Analyzing Advanced Cyber threats — Part 1

The Dark Lord
16 min readFeb 26, 2024

Overview:

In a 3-part series, let’s try to understand some of the most powerful, albeit not that commonly observed, actors in cyberspace. We will start off by understanding what nation-state actors are, what sets them apart, what can be done to improve the threat profiling and threat hunting process, and the common tools that can be leveraged for the same.

(Image source: Spiceworks)

Understanding Nation State Actors

Analyzing threat actors and adversaries and building threat profiles is key to improving cybersecurity posture and ensuring that we are not stuck in a reactive state of cyber defense. Understanding adversary goals, behaviors and techniques helps us direct key resources to protect the most critical assets the adversary will target, and ensures a prompt response. This blog is a stepping stone and guide to getting started in understanding advanced adversaries, i.e. nation-state actors.

According to Microsoft’s Cyber Defense report of 2022, nation-state attacks are on a sharp rise. While nation-state attacks are few, once an organization is targeted and breached they can cause the most damage (impact) to the organization. Risk is usually represented as the product of the magnitude of impact and the likelihood of occurrence; in the case of nation-state actors, the likelihood depends on how lucrative the target is to the actor, but the magnitude is extremely high. Nation-state actors have been observed to target organizations from casinos, hospitals and banks to universities, so it would be wise to have an understanding of these actors and to have a mitigation, prevention and detection plan in place.

This blog is nowhere near exhaustive, but serves more as a cursory guide to getting started in understanding nation-state actors and espionage. I have split this blog into several parts covering the analysis and threat modelling of advanced cyber threats. In the first part, I briefly iterate over some of the past nation-state attacks and provide supplementing links. In the 2nd part, I provide some useful tools for getting started in threat hunting, best practices when dealing with such threats, and some useful reading resources.

What sets a nation state actor apart?

  • Resources: Vast resources, time and infrastructure to pull off seemingly impossible attacks, including but not limited to bypassing or circumventing PKI and HTTPS, exploiting fully patched systems with zero-days, and compromising air-gapped networks. They have enough money and connections to pay people and turn them into intentional insiders.
  • Patience: Patience to learn behaviors and persist in the network before acting on objectives.
  • Deception: Nation-state actors spend a lot of resources on misdirection so that investigators are not able to trace the attack back to them. This ranges from placing code samples from other nation-state actors to placing language strings related to other actors in files, making attribution difficult at best and extremely tedious at worst.
  • Precision: Nation-state actors are known to customize their malware and exploits to the target after spending time in the target network and understanding its policies and procedures, which helps them avoid detection and execute actions on objectives without failures.
  • Resilience: Continuous attempts until success, using more advanced techniques and more resources in subsequent attempts.
  • Averse to deterrence controls: Nation-state actors usually operate unethically and without fear of criminal prosecution. Often they disguise themselves under different monikers to brush off claims of ties to a nation state and dodge sanctions. The greatest risk to nation-state actors is attribution and detection, as once detected they have to change their infrastructure and techniques to succeed again.

Most powerful nation state actors active today

  • United States (NSA/CIA)
  • Israel (Mossad/Unit 8200)
  • China (People’s Liberation Army — PLA)
  • Russia (SVR)
  • Iran (IRGC/ICA/Aashiyane/MABNA)
  • North Korea (Unit 121/Lazarus Group)

Nation-State backed Cyber attacks

While most attacks probably go undetected and are not attributed with a hundred percent certainty, these are some of the interesting cyber attacks by nation states that caught the public’s attention. I have attached some resources and news articles for the ones I kept tabs on. Understanding how an adversary acts, the research they do, and the nature of their delivery methods and techniques is critical for protecting against these deceptive, persistent and highly sophisticated actors.

Russia

Russia operates one of the most advanced offensive cyber programs and has a long history of cyberattacks against what it considers the supporters of Western imperialism and the United States, going back as far as the 1980s. (PS: Currently, I am reading the book “The Cuckoo’s Egg”, aka the story of the world’s first honeypot, and recommend it to anyone who is interested in learning or reading about codebreaking and espionage.)

  • REvil/Sodinokibi/EvilCorp/DarkSide: A highly skilled set of cyberattackers who were long suspected to be backed by the Russian government until their arrest in 2022. They have used several monikers like EvilCorp and DarkSide; these could be offshoots or branches, but the ransomware code has been found to bear similarities across these cybercrime actors.
  • Ryuk: Ransomware attributed to the adversary group Wizard Spider (also the group behind TrickBot and the notorious banking trojan Emotet), which mostly targeted government and healthcare organizations around 2018. It is suspected that the organization behind these operates out of both Ukraine and Russia.
  • Colonial Pipeline attack: DarkSide was behind the infamous Colonial Pipeline attack in 2021, a cyber attack that forced the President to declare an emergency. DarkSide has been found to have close ties with the ransomware group REvil.
  • Moonlight Maze, 1999: Probably the earliest publicly acknowledged nation-state espionage attack by Russia against the United States, targeting the DoD and Brookhaven National Laboratory with the purpose of stealing classified information pertaining to defensive technologies for the detection and mitigation of ICBMs. Research into this cyber espionage indicated that it wasn’t an isolated incident but part of an operation orchestrated for the long term and designed to steal sensitive data from the US. In January 1999, in response to the first detection of this attack on Brookhaven National Lab, the DoD set up a honeypot and then correlated the activity to IPs associated with the Russian Academy of Sciences. The threat actor Turla, infamous for the Agent.BTZ computer virus, was found to use the same rare Linux backdoor code samples.
  • https://www.industrialcybersecuritypulse.com/facilities/throwback-attack-russia-launches-its-first-cyberattack-on-the-u-s-with-moonlight-maze/
  • https://www.secureworld.io/industry-news/moonlight-maze-lives-on-researchers-find-link-to-current-apt
  • Estonia conflict, 2007: Russian-backed actors used a botnet (a largely unheard-of technique at that time) to attack Estonia’s financial institutions in protest against the prohibition of displaying monuments that glorified the Soviet Union.
  • Russia-Georgia war, 2008: DDoS attacks against Georgia’s financial institutions and media companies carried out by Russia. Turkish and Ukrainian infrastructure was also targeted.
  • Ukraine election hack, 2014: “CyberBerkut”, a ‘pro-Russian’ hacktivist group claiming to be based out of Ukraine, ran a disinformation campaign on social media and DDoS attacks against cellular networks and NATO websites in favor of the pro-Russian Ukrainian presidential candidate Viktor Yanukovych. They were also stated to have compromised election committee servers and wiped out all internal data (which the group denied). CyberBerkut was later identified as having Russian ties and being a branch of the Russian intelligence agency, and would reappear in the attack on the DNC. Though this attempt was foiled by the admins removing the malware before it could execute, its success could have forced the election to be forfeited and hemorrhaged public trust in election integrity.
  • https://www.wsj.com/articles/ukraine-cyberwars-hottest-front-1447121671
  • https://www.csmonitor.com/World/Passcode/2014/0617/Ukraine-election-narrowly-avoided-wanton-destruction-from-hackers
  • https://www.kyivpost.com/post/7672
  • Red October: Termed the Swiss Army knife of malware due to the versatility of attack vectors it could deploy and systems it could exploit, it is one of the most advanced cyberespionage campaigns, designed to target diplomatic, government and scientific organizations in former members of the Soviet Union (USSR). This malware was designed with varied modules for recon, exploitation, USB exfiltration, email exfiltration, persistence, keylogging and credential theft, and was highly adaptable. The malware would store data when it was unable to exfiltrate, and had a vast C2 infrastructure.
  • https://www.industrialcybersecuritypulse.com/threats-vulnerabilities/throwback-attack-red-october-is-the-swiss-army-knife-of-malware/
  • US election (DNC Guccifer hack), 2016: The group behind the propaganda campaigns on social media in the 2016 U.S. election was earlier detected in the Ukrainian election hack of 2014. This also brought to light the massive Cambridge Analytica data scandal, a firm which conducted business talks with the Trump campaign. In addition to this, Hillary Clinton’s campaign manager John Podesta fell victim to a phishing campaign: despite checking it with the IT team, Podesta clicked on the malicious link, compromising his laptop. The actor behind it, claiming to be “Guccifer”, initially disputed claims of being associated with Russia, and said they were Romanian and an independent actor. In the end, however, analysis of the malware and tactics used, and facts unearthed in an audio interview, made it clear that the actor’s claims of being Romanian were false and that they were backed by a nation state. The actor posted their findings on a website called “dcleaks.com”, which was later taken down and can now be found on the Wayback Machine.
  • https://www.theguardian.com/news/2018/may/06/cambridge-analytica-how-turn-clicks-into-votes-christopher-wylie
  • Wayback Machine DcLeaks
  • https://www.washingtonpost.com/technology/2018/07/16/twitter-suspends-guccifer-dcleaks-after-mueller-links-them-russian-hacking-operation/
  • French presidential election, 2017: Alleged Russian interference attempt in the French presidential election of 2017. The current president, then a candidate, was targeted with a phishing email disguised as coming from the campaign’s media and press head. A Russian attacker, Anatoliy Kovalev, was identified as the one behind the attacks, and was supposedly part of Russia’s GRU agency. A lot of fabricated data was leaked along with actual data to hamper his chances of winning the election. This, along with the DNC election hack in 2016 and the Ukrainian election attacks, provided key insights into understanding the Russian election hacking model.
  • https://www.pbs.org/newshour/world/macron-data-leaked-french-election
  • https://www.theguardian.com/world/2017/may/06/emmanuel-macron-targeted-by-hackers-on-eve-of-french-election

North Korea

North Korea is a patient and dangerous cyber attacker, notorious for attacks on financial institutions, banks, news media and government institutions, especially targeting those in weaker economies. Until 2011, the nation had barely any connection to or investment in cyber attacks. North Korea’s current leader, Kim Jong Un, spent considerable time studying computer science and likely realized the importance of cyberwarfare. Due to the economic sanctions placed on the country, the nation-state attacker targets financial institutions to launder money ranging in the billions of dollars. The complicated North Korean financial threat model deserves a blog of its own. Most of North Korea’s cyber operations fall under Division 121, which is an extension of the Reconnaissance General Bureau and operates out of China.

Iran

Iran has spent a considerable amount of time and effort developing infrastructure for cyberwarfare, which it uses to attack governments and institutions it views as conflicting with its Islamic doctrine. It has also used this infrastructure to spy on its own citizens who are critical of the regime. Iran has banned VPNs, social media and encrypted messaging applications. The ICA (Iranian Cyber Army) has targeted organizations and individuals it believed to oppose Iran since 2009. The Iranian hacker group “Aashiyane” is believed to be linked with the ICA, with several pieces of corroborating evidence such as the similarity of the defacement messages the two groups have used. Iran was always believed to be a novice in terms of impact and sophistication compared to other nation states such as the US and Russia. However, this changed in early 2011.

China

The Chinese government, under the direction and vision of Ye Jianying (founder of the PLA), established and developed programs for cyberwarfare as early as the 1970s. In 1979, the PLA Electronic Engineering College was established, which trained people in bypassing and blocking radar communication. This made China one of the first nations to invest in and develop cyberwarfare capabilities. Motivated by intellectual property theft, China has been growing its cyberwarfare capabilities and engaging in espionage since the early 2000s.

  • Titan Rain: In 2003, the nation-state actor began an advanced espionage attack against the US DoD. An analyst at Sandia National Laboratories, Shawn Carpenter, noticed suspicious activity. Shawn identified the attack as an espionage attempt to steal classified military documents, specifically aerospace-related information such as fighter jet design and capabilities. The investigation led Shawn to conclude that the attack had originated from China, with the intent of using the stolen information to build similar jets. The years of effort the US had spent developing these were now in the hands of the Chinese nation state, allowing them to replicate the work through a successful cyber espionage campaign.
  • https://www.cfr.org/cyber-operations/titan-rain
  • https://www.youtube.com/watch?v=_atXkztpz6s
  • Hidden Lynx: Between 2011 and 2012, Hidden Lynx targeted organizations associated with the US DoD, which received substantial media visibility. An endpoint protection firm, Bit9, was also targeted, and Hidden Lynx managed to steal digital certificates and learn about the network and environment via a phishing attack vector. Instead of a blacklist based on malware signatures, Bit9 uses whitelisting to allow files and applications on the system; with the certificates now compromised, the attackers could whitelist any file of their choosing. Hidden Lynx was also responsible for another espionage attack termed VOHO, in which they used the watering-hole technique, i.e. strategically placing malware or malvertising on, or taking over, legitimate websites that would draw visitors from the target, and subsequently placing backdoors on the visitors’ endpoints.
  • https://www.darkreading.com/cyberattacks-data-breaches/chinese-hidden-lynx-hackers-launch-widespread-apt-attacks
  • https://arstechnica.com/information-technology/2013/09/meet-hidden-lynx-the-most-elite-hacker-crew-youve-never-heard-of/
  • Black Vine Anthem hack, 2015: The January of 2014 brought some troubling news to a system administrator working for Anthem, one of the largest health insurance providers: he discovered that someone had access to his account and had used it to aggregate and exfiltrate sensitive customer data classified as PII (Personally Identifiable Information) belonging to millions of customers. Trend Micro and Symantec coined the term Black Vine for the attackers behind this attack, attributing the origin to Southeast Asia. Initially it was thought to be a financially motivated attack, but it was soon revealed that the attack’s true motives were more aligned with those of cyber espionage. Anthem provided healthcare benefits to US federal employees and background checks relating to security clearances for US citizens. By correlating the data from these two sources (healthcare and security clearance), the attackers were able to collate a list of individuals they believed to be CIA operatives. Anthem is one more victim to add to the list of nation-state targets that aren’t government or defense related.
  • https://www.zdnet.com/google-amp/article/black-vine-anthem-hackers-share-zero-days-with-rival-cyberattackers/
  • https://arstechnica.com/information-technology/2015/07/group-that-hacked-anthem-shared-weaponized-0-days-with-rival-attackers/
  • https://www.csoonline.com/article/552275/symantec-wellheeled-hacking-group-black-vine-behind-anthem-breach.html
  • APT1 / Unit 61398: A unit within the PLA which was discovered by Mandiant, a private company, as part of its research, in which it highlighted an espionage operation by China spanning years. The report outed the different malware tools and techniques used by this unit. This was a novel level of research, previously only done by government- and state-funded operations. In addition, Mandiant was able to provide satellite photos of the building the attackers worked out of. Once security vendors began implementing defenses based on the findings of the report, the nation-state threat actor termed APT1 had to cease operations based on the findings of a private firm, in one of the first events of its kind. The US DoJ issued indictments against the PLA operators involved in the espionage operations.
  • https://www.mandiant.com/resources/reports/apt1-exposing-one-chinas-cyber-espionage-units
  • https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-275a

United States

Out of all the nation-state actors, the US has been the most successful in avoiding the public limelight and attention. This changed in 2013 with the Snowden leaks, and subsequently in 2015 when the US declassified and released documents providing insight into US espionage operations.

  • Equation Group: Kaspersky’s GReAT (Global Research and Analysis Team) published a paper in 2015 titled “The Equation Group”, the name they used to refer to a nation-state espionage group. The group had been around since early 2001 and had ties to the NSA, supported by NSA codewords found in the malware produced by the Equation Group. This group was found responsible for 500 operations across 42 countries. The group is known for its surgical precision and attention to detail, and is notable for exploiting critical operating-system and firewall flaws. Besides WannaCry, EternalBlue and DoublePulsar, this group was found to be behind the Stuxnet malware/worm, which is discussed next.
  • https://www.kaspersky.com/about/press-releases/2015_equation-group-the-crown-creator-of-cyber-espionage
  • https://malpedia.caad.fkie.fraunhofer.de/actor/equation_group
  • https://www.techtarget.com/searchsecurity/blog/Security-Bytes/The-Equation-Group-malware-mystery-Kaspersky-offers-an-explanation
  • Stuxnet: The most devastating cyber attack in the modern world; the US was suspected of working with Israel to sabotage Iran’s nuclear program. The US and Israel have long opposed Iran’s efforts to become a nuclear power. Stuxnet, a devastating cyberweapon often dubbed the world’s first digital weapon, had been in development by the CIA, working closely alongside Israel. It is suspected that it was in development as early as 2004. It used 4 zero-day exploits to breach the Natanz FEP (fuel enrichment plant), the center of Iran’s nuclear program, to hamper uranium enrichment; since Iran has a relatively limited supply of uranium, this could delay its nuclear development program by years. In May of 2010, the latest version of the Stuxnet malware was deployed by an intentional insider (suspected via USB) onto the air-gapped network of Natanz. The centrifuges spun out of control, and their PLCs, which interacted with the Windows OS via software, were rebooting randomly. Stuxnet was a worm, which meant it could spread without limit using the network and infect device after device.
    The US emerged as the main suspect behind the attack after the source code was analyzed and the intent behind the attack was understood. The attack temporarily slowed Iran’s nuclear development program, and the US continued to conduct cyberattacks against Iran as late as 2019, with the attack following the incidents involving oil tankers in the Strait of Hormuz.
    The Stuxnet worm, however, didn’t stop at the Natanz nuclear facility; it eventually spread to other regions of Iran and then across the globe, and was no longer contained. Symantec discovered this and published a report, and Iran learned of it. Over the following years, every prominent scientist on Iran’s nuclear program was assassinated, including the director of the Natanz nuclear program.
  • https://www.csoonline.com/article/562691/stuxnet-explained-the-first-known-cyberweapon.html#:~:text=Stuxnet%20is%20a%20powerful%20computer,about%20its%20design%20and%20purpose.
  • https://www.youtube.com/watch?v=nd1x0csO3hU
  • https://darknetdiaries.com/episode/29/
  • https://nordvpn.com/blog/stuxnet-virus/

The Dark Lord

Computer & N/w security enthusiast, cryptography fanatic. Exploiting things in a dimly lit room.