Why Do APTs Use Ransomware? [ML B-Side]

Assaf Dahan, Head of Threat Research with the Cybereason Nocturnus Team, discusses new discoveries about Iranian APTs Moses Staff and Phosphorus that blur the line between state-sponsored attacks and criminal activity.

Hosted By

Ran Levi

Exec. Editor @ PI Media

Born in Israel in 1975, Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, created the popular Israeli podcast, Making History, with over 14 million downloads as of Oct. 2019.
Author of 3 books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.

Special Guest

Assaf Dahan

Sr. Director, Head of Threat Research at Cybereason

Cyber security expert, with over 15 years of experience in the InfoSec industry - Military and civilian background.

Episode Transcript:

Transcription edited by Dick Curits

[Ran] Hi and welcome to Cybereason’s Malicious Life B-Sides. I’m Ran Levi.

Earlier this month, February 2022, Cybereason’s Nocturnist team, a group specializing in the analysis and reverse engineering of new attack vectors and malware tools, released two new and interesting reports about two Iranian hacker groups, Moses Staff and Phosphorus. These two nation-sponsored actors, in particular Moses Staff, blur the line between criminal hacker gangs and APT by using a variety of criminal techniques and open-source tools. Why would an APT try to masquerade itself as a criminal entity?

One obvious reason is to make things more difficult for the investigators of their attacks. But as Assaf Dahan notes in the following conversation with Nate Nelson, there are other reasons, some practical and some geopolitical. So what is the dividing line between state-sponsored attacks and criminal activity? Why would an APT attacker use ransomware? Assaf Dahan gives us a glimpse into the mind of an APT actor.

Both reports about Phosphorus and Moses Staff are available at Cybereason’s blog at cybereason.com/blog. Enjoy the interview.


[Nate] Assaf, I imagine that most people think of cybercrime and nation-state attacks as distinct phenomena, but increasingly they’re not. At what point in history did that line start to blur?

[Assaf] Yeah, that’s a very good observation. I think while it’s not a completely new phenomena, we definitely see an increase in where those lines get blurred. Over the years, we’ve seen that different groups, especially like nation-state groups, kind of like dabbling in what it seems like cybercrime, or at least, you know, at a first glance, right? So some of those operations can look criminal in nature or hacktivist, but when you kind of like scrape the surface, you understand that they’re politically motivated.

So we have like examples like the North Koreans with the Sony picture attack from 2014, where they hacked Sony because they were, I guess, not very happy about one of the films that were portraying North Korea or the leader of North Korea in a certain light. And we all remember WannaCry, which was one of the largest ransomware attacks in history. And following this, they had also, I believe it was like in 2016 with the North Koreans, for example. So they had like the Bangladeshi Bank money heist where they stole like 80 million dollars. And even recently, we saw cryptocurrencies exchanges getting hacked and kind of like robbed by the North Koreans. I think they stole 400 million dollars this year, only in 2021.

[Nate] And other nations besides the DPRK do the same?

[Assaf] This is, I guess, this is more marginal. What we more often see is nations that will feign cybercriminal activity to kind of like hide the true motivations. We’ve seen it with the Russians carrying out NotPetya and Bad Rabbit. So they kind of like camouflaged sophisticated wipers under the guise of ransomware. And we saw this how it played out.

And it’s kind of funny how history has a tendency to repeat itself, because in the last round or a couple of rounds ago, there was like the Ukrainian and Russian conflict. And you saw how those dangerous wipers were used to shut down a lot of the Ukrainian government and a lot of Ukrainian targets back then. And it’s interesting that we see it happening again and again. And these groups joining those that list of nations, we see the Iranians or some of the Iranian groups shifted from, let’s say, more clandestine espionage operations. And now some of those groups, they’re conducting louder operations.

[Nate] If I understand correctly, then the theme is that, you know, ransomware groups are using APT like tactics to penetrate networks for multimillion dollar paydays. And nation state sponsored APTs are using cybercriminal tools like ransomware to distract and disrupt and thwart investigations.

[Assaf] Yes. So, again, this is a very good example of how those lines get blurred. I think traditionally when we think about cyber criminals, for instance, like the trends that we’ve been observing, they usually kind of look up to nation states and kind of like adopt or mimic some of the exploits or the techniques that they’re using, the modus operandi. What we’ve seen in recent years is actually kind of like an inverted situation where we see nation state trying to copycat or mimic cyber criminal behavior to camouflage, let’s say, espionage or destructive type of attacks.

And again, these lines get blurred all the time. We see, for instance, cyber criminals, they use more exploits and supply chain attacks, something that was especially supply chain attacks were predominantly done more by nation states. And we saw REvil doing it last year with the Kaseya ransomware supply chain. So we can definitely see borrowing like mutual borrowing from each other. And they could definitely think they’re very alert. They see what works and then they use it in their operations, basically.

[Nate] And that’s exactly what our story is about today. Nation state operations that employ some cybercrime TTPs. Assaf, could you tell me how it all begins, how you first became interested in your investigations?

[Assaf] We’ve been tracking different Iranian groups over the past couple of years, and specifically in 2021, we saw this interesting uptick and attacks originating from Iran or carried out by different APT groups. And we saw this shift in this modus operandi, as I mentioned before.
Historically, the attacks were largely more clandestine, focusing on espionage. There were some also some destructive attacks, but they didn’t really masquerade as ransomware attacks. And what we’re seeing more and more, we’re seeing groups that hack different targets all over the world.

We see it happening in the US, in Israel, Europe, the Gulf countries, usually countries where that they have some geopolitical conflict with the Iranian regime. And what we see is very interesting modus operandi where they kind of like hack those companies. They steal a lot of data.
So there’s definitely like an espionage aspect to it. And then once they’re done taking what they can, they basically deploy a ransomware or what they’d like us to think is a ransomware. But it’s interesting that they don’t really ask for money in many of those cases. And in some cases, they do ask for money. But these are like negligible fees. Like, I don’t know, we’ve seen something like seven thousand dollars, eight thousand dollars, as opposed to millions where like in a normal cyber criminal attack where the payouts are very high.

[Nate] Then what’s the point of it?

[Assaf] According to our research and our assessments, these ransomware, they serve multiple purposes. One, of course, is to confuse us a little bit, especially investigators or the companies that were actually organizations that were hit to think that there might be some sort of a criminal activity involved. So this is kind of to get us sidetracked.

The second thing is, of course, to cause disruption or even destruction. So if you cause damage or it can affect business continuity, it can hurt the business or the organization. And there is also, I guess, a psychological aspect to it, like disseminating fear or cause humiliation, like to humiliate the companies or the organizations that were hacked, because they’re not only encrypting things, they also leak it.

OK, so it’s to show that these organizations, it could be, you know, defense contractors, research institutes, I don’t know, different companies and kind of embarrass them with the leaked data. And of course, the last thing that ransomware serve is a way to cover their tracks, because once you encrypt a computer or a server, it’s very hard to follow the tracks and kind of like understand what went on there.

[Nate] I see. Although I can imagine them achieving the same effect using methods that are more conventional to state-sponsored actors.

[Assaf] It’s interesting because it allows them by, you know, feigning ransomware or cyber criminal activity. It creates a room for, you know, plausible deniability. It lets them to distance themselves maybe from the attack because it’s maybe harder to attribute it. And I think most of all, it helps them to maintain a certain status quo. Because if you’re going to launch, you know, a large scale attack against a country, let’s say you want to shut down their power grid or something like, you know, of that magnitude, this is like a blunt act of war and the retaliation might be very severe.

But as long as these operations are kept kind of like small, they’re more of a nuisance, if anything. I mean, they do cause a lot of damages, but it’s not like a country would go to war over such acts. So I think it creates that space of, if you will, guerrilla war rather than like a fully fledged cyber warfare or cyber war.

[Nate] And what have we been able to deduce about the attackers themselves?

[Assaf] Our research discusses two groups. One is the Phosphorus group, also known as APT 35. They’ve been active for many years.
I mean, like they’ve been active since I think at least 2014. They’ve been involved in a lot of cyber espionage operations, but also some more offensive operations. We saw them meddling or trying to meddle with the 2020 election campaign. So they’ve been quite active and since 2014, ever evolving, always showing great adaptiveness and creating new tools and new techniques. So they’ve been quite industrious over the years.

And the other group, which is called Moses Staff, this is a new group that I think first emerged in September or October of last year, like 2021. And they’re quite different from Phosphorus. Their modus operandi seems a bit more erratic, a little bit. They seem slightly less organized.
I think it’s also something that they kind of want to show the world that they’re more of like political hacktivists rather than, you know, like an organized group. Right.

But our indications or assessments that both groups are are backed and sponsored by the Iranian regime. With Moses Staff, they really follow kind of like the ransomware with the double extortion methodology. They even have like their own website where they publish which victims they attacked. And maybe they also leak certain documents as a proof of concept that they, you know, that they were actually there.
And they’re quite vocal about their goals. They’re saying that they’re political hacktivists and all that.

[Nate] Now, could you dive deeper with me into these groups as tools and their methods of operation?

[Assaf] So with the Phosphorus group, we found very interesting backdoor written in PowerShell called the PowerLess backdoor.
And again, it has like four level of encryption. You can see that the attackers are kind of like went out of their way to keep the code safe, like keep the code from prying eyes or from being detected. And using this backdoor, it gives them both foothold in the network and they can also run reconnaissance, collect data, exfiltrate data.

[Nate] And Moses Staff?

[Assaf] With regards to Moses Staff, we found the StrifeWater RAT, which was a very interesting missing link because with Moses Staff, it was quite clear how they get in and they collect a lot of data and then they we knew they ran somewhere. But there was a bit of like a missing link of how do they create persistence or how do they run their reconnaissance commands? How do they get information or how they collect information about their victims? And StrifeWater was that missing link that we found.

[Nate] With all that being said, what in your view separates these groups from other nation state APTs that we’re already familiar with?

[Assaf] I think what’s interesting about these two groups, and maybe they’re not very different from other nation state or even cyber criminal groups operating, but we see them kind of like riding this wave of mass exploitation of vulnerabilities. This is something that we’ve identified as the number one infection vector when we see attacks from these groups. So they would exploit various vulnerabilities, mostly Microsoft Exchange server vulnerabilities.

We’ve seen them also incorporating Log4j or Log4Shell vulnerabilities and a lot of VPN clients vulnerabilities. These three are like the top infection vectors that we’ve identified for these groups. And what I’m trying to say, they’re not using sophisticated zero days most of the time.
It’s recent or sometimes even old vulnerabilities that eventually get them in.

[Nate] Lastly, what kind of damage have these groups been able to cause already?

[Assaf] We know of organizations and companies worldwide that have been hit by these Iranian groups. And the damages, I mean, they can vary. With some companies, we saw like a real disruption to the business. But aside from that, there’s also the reputational damage.
Let’s say if they hack an insurance company or if they hack a government office.

So aside from knowing that they might have stolen very sensitive information about people or technologies or whatever they’re after,
there’s also a damage to the reputation of that company. And by proxy or by association, that nation, because again, the attacks are politically motivated. So, for instance, if Moses Staff claimed that they hacked, I don’t know, Israeli intelligence or Israeli cybersecurity companies, it kind of, of course, embarrasses the companies, but it also kind of like embarrasses maybe Israel or the U.S. or like whatever country that they have attacked.

[Nate] Asaf, what would you hope that listeners take away from this episode?

[Assaf] Please patch your systems. I know that it might sound very trivial, but again, 95 percent of the attacks that we are aware of or that we analyzed when it comes to these Iranian threat actors and fake ransomware originated from unpatched systems. We’re talking about Microsoft Exchange server vulnerabilities, Log4j and a lot of VPN clients that are not up to date. So that would be a good start.

And I think if you look at our research, it really underlines the importance of detecting the attacks in their early phases. So not just the infection vector, but their first steps, because usually what they do, they would create foothold. They would run reconnaissance. They would try to move laterally. And even if you have a technology that can stop ransomware or stop the encryption for happening, that’s a little bit too late because they already stole the data. The ransomware is just, you know, the cherry on the top of the cake there. But most of the data is already gone and the damage is done. So you want to make sure that you’re able not just to block ransomware.That’s great. That will prevent a  lot of damage. But some of the damage is actually caused by the stealing of the data. So if you’re able to nip those attacks in the bud and detect and prevent them early on, I think that’s a key message for defenders.