DeadRinger [ML B-Side]

Nate Nelson talks to Assaf Dahan, Sr. Director and Head of Threat Research at Cybereason’s Nocturnus team, about a recent attack they uncovered on multiple major telecommunication companies.

Hosted By

Ran Levi

Born in Israel in 1975, Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, he created the popular Israeli podcast, Making History, with over 14 million downloads as of Oct. 2019.
Author of 3 books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.

Special Guest

Assaf Dahan

Sr. Director, Head of Threat Research at Cybereason

Cyber security expert with over 15 years of experience in the InfoSec industry, with a military and civilian background.

Episode Transcript:

Transcription edited by Ayo Joshua Tayo-Balogun

[Ran] Hi and welcome to Cybereason’s Malicious Life, I’m Ran Levi. Two years ago, in July 2019, we released a special episode titled Operation SoftCell. In it, I told the story of how researchers from Cybereason’s Nocturnus research team uncovered a massive espionage campaign against some of the world’s largest telecommunications companies by APT-10, a Chinese state-sponsored cyber espionage group. APT-10 used a variety of tools to infiltrate these telcos’ networks and steal Cell Data Records, or CDRs. These records hold meta-information about phone calls by the telcos’ customers, such as the source and destination phone numbers, geographic locations of the devices, and more. SoftCell was an extremely targeted attack. In one case, for example, records of only some 20 individuals were exfiltrated. We can only guess their identities. Leaders? Journalists? Dissidents? Who knows? A few days ago, in early August of 2021, Cybereason released a new report, this time titled Operation DeadRinger, detailing a new massive espionage campaign targeting major telcos. As usual, we took advantage of the fact that Cybereason is our show’s sponsor to get a rare inside look at how exactly that campaign was uncovered. Nate Nelson, our senior producer, spoke with Assaf Dahan, senior director and head of threat research at Cybereason’s Nocturnus team. As usual, I’ll step in once in a while to provide you with background information and context where needed. Enjoy the interview.

[Nate] Assaf, let’s just start with you briefly introducing who you are.

[Assaf] Hi Nate, thanks for having me. So my name is Assaf. I’m senior director and head of threat research at the Nocturnus team at Cybereason. My team and I, we follow different threat actors, be it cybercrime or nation-state APT threat groups.

[Nate] So to get things started, what triggered the investigation that we’re going to be talking about today?

[Assaf] Okay, so one of the main triggers for this investigation, there are two actually. So the first one is, if you remember back in 2019, we released a very detailed report about a threat group called SoftCell, an activity group which attacked telcos in different locations around the world. They weren’t known back at the time and we found out that they’ve been active since 2012. Since then, we continued monitoring their activity and looking for new signs of activity. So that was one of them. But I guess one of the major triggers for that was when Microsoft released their Hafnium report, which detailed and disclosed the discovery of several Microsoft Exchange server vulnerabilities. So that was in March 2021, earlier this year. And once we learned about those vulnerabilities, our incident response and threat hunting teams and my team as well, we started to proactively hunt for behavioral indicators of these attacks.

[Nate] And what do you know?

[Assaf] We found dozens of attacks worldwide across multiple industries. So that was fun, a lot of work, a lot of sleepless nights. And we started going over a huge amount of data from our telemetry. And one specific intrusion kind of stood out and looked very familiar. It’s like we had this deja vu feeling that got us kind of excited because we could immediately recognize SoftCell fingerprints all over the scene, all over the crime scene. So that kind of started the investigation. And over a couple of weeks, we gathered more and more data. The more we dived into it and went down that rabbit hole, the more stuff we found. And we started noticing several anomalies. Some things just didn’t add up. And the more we investigated, we realized that we were actually looking at not one but actually three clusters of intrusions. So that was a big deal. And each cluster had its own unique properties, behavioral indicators and set of tools, and we were later able to attribute those three clusters to three different Chinese APT groups. The first one was SoftCell, the second one was the Naikon APT, and the third one is APT27.

[Nate] So you had spotted signs of SoftCell. But how, as researchers, do you know it’s them, right? What is it about the data that you’re finding that you can then point to and say, oh, we’ve seen these guys before?

[Assaf] Yeah, that’s a good question. So as I said, we started looking at a lot of data. We started working our way from exploited IIS and Exchange servers because that was kind of like our starting point. And from there, we climbed down the tree and started seeing a lot of behavioral data, specific tools, specific commands, and tradecraft. When you look at a lot of data, and once you’ve done it for a long time and you’re familiar quite intimately with certain threat actors, you can spot tradecraft, you can see patterns of activity that correlated and overlapped with what we previously knew about the group and how they operate, their modus operandi. And considering the geographical locations in Southeast Asia and the industry, which is telecommunications or telcos, that kind of like checked all of the boxes. Again, of course, with attribution, it’s always prone to psychological warfare and false flags and everything. So of course, everything needs to be taken with a grain of salt. But at this point, we’re quite sure that at least the first cluster that I mentioned was SoftCell, and then we found the other clusters.

[Nate] And we’re going to get to the other clusters. But firstly, a number of our listeners will have heard the content that we did about SoftCell, but it was a while ago. So if you wouldn’t mind, can you just remind us who they are, what they do?

[Assaf] Yeah, so the profile of this threat actor is, well, we believe, and there was a lot of indication pointing to it, that it’s an APT group or threat group that is working or operating on behalf of Chinese state interests. They have attacked or penetrated different telcos worldwide. And the goal was to conduct covert cyber espionage operations. So imagine if you hack a telco, you can potentially access data of millions of subscribers, specifically CDR data, for example, which is the call data records, which can help them track down their targets’ location; they can understand with whom their targets were communicating, at which times, locations, stuff like that. So it’s a very powerful tool. Once you hack a telco, you can get a lot of information because everything we do nowadays is through our phones, basically.

[Nate] Yeah. And we’re going to get to that a bit later. But firstly, what is it that helps you define clusters, right? So you see evidence of SoftCell, but then presumably you see data that leads you to other groups. How do you set the boundaries? How do you know when it’s not them anymore and that there are three distinct entities?

[Assaf] That’s a very good question. So I think, and this is perhaps one of the greatest challenges that threat researchers and threat intelligence analysts face, is how do you distinguish one kill chain from another, one intrusion from another, right? Especially if they’re happening around the same time. I mean, let’s say on any given network nowadays, there’s at least one threat actor operating, whether it’s cyber crime or APT nation state, right? So how do you distinguish one kill chain from another? And that was even more challenging because they were there on the same specific network around similar timeframes and sometimes even on the same endpoints. So it’s almost like instinctively we want to, you know, our brain is almost wired to treat it all as one big attack, right? But I always say that God is in the details. And once you really start processing the data, you start to see that some things just don’t add up. Like there are anomalies, like all of a sudden you see a different tool, a different technique that was never used before, or something that doesn’t add up with the timeline. So you start digging in more, you bring more data, and all of a sudden, you know, once you start to do clustering the right way through an attribution model, we work with the famous diamond attribution model.

[Ran] Assaf mentioned a term, attribution model, that I think some of our listeners might not be familiar with. An excellent opportunity for me to introduce this important concept. A big part of any analysis of a cyber incident is attribution, determining who is the entity responsible for the attack. As we all know, such attribution is not an easy thing in cybersecurity, but given the fact that even the best attackers usually leave some traces of their actions behind them, skilled analysts can try to connect these dots and figure out who is behind the attack. The problem is that such an investigation can yield many, many pieces of information, and trying to combine this information with existing knowledge, such as threat intel, is like trying to solve a giant Sudoku puzzle. An attribution model is an attempt to apply scientific principles to intrusion analysis, a kind of cognitive framework that can help an analyst make sense of all that information, tie new pieces of information together with existing ones, and identify knowledge gaps. Think of it as guidelines on how to efficiently solve Sudoku puzzles. The diamond model is one such framework. There’s really no point in going into details, so I’ll just provide you with a very basic overview. It has four core elements. The adversary, the threat actor responsible for the attack, the capability, the tools and techniques used by the adversary, the infrastructure, the physical and logical communication means used in the attack, such as email or IP addresses, and finally the victim, the attacked entity. These four elements are tied together in the model, hence the diamond shape. As Assaf said, he and his team used the diamond attribution model to analyze the data they gathered to identify three possible threat actors involved in the attack. Back to Nate and Assaf.

[Assaf] You see that three distinct patterns emerge. Again, at this point we’re not saying that the three clusters are not connected and we’re not saying they are connected, we’re saying that there’s an interesting overlap. We’re just saying that these are three distinct clusters and we attribute them to three different threat actors. Whether those threat actors work in tandem, whether they are cooperating, or maybe they work independently, or even maybe piggybacking on each other’s access, these are all plausible scenarios and we actually refer to it in our blog, in our attribution section, because there could be numerous scenarios that can happen there. In many cases, based on our experience with Chinese threat actors and other threat actors sometimes you’ll have like an access team that will grant you access to a certain target and then like there’s another team that comes and takes over and like pulls a certain data and then there’s another team that does, or they could have like different missions. There could be any number of scenarios and we try to account for those scenarios.

[Nate] Yeah, but I’ve dragged it out long enough, Assaf, before we continue, can you just define these clusters for us? It sounds like we’ve heard a bit about A, but also B and C.

[Assaf] Yes, so cluster A is a cluster that we first observed in, I want to say, late 2020 and this is the cluster that we attributed to the SoftCell threat actor. Once we started digging in, we saw, we actually got, we were pretty lucky and we found forensic evidence that showed that they’ve been operating on this specific network for over two and a half years. So they’ve been there since 2018, actually, and when we got to the scene, we got to the scene at late 2020, once we identified their activity, we started to contain it. We tried to mitigate it and it kind of took us in a very interesting path of this cat and mouse game because we would block them and then they would retool or change their tactics a little bit and come back. And then, so this went on and on for a couple of months until we were able to hopefully kick them out. This is perhaps wishful thinking, but nowadays there are no signs of them being on that specific network. And of course, all the indicators that we found correlated with our understanding of what SoftCell is as a threat actor. There were very unique command lines and tools and almost like a playbook that they used and we were able to identify it almost like, when you look at it, if you put it in a spreadsheet almost, it’s almost identical, unless it’s a copycat, that’s always a possibility, right? The second cluster is a cluster that we found also in late 2020, but we haven’t found evidence that shows that it goes back. I think we really believe that they started their activity around late 2020. And one of the indications is that they used a very rare backdoor called the Nebulae backdoor, which we thought we were first to discover, but then we were scooped by a different security company. And, but anyway, what I’m trying to say is that this backdoor is very rare. It’s very new. It has, I think, almost, it doesn’t have a lot of references online. And so we really feel it’s like a fresh APT or fresh activity as opposed to the SoftCell activity that has been happening since 2018.

[Ran] Assaf mentioned the Nebulae backdoor. What is the Nebulae backdoor? Well, late last year, in 2020, researchers from Bitdefender uncovered an espionage campaign against several military organizations in Southeast Asia by an APT group called Naikon. Naikon is a Chinese APT threat actor, which has been active for more than 10 years already. Naikon used several tools in the campaign, and one of them was a malware, an executable file and a DLL file that the researchers named Nebulae, which I personally think is a beautiful name for what is, sadly, a pretty nasty piece of software. It allows the attackers to gather information about the infected machines, delete files and directories, and download and upload files from a command and control server. So in a few more minutes, Assaf will mention two more names, Iron Tiger and OWA backdoor. So let’s go over these two briefly. Iron Tiger is another group of Chinese hackers, also known as LuckyMouse and APT-27. That group is responsible for a recent attack against several Western corporations, which resulted in massive amounts of stolen information, including email dumps, intellectual property, strategic planning documents and more. OWA, spelled O-W-A, is the Outlook web application mail server. The OWA backdoor is an advanced malware that can infect such servers and allow attackers to steal email passwords and similar information.

[Assaf] In both cluster A and cluster B, we saw a lot of reconnaissance activity. They really tried to map out the network, gain access to high profile targets and high profile assets, like major servers. They took over the domain admin, so basically they gained control over the network. And the last cluster, which we called a mini cluster, was identified mostly by a very rare OWA backdoor. At first we thought it was a brand new thing, but once we dived into the code of the backdoor, we saw great similarities to a backdoor that was identified back in 2017, I think in Operation Iron Tiger, which was attributed to APT-27, also a Chinese threat actor. By the way, the Naikon APT threat actor was attributed by different security firms to the PLA, to the Chinese People’s Liberation Army. They have a cyber division there. All three clusters are somehow linked to Chinese threat actors. This very rare OWA backdoor is pretty interesting because it sits almost like a leech on a Microsoft Exchange server and IIS servers, so anyone who tries to log in to their Outlook within the attacked company, any employee, it will record their credentials and other data there and send it back to the attackers, meaning that the attackers could have the credentials of anyone working for that telco. Another interesting thing is that we were, again, lucky and found forensic evidence that the earliest signs of intrusion, I guess, date back to 2017. They’ve been operating since 2017 all the way through 2021 pretty much uninterrupted, which is pretty cool.

[Nate] How is it that they and SoftCell stayed undetected for so long? What stealth tactics did they use?

[Assaf] That’s a very good question because in most major companies, especially big companies such as telcos, you have antiviruses and firewalls and different security measures in place. Sometimes I myself am baffled that something like that has been under the radar for so long. But then again, when you look at the techniques that they used, when you look at the tools that they used, a lot of them used, let’s say, techniques like LOLBins, living-off-the-land binaries; they had custom tools that had a very low detection rate or even none on VirusTotal. So they knew exactly how to evade certain, let’s say, traditional security mechanisms. They also employed in certain cases anti-forensics techniques to really thwart detection and investigation efforts. What else? I mentioned that it was a cat-and-mouse game. We blocked them and then they came back. So we saw that they would repackage or retool their tools in a way that would also bypass certain, let’s say, traditional security products, but would also circumvent behavioral-based solutions such as ours. So it was very interesting and very challenging, but also fun in a way from our perspective to play this game of who will outsmart whom.

[Nate] OK, so we have three clusters concentrated in a telco network. Now in your documentation, as you mentioned, you have all these kinds of scenarios for what may be going on here. Can you sort of draw us through it? What are all of these entities doing and why are they so close to one another?

[Assaf] The honest answer is that we don’t know. We don’t know. We can only hypothesize why they are found together. So as I mentioned before, it could be that they are all working somehow in tandem, working together to achieve a certain goal. It could be that they are, let’s say, aware of each other, but each team, let’s say, works independently and they have their own missions and different goals. And it could be that they work separately, completely separately. And whether they are aware or unaware of each other, that’s a good question. But we do know that at least from an attribution perspective, the three clusters seem distinct. They don’t look the same, right? I mean, we know that they’re all somehow linked to China or Chinese threat groups. But the truth is, we actually don’t know how and if they’re interconnected or not. In our documentation, in our blog, we actually raise this question. We provide, as I mentioned, different plausible scenarios. But we also send a message of, I guess, hope or, I mean, we’re hoping that over time, and as more researchers and security companies look into that attack, we’ll get more answers. Attribution is something that has to be always reassessed and reevaluated over time because what we know today and what we know, let’s say, in a month’s time or in a year’s time can change the picture. So we try to be accurate and stick to the facts. And wherever we hypothesize, we mention, okay, this is a hypothesis, we don’t know. And hopefully, maybe in the near foreseeable future, there’ll be more clarity around the connections between those groups. We also, in our attribution part of the blog, we also draw a very interesting connection to another Chinese APT group called APT-41. Some refer to it as Winnti. So again, kind of like all signs point in the direction of Chinese threat actors’ involvement. But sometimes the connection between them can be a bit tricky to pin down.

[Nate] One thing you mentioned earlier that I want to get to is why these attackers are going after telcos in the first place because, and you’ll correct me if I’m wrong, my assumption is that it’s not the telecommunications companies themselves that are so important to these foreign entities. It is rather that through the telcos, they could hack or learn information about any number of other entities that are communicating over these lines, right? It’s part of this pattern of supply chain attacks, SolarWinds, MS Exchange, and so on. So what do we know about what these attackers want, what data they’re going after, what they’re looking for?

[Assaf] Once you hack a telco and you’re able to access information about the telco’s subscribers, you can get a lot of information about potential targets. So, I mean, it can potentially affect millions and millions of subscribers, but like realistically speaking, a cyber espionage program usually targets, let’s say, a few dozen or a few hundred only in a certain country, yeah, maybe a thousand, it really depends on the mission, right? So we know that the attackers tried to gain access to servers that contain CDR data, but there could have been other things that they were after. For instance, knowing, you know, where certain cell towers are deployed or knowing the topology of a certain telecommunication network is also essential when you have a cyber espionage program, to get, you know, more sources and stuff like that. So there could be other motivations for the attack, but the premise or like the current assessment that we have is that mainly they were after cyber espionage. There are other plausible scenarios where, let’s say in a state of war or if they want to somehow affect different events, I don’t know, like elections or stuff like that happening in a given country, let’s say if they own the network, they can potentially shut down or cause outages of service. So I’m not saying that this is what happened or that was their goal, but I’m saying that it is another plausible scenario.

[Nate] And maybe it seems obvious, but just to state it anyway, what can an attacker learn from the data that telecommunications companies have about you?

[Assaf] Oh, yeah, you can build an entire profile about a person. So if you know where a person is located, every part of the day, you can build a profile and you can say, OK, this is the target’s office. This is probably the target’s home. This is where they met. We know that, for instance, let’s say a target is supposed to meet with, I don’t know, like a journalist or something like that at a certain time. But you don’t know where. So, I mean, you can do a lot of profiling. You can see who they contacted. OK, when did they send a text? When did they call someone, who was on the other side? I mean, you can get creative with it, but basically you can really profile your targets quite well.

[Nate] And one more maybe obvious thing, but I think it’s important, you know, when we talk about major telcos, Chinese government, U.S. government, it can all feel a bit separated. You know, most of our listeners aren’t involved with these giant entities. So why should people out there care in particular about this story?

[Assaf] I think it’s very troubling to know that governments, I mean, this time it’s China. But I mean, I’m not naive. I guess every major power and every major country with strong cyber capabilities is performing cyber espionage worldwide, whether it’s the U.S., whether it’s the European countries, Asian countries. I mean, so I don’t think China is like the only country that hacks telcos. And today it can happen to this telco in this region, and tomorrow it can happen to another telco in a different region or maybe perhaps a different industry. But I think, for cybersecurity practitioners, it’s important to learn, first of all, really study our reports, our blogs and other stuff that is available out there online, understand the modus operandi and understand the techniques, because today it could be telcos, but tomorrow it could be pharmaceuticals or it could be energy companies or it could be something else, governments. So if you understand how a certain threat actor works, you understand, you know, how to detect their tools. It can really benefit others.

[Nate] Yeah. Although my thought in all of this is that if SoftCell and Cluster C got to stick around this particular telecom network for all the time that they did, what other communications networks are currently compromised that we just don’t know about yet?

[Assaf] Exactly. So and for that reason, I mean, let’s say for every blog that we publish there are a lot of other investigations that we don’t publish for different reasons, legal reasons, privacy and so on. But when we choose to publish a blog, it is mostly because we want to alert the public or the cybersecurity or the InfoSec community, because we want to make our insights actionable and we provide IOCs and a lot of behavioral indicators. So if any of our listeners is working for a telco, for instance, but not just telcos, but if they are working for telcos in particular, I would strongly advise them to really study the report and try to take the IOCs, but most of all the behavioral indicators, and to start proactively hunting for similar behaviors and similar attack patterns, because as we said, these guys are very stealthy. They know how to run long operations and they’ve done it quite successfully over the years, as we know. So I think that this type of report or blog is gold for security practitioners.

[Nate] And that leads right into my last question, which is how can telcos protect themselves against these kinds of attacks? But also important, how can companies and individuals protect themselves against attacks against telcos that they don’t have any control over?

[Assaf] First of all, I think it starts with having a good security posture. And we always say that security comes in layers. There are different layers of defense. You want to have layered security. So you want to make sure that your external perimeter, your internal perimeter are covered by different products, because there’s not a single security product that will stop an attack completely or will detect everything. So the world is moving towards an XDR type of, like, a more holistic, more wholesome view of security. So you want to be able to correlate network information with endpoint information and so on. You want to have security solutions that are maybe not so much outdated, that have machine learning algorithms there. Because it’s very easy, I mean, to bypass traditional antiviruses. Back in my hacking days, sorry, penetration testing days, I was never a criminal. Back in my penetration testing days, it didn’t take me that much to bypass most antiviruses. And I’m not the world’s greatest hacker. So let alone a nation state that has all the resources and time and brilliant minds there. So you want to make sure that you have the right visibility, the right tools that can not only see the attacks, but also block them.
But most of all, I think, and I cannot stress this enough, I think you really have to take it from a purely defensive or reactive state of mind towards a proactive state of mind. And I know this is a buzzword and people are saying it all the time, be proactive. But I really mean it because this is how you eventually find gold, the real covert attacks. If you just wait for an alert to pop, yeah, you know, there’s a good chance you will find stuff. But if your team, you and your team, are proactively looking for known threats that can target your industry or your region, this is where you usually find the more sexy or like more covert stuff. And so this is why, you know, teams like blue teams need to work together with research teams and a threat intelligence team to understand the threat landscape that is relevant to their company, to their industry, to their region.
So know thy enemy, right? So you need to know who’s out there, and do a lot of threat modeling, for instance. And of course, always try to, I personally commission red teams and penetration tests at least once or twice a year, because, you know, when you try to defend a large perimeter such as a telco or like any other big company, there are so many ways of, you know, getting in and the attackers only need one successful entry point. So you want to be able to cover all those topics, I guess. But I think the number one is really be proactive, know the threats, understand how they work, understand the tools and make sure that all of those insights are translated into actionable intelligence, that you have the IOCs, that you have good hunting queries, YARA rules, and so on.

[Nate] All right. Thank you, Assaf.

[Assaf] That was fun. Thank you for having me.