Bittner: [00:18:00] Mm-hmm.

Juan Andres Guerrero-Saade: [00:18:00] It would say, you know, would you like to dial-up? You're trying to do something related to Internet connectivity. Now, if you're trying to infect machines that are airgapped and are almost certainly not connected to the Internet, and every time you try to reach out to a command-and-control server, the person using that computer gets a little dial-up window, that's suspicious.

Dave Bittner: [00:18:20] (Laughs) Yeah, shootin' up a little bit of a flare there.

Juan Andres Guerrero-Saade: [00:18:22] Right. So, you know, you get that message three hundred times a day and you're not doing anything internet-related - a little suspicious. So one of the many things that the Stuxshop module does is it does command-and-control communication in a way that subverts some of those things. So, like, that window would be hooked and suppressed so would never show up ,and it would be a little more cognizant of the sort of system that it was embedded in.

Juan Andres Guerrero-Saade: [00:18:43] But that functionality all comes from this Flowershop platform, which was actually active as early as 2002. This is a very old platform. Marion Marschalek did some fantastic reverse engineering of what she called "Cheshire Cat," which were a handful of samples of Flowershop, and the things that she found - the malware was targeting Windows NT, like, we were talking about, if I remember correctly, 95, 98, 2000...

Dave Bittner: [00:19:08] Wow.

Juan Andres Guerrero-Saade: [00:19:06] ...You know, versions of Windows that are exceedingly old and that you have to design specifically for. So, this is clearly - let's put it this way: the earliest versions of Stuxnet essentially delegated their command-and-control module to this team.

Dave Bittner: [00:19:21] Hmm.

Juan Andres Guerrero-Saade: [00:19:21] That's how command-and-control was handled until the later version of Stuxnet, the one that the researchers first ever discovered, the more aggressive version, which had taken over a lot of that functionality and dumped the Flowershop code, which is why nobody found it back in those days.

Dave Bittner: [00:19:39] Now, one of the things that you dug into here was this sort of resurrection of Flame. Walk us through that, because there's an interesting story there.

Juan Andres Guerrero-Saade: [00:19:48] Oh yeah, absolutely. I'll admit something - this is, apart from fan-boying over the amazing work that the folks at Kaspersky, the folks at Symantec, and CrySyS lab got to do in these days, you know, when you come in as a younger malware researcher, you look at those days and go, you know, maybe I missed the boat, maybe I missed, like, all the exciting stuff that was happening back in those days. And I always had an admiration for Flame, mostly over how advanced it was, over how visionary it was, and how early on it was acting. And I was a little sad to have missed the main research boat on that.

Juan Andres Guerrero-Saade: [00:20:20] So, it was very exciting. As we were going through this, Flame was our original entry point with the GOSSIPGIRL threat actor before we started taking the liberty of expanding what that term would go on to mean. And as we were closing the research - and I'll admit, this was two weeks before we were going to give this talk - I was a little upset that Flame hadn't really yielded any results.

Juan Andres Guerrero-Saade: [00:20:42] So, the operations that we knew were connected to Flame, which are Miniflame and Gauss, each kind of famous in its own right, when we look back at both of those, they died alongside Flame. It looks like Miniflame was an older version that predated Flame, so of course, it goes out of fashion. Flame takes over for a period of years. Gauss is some kind of reengineering of Flame that is operative for a couple years. And then, you know, when Flame gets discovered, the people running Flame essentially burn down all of the infrastructure, they issue a SUICIDE module that cleans up all of the infections that were still out in the field, and everybody thought, you know, May 2012 is the day that Flame died.

Dave Bittner: [00:21:26] And what was Flame's functionality?

Juan Andres Guerrero-Saade: [00:21:28] Flame was essentially an espionage Swiss Army knife.

Dave Bittner: [00:21:34] Ah.

Juan Andres Guerrero-Saade: [00:21:34] So Flame would, you know, you would infect the machine with Flame, and from that point forward, you had access to about thirty modules to do very specific espionage functions, some very interesting espionage functions. So everything from, you know, backdooring that machine, creating a fake account so that you can have access, to being able to infect USB modules, to more interesting things, like being able to beacon to nearby Bluetooth devices so that, you know, somebody nearby might be able to detect that that machine was infected, you know, somebody was trying to get information from there.

Juan Andres Guerrero-Saade: [00:22:09] Even more interesting things, like, one of the modules in Flame, called the "GADGET" module, actually was one of the most interesting old-school supply chain attacks. So, the GADGET module in Flame actually uses this cryptographic MD5 collision attack in order to fake legitimate Windows certificates, Microsoft certificates. So, they do this - they use these fake certificates, and essentially are able to subvert the Windows Update functionality inside of an enterprise in order to spread. So, from a supply chain attack perspective, you're basically turning Windows Update into your entry vector for lateral movement into the rest of an enterprise.

Dave Bittner: [00:22:58] Hmm.

Juan Andres Guerrero-Saade: [00:22:58] You know, supply chain is all the rage now, and, you know, we're looking at all these fascinating attacks like ShadowHammer and CCleaner. But people forget, I mean, back in 2010, 2012, Flame was already doing this, and doing it in a more hardcore way than we've seen so far.

Dave Bittner: [00:23:14] Yeah. So people think that Flame is gone, but not necessarily the case?

Juan Andres Guerrero-Saade: [00:23:18] Not necessarily the case. The impression that we get is that the attackers thought that they could lay low, pretend to be dead, and wait until folks moved on. And it turns out that that was the case. In May 2012, there's the SUICIDE module, everything gets burned down, the threat intelligence industry moves on, they start to discover other things, they move on to other things. And then we discover that as early as 2014, new samples of a slightly retooled version of Flame started to be compiled - something that we call Flame 2.0.

Juan Andres Guerrero-Saade: [00:23:52] So, what's very interesting about this is that those samples were reengineered in order to be harder to analyze, in order to not be detected by, obviously, by the same detections that discovered the original Flame components. And more importantly, they were also faking all the timestamps to look like they were old Flame samples, just in case. So, if somebody was looking back, they could say, oh, this is something people have already discovered, move on.

Dave Bittner: [00:24:21] Wow.

Juan Andres Guerrero-Saade: [00:24:21] But there was an error. As early as the original version of Flame, there was sort of a little bug that would embed the real compilation time of one of the underlying libraries. So, they use a PuTTY library in order to do a lot of their network connections for, you know, SSH and telnet and so on. And that library, when you don't put a version number, actually spits out the time that it's compiled. So even though the Flame sample might say, oh, I was compiled in 1997, which is obviously fake, the PuTTY string would still say, hey, I was compiled in March 2012 or March 2014. So, when we started to map those strings, we realized, oh my God, we've been sitting on samples that were compiled two years after the Flame SUICIDE module. And that's what led us down the line.

Dave Bittner: [00:25:14] Why do you suppose you were able to connect these dots and other folks had missed it?

Juan Andres Guerrero-Saade: [00:25:20] There's a couple of different things there, right? So, one of them is perspective. Obviously, seven years down the line, with a lot of other APT investigations under our belt, in an ecosystem that has the benefits of so much information sharing, of so many folks working openly on threat intelligence, we come to this with very different perspectives. But also, I honestly believe that most folks moved on from these operations and never really looked back. There's obviously a certain reticence to going back to some of these these campaigns. There's also a reticence to going back to things that have already been researched. Right? Like, we all want to work on something new, something exciting. From a PR standpoint, you seldom get to a call up a reporter and say, hey, I redid the work that this other company did six months ago, would you like a story?

Dave Bittner: [00:26:09] Right.

Juan Andres Guerrero-Saade: [00:26:10] So, some of the incentives are misaligned with going back and doing due diligence on things that have already been investigated in the past.

Dave Bittner: [00:26:17] What do you think the take-home lesson is then? With what you've gathered here by taking that look into the past, how does it inform what you're going to do going forward?

Juan Andres Guerrero-Saade: [00:26:26] I think there are several lessons in there, mostly for researchers, really. This is - some of the take-home is essentially trying to urge researchers to eat their vegetables and not just move on to the newest hottest thing, but rather, do go back, take the time, look at some of the older operations, apply new tooling, apply new perspective. Don't assume that you know what's happening with a threat actor or with a campaign just because somebody already published on it, whether that was three months ago or five years ago.

Juan Andres Guerrero-Saade: [00:26:56] I also hope some of the lesson is also shared with folks that are trying to get into this industry. I meet a lot of students and different people that want to get into malware analysis, they want to get into threat intelligence. It's a largely undocumented field - it's hard to find what feels like a good entry point, unless you find somebody to essentially mentor you through it. And they always ask, you know, what what can I work on. And honestly, some of the best work you can do is just go back and take a second look at what's already been done. This isn't the only case of going back and discovering entirely new things.

Juan Andres Guerrero-Saade: [00:27:31] And from a defender standpoint, I mean, I think Flame, the Duqu 1.5 module which we didn't really get to touch on, and Flame 2.0, I think that there are clear indications that just because something seems old doesn't mean that the threat has passed. There's nothing that says that because somebody published a blog, that a threat actor closed shop. So, as defenders, we definitely have a remit to and a responsibility to make sure that we keep our tracking ongoing of these threat actors, particularly some of these apex threat actors, and make sure that we know where they are, even if we've got to keep them in our peripheral vision, just to say, you know, we have this threat under monitoring, under control. We're tracking it, we know what to expect, and that, you know, something that we've considered dead won't just come back into play eighteen months later and blindside us.

Dave Bittner: [00:28:27] Our thanks to Juan Andres Guerrero-Saade for joining us. The research is titled, "Who is GOSSIPGIRL?" It's on the Chronicle blog. We'll have a link in the show notes.

Dave Bittner: [00:28:36] Thanks to Juniper Networks for sponsoring our show. You can learn more at, or connect with them on Twitter or Facebook.

Dave Bittner: [00:28:45] And thanks to Enveil for their sponsorship. You can find out how they're closing the last gap in data security at The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. The coordinating producer is Jennifer Eiben. Our CyberWire editor is John Petrik. Technical Editor, Chris Russell. Our staff writer is Tim Nodar. Executive Editor, Peter Kilpe. And I'm Dave Bittner. Thanks for listening.