
Inside the Mind of State-Sponsored Cyberattackers
David Moulton: Are you a big fan of hip-hop?
Lior Rochberger: I can't say I'm a big fan, but I hear hip hop.
David Moulton: There's a line. "You better checkiddy check yourself before you wreckyiddy wreck yourself." It -- I don't know that that's what you guys keep in mind when you're rolling with your attribution, but that's what I heard.
Lior Rochberger: I tell you, I presented at this conference a few years ago, but a different operation. And one of my managers actually added this meme of like, every step you take, I'll be watching you. So every time I hear this song, I just remember tracking the threat actors and basically, you know, being like a spy that goes through everything that they do. [ Music ]
David Moulton: Welcome to Threat Vector, the Palo Alto Networks podcast, where we discuss pressing cybersecurity threats and resilience and uncover insights into the latest industry trends. I'm your host, David Moulton, Director of Thought Leadership for Unit 42. [ Music ] Today, I'm speaking with Lior Rochberger, Principal Threat Researcher at Palo Alto Networks. Lior has contributed to groundbreaking research such as exposing espionage operations targeting Southeast Asian governments and analyzing threats like Raccoon Stealer and LockBit ransomware. You can see her work on the Unit 42 Threat Research Center. Today, we're going to talk about Operation Diplomatic Specter, a significant espionage campaign targeting foreign ministries in the Middle East, Africa, and Asia. This research reveals the complex tactics used by threat actors to infiltrate critical networks, emphasizing the growing need for advanced threat detection and response. This is an essential topic because it highlights how state-sponsored campaigns are evolving, posing a direct risk to national security, diplomacy, and sensitive data worldwide. Lior Rochberger, welcome to Threat Vector. Excited to have you here.
Lior Rochberger: I'm excited to be here.
David Moulton: The cybersecurity landscape is constantly evolving, and geopolitical factors often play a big role. Talk to me about how the changing administration in the United States can impact cyber activity around the world.
Lior Rochberger: So the election and the changing administration of the United States President, who is often considered to be the most powerful person in the world, has far-reaching effects on global cybersecurity. We also saw it already during the election process itself, with Iranian and Russian hackers trying to interfere with the election process, and actually not for the first time. There are also repercussions for relationships with other countries depending on the elected president. And we know that what we call the axis of evil, which is mainly Russia, Iran, North Korea, and China, is paying a lot of attention to every step by the new administration. For example, Iran's cyber tactics may change significantly based on the stance of the new administration on the nuclear deal and the sanctions. And this could lead to new cyber campaigns targeting the United States and also their allies. Ultimately, we see that many nation-state threat actors are closely monitoring major political events and adapting their cyber activities accordingly.
David Moulton: Lior, today we're going to get into Operation Diplomatic Specter, what it is, how it's impacting organizations, and some of your insights into the tactics used by state-sponsored threat actors. We have a ton to talk about today, so let's get right into it. Lior, you have such an impressive background in cyber threat hunting and malware research. I noticed that your research includes discoveries like NodeStealer 2.0 and backdoor families like Rochelle. Could you share how your journey into threat research began? And what led you to specialize in these high-stakes investigations?
Lior Rochberger: So my journey into threat research kind of kicked off about 10 years ago in the Israeli Air Force cybersecurity unit. That experience really set the stage for me and let me explore the field for the first time. And after my service, I joined Cybereason and dove into the whole corporate world. That's where things got really interesting for me. I got to see the whole spectrum of cybersecurity, from working with customers to tackling a wide range of threats. It was really eye-opening to see how different it is from the defense sector and air-gapped networks. From there on, I just started seeing and investigating many incidents and learned how threat actors operate and how to hunt for those activities. And I've used my experience to find really interesting cases ever since.
David Moulton: Could you summarize the key findings of Operation Diplomatic Specter for our listeners?
Lior Rochberger: Sure. So Operation Diplomatic Specter is a cyber espionage operation targeting government entities across the Middle East, Africa, and Asia, with the main goal of stealing very sensitive information from military operations to politicians and even correspondence between different diplomatic missions all over the world. In the campaign, the threat actor employed a unique set of techniques, tools, and procedures, including several techniques rarely seen in the wild and some previously undocumented ones, which really showed how sophisticated this attacker is and also how determined they were to get this information.
David Moulton: What makes this operation unique compared to other espionage campaigns that you've researched?
Lior Rochberger: I think that what sets this campaign apart is the unprecedented level of visibility we gained into the attacker's objectives. We uncovered specific keywords, individuals, military operations, and even details of meetings that the threat actor was interested in getting information about. And this level of insight into the threat actor's intelligence-gathering priorities is actually pretty rare in our field. Usually, you can tell that the threat actor is looking to steal data, but this was just another level. Even when I present this at conferences and I get to the part where I show the exact email that the threat actor was looking for, you can see the surprise on people's faces and hear the wow from the audience. So it's a really interesting and really unique finding.
David Moulton: What are some of the advanced techniques or tools employed by the attackers in this campaign?
Lior Rochberger: So the attackers in this campaign employed several advanced tactics and tools. They used an in-memory VB implant to act as a web shell instead of the classic file-based one, like ASPX, which is a pretty rare technique. They also used a malware which we call Ntospy that abuses network providers in order to steal credentials, yet another very interesting and new technique. This technique is actually mostly known as a proof of concept, and it has been reported seen in the wild only a handful of times. Also, their email exfiltration tactic, in which they abused a built-in Microsoft tool called the Exchange Management Shell, is also not widely reported seen in the wild. And in addition to all of that, they also used some new and undocumented .NET backdoors. One of them even performs DNS tunneling for command and control communication.
David Moulton: Why do you think that the Middle East and Africa continue to be targeted for these types of operations, Lior?
Lior Rochberger: So looking at the Middle East and Africa, we see a region that has been in the cyber spotlight lately. The complex geopolitical dynamics, especially the relationships and tensions between different countries, make them quite an attractive target for state-sponsored threat actors. If we talk specifically about China, for example, China is involved in this region, and they see Africa as a unique opportunity. The continent is rich in natural resources that are crucial for China's industrial growth. And it represents a vast potential market for Chinese goods and services and, of course, plays a significant role in Beijing's geopolitical ambitions. Through initiatives like the Belt and Road, also known as the New Silk Road, China is building political and economic influence across Africa. And all these factors make this region an attractive target for cyber operations as China seeks to gather intelligence, gain strategic advantages, and, of course, support its diverse interests in the area, from the energy sector to information about diplomatic secrets. And the scope of potential targets is vast.
David Moulton: Lior. What IOCs or threat signatures should organizations look out for based on your findings?
Lior Rochberger: So, of course, we share the relevant IOCs, whether they are domains, hashes, or IPs, which organizations can, of course, implement in their security products and add to block lists. But more importantly, there are behavioral patterns that we share with the readers in our blogs. This includes suspicious PowerShell commands such as the abuse of the Exchange Management Shell, indicative file names that are also worth hunting for, a unique username that the threat actor uses, and different command lines, for example, the indicative arguments for the Nessus penetration toolset that was also used in the attack. And all of this can quite easily be translated into hunting queries and even detection rules.
David Moulton: How do these indicators evolve as attackers refine their techniques?
Lior Rochberger: Usually, after publishing a blog and basically burning an operation, we sometimes see attackers refine their techniques and change their indicators. They might change the file hashes, use different infrastructure for command and control, or even modify their PowerShell scripts. And they can also even just completely change their tactics. And due to these constant changes, it's important that organizations stay updated with the latest threat intelligence and use more behavioral-based protection rather than just rely only on IOCs, which, again, can change very easily.
David Moulton: How do the tactics of the APT behind Operation Diplomatic Specter reflect trends in modern cyber espionage?
Lior Rochberger: The tactics used in Operation Diplomatic Specter reflect several trends in modern cyber espionage. This includes the use of very rare techniques that most security solutions don't know how to defend against, developing custom malware that is designed to evade detections and traditional antiviruses, and operating in waves in order to maintain persistence in the targeted environment for a long period of time. And this way, the attackers can also just come back from time to time, steal the new desired data, and go silent again, which, of course, helps them stay under the radar.
David Moulton: What lessons can organizations take from this to bolster their defenses against APTs?
Lior Rochberger: Organizations can learn several lessons from this operation to improve their defenses. First, they need to implement robust monitoring of legitimate tools such as PowerShell and also other tools that can be abused. Second, they should focus on detecting unusual behavior rather than just known malware signatures and known techniques. And finally, many organizations think that they're secure enough. But the truth is that when facing a determined and capable threat actor, it's only a matter of time until they find a way in. That's why it's important to know your enemies, keep track of the threat landscape, and invest in proactive hunting sessions that are integrated with intelligence.
David Moulton: When you saw these APTs behaving in this very advanced way, what was your initial thought?
Lior Rochberger: I actually was very excited. I saw these different techniques that I'd never seen before. So I figured that there was something very serious going on there, and that it's a very sophisticated threat actor. And when I dug into this and started to analyze the different artifacts and found, for example, what the threat actor was looking for, like the exact keywords, the individuals that they were tracking, I got very excited because I understood that this is really big and really unique to see and to investigate.
David Moulton: So I kind of want to peek behind the scenes a little bit. When you're looking at those artifacts, you're looking at those keywords, you're tracking a Chinese threat actor who's going after countries in the Middle East and Southeast Asia, what language are you tracking them in?
Lior Rochberger: So it really depends on the specific target. For example, in the Middle East, we saw keywords in English, and we also saw keywords in Arabic. So it really depends on the targeted country. But we search for everything that they're looking for every language that we could detect.
David Moulton: Are there hints in the way that you see those searches that give you an indication that it's a Chinese APT?
Lior Rochberger: Yes. So one of the first things that I noticed the threat actor was looking for was keywords for anything related to China and to President Xi, the president of China. They even searched for his wife, Peng Liyuan, if I pronounce it correctly. And then I realized this threat actor is looking specifically for things related to China in any way.
David Moulton: Can you walk us through the methodology Unit 42 used to attribute the campaign to a specific actor or region? I know we just talked about it a little bit, but I'm wondering if you could go a little deeper.
Lior Rochberger: Sure. So Unit 42's attribution methodology actually involves several steps, and it mainly relies on the well-known Diamond Model of attribution, which is widely used in the industry. In this process, we take into consideration the tools, the infrastructure, the tactics, and, of course, the victimology. And we compare this set of indicators to other known threat actors and previous campaigns. In this specific case, it was very challenging and not straightforward, if I can even say that about attribution. Most of the tools and techniques we observed were very rare and even completely new. So comparing it to other known groups or known attacks didn't really point to any specific suspect. And after we tracked and collected data about this activity and threat actor for over a year and tested all the data we had against the Diamond Model of attribution, it became quite clear to us that this is actually a very distinct activity carried out by what we believe to be a new group. And even though we believe this is a new group, we were still able to attribute this activity and this threat actor to China based on different findings, such as the linguistic artifacts that we found that were in Mandarin, which pointed towards China; the activity timeframe, which was consistent with working hours of 09:00 to 05:00 in UTC+8; and also the infrastructure that was used in the operation, which we found is actually part of an infrastructure that is shared among multiple Chinese threat actors.
David Moulton: What are the challenges in confidently attributing such attacks?
Lior Rochberger: So of course, attribution should always be taken with a grain of salt. There are many challenges in attribution. For example, we know of threat actors that try to lure analysts in different directions or try to masquerade as another threat actor, which can, of course, lead to a wrong attribution. We as researchers should never take anything as it is and should always check ourselves to make sure we're on the right path and not biased regarding who might be behind this activity. And of course, we keep track of the activity. And sometimes we discover new information that can help shed more light on the identity of the threat actor.
David Moulton: Lior, is there value in the common org knowing these details?
Lior Rochberger: I think that it's important that organizations and also researchers be aware of this threat actor and this activity, since it can help the community not only know about the potential risks but perhaps contribute and provide more information to our findings that can help us shed new light on this threat actor. And, of course, it can help organizations better protect themselves against this specific threat. [ Music ]
David Moulton: Based on your research, what mistakes do organizations commonly make when defending against espionage campaigns?
Lior Rochberger: The main issue that organizations face is that they focus too much only on the tools and not enough on the people. We know that advanced security tools are important, no doubt about it. But it's only half of the equation. The other half, which many organizations overlook, is the human capital. We're dealing with two aspects here. First, general awareness of all the employees about information security and how to defend and protect themselves. And second, and perhaps more critical, is experts who really know how to leverage these security tools to defend against cyber attacks. And when we have skilled teams that understand the network in depth, can identify anomalies, and, of course, respond quickly, that's a game changer. The tools give us visibility and information and give us a big advantage against those sophisticated threats. But we need to make sure that we have people who know how to interpret it correctly and also act accordingly. So yes, organizations should invest in technology, but equally important is investing in the people who operate it. And I believe this is the path to truly effective defense against advanced cyber threats.
David Moulton: What emerging trends do you see in the state-sponsored cyber campaigns, especially in and around espionage?
Lior Rochberger: So in the landscape of state-sponsored cyber operations, and specifically in espionage, we have observed some very interesting trends. One notable trend is the rise in supply chain attacks. Threat actors are increasingly targeting suppliers and partners to ultimately reach their intended high-value targets. This approach allows them to exploit trusted relationships and bypass traditional security measures, for example, the supply chain attack on the United Kingdom Ministry of Defence by another Chinese threat actor that happened earlier this year. And we're also observing an uptick in the exploitation of both zero-day vulnerabilities and known vulnerabilities. State actors are quick to leverage newly discovered flaws before patches are available, while also taking advantage of organizations that unfortunately keep bad security hygiene and don't apply patches and updates for known vulnerabilities, which happens quite a lot, unfortunately.
David Moulton: What role does threat intelligence like that from Unit 42 play in shaping cybersecurity strategies for governments and then conversely for enterprises?
Lior Rochberger: So threat intelligence is a game changer in cybersecurity strategies in both the government and the enterprise sectors. It provides critical insights into the evolving threat landscape, helping organizations not just understand the risks but also stay ahead of potential risks. This information guides policy decisions, resource allocation, and even the prioritization of security measures, especially in identifying emerging threats before they become major issues.
David Moulton: Lior, I'm curious, how do you see threat research evolving over the next five years?
Lior Rochberger: So, looking at the next five years, we'll likely see threat research evolve in very exciting ways. I think that AI and machine learning will probably play a bigger role in threat analysis. These technologies enable us to process and analyze vast amounts of data at unprecedented speed, uncovering similarities and patterns that can also really help us with attribution and basically help us uncover threats more effectively than ever before.
David Moulton: Lior, what's the most important thing that a listener should remember from our conversation today?
Lior Rochberger: I think the most important thing to remember and to take from this conversation is that threat actors can evolve really rapidly. And this case really shows different techniques and tools that were not known before. So we always need to take this into consideration and not just rely on known things, known tactics, known techniques, but know that it is possible to come across a threat actor that uses completely new techniques and new tactics. And we need to know that we have to be one step ahead of them, and we need to anticipate what they're going to do next. [ Music ]
David Moulton: Thanks for a great conversation today. I appreciate you sharing your insights on Operation Diplomatic Specter here on Threat Vector today.
Lior Rochberger: Thank you. It was great being here.
David Moulton: That's it for today. If you like what you heard, please subscribe wherever you listen and leave us a review on Apple Podcasts or Spotify. Those reviews and your feedback really do help me understand what you want to hear about. If you want to reach out to me directly about the show, email me at threatvector@paloaltonetworks.com. I want to thank our executive producer, Michael Heller, and our content and production teams, which include Kenny Miller, Joe Benco, and Virginia Tran. Elliot Peltzman edits the show and mixes our audio. We'll be back next week. Until then, stay secure, stay vigilant. Goodbye for now. [ Music ]