TABLE OF CONTENTS

TABLE OF CONTENTS I

EXECUTIVE SUMMARY III

INTRODUCTION 1 GENESIS OF THE PROJECT 1 RESEARCH QUESTIONS 1 INDUSTRY SITUATION 2 METHODOLOGY 3 GENERAL COMMENTS ON INTERVIEWS 5

APT1 (CHINA) 6 SUMMARY 7 THE GROUP 7 TIMELINE 7 TYPOLOGY OF ATTACKS 9 DISCLOSURE EVENTS 9

APT10 (CHINA) 13 INTRODUCTION 14 THE GROUP 14 TIMELINE 15 TYPOLOGY OF ATTACKS 16 DISCLOSURE EVENTS 18

COBALT (CRIMINAL GROUP) 22 INTRODUCTION 23 THE GROUP 23 TIMELINE 25 TYPOLOGY OF ATTACKS 27 DISCLOSURE EVENTS 30

APT33 (IRAN) 33 INTRODUCTION 34 THE GROUP 34 TIMELINE 35 TYPOLOGY OF ATTACKS 37 DISCLOSURE EVENTS 38

APT34 (IRAN) 41 INTRODUCTION 42 THE GROUP 42

SIPA Capstone 2020 i The Impact of Information Disclosures on APT Operations TIMELINE 43 TYPOLOGY OF ATTACKS 44 DISCLOSURE EVENTS 48

APT38 (NORTH KOREA) 52 INTRODUCTION 53 THE GROUP 53 TIMELINE 55 TYPOLOGY OF ATTACKS 59 DISCLOSURE EVENTS 61

APT28 (RUSSIA) 65 INTRODUCTION 66 THE GROUP 66 TIMELINE 66 TYPOLOGY OF ATTACKS 69 DISCLOSURE EVENTS 71

APT29 (RUSSIA) 74 INTRODUCTION 75 THE GROUP 75 TIMELINE 76 TYPOLOGY OF ATTACKS 79 DISCLOSURE EVENTS 81

COMPARISON AND ANALYSIS 84 DIFFERENCES BETWEEN ACTOR RESPONSE 84 CONTRIBUTING FACTORS TO SIMILARITIES AND DIFFERENCES 86 MEASURING THE SUCCESS OF DISCLOSURES 90

IMPLICATIONS OF OUR RESEARCH 92 FOR PERSISTENT ENGAGEMENT AND FORWARD DEFENSE 92 FOR PRIVATE CYBERSECURITY VENDORS 96 FOR THE FINANCIAL SECTOR 96 ROOM FOR FURTHER RESEARCH 97

ACKNOWLEDGEMENTS 98

ABOUT THE TEAM 99

SIPA Capstone 2020 ii The Impact of Information Disclosures on APT Operations EXECUTIVE SUMMARY

This project was completed to fulfill the including the scope of the disclosure and capstone requirement for Columbia Uni- the disclosing actor. However, disclo- versity’s School of International and Pub- sures may in fact also lead cyberthreats lic Affairs. It investigates the effects of to become more resilient and creative information disclosures on the opera- because they need to retool, rebuild tions of cyber adversaries, and the impli- their infrastructure, or change their TTPs. cations of those observed effects for the The exceptions to this observation are U.S. Department of De- China’s APT1 and APT10, fense’s cyber strategy of both of whom ultimately Information disclosures persistent engagement ceased operations follow- and forward defense. may lead cyber threat ing highly public disclo- actors to become more We examined the impact sures and U.S. Department of disclosures on nine sophisticated, resilient, of Justice indictments. APT groups from five dif- and creative. Given these findings, dis- ferent contexts: closures are somewhat APT1/PLA Unit 61398 useful in achieving the objectives of per- China APT10/MenuPass Team sistent engagement by imposing costs Criminal and increasing the resiliency of networks. Cobalt Group Groups However, the level of cost imposed by APT33/Elfin disclosure events is simply not high Iran APT34/OilRig/Helix Kitten enough to significantly change the deci- North sion calculus of most adversaries con- APT38/Lazarus Group Korea ducting cyber activity. Disclosures must APT28/Fancy Bear Russia be care-fully targeted and used in com- APT29/Cozy Bear bination with other elements of power. Our research found that public disclo- Lastly, private cybersecurity vendors sures generally failed to stop cyber ac- hoping to use information disclosure of- tors’ operations or cause long-term fensively should consider the geostrate- disruption, but that they do often im- gic context in which they operate, and pose at least short-term friction. We find they should target disclosures more ef- that the disruptive effect varies signifi- fectively to counter individual groups. cantly based on a number of factors,

SIPA Capstone 2020 iii The Impact of Information Disclosures on APT Operations INTRODUCTION

GENESIS OF THE PROJECT RESEARCH QUESTIONS

The project’s original TOR states that there This report was completed in order to fulfill have been leaks of information and tools as- their Capstone graduation requirement for sociated with numerous advanced persistent the Master of Public Administration/Master threat (APT) groups in Iran. The TOR asks the of International Affairs program at Columbia capstone team to answer two questions in University’s School of International and Pub- order to provide actionable information to lic Affairs (Columbia | SIPA). Standard Chartered Bank and scholars of Ken Wolf, a 2016 graduate of Columbia | cyber conflict: SIPA and Senior Manager on Standard Char- tered Bank’s cyber threat intelligence team ¨ What is the impact of leaks and in- wrote the project’s original Terms of Refer- formation disclosures on adversary ence (TOR). In designing the TOR, he sought operations? to combine the cyber threat intelligence ¨ How can the answer to the first needs of Standard Chartered Bank and other question inform the U.S. strategy financial institutions with the research that of persistent engagement and for- scholars of cyber conflict are conducting to ward defense? understand the implications of the United We found ourselves unable to comprehen- States Department of Defense’s cyber strat- sively respond to the TOR without expand- egy of persistent engagement and forward ing its scope. In order to fully address both defense. questions posed, we chose to include adver- A team of nine postgraduates worked to- sary groups from outside of Iran, including gether throughout the Spring 2020 semester criminal groups and APTs from other coun- to conduct the research needed to satisfy tries, which are relevant to understanding the TOR. Eight of the nine are students of both the threats that financial institutions international security policy, and the remain- face and to understanding persistent en- ing student international finance and eco- gagement and forward defense. We also nomic policy. All have taken courses on considered the impact of different types of cyber threat intelligence and cyber conflict. disclosures, which can contain different The project’s faculty advisor, Adjunct Profes- types of information, and which come from sor Neal Pollard, oversaw and guided their different sources, such as the private sector work, providing feedback and assistance and government agencies. where necessary.

SIPA Capstone 2020 1 The Impact of Information Disclosures on APT Operations We then posed two additional questions: organizations that specialize in attacking fi- nancial institutions. Cybercriminal organiza- ¨ Under what conditions is a disrup- tions are becoming increasingly capable. tion likely to succeed? They have developed sophisticated meth- ¨ What evidence indicates that a dis- ods to bypass anti-fraud systems and ruption has successfully contributed measures, and to attack ATMs. They are to the strategy of persistent en- challenging the sector’s ability to implement gagement and forward defense? strong multi-factor authentication protocols, since authentication factors can be bypassed via creativity, social engineering, and vulner- abilities in biometrics algorithms. They re- INDUSTRY SITUATION lentlessly steal and monetize millions of 3 Standard Chartered Bank is a member of the consumers’ credit card information. financial services sector. This sector is an im- The nation-state threat to the financial ser- portant part of both U.S. and global critical vices sector is multifaceted. Nation-states infrastructure, and Standard Chartered Bank can target financial institutions for political is one of thirty global systemically important reasons, carrying out disruptive attacks on banks (G-SIB).1 The sector is comprised of institutions to cause their adver- depository institutions like Stand- saries economic pain. Political ard Chartered Bank, insurers, in- Financial services considerations factored into vestors, credit and financing institutions face Iran’s Operation Ababil and organizations, and financial utili- cyberthreats from North Korea’s DarkSeoul, both of ties providers. It is subject to an both criminals and which were DDoS campaigns increasingly large and sophisti- from nation-states. against U.S. and South Korean fi- cated number of cyberattacks.2 nancial institutions respectively. Financial services institutions face cyber- States can also spy on financial threats from both criminals and nation- institutions to gain intelligence on politically states. From criminals, they face traditional sensitive customers or the operations of the 4 cybercrime carried out by criminal institution and its corporate clients. Finally,

1 Financial Stability Board, 2019 List of Global Predictions’ (3 December 2019), Kaspersky: Systemically Important Banks (G-SIBs) (22 No- https://securelist.com/financial-predictions- vember 2019): https://www.fsb.org/wp-con- 2020/95388/ tent/uploads/P221119-1.pdf 4 FireEye, Cyber Threats to the Financial Ser- 2 ‘Financial Services Sector’, CISA: vices and Insurance Industries (2016), 1: https://www.cisa.gov/financial-services-sector https://www.fireeye.com/content/dam/fireeye- 3 Y. Namestnikov & D. Bestuhev, ‘Cyberthreats www/solutions/pdfs/ib-finance.pdf to Financial Institutions 2020: Overview and

SIPA Capstone 2020 2 The Impact of Information Disclosures on APT Operations states may target financial institutions to APT1/PLA Unit 61398 steal money, as seen in North Korea’s at- China APT10/MenuPass Team tacks on the SWIFT banking transfer system.5 Criminal Cobalt Group METHODOLOGY Organizations

APT33/Elfin We approached the abovementioned ques- Iran tion qualitatively. First, APT groups were se- APT34/OilRig/Helix Kitten lected from different geopolitical contexts: North Korea APT38/Lazarus Group four countries and criminal enterprises. We APT28/Fancy Bear chose notorious and otherwise prominent Russia APT29/Cozy Bear threat actors which have received a signifi- cant amount of public attention from cyber After the selection process, we mapped out threat intelligence firms, and which have public disclosures from cyber threat intelli- been the subject of numerous public disclo- gence firms and government indictments sures. In order to control for the groups’ dif- (where applicable) according to the thresh- ferences in geopolitical situation, and to olds designated on the Pyramid discern whether (or which) con- of Pain. We included public re- textual similarities effect a spe- These disclosures leases of network and host arti- cific response, we endeavored force APTs to change facts, tools, or TTPs as a to analyze two APTs from each their infrastructure, disclosure; and we added the country. We had originally tools, and tactics fol- public revelation of individual omitted APT38 (Lazarus Group) lowing their release. hackers and their cyber perso- given its lack of a suitable North nae to both the Pyramid of Pain Korean correlative, but later ex- and our list of possible disclo- panded our selection criteria to include it at sure events. These events were selected be- the client’s request. cause they impose significant costs on threat The countries and contexts covered in this actor groups in terms of the changes that report appear in alphabetical order. Within must be made to their infrastructure, tools, each country, APTs are listed in numerical and tactics following a disclosure. Disclosure order according to FireEye’s APT-labeling events below our threshold–domain names, system: IP addresses, hash values–provide actiona- ble intelligence to network defenders, but

5 W. Carter, ‘Forces Shaping the Cyber Threat public/171006_Cyber_Threat_Land- Landscape for Financial Institutions’ (2 October scape%20_Carter.pdf?UWqJEbDm.dBKSLEIFTy 2017), Swift Institute, 6: https://csis- Ys1IxJaExh9Y7 prod.s3.amazonaws.com/s3fs-

SIPA Capstone 2020 3 The Impact of Information Disclosures on APT Operations fail to cause enough pain to the adversary to 3 Government versus private sector warrant inclusion. disclosure: Government indictments should cause more pain than cyberse- curity vendors’ disclosure reports be- cause the former entails internationally enforceable conse- quences. Individual private sector firms cannot, perforce, oblige others to follow rules; governments can.

4 Reach of disclosing state’s law en- forcement: Disclosures from a state that has an extradition treaty with the threat actor’s own home state should We then assessed the impact of different cause more pain than the inverse be- disclosure events according to several fac- cause extradition agreements en- tors: hance the likelihood that a cost will be imposed on the wrongdoer. Further- 1 The use of public versus custom more, if the disclosing state’s govern- tools: The release of information on ment maintains extradition treaties bespoke tooling should cause more with many different countries, it pain to a threat actor than the release should proportionally reduce the of publicly available tools because the threat actor’s ability to travel abroad. development of custom software re- quires more time, talent, and money 5 Publicity of disclosure: The more than the simple purchase of off-the- publicity behind a disclosure, the shelf malware. Outfits reliant on cus- more pain it should cause because tom software would therefore, ceteris more network defenders are likely to paribus, exhibit greater signs of dis- read it. The more network defenders ruption in the wake of a disclosure. to read a disclosure, the greater the chance that networks will be prepared 2 Domestic political pressure: Disclo- against future actions taken by the sure events which generate consider- threat actor. able publicity in the home-state or region of the group should cause 6 Specificity of target: Cyberthreats more pain than low-publicity disclo- that target specific entities should feel sures because public awareness can more pain from disclosures than lead to demands that the group cyberthreats that cultivate a broad ceases its activities. range of targets because a single

SIPA Capstone 2020 4 The Impact of Information Disclosures on APT Operations target can react more quickly and of the aforementioned APTs and to hypoth- comprehensively than a group of or- esize whether or not disclosure events had a ganizations or an entire sector. Fur- significant impact on them. We only had ac- ther, if a group has a specific target cess to information that is publicly available set, it has built expertise and capabil- online, so we had no insight into these APTs’ ities specific to that set (i.e. SCADA, actions in the times between one public dis- ICS, oil and gas). When such a group closure and the next. Accordingly, we inter- is disrupted, it should have more diffi- viewed numerous experts in the private culty reconstituting that capability sector and government who track these than a group which conducts general groups and work in the cybersecurity field to computer network exploitation determine whether our hypotheses were against a wider range of targets. correct and to identify gaps in our infor- mation. We also used interviews with gov- 7 Maturity of other cyber capabilities: ernment experts and academics to explore Disclosure events should cause more the relationship between public disclosures pain to newer and immature threat ac- and persistent engagement, in order to ad- tors because, perforce, they have less dress the second part of our research ques- architecture, fewer tools, and fewer tion. TTPs to rely on. Mature actors might belong to larger threat actor organi- GENERAL COMMENTS ON zations with advanced and capable ar- INTERVIEWS senals, as well as numerous campaigns occurring simultaneously. The team carried out interviews throughout Importantly, mature state actors with the month of March and the first half of April. several APTs should be less disrupted Our access to experts was slightly hindered in the long term because they likely by the COVID-19 pandemic and quarantine, have the organizational flexibility to and two people declined interviews, citing incorporate a disrupted group into the need to manage the effects of the eco- another. A less mature state actor nomic downturn and the security threats that without backup or incidental groups arose from a wide-scale move to remote on which to fall back should experi- work. We did, however, speak to members ence more pain from disruptions. of industry, government, and academia; and our interviewees included operations-ori- We collected data in two steps. First, we ented and policy-oriented professionals. conducted open-source research into disclo- Although many interviewees consented to sure events to create a timeline of each on-the-record interviews, some asked that group’s activity and related disclosures. This we withhold their names from our final re- research enabled us to collect initial evi- port so that they could speak freely. dence on the impact of disclosures on each

SIPA Capstone 2020 5 The Impact of Information Disclosures on APT Operations APT1 (CHINA)

Timeline: Activity Levels and Disclosures

2018

2017

2016

U.S. DoJ Activity ceases 2015 Indictments

Resumes activity 2014 Heavy activity Reduced activity Mandiant Report continues 2013 Activity significantly increases 2012

Attacks on 11+ 2011 victims

Attacks on 10+ 2010 victims + US Steel

Attacks on 6+ 2009 victims + Alcoa

Attacks on 4+ 2008 Symantec identifies victims APT1 activity 2007

2006

IMPACT OF DISCLOSURES

SIPA Capstone 2020 6 The Impact of Information Disclosures on APT Operations SUMMARY of the PLA General Staff Department. The Unit was primarily responsible for targeting English-speaking countries.2 The manpower APT1 (Comment Crew, Comment Group, needed to perform APT1’s large operations Comment Panda) was a Chinese military was significant, and the group likely con- cyber espionage group active from 2006 to sisted of hundreds of operators supported 2014. APT1 gained widespread attention in by teams of linguists, developers, intelli- 2013, when Mandiant released a major re- gence analysts, and operations managers.3 port that attributed the group to the Peo- Perhaps unsurprisingly, then, Mandiant de- ple’s Liberation Army and described its scribed APT1 during the interval of 2006 to operations in detail.1 Following this disclo- 2014 as ‘one of the most prolific cyber espi- sure, APT1’s operations were significantly onage groups’.4 disrupted and did not return to normal levels for 153 days. Fifteen months later, the U.S. Mandiant found that APT1 exfiltrated data Department of Justice indicted five mem- from 141 organizations in various industries. bers of APT1, after which all recognizable ac- Nothing indicates that APT1 conducted of- tivity ceased. APT1 provides a clear case of fensive cyber operations: espionage ap- significant and lasting operational disruption pears to have been its sole responsibility, caused directly by public disclosures. Its ex- and in that work, it was notably persistent. tensive use of custom tooling, the interna- Mandiant calculated that it spent an average tional political environment surrounding of 356 days on a network, though in certain Chinese economic espionage, and the coer- cases it exfiltrated data for years.5 cive power of indictments contributed to the success of these disclosures. TIMELINE

2006 Symantec first identifies APT1 ac- THE GROUP tivity in late 2006.6 7 APT1 has been attributed to China’s Peo- 2007 APT1 compromises four victims. ple’s Liberation Army Unit 61398, which was assigned to the 3rd Department, 2nd Bureau

1 ‘APT1: Exposing One of China’s Cyber Espio- 6A. L. Johnson, ‘APT1: Q&A on Attacks by the nage Units’ (19 February 2013), Mandiant: Comment Crew’ (19 February 2013), Broadcom: https://www.fireeye.com/content/dam/fireeye- https://community.broadcom.com/symantecen- www/services/pdfs/mandiant-apt1-report.pdf terprise/communities/community-home/li- 2 Mandiant 2013 (n. 1), 8 f. brarydocuments/viewdocument?DocumentKey 3 id., 5. =f1265df5-6e5e-4fcc-9828-d4ddb- 4 id., 2. bafd3d7&CommunityKey=1ecf5f55-9545-44d6- 5 id., 20 f. b0f4-4e4a7f5f5e68&tab=librarydocuments 7 Mandiant 2013 (n. 1), 20.

SIPA Capstone 2020 7 The Impact of Information Disclosures on APT Operations 2008 APT1 compromises six victims, in- Mar: Mandiant observes APT1 re- cluding Alcoa.8 sume activity on 25 March.17 2009 APT1 compromises ten victims, May: Mandiant reports that including U.S. Steel.9 APT1’s activity decreased follow- 2010 APT1 compromises over eleven ing the release of their report in victims.10 February. They observed APT1 continuing intrusion activity but 2011 Activity significantly increases.11 forced to retool and burn infra- 2012 APT1 continues heavy activity. structure that was disclosed.18 Digital Bond reports that it was Jul: Mandiant observes APT1 re- spear-phished by APT1.12 Brian sume activity at normal levels on Krebs identifies APT1 as respon- July 22.19 sible for an intrusion at a Cana- dian electric company.13 APT1 2014 Mar: ThreatConnect identifies begins targeting SolarWorldAG.14 APT1 activity using domains that had been disclosed in the Mandi- 2013 Jan: Targeting of USW ends.15 ant report and elsewhere as early Feb: Mandiant APT1 Report re- as 2011.20 leased on 19 February. On 20 Apr: APT1 member creates mali- February APT1 changes the regis- cious domain.21 tration information for five mali- cious domains.16 The Mandiant May: U.S. DoJ indicts 5 members 22 report disclosed four of these do- of APT1 on May 19. mains. Aug: Lockheed Martin reports an immediate reduction in malicious

8 ib.; ‘United States of America v. Wang Dong, https://www. Sun Kailiang, Wen Xinyu, Huang Zhenyu, and fireeye.com/current-threats/annual-threat-re- Gu Chunhui’ (19 May 2014), United States Dis- port/mtrends/rpt-2014-mtrends.html trict Court, Western District of Pennsylvania, 7: 18 D. McWhorter, ‘APT1 Three Months Later – https://www.justice.gov Significantly Impacted, Though Active & Re- /iso/opa/resources/5122014519132358461949 building’ (21 May 2013), FireEye: .pdf. Hereafter referenced as DoJ Indictment. https://www.fireeye.com/blog/ 9 Mandiant 2013 (n. 1), 20; DoJ Indictment (n. threat-research/2013/05/apt1-months-signifi- 8), 6. cantly-impacted-active-rebuilding.html 10 Mandiant 2013 (n. 1), 20. 19 Mandiant 2014 (n. 17), 20. 11 ib. 20 ThreatConnect Research Team, ‘Old Habits 12 id., 26. Die Hard: Iterative Intelligence & Comment 13 ib. Crew Activity’ (22 March 2014), ThreatConnect: 14 DoJ Indictment (n. 8), 4. https://threatconnect.com/blog/tag/apt1/ 15 id., 26. 21 DoJ Indictment (n. 8), 35. 16 id., 35. 22 id., passim. 17 ‘M-Trends 2014 Annual Threat Report: Be- yond the Breach’ (April 2014), Mandiant, 20:

SIPA Capstone 2020 8 The Impact of Information Disclosures on APT Operations activity targeting their networks from 19 May 2014. 28 Although reports on after release of Mandiant APT1 APT1’s activity had previously been pub- 23 Report. lished, these disclosures were the first to de- tail TTPs and individual members and the TYPOLOGY OF ATTACKS first to attribute the activity to the Chinese APT1 generally began its campaigns with government. spear-phishing emails that impersonated in- Mandiant’s report disclosed IP addresses, dividuals known to the tar- domain names, malware families, get. 24 After the victim had APT1 provides a clear TTPs, and the identities of three clicked the malicious link or at- members. The impact was immedi- case of significant tachment included in the ate and clear. Within twenty-four and lasting opera- email, their device down- hours of the disclosure, a member tional disruption loaded bespoke malware that of APT1 changed some of the do- provided APT1 with back- caused directly by main registration information for doors and covert communica- public disclosures. four domains disclosed in the re- tion capabilities. 25 The port.29 Furthermore, Mandiant ob- constant evolution of this custom malware, served the group abandoning much of its coupled with the organized deployment of infrastructure and beginning to retool. APT1 these upgrades, suggests that it had its own nonetheless resumed its intrusions on 25 internal development capability. 26 In con- March, albeit at reduced levels;30 and its ac- trast, APT1 largely used public tools for priv- tivity returned to previously seen levels by ilege escalation.27 22 July 2013.31 Mandiant’s report thus ap- pears to have stopped APT1’s intrusion ac- DISCLOSURE EVENTS tivity for thirty-three days and to have had a larger disruptive effect for 153 days. Two major disclosures revealed APT1’s ac- tivity: namely, Mandiant’s exposé of 19 Feb- The U.S. Department of Justice indictment ruary 2013 and the U.S. Department of occurred fifteen months after Mandiant’s re- Justice indictment of five members of APT1 port. It disclosed domain names, TTPs, and

23 M. Lennon, ‘Lockheed: Attackers Went Quiet 28 DoJ Indictment (n. 8). After APT1 Report Exposed Chinese Hackers’ 29 id., 35. (14 August 2014), Security Week: 30 ‘M-Trends 2014 Annual Threat Report: Be- https://www.securityweek. yond the Breach’ (April 2014), Mandiant: com/lockheed-attackers-went-quiet-after-apt1- https://www.fireeye. report-exposed-chinese-hackers com/current-threats/annual-threat-re- 24 Mandiant 2014 (n. 17), 28. port/mtrends/ 25 id., 30. rpt-2014-mtrends.html, 20. 26 id., 27. 31 Mandiant 2014 (n. 17), 20. 27 e.g. Mimikatz and gsecdump: id., 34.

SIPA Capstone 2020 9 The Impact of Information Disclosures on APT Operations the identities of five members of APT1. All uncomfortably in parallel. On the one hand, activity attributable to APT1 ceased thereaf- the U.S. government had been reluctant to ter. attribute cyber operations in public—far more than today. The Chinese government, Several plausible reasons offer to account on the other hand, had repeatedly insisted for the efficacy of these disclosures. APT1’s that it did not conduct cyber espionage for reliance on custom malware is the foremost economic purposes. Mandiant’s report re- factor. Capability development is a time-in- vealed the mendacity of any such claims, tensive and technically difficult task; and and it did so definitively. Mandiant reported that APT1 had utilized over forty malware families.32 The process of A third factor inheres within a qualitative dif- retooling, as APT1 was observed doing, ference between the report and the indict- therefore reduced APT1’s operational ca- ment. The Mandiant report was merely pacity. Additionally, Mandiant’s report de- informative: it did not seek per se to effect a termined that a certain Mei Qiang belonged change. This does not, however, suggest to ‘a smaller group of highly capable devel- that the authors of the report did not expect, opers within APT1’.33 That observation is in- or even desire, APT1 to change its behavior structive. based on what was revealed – they most cer- tainly did. Nevertheless, unlike the indict- Even if Qiang continued to work for APT1 ment, the report did not instantiate an act. post disclosure, new operational security ef- On the other hand, the indictment consti- forts would likely disrupt the development tutes an action against the five named PLA workflow. Such a state of changing circum- officers. That had real-world consequences stances and protocols may have informed for the ability of these individuals to travel. the 153-day disruption period after Mandi- Furthermore, the indictment clearly com- ant’s report. It fails, however, to explain municates the intent (both present and fu- APT1’s disappearance after the Department ture) of the U.S., insofar as the disclosure of Justice indictment. represented the U.S. government’s willing- A second factor relates to the Mandiant re- ness to confront China over its duplicity in port qua public disclosure. It was the first cyber matters. CrowdStrike’s Dmitri Alpero- major revelation of its kind; and neither the vitch has noted the significant impact of in- international reaction nor the impact on dictments on PLA cyber operations, APT1’s operations were immediately clear. specifically citing the disruptions of APT1, The report also represented a reckoning be- APT3, and APT10.34 tween two policies that had existed

32 Mandiant 2013 (n. 1), 5. https://www.rsaconference. 33 id., 58. com/usa/us-2020/agenda/hacking-exposed- 34 D. Alperovitch, ‘Global Threat Brief’ (26 Feb- global-threat-brief ruary 2020), RSA Conference:

SIPA Capstone 2020 10 The Impact of Information Disclosures on APT Operations As mentioned above, APT1’s activity ceased be more difficult to transfer their capability after the indictment. Yet it seems highly un- unawares. likely that its talent and resources were Although it appears likely that the Mandiant simply disbanded. The group no longer ex- report and the U.S. indictment significantly ists in its formerly recognizable form, to be disrupted APT1, if not directly precipitating sure; however, a likelier explanation for its their disappearance, alternate explanations disappearance is that its personnel, capabil- exist. In a 2016 report, FireEye noted that ities, and targets were reassigned to another overall Chinese cyber activity had declined Chinese government cyber organization. since mid-2014. They furnished two explana- Two factors make this plausible. First, the tions: internal factors, such as President Xi’s Chinese have several ma- efforts to centralize and ture computer network op- Public disclosures significantly consolidate military cyber erations units. This impacted APT1’s operations operations in the Strategic preexisting infrastructure and directly contributed to their Support Force; and exter- facilitates the reconstitu- disappearance. nal factors, such as public tion of one APT into an- disclosures and subse- other to obfuscate its quent U.S. responses.35 Further, Elsa Kania activities, while concurrently minimizing the and John Costello note that PLA cyber units disruption to the state’s overall capacity to have focused more on military objectives conduct cyber operations. Conversely, if a since the Strategic Support Force was cre- state lacks a large, mature cyber capability, ated. Political and economic targets, in turn, its ability to disband and reassign an APT have shifted to the Ministry of State Secu- would be limited. Second, APT1 targeted a rity.36 Still another internal factor is President wide range of industries. The variety of its Xi’s campaign against corruption, which for victims eases the process of transferring any cyber units often involved moonlighting to sector-specific responsibilities to another conduct financially motivated theft. 37 The group without attracting undue attention. 2015 agreement between Presidents Were APT1 highly specialized—only target- Obama and Xi not to conduct espionage for ing, for example, SCADA systems—it would commercial gain may also have contributed

35 iSight Intelligence, ‘Red Line Drawn: China Operations’, The Cyber Defense Review 3.1 Recalculates Its Use of Cyber Espionage’ (21 (2018), 106 f. June 2016), FireEye: 37 M. Hvistendahl, ‘The Decline in Chinese https://www.fireeye.com/blog/threat-re- Cyberattacks: The Story Behind the Numbers’ search/2016/06/red-line-drawn-china-espio- (25 October 2016), MIT Technology Review: nage.html https://www.technolo- 36 E. Kania & J. Costello, ‘The Strategic Support gyreview.com/2016/10/25/156465/the-decline- Force and the Future of Chinese Information in-chinese-cyberattacks-the-story-behind-the- numbers/

SIPA Capstone 2020 11 The Impact of Information Disclosures on APT Operations to the decline.38 Nevertheless, whatever ef- events reveals that public disclosures signif- fect these other factors may have had on icantly impacted APT1’s operations and di- Chinese cyber operations (and they almost rectly contributed to their disappearance. certainly did), the timeline of disruption fol- lowing the two abovementioned disclosure

38 iSight Intelligence 2016 (n. 35).

SIPA Capstone 2020 12 The Impact of Information Disclosures on APT Operations APT10 (CHINA)

Timeline: Activity Levels and Disclosures

2020 U.S. Department of Justice Activty Ceases indictments Intrusion Truth 2019 Disclosures

Trochilus Malware Campaigns 2018 PwC/BAE Dislosure: Cloud Fidelis Disclosure: Trade Secret Hopper TradeSecret Campaign Tests Quasar, ChChes & RedLeaves 2017

2016

Cloud Hopper campaign 2015

Began PlugX Malware Attacks 2014 FireEye Report: PoisonIvy PoisonIvy Malware attacks cont. 2013

2012

IMPACT OF DISCLOSURES

SIPA Capstone 2020 13 The Impact of Information Disclosures on APT Operations INTRODUCTION Japanese defense and government infor- mation as well as sensitive trade secrets in an array of sectors. Several reports from the APT10 is a Chinese threat actor believed to online group Intrusion Truth have tied have ties to the Chinese Ministry of State Se- APT10 activity to individuals associated with curity (MSS). This highly prolific threat group the Chinese MSS. Although it is believed to has conducted large espionage campaigns have begun operations around 2006, APT10 against both intellectual property and West- did not receive widespread attention until a ern defense information. APT10 has been 2013 FireEye report that associated it with the subject of several high-profile disclo- PoisonIvy, a remote access tool (RAT) which sures, including a 2017 report detailing the had been used against U.S. and overseas extent and nature of its campaign against defense contractors since 2009.1 managed service providers (known as Cloud Hopper) and an associated U.S. Department APT10 is best known for an espionage cam- of Justice indictment in 2018 against several paign against managed services providers Chinese nationals believed to be associated (MSP). This campaign was disclosed in a with the group. Although most public re- 2017 collaborative report from PwC UK and porting on APT10’s activities has done little BAE Systems, Operation Cloud Hopper. 2 to impact its operations, the publication of The campaign targeted MSPs and their cli- the Cloud Hopper report disrupted APT10 ents from around the world—Canada, activity for approximately seven weeks and France, South Africa, Australia, Japan, India, the associated U.S. Department of Justice Norway, the United States. 3 By targeting indictment appears to have halted APT10’s MSPs, APT10 could pivot to its desired tar- campaigns completely. get, a client network, more easily and more covertly than by attacking them directly. The THE GROUP campaign also marked a shift in APT10’s tar- geting. Whereas previous efforts focused on APT10 (MenuPass, Cloud Hopper, Red Western defense contractors, the Cloud Apollo, CNVX, Stone Panda) is a Chinese Hopper campaign saw the expansion of threat actor known for its expansive espio- APT10’s targets to include firms in the nage campaigns against sources of U.S. and

1 ‘Poison Ivy: Assessing Damage and Extracting 3 ‘APT10: A Brief Look into the Chinese Hacker Intelligence’ (August 2013), FireEye: Group’s Targets and Operations’ (24 November https://www.fireeye. 2018), Cyware: https://cy- com/content/dam/fireeye-www/global/en/cur- ware.com/news/apt10-a-brief-look-into-the-chi- rent-threats/pdfs/rpt-poison-ivy.pdf nese-hacker-groups-targets-and-operations- 2 ‘Operation Cloud Hopper’ (April 2017), PwC: e95ac4c3 https://www.pwc.co.uk/cyber-secu- rity/pdf/cloud-hopper-report-final-v4.pdf

SIPA Capstone 2020 14 The Impact of Information Disclosures on APT Operations finance, biotech, electronics, and telecom- notable, therefore, that Operation Could munication sectors.4 Hopper alone appears to have succeeded in disrupting APT10 activity, albeit in combina- TIMELINE tion with an aggressive multi-stakeholder re- sponse on client networks—and even then APT10’s espionage campaigns fall into two only for seven weeks.7 general periods. The first phase lasted from at least 2006 to 2013. During this time, Subsequent to this disruption, APT10 activ- APT10 targeted U.S. and overseas defense ity resumed with the targeting of Japanese 8 contractors with PoisonIvy. After the release government entities and MSPs. This activity of the 2013 FireEye report, which detailed ceased after the U.S. Department of Justice the use of that malware by indictment (17 December various actors, APT10 APT10 undertook both retooling 2018) of two individuals who were believed to be shelved PoisonIvy and be- efforts and espionage campaigns associated with APT10. 9 gan a retooling and re- simultaneously, allowing the platforming effort. 5 The Private cybersecurity group to stay ahead of defenders second phase spanned firms corroborated the and mitigate the impact of public 2014 through the begin- cessation of activity. This ning of 2019. During this disclosures. hiatus has apparently interval APT10 used a held: the TTPs, domains, combination of bespoke and open source and IPs associated with APT10 activity have tools to conduct its operations. Operation not been publicly reported as of April 2020. Cloud Hopper suggests that APT10 under- 2006 First reports that U.S. and over- took both retooling efforts and espionage seas defense contractors and campaigns simultaneously, allowing the agencies are targeted.10 group to stay ahead of defenders and miti- gate the impact of public disclosures.6 It is

4 B. Barrett, ‘How China’s Elite Hackers Stole the research/2018/09/ World’s Most Valuable Secrets’ (20 December apt10-targeting-japanese-corporations-using- 2018), Wired: https://www.wired.com/story/doj- updated-ttps.html. MSPs: Insikt Group, ‘APT10 indictment-chinese-hackers-apt10/ Targeted Norwegian MSP and U.S. Companies 5 PwC 2017 (n. 2), 5. in Sustained Campaign’ (6 February 2019), Rec- 6 id., 16. orded Future: https://www.recorded- 7 Interview with a senior cybersecurity consult- future.com/apt10-cyberespionage-campaign/ ant. 9 viz. Zhu Hua and Zhang Shilong. 8 Japanese government: A. Matsuda & I. Mu- 10 ‘United States of America v. Zhu Hua and hammad, ‘APT10 Targeting Japanese Corpora- Zhang Shilong’ (17 December 2018), Untied tions Using Updated TTPs’ (13 September States District Court, Southern District of New 2018), FireEye: https:// York: https://www.justice.gov/opa/press- www.fireeye.com/blog/threat-

SIPA Capstone 2020 15 The Impact of Information Disclosures on APT Operations 2013 Aug: FireEye releases PoisonIvy 2018 Dec: U.S. DoJ indictment re- report, documenting APT10 us- leased; APT10 activity ceases. age of malware.11 TYPOLOGY OF ATTACKS 2014 Beginning of the Cloud Hopper campaign, targeting MSPs APT10 gained access to victims’ systems around the world.12 through two primary methods. The first is Late 2014: APT10 targets Euro- spear-phishing. Its spear-phishing cam- pean organizations.13 paigns displayed keen insight into its tar- 2016 Sep–Nov: APT10 campaign gets, typically aligning the malicious email’s against Japanese academics and manufacturing organizations.14 content with the target’s own interests at the time. This implies that APT10 conducted Late 2016: APT10 retools and tests Quasar, ChChes and substantial reconnaissance prior to its oper- 18 RedLeaves malware families.15 ations. That procedural decision may also 2017 Early 2017: Beginning of cam- have influenced its preferred vector into a 19 paign against Ministry of Foreign network—namely, decoy documents. In Affairs in Japan and the National certain cases, such as the campaigns against Foreign Trade Council in the Japanese organizations, APT10 registered United States.16 domains with names similar to legitimate en- Apr: Operation Cloud Hopper tities as another means of deceit. 20 It also released; APT10 activity against used web reconnaissance tools to conduct MSPs disrupted temporarily. research on potential targets for later spear- Nov–Sep 2018: revamped cam- phishing campaigns.21 paigns against MSPs and other The second infiltration method used by companies with sensitive intel- lectual property.17 APT10 depended on the infrastructure link- ing MSPs and their clients. In short, it stole

release/file/1121706/download. Hereafter refer- 16 Threat Research Team, ‘Operation TradeSe- enced as DoJ Indictment cret: Cyber Espionage at the Heart of Global 11 FireEye 2013 (n. 1), 25–31. Trade’ (5 April 2017), Fidelis Cybersecurity: 12 DoJ Indictment (n. 10), passim. https://www.fidelissecu- 13 PwC 2017 (n. 2), 17. rity.com/threatgeek/threat-intelligence/cyber- 14 J. Miller-Osborn & J. Grunzweig, ‘MenuPass espionage-global-trade/ Returns with New Malware and New Attacks 17 Matsuda & Muhammad (n. 8). Against Japanese Academics and Organiza- 18 PwC 2017 (n. 2), 16. tions’ (16 February 2017), Palo Alto Networks: 19 id., 11. https://unit42.paloaltonetworks.com/unit42- 20 id., 12. menupass-returns-new-malware-new-attacks- 21 e.g. Scanbox: Fidelis Cybersecurity 2017 (n. japanese-academics-/organizations/ 16). 15 PwC 2017 (n. 2), 16.

SIPA Capstone 2020 16 The Impact of Information Disclosures on APT Operations or falsified network credentials from the MSP In 2014 or shortly before, APT10 began us- in order to pivot onto the target network.22 ing the PlugX malware in its spear-phishing This technique obviated the risk of detection attacks. Multiple variants of the PlugX soft- that it would incur by spear-phishing its tar- ware were deployed between 2014 and get directly. The Cloud Hopper campaign 2016, and with increasing sophistication. made significant use of this technique, gen- This campaign supported the larger Cloud erally after a spear-phishing email afforded Hopper operation and its concurrent efforts it access to an MSP’s network. Having en- to spy on Japanese organizations. tered said network, APT10 worked quickly to Late 2016 infect additional systems with malware in or- der to provide itself sustained access. During APT10 underwent another retooling pro- the network reconnaissance phase, APT10 cess, during which it developed and tested sought out usernames and passwords that versions of the Quasar, ChChes, and could directly access the target network.23 RedLeaves malware families. These tools were incorporated slowly, sometimes used 2006 to Mid-2013 with PlugX and PoisonIvy, and were seen un- APT10’s initial operations targeting the U.S. til the end of 2018.26 Its campaign against defense industrial base relied heavily on Japanese academics from September to No- spear-phishing. In or around 2009, APT10 vember 2016 offers a representative exam- began to disseminate the PoisonIvy malware ple of its operations at this time. The ChChes in its phishing emails along with several less trojan (or another RAT) was imbedded in an frequently used RATs. These spear-phishing attachment of a spear-phishing email and emails were, again, well-tailored to intended provided the group with initial access. After targets and included malicious attachments the victim opened the malicious attachment, that infected the victim system.24 ChChes would beacon back to C2 nodes with an MD5 hash representing the victim; Mid-2013 to 2014 from that point, the infected machine re- APT10 underwent a retooling process after ceived additional malware through this C2 FireEye’s report on PoisonIvy. The decrease channel.27 in its operations coincided with the observa- tion from cyber threat intelligence groups 2017 to 2018 that PoisonIvy was no longer being used di- APT10 continued to use the RedLeaves and rectly against its targets.25 ChChes malware in its spear-phishing cam- 2014 to 2016 paigns, but now alongside a new backdoor,

22 Cyware 2018 (n. 3). 26 ib. 23 PwC 2017 (n. 2), 17. 27 e.g. PoisonIvy or PlugX: Miller-Osborn & 24 FireEye 2013 (n. 1), 25 f. Grundzweig 2017 (n. 14). 25 PwC 2017 (n. 2), 16.

SIPA Capstone 2020 17 The Impact of Information Disclosures on APT Operations Uppercut. It also employed variations of and September 2018—three disclosures did Quasar and the Trochilus malware family for have a marked effect. network persistence and espionage. In 2018 The first effective disclosure was FireEye’s it began to use stolen login credentials for 2013 report on PoisonIvy. As mentioned remote desktop applications, such as Citrix, above, usage of that tool decreased after to gain initial access. the report was released, though it remains Although the publication of Operation unclear whether APT10 was engaged in con- Cloud Hopper disrupted the campaigns temporaneous campaigns that used other against MSPs and Japanese organizations malware. Thereafter, APT10 began a retool- were disrupted for approximately seven ing and re-platforming initiative, lasting from weeks, campaigns against certain Japanese 2014 to 2018, that saw the continuous de- organizations resumed in late 2017. Further- velopment and deployment of new tools more, from November 2017 onwards, against its targets. This arms-race strategy APT10 reportedly resumed targeting MSPs. allowed APT10 to conduct operations In one attack against Visma, a Norwegian largely unimpeded despite a higher number MSP, the group used stolen remote desktop of disclosures in 2017 and 2018.30 credentials to gain access, escalate network Operation Cloud Hopper was the next dis- privileges, and infect systems with Trochilus closure to have a palpable effect—a disrup- malware. It then packaged and exfiltrated tion in activity for approximately seven sensitive data through Dropbox. It used sim- weeks. The positive effect of the report was ilar TTPs during this interval to attack an in- due in part to PwC’s coordination of its re- ternational apparel company, a U.S. law firm lease with the victims and cybersecurity specializing in intellectual property law, 28 firms, who used the pre-publication time to and companies in the Japanese media sec- catch APT10 unawares and implement plans tor.29 to regain control of their networks.

DISCLOSURE EVENTS The most effective disclosure against APT10 to date was the U.S. Department of Justice Until the cessation of operations in Decem- indictment of two of the group’s members. ber 2018, APT10 shifted its TTPs and infra- All recognizable APT10 activity ceased fol- structure multiple times in order to stay lowing the indictments, which comports with ahead of defenders. Although many of the the impact of similar U.S. indictments of Chi- disclosures had little impact on its opera- nese threat groups associated with the gov- tions—especially those between April 2017 ernment.

28 Recorded Future 2019 (n. 8). 30 Cobalt Group adopted a similar approach in 29 Matsuda & Muhammad 2018 (n. 8). 2017.

SIPA Capstone 2020 18 The Impact of Information Disclosures on APT Operations FireEye PoisonIvy Report: August 2013 and IP addresses used in this campaign. It also included indicators of compromise for FireEye’s study on observed cases of Poi- each malware family and domain names sonIvy was one of the first reports to disclose used in APT10’s C2 operations.33 significant information regarding APT10’s activity and TTPs. It detailed three different Operation Cloud Hopper Report: April cyber-espionage campaigns that relied on 2017 the PoisonIvy malware, one of which was at- PwC’s Operation Cloud Hopper provided tributed to APT10. The report provided a the definitive account of APT10’s campaign technical analysis of PoisonIvy, including its against MSPs. Part narrative and part tech- customizable features, configurations, com- nical, the report detailed the pervasive na- munication methods, and how to defend ture of APT10’s activities, including targets, 31 against it. Further, it expounded APT10’s apparent goals, and methodology. The vari- usage of PoisonIvy, attack ous elements of a typical vectors, weaponization, tar- The most effective disclo- APT10 operation were docu- gets, and passwords, along sure against APT10 to date mented from initial compro- with the domains and IP ad- was the U.S. Department of mise and reconnaissance to 32 dresses used by APT10. Justice indictment of two of exfiltration. A time-based Palo Alto Unit 42 Disclosure: the group’s members. analysis of APT10’s activity Feb 2017 tied the group to China, while a comparison of APT10’s targets to This report provided information on the other observed Chinese hacking operations APT10 campaign against Japanese academ- provided further insight into its likely motiva- ics from September to November 2016. The tions. The detailed timeline and history of targeted individuals primarily worked in APT10’s malware, how it was used, and how STEM fields such as Japanese pharmaceuti- cal companies and the U.S.-based subsidiar- the group changed it over time to accom- ies of Japanese manufacturing modate new goals were particularly note- 34 organizations. Unit 42 noted the use of worthy elements. The technical annex PlugX and PoisonIvy in the campaign, and provided a thorough examination of included a technical analysis of the newly- APT10’s malware, tools, and its infrastruc- 35 discovered ChChes malware. ture from 2009 to mid-2016.

Furthermore, the report identified the infra- Operation TradeSecret Report: April 2017 structure overlap between APT10’s previ- Fidelis Security’s report Operation TradeSe- ously reported C2 structure and the domains cret offered a different vantage into APT10’s

31 FireEye 2013 (n. 1), 9 f. 34 PwC 2017 (n. 2). 32 id., 25–31. 35 id., Technical Annex. 33 Miller-Osborn & Grundzweig 2017 (n. 14).

SIPA Capstone 2020 19 The Impact of Information Disclosures on APT Operations initial target reconnaissance activities, the domains, two IP addresses, and indicators of research needed before launching spear- compromise associated with the malware.38 phishing campaigns. Rather than the usual Intrusion Truth Disclosures: July to Septem- suspect of MSPs and defense contractors, Fi- ber 2018 delis Security investigated APT10’s targeting of lobbyists involved in U.S. foreign trade Intrusion Truth released several reports dur- policy. APT10 used ScanBox to compromise ing the summer of 2018 which identified four the webpages that were used to register for individuals and two companies that may meetings of the National Foreign Trade have been associated with APT10 opera- Council. Similarly, it identified the Japanese tions. They ultimately tied APT10 to the Ministry of Foreign Affairs as a target. The Tianjin bureau of the Chinese Ministry of report also included a more technical report State Security.39 on the TTPs used in these attacks, an analy- FireEye Disclosure: September 2018 sis of ScanBox, and a list of the domains as- sociated with the activity.36 This report covered APT10’s Uppercut/Anel malware campaign against the Japanese FireEye Disclosure: April 2017 media sector. FireEye documented the In this disclosure, FireEye documented what phishing emails, malicious attachments used they dubbed ‘APT10’s resurgence’ from in the attack, and the available information 2016 to early 2017. They identified and sum- on the Uppercut workflow, including marized several pieces of malware and dis- APT10’s alterations of the malware over time cussed attack vectors and methods similar to and concomitant changes to the indicators those identified in Operation Cloud Hop- of compromise.40 per.37 U.S. DoJ Indictment: December 2018 Accenture RedLeaves Report: April 2018 The indictment identified two members of Accenture reported that APT10 had again APT10, Zhang Shilong and Zhu Hua. It de- been targeting Japan with the RedLeaves tailed their activities as employees of the malware. They also analyzed the capabilities Huaying Haitai Company on behalf of the of RedLeaves from a sample acquired in Jan- Tianjin State Security Bureau of the Chinese uary 2018, and they registered four Ministry of State Security. They were

36 Fidelis Cybersecurity 2017 (n. 16). 38 J. Ray, ‘Hogfish Alert’ (23 April 2018), Accen- 37 iSIGHT Intelligence, ‘APT10 (MenuPass ture: https://www.accenture.com/us- Group): New Tools, Global Campaign Latest en/blogs/blogs-hogfish-alert Manifestation of Longstanding Threat’ (6 April 39 ‘APT10 Was Managed by the Tianjun Bureau 2017), FireEye: of the Chinese Minsitry of State Security’ (15 Au- https://www.fireeye.com/blog/threat-research gust 2018), Intrusion Truth: https://intru- /2017/04/apt10_menupass_grou.html siontruth.wordpress.com/category/apt10/ 40 Matsuda & Muhammad 2018 (n. 8).

SIPA Capstone 2020 20 The Impact of Information Disclosures on APT Operations implicated in campaigns dating back to identified an APT10 campaign against 2006 to steal information from U.S. govern- Visma, a Norwegian MSP, and two other ment agencies and commercial and defense companies between November 2017 and technology companies as well as APT10’s September 2018. APT10 was seen using a global campaign to steal intellectual prop- new variant of the Trochilus malware along- erty through client-MSP infrastructure. The side the Uppercut backdoor on which indictment identified attack methodology, FireEye previously reported. APT10 used TTPs, targets, and the role of the those in- Citrix remote desktop credentials to access dicted in these activities. Specifically, the in- the three victim networks, and the report dictment accused them of computer provides an attack timeline. More techni- intrusion offensives, wire fraud, and aggra- cally, it included an analysis of the Trochilus vated identity theft.41 malware, an identification of the encryption used by APT10, and a registry of the do- Recorded Future Disclosure: February 2019 mains and indicators of compromise that This collaboration between the Insikt Group were associated with the attack.42 and Rapid7, published by Recorded Future,

41 DoJ Indictment (n. 10), 15–20. 42 Recorded Future 2019 (n. 8).

SIPA Capstone 2020 21 The Impact of Information Disclosures on APT Operations COBALT (CRIMINAL GROUP)

Timeline: Activity Levels and Disclosures

2019 Payment gateway Spicy Omellete campaign in Russia Report

Group-IB report: Payment Gateway Attack

Arrest of Leader in New SWIFT Spain Campaign 2018

FireEye Report: Improved phishing Payment Gateway Attacks Kaspersky Report: PetrWrap Card Processing 2017 Ransomware Campaign

Group-IB report: First Commercial Logical ATM Taiwan ATM heist Attacks SWIFT attack in Hong Kong

2016

IMPACT OF DISCLOSURES

SIPA Capstone 2020 22 The Impact of Information Disclosures on APT Operations INTRODUCTION by the time that each disclosure has oc- curred, Cobalt has moved on.

Disclosures have not affected Cobalt Group’s attacks and behavioral patterns, nor THE GROUP do they seem likely to undermine its criminal Cobalt Group ranks among the most aggres- enterprise. Cobalt’s profit motive, combined sive nonstate cybercriminal groups in the with its development of one-off in-house world.1 It has been responsible for some of malware, renders disclosures largely impo- the most sophisticated and costly attacks on tent. This motive also allows the group to the financial sector, with Europol estimating pivot easily and attack any bank anywhere in that it has stolen over a billion Euros from the world. Furthermore, the success of Co- over a hundred banks in over forty coun- balt’s operations is not predicated on any tries—ranging from Russia and former Soviet single vulnerability or exploit. The Group ex- states to Western Europe and East Asia. The ploits macro-level structures within a bank’s Central Bank of Russia has deemed Cobalt infrastructure: utilizing the legitimate opera- to be the foremost cyberthreat to the Rus- tion of the system rather than hijacking the sian financial sector.2 It has stolen over $1 processes towards another end. Thus it col- billion to date.3 lects cash from ATMs, withdraws cash from debit cards, and uses payment gateways to Since appearing in 2016, the development transfer money to itself. The fix to these of new tools and tactics has greatly facili- hacks therefore depends on an individual tated Cobalt’s success. The eponymous soft- bank’s combination of software and hard- ware CobaltStrike provides it a dependable ware. Disclosures consequently have limited and up-to-date suite of penetration testing prophylactic use, if released in time to iden- and social engineering tools, but the diver- tify the process currently under attack. But sity of its campaigns and the novelty of its malware from 2017 strongly suggest that its greatest resource is a suite of in-house

1 They feature regularly in annual cyberthreat https://www.ptsecurity.com/ww-en/analytics/cy- trend reports, e.g. Group-IB, ‘Hi-Tech Crime bersecurity-threatscape-2018/ Trends 2018’ (https://www.group-ib.com/re- 2 J. Kirk, ‘Cobalt Cybercrime Gang Reboots Af- sources/threat-research/2018-report.html), ter Alleged Leader’s Bust’ (28 May 2018), Bank- ‘High-Tech Crime Trends 2019/2020’ InfoSecurity: (https://www.group-ib.com/resources https://www.bankinfosecurity.com/billion-euro- /threat-research/2019-report.html); iDefense, cybercrime-gang-reboots-after-arrest-a-11037. ‘2019 Cyber Threatscape Report’, Accenture Se- 3 J. Kirk, ‘Cobalt Cybercrime Gang Reboots Af- curity: https://www.accenture.com/_acnme- ter Alleged Leader’s Bust’ (28 May 2018), Bank- dia/pdf-107/accenture-security-cyber.pdf ; InfoSecurity: Positive Technologies, ‘Cybersecurity https://www.bankinfosecurity.com/billion-euro- Threatscape 2018’ (18 March 2019), cybercrime-gang-reboots-after-arrest-a-11037.

SIPA Capstone 2020 23 The Impact of Information Disclosures on APT Operations developers who design and write new mal- cooperation with other (highly technical and ware.4 The structure of the group also ap- successful) cybercriminal organizations ex- pears to be fluid and adaptable to changes pands its capabilities and available vectors in personnel: Cobalt’s operations saw no im- of attack. Connections to these groups are mediate effect from the apprehension of its registered below. leader in Alicante, Spain 5 or from subse- Buhtrap Carbanak quent and related arrests.6 Europol released TTPs are identi- Cobalt’s 2017 attacks news of the leader’s arrest (28 March 2018) cal or very simi- used a secure shell (SSH) 7 well after the fact, but this did nothing to re- lar to those used backdoor (previously tard a new attack in southeast Asia that April. by Carbanak.10 unique to Carbanak’s 2014 campaign) and used Lastly, Cobalt possibly overlaps with other a similar theft schema.11 known cybercriminal organizations from Cobalt’s first at- Carbanak’s SSH back- 8 Eastern Europe, specifically the Buhtrap tack occurred doors and C2 addresses and Carbanak gangs. 9 The diversification three months af- were located on the same 12 and expansion of Cobalt’s workforce offers ter the disclo- subnets, which shows sure of the that a single group likely another defense against disclosures, insofar source code for controlled them. The as it dilutes the risk to the Group’s own infra- the Buhtrap same is true for the SSH structure; but perhaps more importantly, malware. (Co- backdoor and Co- balt takes two baltStrike C2 server used

4 This expansion of capacity is often referred to https://cyberpolice.gov.ua/news/kiberpolicziya- as Cobalt’s “evolution”, for example: ‘Cobalt vykryla-ukrayinskogo-xakera-u-vzlami- Strikes Back: an Evolving Multinational Threat to kompyuteriv-svitovyx-bankiv-ta-goteliv-4470/ Finance’ (1 August 2017), Positive Technologies: 7 Europol, ‘Mastermind Behind €1 Billion Cyber https://www. Bank Robbery Arrested in Spain’ (26 March ptsecurity.com/upload/corporate/ww-en/analyt- 2018): https://www.europol.europa.eu/news- ics/Cobalt-2017-eng.pdf; ‘Cobalt: Evolution and room/news/ Joint Operations’ (May 2018), Group-IB: mastermind-behind-eur-1-billion-cyber-bank- https://www. robbery-arrested-in-spain group-ib.com/resources/threat-research/cobalt- 8 A portmanteau of buhgalter (бухгалтер, “ac- evolution.html countant”) and the English word “trap”. 5 J. Vijayan, ‘2018 Arrests Have Done Little to 9 See further: Group-IB 2018 (n. 4). Stop Marauding Threat Group’ (8 May 2018), 10 J-I. Boutin, ‘Operation Buhtrap, the Trap for Dark Reading: https://www.darkreading.com/at- Russian Accountants’ (9 April 2015), tacks-breaches WeLiveSecurity: https:// /2018-arrests-have-done-little-to-stop-maraud- www.welivesecurity.com/2015/04/09/operation- ing-threat-group/d/d-id/1334652; Kirk 2018 (n. buhtrap/ 2). 11 The backdoor had identical RSA and public 6 ‘Кіберполіція викрила українського keys installed on the two targeted Linux servers хакера у взламі комп’ютерів світових for data transfer to the C2 servers. банків та готелів’ (26 March 2018), Cyber Po- 12 190.123.35.0/24, 190.123.36.0/24. lice of Ukraine (Кіберполіції України):

SIPA Capstone 2020 24 The Impact of Information Disclosures on APT Operations months on aver- by Cobalt Group in timeline cannot adequately show the extent 13 age for infiltra- 2017, which again sug- to which Cobalt appears to shift towards tar- tion and gests single ownership of gets in Asia following a disclosure or other- reconnaissance.) both elements. wise pivot away from Western Europe and The phishing Cobalt’s campaigns have emails used in become less technically the U.S. with its phishing emails. Despite the the 2016 SWIFT complex over time: relying apparent shift, there are not enough in- attack employed more on preexisting ele- stances of this to label it a true behavioral techniques iden- ments of bank’s networks pattern. tical to those and requiring the compro- used by the mise of less software. This 2016 Mar: Last attack from Buhtrap un- Buhtrap group. streamlining more closely til 2019;15 activation and configu- resembles Carbank’s crim- ration of the servers used in the inal infrastructure. upcoming Hong Kong SWIFT at- TIMELINE tacks. Apr: Theft through SWIFT in Cobalt has undertaken four major cam- Hong Kong; theft through SWIFT 16 paigns to date. From the information availa- in Ukraine. ble, 14 no clear pattern exists between its Jun: First attack in Russia as Co- 17 heists or its use of new TTPs and disclosure balt. events. Cobalt appears to have a pattern of Jul: Successful attack against First activity and rest, approximately every two Commercial Bank ATMs in Tai- 18 months, which is possibly a deliberate as- wan. pect of its business model or strategy. The

13 89.37.226.0/24. https://www.kyivpost.com/article/con- 14 The definitive source for which, to date of tent/ukraine-politics/hackers-steal-10-million- publication: Group-IB 2018 (n. 4). from-a-ukrainian-bank-through-swift-loophole- 15 P. Paganini, ‘Buhtrap Group Stole Tens of Mil- 417202.html lions of Dollars from Russian Banks’ (18 March 17 V. Mateeva, ‘Secrets of Cobalt’ (15 August 2016), Security Affairs: https://securityaf- 2017), Group-IB: https://www.group- fairs.co/wordpress/ ib.com/blog/cobalt 45405/cyber-crime/buhtrap-group-attacks.html. 18 L. Chung, ‘How Taiwanese Police Cracked Note, however, that erroneous reports of NT$83 Million ATM Heist’ (6 August 2016), planned activity continued, e.g. E. Gerden, South China Morning Post: ‘Russian Hacker Group Targeting Largest EU https://www.scmp.com/news/china/ Banks’ (11 April 2016), SC Magazine UK: money-wealth/article/1999019/how-taiwanese- https://www.scmagazine.com/ police-cracked-nt83-million-atm-heist; C. Cim- home/security-news/russian-hacker-group-tar- panu, ‘Events Behind July 2016 Taiwan ATM geting-largest-eu-banks Heists Are Coming to Light’ (27 January 2017), 16 J. Kovensky, ‘Hackers Reportedly Steal $10 Bleeping Computer: https://www.bleepingcom- Million from a Ukrainian Bank Through SWIFT puter.com/news/security/events-behind-july- Loophole’ (25 June 2016), Kyiv Post: 2016-taiwan-atm-heists-are-coming-to-light/

SIPA Capstone 2020 25 The Impact of Information Disclosures on APT Operations Sept: Preparation for the upcom- Mar: Attacks on e-wallet and pay- ing campaign against card pro- ment terminal companies; phish- cessors. ing emails see improved quality; Nov: First successful attack on banks penetrated through their 24 card processing in Kazakhstan; supply chains. ATM jackpotting spree in Eu- Apr: First attack on a payment rope;19 Group-IB publishes a re- gateway using a unique pro- port on its ATM hacks.20 gram.25 2017 Feb: First attack using PetrWrap May: New JavaScript backdoor ransomware at a small Russian implemented; first use of decoy bank;21 beginning of supply chain documents.26 attacks on card processing ser- Aug: First attack on Russian tele- 22 vice providers; compromise of communications companies; at- 23 an IT integrator. tack thwarted, goals unclear.27

19 J. Finkle, ‘Hackers Target ATMs Across Eu- 22 Positive Technologies 2017 (n. 4), 3; I. Ar- rope as Cyber Threat Grows’ (21 November ghire, ‘Cobalt Hackers Now Using Supply Chain 2016), Reuters: https://in.reuters.com/arti- Attacks’ (2 August 2017), Security Week: cle/cyber-banks-atms-idINKBN13G254; Z. Zorz, https://www.securityweek. ‘Cobalt Hackers Executed Massive, Synchro- com/cobalt-hackers-now-using-supply-chain-at- nized ATM Heists Across Europe, Russia’ (22 tacks November 2016), Help Net Security: https:// 23 ‘Cobalt’s Latest Attacks on Banks Confirm www.helpnetsecurity.com/2016/11/22/cobalt- Connection to Anunak’ (29 May 2018), Group- hackers-synchronized-atm-heists/ IB: https:// 20 ‘Cobalt: Logical Attacks on ATMs’ (November www.group-ib.com/media/group-ib-cobalts-lat- 2016), Group-IB: https://www.infosecuri- est-attacks-on-banks-confirms-connection-to- tyeurope. anunak/ com/__novadocu- 24 ib. ments/459980?v=6365767641776 25 Group-IB 2018 (n. 4), 18–20. 30000 26 id., 30, 21 resp.; M. Gorelik, ‘Cobalt Group 21 A. Ivanov & F. Sinitsyn, ‘PetrWrap: The New 2.0’ (8 October 2018), Morphisec: Petya-Based Ransomware Used in Targeted At- https://blog.morphisec. tacks’ (14 March 2017), Kaspersky: https://se- com/cobalt-gang-2.0 curelist.com/ 27 L. Bermejo, R. Giagone, R. Wu, F. Yarochkin, petrwrap-the-new-petya-based-ransomware- ‘Backdoor-Carrying Emails Set Sights on Rus- used-in-targeted-attacks/77762/; L. Abrams, sian-Speaking Businesses’ (7 August 2017), ‘The Week in Ransomware - March 17th 2017 - Trend Micro: https:// Revenge, PetrWrap, and Captain Kirk’ (18 March blog.trendmicro.com/trendlabs-security-intelli- 2017), Bleeping Computer: https://www.bleep- gence/ ingcomputer. backdoor-carrying-emails-set-sights-on-russian- com/news/security/the-week-in-ransomware- speaking-businesses/ march-17th-2017-revenge-petrwrap-and-cap- tain-kirk/

SIPA Capstone 2020 26 The Impact of Information Disclosures on APT Operations Sept: Joint attack with Carbanak Soviet Union; Cobalt begins against payment gateways; use of phishing campaign under the new program, InfoStealer v. 0.2, guise of U.S. companies IBM and which is wholly hosted in Verifon and the international or- 32 memory.28 ganization Spamhaus. Nov: Nov. 14, CVE-2017-11882 is Apr: Cobalt is detected in a Swe- 33 published and patched by Mi- dish company’s network. crosoft; 29Nov. 21, proof of con- May: Cobalt begins new phishing cept is published for that exploit campaign against Russia and on GitHub;30 Cobalt immediately post-Soviet states under the begins a large phishing campaign guise of Kaspersky.34 against financial institutions with a Aug: SWIFT and card processing malicious document that initially attacks in Russia.35 goes undetected by AV.31 36 Dec: Cobalt’s spear phishing TYPOLOGY OF ATTACKS emails contain a link to a new Java applet (dropper). A key aspect of Cobalt’s relative immunity to 2018 Feb: Cobalt stops using Java. information disclosure events is the strategy behind its attacks. Aside from regularly Mar: Cobalt’s leader and chief malware author is arrested in changing its tactics and victims, Cobalt’s at- Spain; activity reduced in former tacks do not hinge on any single vulnerability

28 Group-IB 2018 (n. 4), 34 f. 32 Group-IB 2018 (n. 4), passim. 29 See further: National Vulnerability Database, 33 id., 7. ‘CVE-2017-11882 Detail’ (14 November 2017), 34 ClearSky Cyber Security, ‘2018 Cyber Events NIST: https://nvd.nist.gov/vuln/detail/CVE- Summary Report “Year of the Dragon”’ (2019), 2017-11882; T. Spring, ‘Microsoft Patches 17- 25: https://www.clearskysec.com/wp-con- Year-Old Office Bug’ (15 November 2017), tent/uploads/2019/02/ClearSky- Threat Post: https://threatpost.com/microsoft- End_of_Year_Report-2018.pdf patches-17-year-old-office-bug/128904/ 35 ASERT Team, ‘Double the Infection, Double 30 https://github.com/embedi/CVE-2017-11882 the Fun’ (30 August 2018), NetScout Systems: 31 J. Manual & J. Salvio, ‘Cobalt Malware Strikes https://www. Using CVE-2017-11882 RTF Vulnerability’ (27 netscout.com/blog/asert/double-infection-dou- November 2017), Fortinet: ble-fun https://www.fortinet.com/blog/ 36 The detailed information in this section is only threat-research/cobalt-malware-strikes-using- available in the Group-IB report Cobalt: Evolu- cve-2017-11882-rtf-vulnerability.html. The bug tion and Joint Operations from May 2018 (n. 4). was still a viable vector of attack two years later: That document is the definitive account of Co- T. Seals, ‘Microsoft Warns of Email Attacks Exe- balt’s operations from inception through the cuting Code Using an Old Bug’ (10 June 2019), date of publication and is the source for what Threat Post: https:// follows. threatpost.com/microsoft-arbitrary-code-execu- tion-old-bug/145527/

SIPA Capstone 2020 27 The Impact of Information Disclosures on APT Operations in a network or brute force techniques—un- The Group gained initial entry into the victim like, for instance, many hacks of cryptocur- bank’s network with a phishing email. With rency exchanges. Instead, Cobalt coopts the the malware in place on the workstation and normal processes and workflow of banks’ in contact with the C2 server, it waited until networks in small but meaningful ways to si- the SWIFT operator logged into SWIFT por- phon out funds. Disclosures may curtail the tal. The malware then embedded a mali- phishing stage of a new campaign or signal cious JavaScript script in the original portal that a cybersecurity firm has login page which logged removed Cobalt from a net- the credentials of the oper- Cobalt coopts the normal work, but a Cobalt heist has ator and relayed them to the processes and workflow of yet to be caught in medias C2 server. Cobalt used the res. Nevertheless, whether a banks’ networks in small but stolen credentials to access disclosure would deter Cobalt meaningful ways to siphon the SWIFT server and com- is not immediately clear be- out funds. promise it with a credential cause its attacks, as described harvester and a log suppres- below, target universal aspects of banks’ in- sor targeting fraudulent payment messages. frastructure. The usual specifics included in a It then used these SWIFT server credentials disclosure may not necessarily translate to to initiate fund transfers. The theft itself oc- another bank’s situation in the same way that curred on 28 April. Whether the Group a report about a new trojan would. needed the entire month to prepare or if other considerations were involved is un- Hong Kong SWIFT clear. Cobalt Group’s first recorded activity was a Jackpotting ATMs campaign to steal money from a bank in Hong Kong through the SWIFT system. This July 2016 saw the culmination of Cobalt attack began on 20 March 2016, with the up- Group’s second major campaign. This time, loading of the Cobalt Strike payload to a it targeted the ATM network of First Com- server in Germany which subsequently at- mercial Bank in Taiwan. To have ATMs sur- tacked the HK bank. This was repeated two render their cash, Cobalt needed to find the days later with a server in the US; however, segment of the Bank’s internal network that the Metasploit framework was also found on controlled the ATMs. The Group again that server, which may suggest that another achieved initial compromise through phish- group was involved in the attack. Cobalt was ing emails sent from two servers in Russia in able to transfer money through the SWIFT June 2016 under the guise of the European system by compromising the credentials of Central Bank, Wincor Nixdorf (an ATM man- SWIFT operators in the bank, implementing ufacturer), and local banks. If the exploit con- a unique JavaScript in authorization forms tained in the phishing email was successful and unique malware to search for SWIFT at compromising the recipient’s payment confirmation messages.

SIPA Capstone 2020 28 The Impact of Information Disclosures on APT Operations workstation,37 the malware injected the Co- denomination cassettes within the physical balt Strike payload “Beacon” into the machine. Money mules would appear at the memory, which allowed the Group to deliver ATMs, make a phone call, and then collect further payloads to the workstation and ulti- the cash in large duffle bags as it was mately control it.38 Cobalt then expanded its ejected. control over workstations on the network— The methods and malware used to compro- building, in effect, a network of infected ma- mise First Commercial Bank in Taiwan are chines within the Bank’s own network. A sin- functionally identical to those used by the gle CobaltStrike console installed on a Buhtrap Group against Russian banks’ ATMs remote server could then control this sub- during the interval of August 2015 to Janu- network of infected workstations and use it ary 2016.39 to branch out to further hosts on the internal network. Researchers first documented the Credit/Debit Card Processing use of the Cobalt Strike Beacon against a fi- In September 2016, two months after the at- nancial institution the month before the at- tack on First Commercial Bank’s ATMs, Co- tack in Taiwan, in June 2016 against a bank balt Group gained access to the network of in Russia. a Kazakh bank. Over the next two months, With control of the Bank’s network and re- the Group prepared to conduct a new man- dundant access channels established, Co- ner of attack; namely, theft through a bank’s balt sought out the workstations of card processing system. A major issue with employees who interfaced with the ATM Cobalt’s previous operation in Taiwan (and servers and software. With access to these subsequent attempts in Russia and Romania) machines, it instructed individual ATMs to was that local law enforcement tended to dispense cash from the different find and arrest the money mules—and with some rapidity.40 A plausible element in the

37 Using CVE-2015-1641. seeks to escalate its privileges on the network 38 The initial injection into memory is not perma- to establish their access to the internal network nent, and it would be lost should the system re- independent of any single workstation. start. To gain permanent control over the 39 The last confirmed attack by the Buhtrap workstation, Beacon scans for applications in- Group on a bank was March 2016. The criminal cluded in autorun and substitutes those legiti- group used to launder the stolen money was ar- mate files with identically named malicious rested in May 2016; and June 2016 registers the executables. Hence normal services will auto- first attack on a Russian bank with Cobalt Strike. matically launch malicious applications after a 40 J. Pan, ‘East European Trio Indicted Over First restart or other even that wipes the memory Commercial Heist’ (14 September 2016), Taipei clear. That does not, however, establish perma- Times: https://www.taipei- nent access to the local network: the infected times.com/News/front/archives/ workstation can still be shut down or have its 2016/09/14/2003655108; T. Ferry, ‘Looking OS changed/reinstalled. The Group therefore Back at the First Bank’s ATM Heist’ (15 February

SIPA Capstone 2020 29 The Impact of Information Disclosures on APT Operations mules’ quick apprehension was the coinci- France, Austria, Germany, the Netherlands, dence of the bank’s location and the loca- and Belgium, mules began to withdraw cash. tion of the hacked ATMs, which is to say that Bank officials quickly noticed the changes on First Bank only had ATMs in Taiwan. Cobalt Monday and had all illicit accounts deac- now sought to cash out from ATMs inde- tivated before noon. pendent of the bank to which the account Payment Gateway belonged or not in the same country as the bank’s headquarters. This new strategy also In late March 2017 Cobalt began a spear- simplified the collection of the stolen cash: phishing campaign against electronic wallet the Group’s hacker wing no longer needed and payment terminal companies in Russia to coordinate a cyberattack with the mules’ and Ukraine. During the reconnaissance physical presence at the correct ATM. More- phase, it discovered several payment gate- over, withdrawing cash in another county way servers that process requests to transfer puts distance between the mules, local law money. These gateways are most often used enforcement, and the bank’s security team. to convey small sums from one account to another: Cobalt had to automate transac- The operation itself was markedly simpler tions to steal a large amount. To do so, it than prior operations. The first phase was created a new program that sent fraudulent identical to what was seen at First Commer- transfer requests and the criminal recipient’s cial Bank, beginning with phishing emails. account information. The malicious attachments in these emails contained the CobaltStrike payload, which Here again, Cobalt had the technical ability the Group then used to establish an infected to steal money through various parts of a sub-network on the bank’s internal network. bank’s network but lacked a safe means to Over the next two months (9 September–10 cash out. Nevertheless, targeting a small- November), it used CobaltStrike to collect transactions gateway, which processes thou- data on domains and local user accounts. Af- sands of requests each day, afforded it some ter Cobalt established persistence in the net- degree of cover via the volume of transac- work, it spent three weeks conducting tion traffic and the paucity of the sums, reconnaissance on the card processing sys- which it used to evade fraud detection and tems while members opened accounts at countermeasures. the bank. A brief hiatus ensued as the organ- DISCLOSURE EVENTS ization waited for the debit cards to be de- livered. On 18 December 2016 (Sunday), the As mentioned above, disclosures of Cobalt’s Group effected the necessary changes to its TTPs and activity have only occurred post accounts; and in Russia, Latvia, Estonia, facto. Banks, both victims and near-victims,

2017), Taiwan Business Topics: https://top- /2017/02/looking-back-at-the-first-banks-atm- ics.amcham.com.tw heist/

SIPA Capstone 2020 30 The Impact of Information Disclosures on APT Operations have largely remained silent on any relevant What follows is not a comprehensive list, but incidents. But their reticence sounds a deaf- a selection of the most important and most ening undertone for the broader threat- salient reports. For reasons of time and man- scape, which is itself starved for power, it lies beyond the remit of reports that are contemporary, this project to sift through the vast Perhaps the largest detailed, and public. With over number of warnings and adviso- setback to one of $1.2 billion stolen to date, one ries from cybersecurity firms and would be justifiably incredulous Cobalt’s campaigns blogs that occur on any given Co- of the idea that banks, cyberse- was self-inflicted balt development. That is not to curity firms, or law enforcement say, however, that they lack im- lack a reliable means to preclude Cobalt portance, merely that there is no open- from bank robberies or otherwise obviate its source method to determine their effect four known techniques. And, yet, such while staving away conjecture. seems to be the case. Most of the relevant PetrWrap Ransomware Report: May 2016 disclosures from cybersecurity firms are phishing detection notices, reports on spe- Kaspersky revealed the existence of a new cific malware, or analyses of completed cam- Petya variant and provided a full technical 42 paigns. Only Group-IB’s (non-public) report analysis. A little less than a year later, in Cobalt Evolution detailed how Cobalt steals February 2017, Cobalt began using the ran- money. Indeed, perhaps the largest setback somware. to one of Cobalt’s campaigns was self-in- Logical ATM Attacks: November 2016 flicted: it forgot to blind carbon copy the During the spate of ATM attacks in Europe, 1,880 targets in a Kazakh bank spear-phish- Group-IB published a report on the First ing campaign during March 2017, and in- Bank ATM heist from July that year.43 The stead put them all in the “to” field—a ATM attacks resumed in Russia approxi- mistake it made again, in November of that mately one year later. year, for a campaign against Russian and Turkish banks.41 Even with such forewarning, Positive Technologies: After May 2017 Cobalt had several successful attacks against Sometime between May 2017 and the new Russian banks later that year. That is perhaps year, Positive Technologies published a re- the most damning evidence against the util- view of Cobalt’s phishing emails from earlier ity of public disclosures. that year and provided a general explana- tion of how the malware worked. 44 This

41 Y. Klijnsma, ‘Gaffe Reveals Full List of Targets 42 F. Sinitsyn, ‘Petya: The Two-In-One Trojan’ (4 in Spear Phishing Attack Using Cobalt Strike May 2016), Kaspersky: https://secure- Against Financial Institutions’ (28 November list.com/petya-the-two-in-one-trojan/74609/ 2017), RiskIQ: 43 Group-IB 2016 (n. 20). https://www.riskiq.com/blog/labs/cobalt-strike/ 44 Positive Technologies 2017 (n. 4).

SIPA Capstone 2020 31 The Impact of Information Disclosures on APT Operations report was non-technical and so wanted for Sometime after May 2018 (publication date the usual IPs, TTPs, and hashes that one is unlisted), Bitdefender published a white- might expect in a report of its length. paper that detailed every step in Cobalt’s mid-2018 spear-phishing campaign, which Arrest of Leader in Spain: March 2018 had notably pivoted away from East Europe Europol arrested the supposed leader of Co- and the former Soviet Union. The report was 45 balt Group, with subsequent arrests in highly detailed, including all the usual tech- 46 Ukraine. Operations continued without a nical indicators and a complete timeline of perceptible pause. its on-network activity that showed its activ- Group-IB ‘Cobalt: Evolution’ Report: May ity on a minute-by-minute basis. 48 Cobalt 2018 merely refocused on Russia and the former Soviet states during the second half of the Group-IB published a comprehensive report year, and with its usual success. on Cobalt Group’s to-date activity, but only for paying customers. 47 It provided a de- ASERT Team: August 2018 tailed explanation for each of Cobalt’s four Shortly before Cobalt could count any suc- known theft techniques in addition to the full cess in its new Russian bank campaign, suite of technical indicators for its known ASERT put out a technical analysis of the malware. malware which it used in that phishing cam- Bitdefender’s APT Blueprint: After May 2018 paign. Slightly more than half a month sepa- rated initial detection and publication.49

45 Europol 2018 (n. 7). https://www.bitdefender.com/files/News/Cas- 46 Ukrainian Cyber Police 2018 (n. 6). eStudies/study/262/Bitdefender-WhitePaper- 47 Group-IB 2018 (n. 4). An-APT-Blueprint-Gaining-New-Visibility-into- 48 ‘An APT Blueprint: Gaining New Visibility into Financial-Threats-interactive.pdf Financial Threats’, Bitdefender: 49 ASERT Team 2018 (n. 35).

SIPA Capstone 2020 32 The Impact of Information Disclosures on APT Operations APT33 (IRAN)

Timeline: Activity Levels and Disclosures 2020 Microsoft Password-spraying Presentation attacks

Symantec Attack on Saudi Disclosure Symantec, McAfee chemical sector and FireEye Shahmoon attacks 2019 Disclosures

MS Outlook attacks Dragos Non-Public Suppy chain Disclosure: attacks Attacks on engineering firms 2018 FireEye Disclosure

Attack on Saudi & Korean orgs

2017

Attacks on aerospace & aviation

2016

IMPACT OF DISCLOSURES

SIPA Capstone 2020 33 The Impact of Information Disclosures on APT Operations INTRODUCTION of its members has been linked to the Nasr Institute—a group controlled directly by the Iranian government. Yet signs of this con- APT33 is an Iranian group whose actions nection exist elsewhere. It employs hacking align with the strategic and political objec- tools that are commonly used by Iranian tives of the Iranian government, primarily its hackers, as well as DNS servers suspected to national defense and economic priorities— be used by other Iranian cyber groups; and, though it remains unclear how closely the tellingly, its hours of operation coincide with group is linked to the regime in Tehran. As a the Iranian workday and workweek. cyber actor, it has been resilient against in- formation disclosures: various cyber threat Cyber threat intelligence firms have tracked intelligence groups have disclosed TTPs and APT33 since at least 2013.3 The group did network artifacts with little perceivable effect not, however, become a major threat actor (deterrent or otherwise) on the frequency of until 2017, when it and other Iranian-linked APT33’s operations or capabilities.1 Instead, groups became increasingly active and in- APT33 has continued to expand its list of tar- creased their presence, persistence, and so- gets and increase the destructiveness of its phistication. 4 Throughout this interval, attacks, which have shifted from espionage APT33 primarily targeted Middle Eastern to sabotage through wiper attacks. countries and companies that Tehran views as regional rivals—Saudi Arabia, the UAE, THE GROUP Jordan, and Morocco.5 But its scope is not limited to that region. APT33 has also at- APT33 (Elfin, Magnallium, Holmium)2 is gen- tacked the United States, the United King- erally accepted to be an Iranian cyberthreat dom, Italy, Germany, Belgium, the Czech actor. The extent of its ties to the Iranian government are unclear, though at least one

1 Finding confirmed in an interview with FireEye Ties to Destructive Malware’ (20 September analyst Ben Read. 2017), FireEye: 2 Respectively: ‘APT33’ (28 June 2019), Mitre: https://www.fireeye.com/blog/threat-re- https://attack.mitre.org/groups/G0064/; ‘Mag- search/2017 nallium’, Dragos: https://dragos.com/re- /09/apt33-insights-into-iranian-cyber-espio- source/magnallium/; AFP, ‘Iranian Hackers nage.html Caused Losses in Hundreds of Millions: Mi- 4 ‘2017 in Cyber Perspective: the Rise of Iranian crosoft Researchers’ (7 March 2019), Radio Threat Actors, Repeat Attacks and Other Farda: https://en.radiofarda.com/a/ Trends’ (5 April 2018), Cyware: https://cy- iranian-hackers-caused-losses-in-hundreds-of- ware.com/news/2017 millions-microsoft-researchers/29808137.html -in-cyber-perspective-the-rise-of-iranian-threat- 3 J. O’Leary, J. Kimble, K. Vanderlee, N. Fraser, actors-repeat-attacks-and-other-trends- ‘Insights into Iranian Cyber Espionage: APT33 76013e05 Targets Aerospace and Energy Sectors and Has 5 ib.

SIPA Capstone 2020 34 The Impact of Information Disclosures on APT Operations Republic, China, South Korea, and India. 6 TIMELINE Many of its operations outside the Middle East have focused on companies with ties to Since its formation in 2013, APT33 has car- the Middle East through holdings and busi- ried out numerous campaigns and attacks. ness but which are based outside the re- Although it seems to alternate between pe- gion.7 riods of attack and rest, operations have ap- peared continuously since redoubling its As APT33 has targeted more countries over efforts in 2017; and in 2018 it expanded its time, the number of industries affected has focus to include Europe and North America, likewise expanded. This trend began in beyond its 2017 remit of the Middle East.10 2017, before which it was primarily targeting Its activity has been particularly visible since military and commercial aviation companies late 2018, as its TTPs began to change more and the energy sector (specifically petro- regularly and its attacks took on a higher de- chemical production). 8 Since then, APT33 gree of frequency and destructivity. Pass- has moved on to the aerospace, oil and gas, word-spraying attacks, for instance, were electric, government, research, chemical, conducted throughout most of 2019. 11 engineering, manufacturing, consulting, fi- Therefore, Intervals of low reported activity nance, and telecommunications sectors, as cannot be assumed to represent periods of well as the manufacturers, suppliers, and dormancy: such a hiatus more likely repre- maintainers of industrial control systems sents a preparatory phase for the next wave equipment.9 of attacks.

6 The reporting on these sundry attacks is pre- Multiple Organizations in Saudi Arabia and U.S.’ dictably voluminous. The following reports illus- (27 March 2019), Symantec: https://www.syman- trate the widening scope of APT33’s targets: tec.com/blogs/threat-intelligence/elfin-apt33- O’Leary et al. 2017 (n. 3); Critical Attack Discov- espionage ery and Intelligence Team, ‘Shamoon: Destruc- 7 ‘Magnallium’, Dragos: https://dragos.com/re- tive Threat Re-Emerges with New Sting in Its source/magnallium/ Tail’ (14 December 2018), Symantec: 8 O’Leary et al. 2017 (n. 3). https://www.symantec.com/blogs/threat-intelli- 9 Some illustrative examples: Dragos (n. 2); Criti- gence/shamoon-destructive-threat-re-emerges- cal Attack Discovery and Intelligence Team new-sting-its-tail; AFP, ‘Iranian Hackers Caused 2018 (n. 6); Critical Attack Discovery and Intelli- Losses in Hundreds of Millions: Microsoft Re- gence Team 2019 (n. 6); A. Greenberg, ‘A No- searchers’ (7 March 2019), Radio Farda: torious Iranian Hacking Crew Is Targeting https://en.radiofarda.com/a/ Industrial Control Systems’ (11 November 2019), iranian-hackers-caused-losses-in-hundreds-of- Wired: https://www.wired.com/story/ millions-microsoft-researchers/29808137.html; iran-apt33-industrial-control-systems/ Critical Attack Discovery and Intelligence Team, 10 Dragos (n. 2). ‘Elfin: Relentless Espionage Group Targets 11 Greenberg 2019 (n. 9).

SIPA Capstone 2020 35 The Impact of Information Disclosures on APT Operations 12 engineering sector to modify us- 2013 APT33 forms. ers’ MS Outlook client homep- 2016 Mid-2016 to early 2017: APT33 ages to enable code execution 19 compromises aerospace and avi- and persistence. ation companies in Saudi Arabia Dec: APT33 uses Shamoon and a and the U.S.; compromises oil new wiper variant against numer- and petrochemical company in ous targets in the oil and gas sec- 13 South Korea. tor;20Symantec, McAfee, and FireEye report on the campaign. 2017 May: APT33 targets a Saudi or- ganization and a South Korean 2019 Feb: APT33 conducts remote ac- 14 business conglomerate. cess and privilege exploitation Sep: FireEye releases first major against a Saudi chemical sector 21 disclosure on APT33 activities.15 target.

Nov: APT33 uses stolen creden- Mar: Symantec reports on the 22 tials and publicly available tools, February attack. targeting within the engineering Sep-Nov: APT33 conducts nar- sector to escalate privileges and rowed password-spraying attacks 16 steal more credentials. against smaller number of organi- zations, but with increased num- 2018 Dragos releases a non-public dis- ber of attacks against those closure on APT33.17 organizations; focus on gaining Feb: APT33 compromises a U.S. entry to ICS.23 company to steal information.18 Nov: Microsoft reports on the July-Aug: APT33 uses stolen cre- password-spraying campaign at dentials and publicly available CYEBRWWARCON.24 tools, again targeting within the

12 Mitre 2019 (n. 2). 17 Dragos (n. 2). 13 O’Leary et al. 2017 (n. 3). 18 Critical Attack Discovery and Intelligence 14 ib. Team 2019 (n. 6). 15 ib. 19 Ackerman et al. 2018 (n. 16). 16 G. Ackerman, R. Cole, A. Thompson, A. Orle- 20 Critical Attack Discovery and Intelligence ans, N. Carr, ‘OVERRULED: Containing a Poten- Team 2018 (n. 6). tially Destructive Adversary’ (21 December 21 Critical Attack Discovery and Intelligence 2018), FireEye: Team 2019 (n. 6). https://www.fireeye.com/blog/threat-research/ 22 ib. 2018/12/overruled-containing-a-potentially-de- 23 Greenberg 2019 (n. 9). structive-adversary.html 24 ib.

SIPA Capstone 2020 36 The Impact of Information Disclosures on APT Operations TYPOLOGY OF ATTACKS linked to the Iranian government and thus takes great pains to carefully manage its in- APT33 regularly uses spear-phishing emails frastructure and activities to prevent re- containing fraudulent job opportunities and searchers from connecting the two.25 As a offers to gain initial access to targets. But as result, there is a dearth of incentive for Teh- its capabilities have grown, so too have its ran to pressure the group into inactivity. means of entry. It has been seen utilizing Mid-2016 through Mid-2017 pre-stolen credentials and exploiting pub- licly available vulnerabilities, which culmi- Prior to this period, APT33 relied heavily on nated in the mass password-spraying attacks spear-phishing to gain access into networks, of 2019. primarily those of Saudi companies. In 2016 it began domain masquerading to improve Public disclosures are unlikely to affect the quality of its phishing emails, 26 which APT33 in any meaningful manner, and for themselves contained fallacious job oppor- various reasons. First, it uses tunities and offers. These at- both commodity and be- APT33 does not particularly tacks saw the use of multiple spoke tools, which allows it care about its tools and its custom backdoors in con- to switch between tools with targets being disclosed. junction with publicly availa- relative ease. Second, alt- ble tools, likely to offset or hough targeted organiza- minimize the research and tions monitor their networks for the development costs of the custom tools. presence of known malware signatures, they Some of these attacks also used a dropper cannot consistently protect their employees similar to a Shamoon variant.27 from well-made spear phishing emails. So long as employees continue to click on links Late-2017 through Mid-2018 and open malicious attachments, APT33 will APT33 conducted a series of attacks against be able to gain a foothold in the network. engineering firms to gain access, maintain Finally, APT33 serves as an Iranian proxy presence, and farm credentials. Using al- group rather than an explicit part of the Ira- ready-stolen credentials, the group was able nian government, thereby granting Tehran to map target networks, modify MS Outlook plausible deniability for APT33’s actions. client homepages, and use commodity tools While APT33 does not particularly care for privilege escalation and credential theft. about its tools and its targets being dis- Multiple variations of this homepage exploit closed, it does care about being directly also debuted during this span. If it were

25 Interview with a senior cybersecurity consult- their Western partners, in order to have the ant. sender’s address in the phishing email appear 26 i.e. registering domains that appear to be plausibly valid. owned and operated by Saudi companies and 27 O’Leary et al. 2017 (n. 3).

SIPA Capstone 2020 37 The Impact of Information Disclosures on APT Operations caught and its presence contained on a net- September 2019 through November 2019 work, it would reestablish access and main- Using its own botnets and private VPNs, tain persistence through password spraying. APT33 spent several months on a password- December 2018 spraying campaign that tested common passwords against user accounts at tens of APT33 conducted a supply chain attack thousands of organizations.31 From Septem- against several Middle Eastern companies ber to November, its focus narrowed to a se- via their European suppliers, again using the lect number of organizations per month job offer template for the initial spear-phish- while simultaneously increasing the number ing effort. It used the Shamoon v.3 wiper as of accounts targeted at those organizations. part of a toolkit alongside several other Motivations for the attack are ostensibly re- modules, including the Filerase wiper, that lated to gaining access to industrial control made the toolkit extremely destructive. Sha- systems, but researchers believe that these moon v.3 is itself very similar to v.2, which companies are upstream in the supply chain suggests that APT33’s goals included test- from the actual targets. APT33 could be tar- ing new wiper modules.28 Working in tan- geting critical infrastructure organizations dem, Shamoon v.3 erased the master boot that use these control systems.32 records of an infected computer while Fil- 29 erase deleted and overwrote files. DISCLOSURE EVENTS February 2019 Despite numerous cyber threat intelligence APT33 targeted a Saudi company in the groups reporting on APT33 since 2017, the chemical sector with a spear-phishing attack group has remained undeterred from action. that again alleged to link to a job descrip- Its TTPs have, however, shifted over time; tion. Once inside the network, APT33 used and with that, the network and host artifacts both custom and commodity malware to ex- have also changed. Two likely explanations ploit a known vulnerability that yielded the for this shift are directly opposed. On the ability to archive, compress, and extract one hand, these changes could reflect the files. 30 Symantec ultimately prevented it overall escalation in the intensity and sever- from doing so. ity of the threat posed by APT33. That is to

28 T. Roccia, J. Saavedra-Morales, & C. Beek, 30 Critical Attack Discovery and Intelligence ‘Shamoon Attackers Employ New Tool Kit to Team 2019 (n. 6). Wipe Infected Systems’ (19 December 2018), 31 T. Seals, ‘APT33 Mounts Focused, Highly Tar- McAfee: https://www.mcafee.com/blogs/other- geted Botnet Attacks Against U.S. Victims’ (14 blogs/mcafee-labs/shamoon-attackers-employ- November 2019), Threatpost: https://threat- new-tool-kit-to-wipe-infected-systems/ post.com/apt33-mounts-targeted-botnet-at- 29 Critical Attack Discovery and Intelligence tacks-us/150248/ Team 2018 (n. 6). 32 Greenberg 2019 (n. 9).

SIPA Capstone 2020 38 The Impact of Information Disclosures on APT Operations say, the shift could ensue from a natural ex- Dragos Non-Public Disclosure: 2018 pansion of its ambitions and the desire to In 2018 Dragos published a report on APT33 enhance the destructiveness of its opera- for its paying customers. The report itself tions, suggesting that disclosures fail to alter was not made public and therefore does not its behavior. On the other hand, the increas- count as a public disclosure, but Dragos did ingly aggressive nature of its operations release a summary that contained limited in- could be a result of the forced obsolescence formation on the group. The primary value of TTPs revealed in disclosures. Yet intelli- of this précis to our report is its consistency gence rarely tolerates such intellectual pu- with other reports and disclosures on APT33 rity. The reality of the situation is no less from other firms. It explained how APT33’s plausibly a mix of both theo- focus started local, mainly ries and other factors here- focused on Saudi energy tofore unknown or The increasingly aggressive and aviation firms, and ex- indiscernible. It should also nature of its operations panded over time. It also be noted that the U.S. De- could be a result of the covered APT33’s use of partment of Justice has not forced obsolescence of TTPs spear-phishing as the pri- indicted any members of revealed in disclosures. mary means of gaining initial APT33. access, and touched on its FireEye Disclosure: September 2017 seeming interest in industrial control sys- tems—an observation that would be con- FireEye’s September 2017 report on APT33 firmed by the group’s password-spraying was the first large disclosure made on the attacks in 2019.34 group. The report offered a general timeline of APT33’s actions up to the publication Symantec Disclosure: December 2018 date; a list of TTPs, including a description Symantec was the first firm to report on the of the fake-job spear-phishing emails; and a December 2018 attack that used the new description of how its tools were extremely Shamoon v.3 and the Filerase wiper, and it similar to the dropper used in attacks con- linked the attack back to APT33. The disclo- taining Shamoon variants. The disclosure sure did not report on TTPs but did describe detailed the group’s links to Iran and leaked tools used, protective measures to take, and the online handle of one of its members, indicators of compromise.35 whom FireEye linked to Iran’s Nasr Institute. The report also included an appendix of mal- McAfee Disclosure: December 2018 ware families used by APT33, domain The McAfee disclosure on the December names, and indicators of compromise.33 2018 attack came a few days after the Sy- mantec report, and it confirmed the use of

33 O’Leary et al. 2017 (n. 3). 35 Critical Attack Discovery and Intelligence 34 Dragos (n. 2). Team 2018 (n. 6).

SIPA Capstone 2020 39 The Impact of Information Disclosures on APT Operations Shamoon v.3 and the Filerase wiper. The re- used in the attack. Symantec included their port included information on TTPs, including own illustration of how APT33 attacks un- the fake-job spear-phishing emails, a Quran fold, albeit the old attack from February verse embedded in the code, tools, network 2018 as the example. That example included and host artifacts, domain names, and indi- C2 servers, IP addresses, TTPs, and indica- cators of compromise.36 tors of compromise.38

FireEye Disclosure: December 2018 Microsoft Presentation at CYBERWARCON: November 2019 FireEye published its own report two days after the McAfee disclosure, one week after In a presentation at the 2019 the original Symantec disclosure. FireEye CYBERWARCON, an annual conference was initially less confident that APT33 or- near Washington, D.C., a researcher from chestrated the attack, though an update Microsoft described APT33’s 2019 pass- posted in May 2019 affirmed that APT33 was word-spraying campaign. The presentation indeed responsible. The original report reg- outlined how the attack’s focus narrowed istered TTPs, network and host artifacts, do- throughout the year; and the speaker indi- main names, and indicators of cated that it appeared to be targeting indus- compromise—including those of bespoke trial control systems. Furthermore, the malware. It also showed how APT33 esca- presenter speculated that the password- lated privileges once on a network and de- spraying attack could be a supply chain at- scribed how defenders could protect their tack, with APT33 using it to gain access networks.37 through lateral movement to other parties linked via networks to the organizations Symantec Disclosure: March 2019 presently under attack. The presenter also Symantec published a report on how suggested that APT33 could be using the at- APT33’s February 2019 attack unfolded. The tack to gain a position to target critical infra- disclosure reviewed its TTPs, such as the structure components linked to industrial spear-phishing emails, dropper codes, and control systems.39 both the commodity and bespoke toolsets

36 Roccia et al. 2018 (n. 28). 38 Critical Attack Discovery and Intelligence 37 Ackerman et al. 2018 (n. 16). Team 2019 (n. 6). 39 Greenberg 2019 (n. 9).

SIPA Capstone 2020 40 The Impact of Information Disclosures on APT Operations APT34 (IRAN)

Timeline: Activity Levels and Disclosures

ClearSky Fox Kitten Report NSA-NCSC Report: Tonedeaf, Turla Group Valuevault, and 2020 Compromise FireEye Disclosure: Longwatch attacks LinkedIn Activity begin Lab Dookhtegan leaks FoxKitten Campagin Begins 2019

Quadagent attacks begin OopsIE malware Nyotron Report attacks begin Introduces new tools 2018 SecureWorks ISMAgent malware Disclosure: attacks begin PupyRat attacks ClearSky LinkedIn PupyRat Disclosure: Oxford attacks Impersonation Impersonates 2017 Oxford Domains Palo Alto Unit 42 FireEye Disclosure Disclosures Begin

Begins 2016 Spearphishing Campaigns with Helminth

2015

IMPACT OF DISCLOSURES

SIPA Capstone 2020 41 The Impact of Information Disclosures on APT Operations INTRODUCTION typically involve extracting data on the users and processes of target computer systems.3 It gains access to networks through spear- APT34 is an Iranian cyber threat group phishing emails and other types of social en- known for sustained cyber-espionage activi- gineering campaigns, both of which demon- ties, which it is believed to do on behalf of strate a certain level of research on its the Iranian government. ATP34 consistently targets. In 2019, it ostensibly began to ex- targets Middle Eastern organizations that periment with new delivery vectors for its hold substantial interest to Iranian state malware, including the impersonation of IT goals.1 Despite (or perhaps because of) the vendors and the exploitation of unpatched many disclosures of its activity, APT34 regu- VPN and RDP client vulnerabilities. larly updates and upgrades its TTPs, and it continues to expand the scope of its opera- APT34 primarily targets organizations in the tions. Middle East, both private businesses and government agencies, that tend to be of cer- THE GROUP tain interest with respect to Iranian state ob- jectives.4 Consequently, the target countries APT34 (OilRig, Helix Kitten) is believed to are often Iran’s regional adversaries or com- have close ties to the Iranian government, petitors—Saudi Arabia, the UAE, Israel, Ku- specifically to the Iranian Ministry of Intelli- wait, Lebanon, Bahrain, Turkey, Qatar. More gence. Concrete evidence of its existence recently, APT34 expanded its sights to in- dates no earlier than 2016; however, re- clude infrastructure and companies based in searchers believe that it has been active the U.S., Europe, and Australia. Its targets since 2014 and its first campaign likely have thus spanned a wide range of sectors, started in late 2015. Since its initial detec- from government, energy, and telecommu- tion, APT34 has remained highly active and nications to higher education, hospitality, fi- invested in updating its toolset.2 Its opera- nance, and aerospace.5 tions are classifiable as espionage and

1 M. Sardiwal, V. Cannon, N. Fraser, Y. Longhe, oopsie-oilrig-uses-threedollars-deliver-new-tro- N. Richard, J. O'Leary, ‘New Targeted Attack in jan/ the Middle East by APT34, a Suspected Iranian 3 Sardiwal et al. 2017 (n. 1). Threat Group, Using CVE-2017-11882 Exploit’ 4 ib. (7 December 2017), FireEye: 5 T. Seals, ‘OilRig APT Continues its Ongoing https://www.fireeye.com/blog/threat Malware Evolution’ (13 September 2018), -research/2017/12/targeted-attack-in-middle- Threatpost: https:// east-by-apt34.html threatpost.com/oilrig-apt-continues-its-ongo- 2 B. Lee & R. Falcone, ‘OopsIE! Oilrig Uses ing-malware-evolution/137444/; A. Meyers, ThreeDollars to Deliver New Trojan’ (23 Febru- ‘Meet CrowdStrike’s Adversary of the Month for ary 2018), Palo Alto Networks, Unit42: November: HELIX KITTEN’ (27 November https://unit42.paloaltonetworks.com/unit42- 2018), CrowdStrike:

SIPA Capstone 2020 42 The Impact of Information Disclosures on APT Operations TIMELINE in various sectors using Helminth malware.9 The first attestation of APT34 occurred on 22 2017 Jan–Feb: APT34 uses socially en- May 2016. On that day, FireEye issued a gineered LinkedIn accounts to warning about an unknown threat actor deliver PupyRAT malware against which had sent emails with malicious attach- Saudi technology and energy ments to Middle Eastern banks. Since then, companies.10 cyber threat analysts have come to under- Jul–Aug: ISMAgent malware de- stand APT34 much better, assisted in no buts; improved anti-analysis tech- small part by APT34’s high level of activity niques; malware sent to a UAE and reuse of assets.6 It often uses its tooling government organization. and infrastructure, for instance, in multiple concurrent campaigns—a telling contrast to Nov: APT34 introduces several other groups, such as APT28 and APT29. In- new tools (e.g. ALMA Communi- deed, its consistent use of several tools and cator, Powruner, Bondupdater, the same infrastructure significantly helped Twoface, RGDoor) to conceal C2 infrastructure better, beat anti- identify it as a single group.7 malware tools, and provide alter- 2015 First observed conducting spear- native backdoors; continues use of spear-phishing, fake job web- phishing against the Saudi de- sites, and credential harvesting fense sector.8 for access. 2016 May–Oct: APT34 undertakes a se- 2018 Jan: APT34 introduces OopsIE ries of spear-phishing campaigns malware and a new delivery doc- against Middle East organizations ument.

https://www.crowdstrike.com/blog/meet- saudi-arabian-organizations-deliver-helminth- crowdstrikes backdoor/ -adversary-of-the-month-for-november-helix-kit- 9 J. Grunzweig & R. Falcone, ‘OilRig Malware ten/ Campaign Updates Toolset and Expands Tar- 6 Two years after their detection, in February gets’ (4 October 2016), Palo Alto Networks 2018, Palo Alto Networks’ Unit 42 was able to Unit42: https://unit42. assert that ‘the OilRig group remains highly ac- paloaltonetworks.com/unit42-oilrig-malware- tive in their attack campaigns while they con- campaign-updates-toolset-and-expands-tar- tinue to evolve their toolset’ (Lee & Falcone gets/ 2018 [n. 2]). 10 Counter Threat Unit Research Team, ‘The Cu- 7 ib. rious Case of Mia Ash: Fake Persona Lures Mid- 8 R. Falcone & B. Lee, ‘The OilRig Campaign: dle Eastern Targets’ (27 July 2017), Attacks on Saudi Arabian Organizations Deliver Secureworks: https://www. Helminth Backdoor’ (26 May 2016), Palo Alto secureworks.com/research/the-curious-case-of- Networks Unit42: https://unit42.paloaltonet- mia-ash works.com/the-oilrig-campaign-attacks-on-

SIPA Capstone 2020 43 The Impact of Information Disclosures on APT Operations May–Aug: APT34 adds further operation. As is customary for these organi- anti-analysis features to OopsIE zations, APT34 makes significant use of and Bondupdater; Quadagent spear-phishing and social engineering to de- malware debuts. liver malicious attachments with embedded Nov: Attacks pivot to the tele- executables.11 It regularly updates its TTPs communications sector. and tooling, and further increases their so- 2019 Mar: Lab Dookhtegan leaks multi- phistication—particularly in regards to C2 12 ple tools, infrastructure details, obfuscation. The bespoke nature of these TTPs, and individual personalities attacks indicates robust target reconnais- associated with APT34 via Tele- sance and research. For example, APT34’s gram. spear-phishing campaigns have used emails related to the target’s internal IT system, in- Jun: APT34 introduces Tonedeaf, cluding what appeared to be a conversation Valuevault, and Longwatch; con- between two actual employees at the organ- ducts spear-phishing attacks ization.13 Another attack used a subject line through fake accounts on that referred to a topic recently covered in LinkedIn. an internal publication from the target.14 To Oct: NSA and NCSC release de- further its credibility with a target, APT34 has tails on the Turla group and com- also sent emails from compromised ac- promise APT34 infrastructure. counts at organizations related to the target or that do business with them. These mes- 2020 Early 2020: APT34 continues use sages are often related to IT and corporate of Tonedeaf and Valuevault 15 against a U.S. company; VPN and infrastructure. RDP vulnerability attacks, possibly APT34 has used other intricate ploys to gain dating back to 2017, are ex- the trust of targets, including socially engi- posed. neered attacks on social media. It uses these TYPOLOGY OF ATTACKS attacks after its more usual phishing efforts have failed: it uses fake social media profiles, To achieve its cyberespionage objectives, ranging from amateur models to university APT34 relies primarily on in-house tools and researchers, to lure targets into clicking on a techniques that it tailors for a specific use or

11Meyers 2018 (n. 5). 14 T. Seals, ‘Oilrig Sends an OopsIE to Mideast 12 Sardiwal et al. 2017 (n. 1). Government Targets’ (5 September 2018), 13 S. Singh & Y. H. Chang, ‘Targeted Attacks Threatpost: https://threatpost.com/oilrig-sends- Against Banks in the Middle East’ (22 May an-oopsie-to-mideast-government-tar- 2016), FireEye: gets/137220/ https://www.fireeye.com/blog/threat-research/ 15 Meyers 2018 (n. 5). 2016/05/targeted_attacksaga.html

SIPA Capstone 2020 44 The Impact of Information Disclosures on APT Operations malicious attachment.16 The group has also company in Qatar, and government organi- shown increased technical sophistication in zations in Turkey, Israel, and the United its attempts to entice targets, including VPN States. The phishing emails were, however, portal spoofing, IT vendor impersonation, detected during the initial stages of recon- and security certificate theft.17 In that vein, naissance against these organizations, ClearSky Cyber Security recently identified thereby giving cyber threat firms a signifi- an extensive campaign to ex- cant period of observation. 18 ploit unpatched VPN and RDP The bespoke nature of The emails were sent from services, purportedly extending these attacks spoofed accounts and con- as far back as 2017 and perhaps indicates robust tained an attachment that de- in conjunction with other Iranian target reconnaissance livered the Helminth backdoor cyberthreat groups. In this cam- and research. onto the victim’s machine. paign, APT34 gained access to Throughout this period, APT34 targets through a one-day exploit before made changes to both the attached docu- companies had patched or by using stolen ment and the malware that lessened the or faked credentials and certificates. After chances that its actions would be detected.19 securing access, it implanted backdoors to During autumn 2016, APT34 attempted to maintain network presence, and then moved deliver Helminth through a fake VPN portal, laterally to find and exfiltrate sensitive infor- to which targets were directed through mation. emails sent from the accounts of compro- mised IT vendors.20 Meanwhile, in another May to October 2016 effort, it used stolen certificates to imperson- APT34 conducted a series of targeted spear- ate the University of Oxford’s domain, on phishing campaigns against several financial which it hosted a ‘job symposium’ registra- and tech organizations in Saudi Arabia, a tion portal that hid malware.21

16 Respectively: T. Spring, ‘APT Group Uses Cat- Impersonates University of Oxford’ (5 January fish Technique to Ensnare Victims’ (27 July 2017), ClearSky Cyber Security: 2017), Threatpost: https://threatpost.com/apt- https://www.clearskysec.com/oilrig/ group-uses-catfish-technique-to-ensnare-vic- 18 Singh & Chang 2016 (n. 13). tims/127028/[;] M. Bromiley, N. Klapprodt, N. 19 ib.; Grunzweig & Falcone 2016 (n. 9). Fraser, Y. Longhe, N. Schroeder, J. Rocchio, 20 ClearSky Research Team 2017 (n. 17). ‘Hard Pass: Declining APT34’s Invite to Join 21 ib. The impersonation of the University of Ox- Their Professional Network’ (18 July 2019), ford was particularly sloppy, neither spoofing FireEye: https://www.fireeye.com/blog/threat- nor trying to approximate a believable research/ “ox.ac.uk” domain, nor an “@ox.ac.uk” email, 2019/07/hard-pass-declining-apt34-invite-to- nor the University’s preferred san-serif font, nor join-their-professional-network.html the correct Oxonian blue (#002147). They also 17 ClearSky Research Team, ‘Iranian Threat failed to realize that the University is comprised Agent OilRig Delivers Digitally Signed Malware, of constituent colleges and independent

SIPA Capstone 2020 45 The Impact of Information Disclosures on APT Operations January to February 2017 machine. This new backdoor granted addi- tional C2 functionality with a domain gener- APT34 attempted to use social media pro- ation algorithm called BondUpdater. 23 files on LinkedIn to lure specific targets after APT34 later delivered ISMAgent through a email phishing attempts had failed. It cu- new injector, creatively dubbed ISMInjector, rated two fake profile, possibly over the which further decreased the conspicuity of course of years, of a young London-based the installation and provided additional photographer and an amateur model named hedges against anti-virus detection.24 Mia Ash. These personae were used to tar- get tech-focused employees at large Saudi November 2017 energy and technology companies, to whom APT34 introduced several new tools and up- they sent attachments containing the dated versions of older ones that had been PupyRAT malware.22 overserved in the wild for some time. Re- July to August 2017 searchers observed the group using Mimi- katz in coordination with a new DNS APT34 targeted government organizations tunneling trojan, the ALMA Communicator, in the UAE with a Rich Text Format file that at a public utilities company in the Middle contained a new PowerShell-based back- East.25 This attack marked an enhancement door—built on the recently released CVE- in the accessibility and stealth of its C2 infra- 2017-0199. This document contained a vari- structure, with the novel incorporation of the ant of its Clayside script that pushed the new TwoFace webshell and the RGDoor back- backdoor, called ISMAgent (itself a variant of door.26 the ISMDoor trojan), onto the victim’s

faculties, and therefore lacks a central hiring au- https://unit42.paloaltonetworks.com/unit42-oil- thority. Not to mention their dismal command rig-uses-ismdoor-variant-possibly-linked-green- of the English language, which one would imag- bug-threat-group/ ine to be prerequisite before trying to imper- 24 R. Falcone & B. Lee, ‘OilRig Group Steps Up sonate the world’s foremost English-speaking Attacks with New Delivery Documents and New university. The University would never host a Injector Trojan’ (9 October 2017), Palo Alto Net- ‘job symposium’ because (a) that is not the cor- works Unit42: https://unit42.paloaltonet- rect use of “symposium”, let alone in so formal works.com/unit42-oilrig-group-steps-attacks- an academic setting, and (b) the use of the word new-delivery-documents-new-injector-trojan/ “job” in this context (as opposed to “career”) is 25 R. Falcone, ‘OilRig Deploys “ALMA Commu- distinctly American. nicator” – DNS Tunneling Trojan’ (8 November 22 Counter Threat Unit Research Team 2017 (n. 2017), Palo Alto Networks Unit42: 10). https://unit42.paloaltonetworks.com/unit42-oil- 23 R. Falcone & B Lee, ‘OilRig Uses ISMDoor rig-deploys-alma-communicator-dns-tunneling- Variant; Possibly Linked to Greenbug Threat trojan/ Group’ (27 July 2017), Palo Alto Networks 26 R. Falcone, ‘OilRig uses RGDoor IIS Backdoor Unit42: on Targets in the Middle East’ (25 January 2018), Palo Alto Networks Unit42:

SIPA Capstone 2020 46 The Impact of Information Disclosures on APT Operations In late November, APT34 debuted DNSpio- November 2018 nage, which it used to deliver Microsoft Of- In early November, CrowdStrike observed fice document with malicious macros.27 that APT34 was targeting a specific cus- January 2018 tomer in the telecommunication vertical. While this represented a shift in targeting, APT34 attacked Middle Eastern insurance APT34 utilized the same tools and TTPs.32 and financial companies with OopsIE and ThreeDollars, respectively a new malware June 2019 and a new delivery document.28 APT34 impersonated researchers at the Uni- May to August 2018: versity of Cambridge on LinkedIn and of- fered fake job opportunities to certain APT34 premiered the Quadagent backdoor. individuals. It sent malicious messages con- Using stolen credentials from trusted organ- taining the new Tonedeaf, Valuevault, and izations within a specific nation-state, it con- Longwatch malware.33 ducted spear-phishing attacks against a government entity and a tech service pro- January to February 2020 vider in the same country.29 APT34 contin- APT34 used an updated version of Tonedeaf ued to add anti-analysis features to its and Valuevault against the U.S. company OopsIE and Bondupdater tools.30,31 Westat.34 Together with APT33 and APT39, it launched a campaign to exploit unpatched VPN and RDP vulnerabilities in order to gain

https://unit42.paloaltonetworks.com/unit42-oil- https://unit42.paloaltonetworks.com/unit42-oil- rig-uses-rgdoor-iis-backdoor-targets-middle- rig-targets-middle-eastern-government-adds- east/ evasion-techniques-oopsie/ 27 W. Mercer & P. Rascagneres, ‘DNSpionage 31 K. Wilhoit & R. Falcone, ‘OilRig Uses Updated Campaign Targets Middle East’ (27 November BONDUPDATER to Target Middle Eastern Gov- 2018), Talos Intelligence: https://blog.talosintel- ernment’ (12 September 2018), Palo Alto Net- ligence.com/2018/11/dnspionage-campaign- works Unit42: targets-middle-east.html https://unit42.paloaltonetworks.com/unit42-oil- 28 Lee & Falcone 2018 (n. 2). rig-uses-updated-bondupdater-target-middle- 29 B. Lee & R. Falcone, ‘OilRig Targets Technol- eastern-government/ ogy Service Provider and Government Agency 32 Meyers 2018 (n. 5). with QUADAGENT’ (25 July 2018), Palo Alto 33 Bromiley et al. 2019 (n. 16). Networks Unit42: https://unit42.paloaltonet- 34 P. Litvak & M. Kajiloti, ‘New Iranian Campaign works.com/unit42-oilrig-targets-technology-ser- Tailored to U.S. Companies Uses an Updated vice-provider-government-agency-quadagent/ Toolset’ (30 January 2020), Intezer: 30 R. Falcone, B. Lee, R. Porter, ‘OilRig Targets a https://intezer.com/blog/apt/new-iranian-cam- Middle Eastern Government and Adds Evasion paign-tailored-to-us-companies-uses-updated- Techniques to OopsIE’ (4 September 2018), toolset/ Palo Alto Networks Unit42:

SIPA Capstone 2020 47 The Impact of Information Disclosures on APT Operations access to target networks in Israel and some to capitalize on one-day exploits, and its cre- Gulf states. This activity potentially ex- dential-harvesting operations now obtain tended back to 2017, and included a few throughout the Middle East. Moreover, previously unreported TTPs and malware APT34 has increasingly broadened the that affected dozens of companies around scope of its targets in terms of both region the world. and sector: techniques well known in one area may be entirely novel in another. Per- DISCLOSURE EVENTS haps most important is its proven capacity for updating and upgrading its malware dur- Since 2016 there have been no less than ing the middle of an operation. A disclosure twenty-five public disclosures, leaks, or re- poses no threat if its information can be ports on APT34’s TTPs, tools, and infrastruc- quickly rendered outdated or otherwise ob- ture. Information viated through planned disclosures appear to In the eyes of APT34, disclosures patching. Accordingly, the regulate APT34’s be- do not particularly jeopardize the only disclosure to disrupt havior, insofar as it fre- its activity was the Lab quently updates its efficacy of its tools and tactics. Dookhtegan leak, which malware and TTPs and both divulged an exten- enhances the sophistication of its C2 infra- sive amount of information and directly com- structure and anti-virus detection capabili- promised individual members of APT34.35 ties. Nevertheless, available evidence fails to suggest that disclosures disrupt its activity. FireEye Disclosure: May 2016 Its TTPs often remain unchanged from one FireEye’s report on a series of spear-phish- attack to the next, regardless of whether a ing attacks against certain Middle Eastern disclosure occurred. One could therefore banks marked the first disclosure of APT34’s presume that, in the eyes of APT34, disclo- activity. Although the culprit remained un- sures do not particularly jeopardize the effi- known at the time, FireEye later attributed cacy of its tools and tactics. Hence the lack the activity to APT34 in December 2017. The of correlation between the dates of disclo- initial report provided the basis for most sub- sures and the longevity of its operations. sequent reporting on its activity. The report Several reasons explain this lack of impact. identified the highly targeted nature of its For one, APT34 is increasing its vectors of spear-phishing emails and the primary deliv- attack. Although phishing emails still appear ery method as macro-enabled XLS files. The de rigueur in the opening phases of a cam- report also detailed the contents of the paign, APT34 has demonstrated the ability emails and XLS files, and analyzed what

35 Thus FireEye’s Ben Read, in an interview on 15 April 2020.

SIPA Capstone 2020 48 The Impact of Information Disclosures on APT Operations would become known as the Helminth mal- downloads were signed with a valid but sto- ware.36 len security certificate from a legitimate soft- ware company. The report also discussed Palo Alto Unit 42 Disclosures: May and Oc- the four domains that APT34 used to imper- tober 2016 sonate the University of Oxford.38 Palo Alto Networks’ Unit 42 issued two re- SecureWorks Counter Threat Unit Disclo- ports on activity similar to what was men- sure: July 2017 tioned in the FireEye report in May 2016. The reports named the campaign OilRig, the This report highlighted APT34’s use of fake malware Helminth, and the document Clay- social media accounts to conduct spear side. Unit 42 connected this activity to inci- phishing. SecureWorks identified the TTPs dents involving the Saudi defense industry in employed by APT34 to lure targets with the 2015. Across the two reports, Unit 42 can- account and deliver the PupyRAT malware. vassed APT34’s TTPs, analyzed the malware The report described the primary social me- and its variants, the indicators of compro- dia account of a fake persona known as Mia mise, and Helminth’s C2 infrastructure. Of Ash and attributed the profile to APT34. note was Unit 42’s discovery that variants of Nyotron Attack Response Center Report: Helminth dropped files named fireeye.vbs March 2018 and fireeye.ps1, suggesting that the authors of these updates had read The Nyotron report was the FireEye’s report.37 first systematic catalogue of Variants of Helminth APT34’s activity up to that ClearSky Cyber Security Disclo- dropped files named point. It registered the TTPs sure: January 2017 fireeye.vbs and and tools used to bypass de- ClearSky found and published fireeye.ps1, suggesting fenses, establish persistence, the first examples of APT34 us- that the authors of these escalate privileges, conduct ing fake VPN portals, fake web- updates had read internal reconnaissance, and sites, and stolen security FireEye’s report. move laterally. Notably, the certificates. ClearSky’s report report provided technical de- detailed how these websites tails of three previously un- downloaded the Helminth malware onto the documented C2 and data exfiltration target computers through both the VPN capabilities.39 software and the malicious webpages. The

36 Singh & Chang 2016 (n. 13). Techniques’ (March 2018), Nyotron: https://nyo- 37 Falcone & Lee 2016 (n. 8). tron.com/wpcontent/uploads/2018/03/Nyotron- 38 ClearSky Research Team 2017 (n. 17). OilRig-Malware-Report-March-2018b.pdf 39 Nyotron Attack Response Center, ‘OilRig is Back with Next-Generation Tools and

SIPA Capstone 2020 49 The Impact of Information Disclosures on APT Operations Lab Dookhtegan Leak: March 2019 staff at the University of Cambridge and its three new malware tools. The reported ac- An anonymous entity dumped a trove of tivity occurred in June, only a few months af- data that allegedly originated from APT34’s ter the Lab Dookhtegan Leaks. FireEye also operations. In sum, the disclosure included a provided the expected analysis of the new list of 13,000 stolen credentials and compro- malware and new indicators of compro- mised systems, one-hundred different web mise.41 shell-launching URLs, various backdoors and DNS hijacking tools, screenshots of their op- NSA-NCSC Report: October 2019 erational platforms, sundry details on their This joint report between NSA and NCSC C2 infrastructure, and details about specific detailed the Turla Group’s apparent com- individuals associated with the Iranian minis- promise of APT34’s C2 infrastructure. It pro- try of Intelligence. The leaked information vided two indicators of compromise, suggested that APT34 had conducted oper- although whether the indicators signify activ- ations against ninety-seven organizations ity from APT34 or Turla remains unclear.42 across twenty-seven countries.40 Intezer Disclosure: January 2020 FireEye Disclosure: July 2019 Intezer reported on APT34’s phishing cam- FireEye identified activity similar to what was paign against the U.S. company Westat. The found in the SecureWorks report on APT34’s campaign used a bogus employee satisfac- LinkedIn operations. FireEye’s report cov- tion survey embedded with malicious code, ered APT34’s impersonation of research which in turn downloaded the version of the staff at the University of Cambridge and its ToneDeaf malware treated by FireEye’s re- three new malware tools. The reported ac- port from July 2019. Intezer’s document tivity occurred in June, only a few months af- identified TTPs, C2 infrastructure, specific ter the Lab Dookhtegan Leaks. FireEye also updates to the malware, and indicators of provided the expected analysis of the new compromise. 43 malware and new indicators of compromise identified activity similar to what was found ClearSky Fox Kitten Report: February 2020 in the SecureWorks report on APT34’s Utilizing undisclosed information from the LinkedIn operations. FireEye’s report cov- cybersecurity firm Dragos, ClearSky issued a ered APT34’s impersonation of research report on APT34’s extensive use of

40 B. Lee & R. Falcone, ‘Behind the Scenes with Turla Group Exploits Iranian APT to Expand Oilrig’ (30 April 2019), Palo Alto Networks Coverage of Victims’ (21 October 2019), Unit42: https://unit42.paloaltonetworks.com/be- https://media.de- hind-the-scenes-with-oilrig/ fense.gov/2019/Oct/18/2002197242/-1/- 41 Bromiley et al. 2019 (n. 16). 1/0/NSA_CSA_TURLA_20191021%20VER%203 42 U.S. National Security Agency, U.K. National %20-%20COPY.PDF Cybersecurity Centre, ‘Cybersecurity Advisory: 43 Litvak & Kajiloti 2020 (n. 34).

SIPA Capstone 2020 50 The Impact of Information Disclosures on APT Operations unpatched VPN and RDP software to infil- exfiltrated data. The report attributed the trate target networks. They analyzed the activity to APT34 but remained open to the tools and TTPs used in the attacks, with spe- possibility that APT33 or APT39 was respon- cific attention to how APT34 gained access, sible. It included indicators of compromise, escalated privileges, moved laterally, and hashes, and associated IP addresses.44

44 ClearSky Research Team, ‘Fox Kitten – Wide- (16 February 2020), ClearSky Cyber Security: spread Iranian Espionage-Offensive Campaign’ https://www.clearskysec.com/fox-kitten/

SIPA Capstone 2020 51 The Impact of Information Disclosures on APT Operations APT38 (NORTH KOREA)

Timeline: Activity Levels and Disclosures

U.S. DoJ Indictment 2020

McAfee: Op Attacks on critical Sharpshooter infrastructure 2019 U.S. DoJ Indictment Recorded Future Disclosure Bitcoin Spear- 2018 phishing campaign Global WannaCry Kaspersky: Under begins Attack the Hood

2017 Bangladesh Central Novetta: Op Bank heist Blockbuster 2016 Palo Alto: TDrop2

SWIFT bank heists Sony Pictures begin Hacked 2015

2014 DarkSeoul Attacks McAfee: Op Troy

2013

2012

IMPACT OF DISCLOSURES

SIPA Capstone 2020 52 The Impact of Information Disclosures on APT Operations INTRODUCTION THE GROUP

APT38 (Hidden Cobra, Zinc, Stardust Lazarus Group’s imperviousness to disclo- Chollima, Guardians of Peace, WhoIs sures has several likely sources. It’s con- Group),1 better known as the Lazarus Group, cealed by the secretiveness of North Korean is a threat actor run by the North Korean society and, as part of the military structure, state intelligence agency, the Reconnais- is unconcerned with foreign criminal investi- sance General Bureau. 2 Lazarus’ first cam- gations. It has also been primarily financially paign launched in 2009, first against the motivated since the 2013 United Nations United States and then against South Ko- sanctions on North Korea and its 2014 Sony rea.3 Since then, it has increased its interna- Pictures hack. This new motivation has al- tional notoriety with several significant lowed Lazarus to diversify its target base: incidents, such as its 2014 breach of Sony first attacking national banks then pivoting Pictures’ networks;4 its 2016 heist at Bangla- to cryptocurrency exchanges in 2017 when desh’s Central Bank through the SWIFT sys- Bitcoin prices rose. As cryptocurrency prices tem;5 and its 2017 release of WannaCry 2.0 settled, it began conducting FASTCash op- into the world.6 Although Lazarus’ activities erations in a variety of locations from South have drifted from espionage to disruption, America to Africa. In April 2020, the U.S. its primary activity appears to be financial cy- government cautioned that the group had bercrime—no doubt to help the North Ko- started providing its cybercrime services to rean regime weather an array of United international clients—a move which could Nations and U.S. sanctions. South Korean confound the attribution process further. law enforcement has estimated that North Disclosures have been unable to change the Korea had a force of at least ten-thousand decision-calculus of a regime with no alter- trained hackers as far back as 2011.7 native streams for revenue and little to lose.

1 ‘Lazarus Group’, Malpedia: 3 A. L. Johnson, ‘Born on the 4th of July’ (9 July https://malpedia.caad.fkie.fraunhofer.de/ac- 2009), Symantec: From https://commu- tor/lazarus_group ; R. Sherstobitoff, I. Liba, & J. nity.broadcom.com/symantecenterprise/com- Walter, ‘Dissecting Operation Troy: Cyberespio- munities/community-home/librarydocuments/ nage in South Korea’ (June 2013), McAfee: viewdocument?DocumentKey=d5fc6afb-02e8- https://www.mcafee.com/enterprise/en-us/as- 423f-8feb-f77c68ec7c8a&CommunityKey sets/white-papers/wp-dissecting-operation- =1ecf5f55-9545-44d6- troy.pdf b0f44e4a7f5f5e68&tab=librarydocuments 2 ‘United States of America v. Park Jin Hyok’ (8 4 Novetta 2016 (n. 1), 6. June 2018), United States District Court, Central 5 DoJ Indictment (n. 2), 56. District of California: https://www.jus- 6 id., 106. tice.gov/opa/press-release/file/1092091/down- 7 D. Gewirtz, ‘Inside the Early Days of North load. Hereafter referred to as DoJ Indictment. Korea’s Cyberwar Factory’ (12 June 2018),

SIPA Capstone 2020 53 The Impact of Information Disclosures on APT Operations Lazarus Group hides behind the isolation of regime lacks something meaningful (or any- North Korea to present itself in different thing) to lose, or if the intended source of ways. It conducted Operation Troy from coercion does not impose a significant 2009–2013 as the WhoIs Group and enough cost. The group operates akin to a NewRomanic Cyber Army Team. For its criminal group, and immune to the fear of breach of Sony Pictures, it self-identified as extradition or sanctions on individuals, there a hacktivist group called the Guardians of is little reason that public disclosures or even Peace. In 2016, the data analytic company indictments will impact its operations.10 Novetta labelled it ‘Lazarus Group’, a term Over the past decade, Lazarus’ operations which has come to encompass a sizable have expanded to such an extent that it now amount of North Korean cybercrime opera- touts two highly successful subgroups, An- tions. An indictment from the U.S. Depart- dariel and Bluenoroff.11 The former refers to ment of Justice in 2018 identified an the outfit that targets the South Korean gov- individual and several com- ernment and its associated panies that Lazarus used as organizations: the latter fronts for its operations, Immune to the fear of extradi- focuses on global espio- again suggesting that the tion or sanctions on individuals, nage and the monetiza- relative obscurity of North there is little reason that public tion of cyber capabilities Korea plays to its ad- disclosures or even indictments for the North Korean re- vantage outside the Korean will impact its operations. gime. This recategoriza- Peninsula.8 tion of its threat activity There is little that the U.S. can do to deter supervened on the identification of similar the Group because the North Korean re- code in the malware used during these di- gime has few alternative streams for reve- vergent operations. According to a senior nue.9 Indictments from the U.S. government security researcher with Kaspersky, ‘[Lazarus and its allies may send a signal that they con- Group] adapt their toolkit to match, and sider such behavior a threat; however, these then dispose and keep going’.12 actions will fail to have an impact if the

ZDNet: https://www.zdnet.com/article/inside- 11 ‘A Look into the Lazarus Group’s Operations’ the-early-days-of-north-koreas-cyberwar-factory/ (24 January 2018), Trend Micro: (originally published in Counterterrorism https://www.trendmicro.com/vinfo/us/secu- Magazine 2012). rity/news/cyber-attacks/a-look-into-the-lazarus- 8 DoJ Indictment (n. 2). groups-operations 9 Thus Jenny Jun, Non-Resident Fellow at the 12 K. Zetter, ‘The Sony Hackers Were Causing Atlantic Council Cyber Statecraft Initiative, and Mayhem Years Before They Hit the Company’ lead author of the 2018 CSIS report North Ko- (24 February 2016), WIRED Magazine: rea’s Cyber Operations. https://www.wired.com/2016/02/sony-hackers- 10 Dmitri Alperovitch Interview. causing-mayhem-years-hit-company/

SIPA Capstone 2020 54 The Impact of Information Disclosures on APT Operations Most recently, in April 2020, the U.S. govern- March and May.18 The group eluded serious ment suggested that Lazarus had begun to public scrutiny until 2013, when McAfee’s re- offer hacker-for-hire services to nation-state port Dissecting Operation Troy examined and criminal cyber groups.13 In a New York the DarkSeoul malware that ravaged sys- Times article discussing the alert, FireEye’s tems at several South Korean targets in Director of Intelligence Analysis John 2013.19 The report expressed the belief that Hultquist stated, ‘we never knew that, and Lazarus had been present in those systems what it shows is the level to which North Ko- as far back as October 2009.20 rean hackers are maximizing their cyber ca- Lazarus remained relatively enigmatic in this pabilities’.14 period before the Sony Pictures hack. It TIMELINE donned the mantle of hacktivists to evade, confuse, or otherwise misdirect its victims;21 Researchers first observed Lazarus Group in that tactic would again feature prominently 2009 but believe it formed two years prior.15 in their November 2014 campaign against Its first known campaign began on 4 July Sony Pictures, where it took responsibility for 2009 with a series of DDoS attacks, first the defacement and exfiltration of confiden- against the United States and then South tial data under the guise of the “Guardians Korea later that week16. A hiatus ensued im- of Peace”. An FBI investigation into the inci- mediately thereafter and lasted through dent quickly identified North Korea as the 22 2010.17 Lazarus reappeared in 2011 with a culprit, but several years and several more DDoS and espionage campaign—dubbed high-profile incidents passed before the U.S. the “Ten Days of Rain”—which occurred in government issued an indictment.

13 U.S. CERT 2020 (n. 1). 19 R. Sherstobitoff, I. Liba, J, Walter, ‘Dissecting 14 D. E. Sanger & N. Perlroth, ‘U.S. Accuses Operation Troy: Cyberespionage in South Ko- North Korea of Cyberattacks, a Sign That Deter- rea’ (June 2013), McAfee: rence Is Failing’ (15 April 2020), The New York https://www.mcafee.com/enterprise/en-us/as- Times: https://www.nytimes.com/ sets/white-papers/wp-dissecting-operation- 2020/04/15/world/asia/north-korea-cyber.html troy.pdf 15 Novetta 2016 (n. 1), 21. 20 ib., 17. 16 Johnson 2009 (n. 3). 21 ‘A Look into the Lazarus Group’s Operations’ 17 J. A. Guerrero-Saade & C. Raiu, ‘Operation (24 January 2018), Trend Micro: Blockbuster Revealed’ (24 February 2014), https://www.trendmicro.com/vinfo/us/secu- Kaspersky: https://securelist.com/operation- rity/news/cyber-attacks/a-look-into-the-lazarus- blockbuster-revealed/73914/ groups-operations 18 ‘Ten Days of Rain’ (July 2011), McAfee: 22 ‘Update on Sony Investigation’ (19 December https://www.mcafee.com/wp-content/up- 2014), Federal Bureau of Investigation: loads/2011/07/ https://www. McAfee-Labs-10-Days-of-Rain-July-2011.pdf fbi.gov/news/pressrel/press-releases/update- on-sony-investigation

SIPA Capstone 2020 55 The Impact of Information Disclosures on APT Operations After 2014, Lazarus pivoted from political employed, and past incidents that could be campaigns to cybercrime. From January attributed to the group. 2015 through October 2017, the group con- Despite the revelations from Operation ducted successful bank heists in Ecuador,23 Blockbuster and the publicity of the Bangla- the Philippines, Taiwan, and most memora- desh Central Bank heist, Lazarus’ operations bly Bangladesh—where SWIFT form spelling against banks in South East Asia and Europe errors reduced the intended haul of $1 bil- persisted and even grew in lion $81 million.24 Two ex- scope to include crypto- ceptions came when the Despite the revelations from currency exchanges. 27 In group failed to rob TPBank Operation Blockbuster and the April 2017, Kaspersky re- in Vietnam in late 2015 and publicity of the Bangladesh leased Lazarus Under the an anonymous bank in 28 Central Bank heist, Lazarus’ op- Hood, which revealed South Asia in mid-2016.25 erations against banks in South more information on a fi- Lazarus received attention nance-focused Lazarus East Asia and Europe persisted in February 2016, the very subgroup that it called and even grew in scope. month that the Bangladesh Bluenoroff. 29 That report Central Bank was hit, when revealed Bluenoroff’s TTPs Novetta published Operation Blockbuster. and tools, and by extension those of Lazarus. This report pieced together the clues from Until this point, Lazarus’ activities had been Operation Troy and the Sony Pictures target-specific. That changed with breach to expose and name the threat group WannaCry 2.0 in May 2017.30 This ransom- as the Lazarus Group. 26 The disclosure re- ware swept across the world and only vealed details on malware used, TTPs

23 D. Barrett, & K. Burne, ‘Now It’s Three: Ecua- content/uploads/sites/43/2018/03/ dor Bank Hacked via Swift’ (19 May 2016), Wall 07180244/Lazarus_Un- Street Journal: https://www.wsj.com/arti- der_The_Hood_PDF_final.pdf cles/lawsuit-claims-another-global-banking- 26 Novetta 2016 (n. 1), 13. hack-1463695820 27 J. A. Guerrero-Saade, & P. Moriuchi, ‘North 24 J. Pagliery, ‘Global Banking System Under At- Korea Targeted South Korean Cryptocurrency tack - What You need to know’ (28 May 2016), Users and Exchange in Late 2017 Campaign’ (16 CNN: https://money.cnn.com/2016/05/27/tech- January 2018), Recorded Future: https://go.rec- nology/ ordedfuture.com/ swift-bank-hack/index.html hubfs/reports/cta-2018-0116.pdf 25 See, respectively: ‘Vietnamese Bank Foils $1m 28 Kaspersky 2018 (n. 25). Cyber Heist’ (15 May 2016), The Guardian: 29 id., 3. https://www.theguardian.com/technol- 30 A. L. Johnson, ‘WannaCry: Ransomware at- ogy/2016/may/16/vietnamese-bank-foils-1m- tacks show strong links to Lazarus group’ (22 cyber-heist; ‘Lazarus Under The Hood’ (3 April May 2017), Symantec: https://community.broad- 2018), Kaspersky, 4–13: https://me- com.com/symantecenterprise/communi- dia.kasperskycontenthub.com/wp- ties/community-

SIPA Capstone 2020 56 The Impact of Information Disclosures on APT Operations stopped when researchers found and acti- Nevertheless, this campaign continued un- vated a kill switch. deterred for several months after the indict- ment. In June 2018, more than a year after WannaCry, the U.S. Department of Justice By the spring of 2019, Lazarus appeared to indicted a North Korean individual, Park Jin have both doubled down on ransomware at- Hyok.31 The Department of Justice identified tacks and expanded its targets. Researchers Hyok by his travel to China,32 his background found the group targeting Russian firms 36 in computer programming, 33 and his con- and exploring backdoors into MacOS. 37 It nection to Korea Expo Joint Venture—an al- also ran several ransomware campaigns re- leged front for the North Korean hacking cell lated to the Ryuk malware.38 That same year, Lab 110.34 The indictment confirmed the link the U.S. government imposed sanctions between Lazarus and the Reconnaissance against the group and its North Korean affil- General Bureau as well as the group’s in- iates,39 along with a pair of Chinese allies in volvement in the Sony Pictures hack, the 2020.40 Shortly thereafter, several U.S. gov- Bangladesh Central Bank heist, and ernment agencies released a joint statement WannaCry. The timing of the indictment was that Lazarus Group is offering its cybercrime opportune: Lazarus’ new campaign against services for hire across the world.41 cryptocurrency exchanges, Operation

Sharpshooter, was well underway. 35

home/librarydocuments/viewdocument?Docu- MacOS Malware’ (23 August 2018), Kaspersky: mentKey=b2b00f1b-e553-47df-920d- https://securelist.com/operation-ap- f79281a80269&CommunityKey=1ecf5f55-9545- plejeus/87553/ 44d6-b0f4-4e4a7f5f5e68&tab=librarydocu- 38 A. Hanel, ‘Big Game Hunting with Ryuk: An- ments other Lucrative Targeted Ransomware’ (10 Janu- 31 DoJ Indictment (n. 2). ary 2019), CrowdStrike: 32 id., 142. https://www.crowdstrike.com/blog/big-game- 33 FireEye 2018 (n. 1), 27. hunting-with-ryuk-another-lucrative-targeted- 34 DoJ Indictment (n. 2), 5. ransomware/ 35 McAfee Labs and Advanced Threat Research, 39 ‘Treasury Sanctions North Korean State-Spon- ‘Operation Sharpshooter’ (12 December 2018), sored Malicious Cyber Groups’ (13 September McAfee: https://www.mcafee.com/enter- 2019), U.S. Department of the Treasury: prise/en-us/assets/reports/rp-operation-sharp- https://home.treasury.gov/in- shooter.pdf dex.php/news/press-releases/sm774 36 ‘North Korea Turns Against New Targets?!’ 40 ‘Treasury Sanctions Individuals Laundering (19 February 2019), Check Point: https://re- Cryptocurrency for Lazarus Group’ (2 March search.checkpoint.com/2019/north-korea-turns- 2020) U.S. Department of the Treasury: against-russian-targets/ https://home.treasury.gov 37 ‘Operation AppleJeus: Lazarus Hits Crypto- /news/press-releases/sm924 currency Exchange with Fake Installer and 41 U.S. CERT 2020 (n. 1).

SIPA Capstone 2020 57 The Impact of Information Disclosures on APT Operations 2007 Speculative formation of Lazarus Dec: Vietnam’s TPBank success- Group. fully prevents a heist; details re- 2009 Jul: DDoS attacks against U.S. main confidential. government and South Korean 2016 Feb: $81 million stolen from targets. Bangladesh Central Bank through Oct 2009–Mar 2013: DDoS and the SWIFT system; Novetta re- espionage campaigns against leases Operation Blockbuster, South Korean targets. which christens the group “Laza- rus” and details TTPs, malware, 2011 Jul: McAfee reports on Ten Days network artifacts, and other tech- of Rain, outlining network arti- nical specifics. facts. May: Lazarus attempts a heist on 2013 Jun: McAfee reports on Opera- another Vietnamese bank. tion Troy, detailing TTPs and Aug: Lazarus targets an undis- tools used in what is considered a closed bank in South East Asia. years-long operation. 2017 Jan: Lazarus targets Polish and 2014 Nov: Hacktivist group “Guardians other European Banks. of Peace” reveals the massive breach of Sony Pictures. Apr: Lazarus commences a so- phisticated spear-phishing cam- 2015 Jan: $12 million stolen from paign against Bitcoin exchanges; Banco del Austro in Ecuador; inci- Kaspersky publishes Lazarus Un- dent remains confidential until a der the Hood, which identifies case filed against Wells Fargo in the Bluenoroff subgroup and de- 2016. tails the TTPs and malware em-

Oct: $1 million stolen from an un- ployed in bank heists. named Philippine bank; details May: Lazarus releases WannaCry remain confidential. 2.0.

Nov: Palo Alto Networks notes Oct: Lazarus steals $60 million the return of a malware previously from Far Eastern International used in the 2013 DarkSeoul at- Bank. tacks. 2018 Jan: Recorded Future reports on the spear-phishing campaign against cryptocurrency exchanges

SIPA Capstone 2020 58 The Impact of Information Disclosures on APT Operations from April–October 2017, detail- TYPOLOGY OF ATTACKS ing network artifacts and TTPs. The Lazarus Group typically begins its oper- Feb: McAfee releases its own re- ations with a spear-phishing campaign to port on the cryptocurrency ex- gain initial access to victim systems; through change spear-phishing campaign. a combination of spear-phishing, decoy doc- Jun: U.S. DoJ indicts Park Jin uments, and watering holes, the group usu- Hyok, a member of Lazarus ally succeeds in ensnaring a target. This Group, for the Sony Pictures pattern of behavior persists in multiple forms Hack, Bangladesh Central Bank from Operation Troy in 2013 to the cam- Heist, and WannaCry 2.0. paigns against cryptocurrency exchanges in 2018. The group conducts extensive re- Aug: Kaspersky reports on Oper- search on its targets and ultimately becomes ation AppleJeus and provides de- capable of passive persistence within a sys- tails on the MacOS malware tem for extended periods of times, such as employed and other tools. in bank heists where it was present for eight 42 Oct–Nov: Lazarus targets critical months undetected. infrastructure and global defense Knowing that its actions will be investigated, across the world. Lazarus puts significant effort into obfusca- Nov: FireEye promotes tion and misleading investigators. This ten- TEMP.Hermit to APT38. dency was seen in 2013, when two separate groups claimed ownership of Operation Dec: McAfee reports on Opera- Troy;43 in 2014, when a fake hacktivist group tion Sharpshooter, which oc- also claimed responsibility for the Sony Pic- curred from October to tures hack;44 and in 2018, when Lazarus em- November of that year. ployed false-flag tactics to appear like Russia 2019 Feb: Check Point reports on Laza- and China.45 rus’ apparent targeting of Russian 2009-2013 firms. As mentioned above Lazarus has used the 2020 Mar: U.S. DoJ indicts two Chinese same social engineering methodology since nationals for assisting North Ko- its first foray into espionage and disruption, rea in cryptocurrency scheme. namely 2013’s Operation Troy. It spear- phished a victim within its target

42 Kaspersky 2018 (n. 25), 8. 44 Novetta 2016 (n. 1), 12. 43 Sherstobitoff et al. 2013 (n. 19), 4. 45 Check Point 2019 (n. 36).

SIPA Capstone 2020 59 The Impact of Information Disclosures on APT Operations organizations with a RAT, 46 though it re- including wipers, uninstallers, spreaders, mains unclear how far in advance of the op- RAT, proxy, loaders, keyloggers, installers, eration this occurred—a matter of several and HTTP and DDoS servers.50 The group weeks to months. In contrast to the nonetheless seemed to forego a retooling DarkSeoul wiper, which was compiled in ad- effort. Instead, it may be deduced that Laza- vance, the dropper used in this attack was rus sought to improve previous iterations of compiled on the day of the attack.47 After its malware. Reports from Kaspersky demon- the target was infected with the RAT, the strated the links between the malware used malware modified the registry property to al- in the Sony Pictures hack (Destover) and the low remote connections. Lazarus then DarkSeoul malware,51 while Palo Alto Net- launched the wiper after its espionage ob- works similarly demonstrated the connec- jectives were completed or after the zombie tions between the new TDrop malware and machines had contributed to a DDoS cam- the dropper used in 2013’s Operation paign.48 Troy. 52 Despite the disclosure of TTPs and tools in Operation Kaspersky noted an opera- Knowing that its actions Blockbuster—not to mention tional pause in the its activity will be investigated, Laz- US-CERT’s various alerts re- between 2012 and 2013.49 Ge- arus puts significant ef- garding the msoutc.exe mal- opolitical or structural changes fort into obfuscation and ware used in heists of TPBank within the North Korean re- misleading investigators. in Vietnam and the Bangladesh gime perhaps best explain this Central Bank—BAE Systems gap: a disruption resulting was still able to opine some from an information disclosure seems un- two years later that that Lazarus’ malware ex- likely given that Operation Troy was well un- hibited ‘the same unique characteristics,’53 derway by 2013. suggesting that Operation Blockbuster and 2014-2016 the increased scrutiny from U.S. law enforce- Novetta’s Operation Blockbuster, published ment did not cause Lazarus to retool. February 2014, identified forty-five different families of malware used by Lazarus,

46 Sherstobitoff et al. 2013 (n. 19), 6. 52 B. Lee & J. Grunzweig, ‘TDrop2 Attacks Sug- 47 id., 3. gest Dark Seoul Attackers Return’ (18 Novem- 48 id., 7. ber 2015), Palo Alto Networks Unit 42: 49 Guerrero-Saade & Raiu 2014 (n. 17). https://unit42.paloaltonetworks.com/tdrop2-at- 50 Novetta 2016, (n. 1), 24–7. tacks-suggest-dark-seoul-attackers-return/ 51 K. Baumgartner, ‘Sony/Destover: Mystery 53 S. Shevchenko, & A. Nish, ‘Cyber Heist Attrib- North Korean Actor’s Destructive and Past Net- ution’ (16 May 2016). BAE Systems: work Activity’ (4 December 2014), Kaspersky: https://baesystemsai. https://securelist.com/destover/67985/ blogspot.com/2016/05/cyber-heist-attribu- tion.html

SIPA Capstone 2020 60 The Impact of Information Disclosures on APT Operations 2017-2019 address in the United States to share docu- ments containing malicious macros.59 Once Shortly before Lazarus Group released activated, these malicious documents re- WannaCry 2.0, Kaspersky published Lazarus trieved the malware Rising Sun, which shares Under the Hood, which examined the tools code with the Duuzer malware that Lazarus used Lazarus’ bank heists. In one observed used in 2015.60 incident, Lazarus infiltrated a system through an outdated version of Adobe Flash Player.54 In a similar vein to the reuse of malware In another, Lazarus launched a watering hole code, the Group continued to behave in pre- attack on a government website to gain en- dictable ways, particularly with regard to the try into European banks.55 Its spear-phishing process of securely deleting logs and cover- campaign against cryptocurrency exchanges ing its tracks.61 Kaspersky observed that it in 2018 continued to employ established wiped malware payloads from targeted sys- TTPs from 2016. The lures used in the cryp- tems if the intruder had reason to suspect tocurrency campaign targeted Korean-lan- that he had been discovered.62 This behav- guage users and exploited a vulnerability in ior recalls previous reporting from 2009, the local Hangul Word Processor.56 2013, and 2016 that showed that Lazarus self-extracted from systems when detected During this interval, Lazarus’ malware fami- by defenders or antivirus programs. lies began to overlap with each other. This development suggests that its developers DISCLOSURE EVENTS have an extensive codebase from which they can cut-and-splice malware into new itera- Lazarus Group exhibited an almost wanton tions. Consequently, identification and degree of operational carelessness since its grouping of these malware types is only pos- first attack in July 2009. Nevertheless, multi- sible when their respective codes are com- ple reports confirm and reaffirm the Group’s 57 pared. ability to conduct extended reconnaissance Lazarus Group also increased the scope of on targets and subsequently to dwell in its targets in terms of both geography and those infected systems unawares. Moreover, industry.58 During Operation Sharpshooter, despite numerous disclosures of TTPs and the group began using Dropbox with an IP

54 Kaspersky 2018 (n. 25), 14. reveals-undiscovered-links-among-north-koreas- 55 id., 22. malware-families/ 56 Guerro-Saade & Moriuchi 2018 (n. 27), 4. 58 McAfee 2018 (n. 35), 3. 57 J. Rosenberg & C. Beek, ‘Examining Code Re- 59 id., 4. use Reveals Undiscovered Links Among North 60 id., 17. Korea’s Malware Families’ (9 August 2018), 61 FireEye 2018 (n. 3), 22. McAfee: https://www.mcafee.com/blogs/other- 62 Kaspersky 2018 (n. 25), 5. blogs/mcafee-labs/examining-code-reuse-

SIPA Capstone 2020 61 The Impact of Information Disclosures on APT Operations malware, the Group has maintained this ca- Novetta’s Operation Blockbuster: February pability without retooling. 2016

McAfee’s Operation Troy: June 2013 A Novetta-led coalition of private industry partners published this landmark report in McAfee’s report into the 2013 DarkSeoul in- the wake of the Sony Pictures hack. The re- cident made significant progress toward un- port named Lazarus as the actor, connected derstanding Lazarus’ TTPs. The report the Sony hack to incidents in South Korea, expounded Lazarus’ extended attack cycle, revealed Lazarus’ forty-five families of mal- which is notable because Lazarus did little to ware, provided examples of decoy docu- change it in the sequel: the general blueprint ments and other artifacts from past of the group’s attacks has been both public campaigns, and detailed the C2 infrastruc- and unaltered since the beginning of its ma- ture. jor known operations. Similarly, the report provided a detailed breakdown of the its Kaspersky’s Lazarus Under the Hood: April early malware—NSTAR, EagleXP, HTTP 2017 Troy, Http Dr0pper, and TDrop. Lazarus im- Kaspersky’s report investigated two sepa- proved and featured several of these tools in rate cyberattacks against banks in the after- its later campaigns, making this initial analy- math of the Bangladesh Central Bank heist, sis critical. The report similarly served as an focusing on the group’s behavioral patterns. early marker for the steps Lazarus Group The stated motivation of this report was sim- would take to mislead investigators by pos- ilar to that of Operation Blockbuster, namely ing as different groups. In this case, it pre- to raise the costs for the group by revealing tended to be the NewRomantic Cyber Army and disrupting its operations. The report re- Team and the Whois Hacking Team. vealed the existence of the Bluenoroff sub- Palo Alto Networks Unit 42 TDrop2 Attacks: group, which focused on cybercrime. November 2015 Additionally, it provided details on malware, zero-days, the group’s anti-forensic tech- Palo Alto’s report demonstrated how the niques, and infection vectors. Kaspersky’s clues left behind by Lazarus can illuminate its timeline of events suggests that the initial operations and targets. Unit 42 uncovered breach of one South Asian bank coincided an updated version of TDrop2, which held with the group’s heist from the Bangladesh direct ties to Operation Troy—another side- Central Bank. effect of Lazarus’ decision not to retool. It is worthwhile to note here that, although Laza- The report concluded that Lazarus was ‘op- rus hacked Sony Pictures in 2014, most of erating a factory of malware’, and that ‘this the information concerning its involvement level of sophistication is something that is in the hack was not yet public. This gave the not generally found in the cybercriminal false impression that it had been dormant world. It’s something that requires strict or- since March 2013. ganization and control at all stages of the

SIPA Capstone 2020 62 The Impact of Information Disclosures on APT Operations operation. That’s why we think that Lazarus U.S. DoJ - Park Complaint: June 2018 is not just another APT actor’.63 The indictment identified an individual Recorded Future’s South Korean Cryptocur- member of Lazarus Group, Park Jin Hyok. It rency Users and Exchange: January 2018 detailed the group’s activities and infor- mation on Hyok’s activities in dark web fo- Recorded Future disclosed Lazarus’ cam- rums and his work for a North Korean front paign against South Korean cryptocurrency company, Chosun Expo, which allowed him exchanges shortly before a dialogue be- to visit Dalian, China. The indictment re- tween the two Koreas began. The campaign vealed additional heist campaigns that were was notable (to this report’s authors, at any undertaken in Africa but previously undis- rate) because the spear-phishing stage tar- closed. It painted a complete picture of the geted college students interested in foreign group’s TTPs, including reconnaissance, affairs. The malware used in the campaign spear-phishing, and ransom attempts. had code similar to the Destover malware, which Lazarus used in both the Sony Pictures Kaspersky’s Operation AppleJeus: August hack and the first WannaCry incident from 2018 February 2017. The malware also used a Operation AppleJeus detailed Lazarus’ foray Ghostscript exploit that specifically targeted into the development of malware and ex- Hangul Word Processor users. ploits for OSX. Lazarus sent out emails that Notably, the report outlined Lazarus’ effort recommended a third-party cryptocurrency to mislead investigators into concluding that trading platform, but the application to a Chinese APT was responsible.64 which it linked was a malicious version that infected systems with an old Lazarus tool, McAfee’s Lazarus Resurfaces: February 2018 Fallchill. McAfee announced the start of a new cam- McAfee’s Operation Sharpshooter: Decem- paign by Lazarus Group in January 2018. ber 2018 The campaign used DropBox to disseminate a malicious document which, upon opening, Lazarus Group’s 2015 backdoor malware deployed an implant that collected and Duuzer returned in the form of Rising Sun. transmitted system data to a C2 server. Yet This updated version of the implant was again, researchers identified Lazarus as the used to target nuclear, defense, energy, and culprit due to similarities with previous cam- financial companies across the world, affect- paigns. ing eighty-seven organizations in total. The report outlined the methodology of the

campaign, which used DropBox servers with an obfuscatory IP addresses.

63 id., 24. 64 Guerro-Saade & Moriuchi 2018 (n. 27), 8.

SIPA Capstone 2020 63 The Impact of Information Disclosures on APT Operations Check Point - North Korea Turns Against U.S. DoJ - Indictment of Chinese National in New Targets?!: February 2019 North Korea Crypto Scheme: March 2020

Check Point discovered a campaign against Although the indictment did not specifically Russian firms that matched Lazarus’ known mention Lazarus or Hidden Cobra, it de- TTPs. The campaign used KeyMarble, a mal- tailed the exfiltration of funds by North Ko- ware previously affiliated with the group. rea’s Chinese partners—Tian Yinyin and Li Despite the gap after Operation Sharp- Jiadong—and explained Lazarus’ focus on shooter, Lazarus did not change its behavior. accruing wealth for the North Korean gov- ernment.

SIPA Capstone 2020 64 The Impact of Information Disclosures on APT Operations APT28 (RUSSIA)

Timeline: Activity Levels and Disclosures

2019 U.S. DoJ Indictments

Luckystrike Attacks Palo Alto Report 2018

EternalBlue attack FireEye report 2 2017 ThreatConnect Attack on Attack of Anti- Report GermanCDU Doping Agency

Attack on DNC 2016 Kaspersky Report: Microsoft Report (SIR v.19) Root9b Report Spear-phishing Attack on TV5 campaign Monde 2015 FireEye Disclosure report

Attack on Polish Govt 2014

2013

IMPACT OF DISCLOSURES

SIPA Capstone 2020 65 The Impact of Information Disclosures on APT Operations INTRODUCTION and St. Petersburg and is generally on Rus- sian language platforms.1

APT28 is a cyberthreat actor linked to the As the number of APT28’s campaigns have Main Intelligence Directorate of the Russian increased over time, so too has the number General Staff (GRU). Its campaigns have en- and diversity of its victims. Its initial cam- compassed strategic espionage, property paigns began in 2007 and primarily targeted theft, and influence operations that align Eastern European nations, notably Georgia. with Russian strategic and political objec- From 2008 to 2014, it expanded into West- tives—specifically, providing the Russian ern military and defense firms. 2 Most re- government with decision advantage in dip- cently, APT28 has conducted major lomatic negotiations and undermining the disinformation operations against the U.S. West’s trust in the liberal democratic princi- and European nations during the 2016 and ples and institutions. Numerous disclosures 2017 election seasons as well as intrusions have revealed APT28’s activities since its first and disruptions against international organi- operations in 2007. Nevertheless, APT28’s zations such as the World Anti-Doping campaigns continue, and it does so against Agency. an increasing range of targets, from military and defense espionage to information oper- TIMELINE ations during democratic elections. APT28 was first observed in 2007 while con- ducting espionage against political and mil- THE GROUP itary targets in Georgia and Eastern Europe.3 That would prove to be typical: APT28 pri- APT 28 (Fancy Bear, Strontium, Tsar Team, marily seeks defense and geopolitical intelli- Sofacy) is a Russian threat actor, active since gence to benefit the Russian state. During at least 2007, whose objectives align broadly these early operations, APT 28 used the typ- with Russian state interests. The group is ical combination of spear-phishing emails known for its large-scale information opera- and targeted malware to secure themselves tion campaigns against U.S. and European a position on the networks they attacked. Its elections, Western security organizations malware evolved over the next seven years and defense firms (especially NATO affili- to accommodate a revolving host of targets. ated), and Eastern European countries and Its focus fundamentally shifted toward the their militaries. Its activity primarily occurs political in 2016, when it began conducting during regular working hours for Moscow

1 ‘APT28: A Window into Russia’s Cyber Espio- 2 ‘APT28’, FireEye: https://www.fireeye.com/cur- nage Operations?’ (27 October 2014), FireEye: rent-threats/apt-groups.html#russia https://www.fireeye.com/content/dam/fireeye- 3 FireEye 2014 (n. 1). www/global/en/current-threats/pdfs/rpt- apt28.pdf

SIPA Capstone 2020 66 The Impact of Information Disclosures on APT Operations information operations against the citizenry 2014 APT28 conducts strategic web of the U.S. (and later, France and Germany) compromise attacks against the in order to disrupt federal elections. The Polish government and energy heavy activity which began in 2016 contin- company Power Exchange using ued until the FBI indicted twelve GRU mem- Sednit, ultimately to deliver their 8 bers for their role in disrupting the U.S. custom Sofacy malware. election in July 2018.4 The pronouncement 2015 APT28’s Coreshell malware is of this indictment coincides with a hiatus in found on the networks of TV5 their activity, which resumed in late 2018 Monde following a website de- 5 with a series of attacks on think-tanks. It facement incident for which the continued operations through 2019 and into Cyber Caliphate claimed respon- 2020 with attacks against the defense sector sibility. Registration data associ- and political targets. ated with APT28 infrastructure is 2007 APT28 is formed.6 also found. This is believed to be 9 2007-2014: Trend Micro pub- an attempt at misattribution. lishes findings on Operations Spear-phishing campaign against Pawn Storm, APT28’s spear- multiple German political parties; phishing campaign against gov- network of the Bundestag is com- ernment and political organiza- 10 tions that used Sednit, a custom promised. backdoor and information steal- ing malware.7

4 ‘Grand Jury Indicts 12 Russian Intelligence Of- https://forum.anomali.com/t ficers for Hacking Offenses Related to the 2016 /apt28-timeline-of-malicious-activity/2019 Election’ (13 July 2018), U.S. Department of Jus- 8 P. Paganini, ‘APT28: Cybercrime or State- tice, Office of Public Affairs: https://www.jus- Sponsored Hacking?’ (4 June 2015), Infosec In- tice.gov/opa/pr/grand-jury-indicts-12-russian- stitute: https://resources.infosecinsti- intelligence-officers-hacking-offenses-related- tute.com/apt28-cybercrime-or-state-sponsored- 2016-election hacking/#gref 5 Think tanks included the Aspen Institutes in 9 S. Lyngaas, ‘Lawmakers Call for Action Follow- Europe, the German Council on Foreign Rela- ing Revelations that APT28 Posed as ISIS tions, and the German Marshall Fund. See S. Online’ (9 May 2018), CyberScoop: Lyngaas, ‘As Europe Prepares to Vote, Microsoft https://www.cyberscoop.com Warns of Fancy Bear Attacks on Democratic /lawmakers-call-action-following-revelations- Think Tanks’ (20 February 2019), CyberScoop: apt28-posed-isis-online/ https://www.cyberscoop.com/european-think- 10 A. Shalal, ‘Germany Blocked Russian Hacking tanks-hack-microsoft-fancy-bear-russia/ Attacks in 2016’ (24 March 2017), Reuters: 6 FireEye (n. 2) https:// 7 Anomali Threat Research, ‘APT28 Timeline of www.reuters.com/article/us-germany-elections- Malicious Activity’, Anomali:

SIPA Capstone 2020 67 The Impact of Information Disclosures on APT Operations Registration of nato-news.com malicious macros and the Sednit and bbc-press.org; these do- malware.14 mains host an Adobe Flash zero- 2017 day that is used against the Af- Spear-phishing campaign against ghan Ministry of Foreign Affairs, hotels in the Middle East and Eu- Pakistani military, and NATO.11 rope; use of EternalBlue to move laterally through networks.15 2016 Spear-phishing campaign against 2018 Clinton campaign chairman John Use of open-source program Podesta, the Democratic National Luckystrike to generate malicious Committee, and the Democratic documents for a global campaign Congressional Campaign Com- against ministries of foreign af- 16 mittee; emails subsequently fairs; Sofacy and Carberp used. leaked online via DC Leaks and 12 WikiLeaks. 2019 Scanning operation to locate vul- Compromise of the World Anti- nerable email servers, specifically Doping Agency; medical data of targeting vulnerable webmail and athletes are released after accu- Microsoft Exchange Autodiscover sations of doping against Russian servers 13 athletes. Credential-harvesting campaign Phishing campaign against mem- against Burisma bers of the Christian Democratic Union; attempts made to gain ac- count credentials through

russia/germany-blocked-russian-hacking-at- Encyclopedia’ (19 June 2019), 212: tacks-in-2016-idUSKBN16V2FW https://www.thaicert.or.th/ 11 Anomali Threat Research (n. 7). downloads/files/A_Threat_Actor_Encyclope- 12 ib. dia.pdf 13 A. Baldwin & J. Finkle, ‘Anti-Doping Agency 15 ‘2018 Global Threat Report’ (Feb/March Says Athlete Data Stolen by Russian Group’ (13 2018), CrowdStrike, 59: September 2016), Reuters: https://www.reu- https://go.crowdstrike.com/rs/281-OBQ- ters.com/article/us-doping-wada-cyber/anti- 266/images/Report2018GlobalThreatReport. doping-agency-says-athlete-data-stolen-by-rus- pdf sian-group-idUSKCN11J26T 16 Z. Bederna & T. Szadeczky, ‘Cyber Espionage 14 Thailand Computer Emergency Response Through Botnets’, Security Journal 33 (2020), Team, ‘Threat Group Cards: A Threat Actor 53–6.

SIPA Capstone 2020 68 The Impact of Information Disclosures on APT Operations TYPOLOGY OF ATTACKS thought to be ongoing. In 2013 it compro- mised the Georgian Ministry of Internal Af- APT28 consistently uses spear-phishing to fairs (MIA) with a malicious Excel file. gain initial access to networks. It has also Subsequent attacks against the MIA illus- used watering-hole style attacks to steal or trated its sophisticated spear-phishing tech- spoof user credentials, most recently to help niques: the malicious emails referenced its influence campaigns in 2016 and 2017. legitimate aspects of the MIA network and As a threat actor, APT28 is unlikely to be af- were deceitfully signed by an actual sysad- 19 fected by public disclosures. APT28 devel- min in Tbilisi. ops its malware within a flexible framework 2014 through Early 2016 that enables developers to alter code APT28 conducted a watering-hole attack quickly and often enough to hinder the ef- that enabled it to infect the fectiveness of reverse en- networks of the Polish gov- gineering. 17 Moreover, it APT28 develops its malware ernment and the energy has a quality-control re- within a flexible framework that company Power Exchange gime to ensure that its enables developers to alter with the Sofacy malware. malware is systematically code quickly and often enough The Sourface malware updated. These efforts downloader also made an render its malware more to hinder the effectiveness of appearance as the payload versatile than usual, which reverse engineering. of a malicious document further complicates efforts that compromised the to detect the malicious attachments in its Georgian Ministry of Defense.20 phishing emails. Such software-develop- mental and operational sophistication is ex- FireEye published a report that implicated pected, given that APT28 is an established APT28 in the modification of DNS records to unit in the GRU and it functions to further re-route the email traffic of the Kyrgyzstan Russian state interests.18 Ministry of Foreign Affairs.

2007 through Mid 2013 In 2015 APT28 used two zero-day vulnerabil- ities in Adobe Flash to compromise the Pa- Since its detection in 2007, APT28 has con- kistani military, Afghan Ministry of Foreign ducted a campaign dubbed Operations Affairs, and NATO.21 It also began to encrypt Pawn Storm, which broadly encompasses its the files and data for exfiltration from a tar- geopolitical-themed spear-phishing emails get network.22 that contain Sednit. This operation is

17 FireEye 2014 (n. 1). 20 U.S. Department of Justice 2018 (n. 4). 18 FireEye (n. 2). 21 FireEye (n. 2). 19 FireEye 2014 (n. 1). 22 Anomali Threat Research (n. 7)

SIPA Capstone 2020 69 The Impact of Information Disclosures on APT Operations Early to Mid 2016 upcoming European elections. It registered an email server that appeared to be associ- In coordination with APT29 and the broader ated with the Christian Democratic Union (a Russian effort to disrupt the 2016 U.S. presi- German political party) and from it they sent dential election, APT28 conducted a large phishing emails to legitimate CDU mem- phishing campaign against individuals and bers. These emails contained attachments institutions affiliated with, inter alia, the with false hotel reservation information and Democratic Party—the Clinton campaign’s malicious macros. Its Sednit malware and the chairman John Podesta, the DNC, and open-source Responder tool facilitated lat- DCCC.23 APT28 used an URL-shortening ser- eral movement through CDU networks. vice to trick recipients into visiting malicious APT28 continued to use public exploits, in- sites, where their credentials were subse- cluding EternalBlue, in a spear-phishing quently stolen. After compromising these campaign against the European and Middle secure networks and accounts, APT28 stra- Eastern hospitality sector.26 tegically released documents through the DC Leaks website and the threat actor Guc- Early 2018 cifer 2.0.24 APT28 continued to target Ministries of For- Late 2016 eign Affairs across the world with malicious Excel documents created by Luckystrike. APT28 compromised the World Anti-Doping Once enabled, the dropper installed and ran Agency in retaliation for barring Russian ath- the primary payload—a variant of the letes from participating in the Olympic group’s custom SofacyCarberp backdoor.27 games. A successful spear-phishing attack The backdoor gathered system information yielded APT28 a legitimate user account and and forwarded it to C2 servers, from where other credentials that allowed them to log it was determined which additional malware into the Agency’s Administration and Man- would be needed to achieve its objectives. agement database. It then escalated its net- work privileges until it could access an In March 2018 it altered its spear-phishing International Committee account, whence it tactics: it now sent Word documents with an downloaded athlete data to publish.25 Adobe Flash exploit. This new exploit re- quired the victim to scroll through the entire Late 2016 to Mid-2017 three-page document before executing, as Following the success of the 2016 interfer- ence campaign, APT28 turned toward the

23 Paganini 2015 (n. 8). intelligence.senate.gov/sites/default/files/hear- 24 U.S. Senate Select Committee on Intelligence, ings/S%20Hrg%20115-40%20Pt%201.pdf ‘Disinformation: A Primer in Russian Active 25 Shalal 2017 (n. 10). Measures and Influence Campaigns’ (30 March 26 ib. 2017): https://www. 27 Anomali Threat Research (n. 7).

SIPA Capstone 2020 70 The Impact of Information Disclosures on APT Operations opposed to executing upon the document APT28 also spent 2019 scanning the internet being opened. for vulnerable email servers. Specifically, it searched for vulnerable webmail and Mi- By the middle of the year APT28 had crosoft Exchange Autodiscover servers on launched a new phishing campaign that uti- TCP ports 445 and 1433. Although its intent lized the tool Zebrocy. Using the same attack was unclear, APT28 likely used the compro- vector of macro-enabled documents, mised servers to harvest credentials and cre- Zebrocy prepared the infected machine with ate more targeted and authentic spear the second and third-stage malware needed phishing campaigns.31 to move laterally throughout target net- 28 works. DISCLOSURE EVENTS Late 2018 to Early 2019 Numerous cyber threat intelligence groups In September 2018 APT28 was found using have reported on APT28’s operations, TTPs, a custom rootkit called Lojax, which is itself and tooling since 2014. Nevertheless, a variant of the legitimate anti-theft software APT28 continues to operate with impunity Lojack.29 This new rootkit targeted the uni- and without significant disruption from these fied extensible firmware interface and could publications. Its TTPs and network/host arti- maintain persistence on a machine even it facts have, however, evolved over time—al- shut down. beit not for the desired reasons. These 2019 to Present changes supervene on its general opera- Beginning in mid-November, APT28 used tional processes rather than any direct re- spear phishing and a watering hole attack to sponse to the disclosure event. That is to harvest credentials of Burisma employees. say: disclosures have had a limited impact Burisma is the Ukrainian gas company on because they encourage APT28 to do some- whose board Hunter Biden served; and thing that it had already planned to do. APT28 targeted it to find sensitive infor- Namely, they encourage APT28 to change mation to use in operations against former its TTPs and modify its malware. Further- Vice President Joe Biden’s 2020 presidential more, APT28’s persistence in cyberspace campaign.30 and the growing scale of its campaigns offer additional signs that public disclosures have little to no effect. That makes sense—as a

28 Baldwin & Finkle 2016 (n. 13). https://www.nytimes.com/2020/01/13/us/poli- 29 Not to be confused with the anti-theft plat- tics/russian-hackers-burisma-ukraine.html form for cars, though in essence they do the 31 C. Cimpanu, ‘APT28 Has Been Scanning Vul- same thing. nerable Email Servers for More Than a Year’ (20 30 N. Perlroth & M. Rosenberg, ‘Russians Hacked March 2020), ZDNet: https://www.zdnet.com/ar- Ukrainian Gas Company at Center of Impeach- ticle/apt28-has-been-scanning-and-exploiting- ment’ (13 January 2020), New York Times: vulnerable-email-servers-for-more-than-a-year/

SIPA Capstone 2020 71 The Impact of Information Disclosures on APT Operations part of the Russian government, APT28 acts Root9b Report: May 2015 with the support of the Russian state. Result- Root9b released a comprehensive report on ingly, members of APT28 do not have to APT28’s campaigns against the financial sec- worry about a government crackdown or an- tor. It listed the numerous domains regis- ything approaching a criminal investigation. tered for APT28’s watering hole attacks and Whether indictments and disclosures have a the hashes related to the zero-day exploits negative effect rather than the absence of a used in its attacks. The report also detailed positive one remains to be seen. the procedure used by APT28 to create fake FireEye Report: 2014 identities for their internet registration activ- ity.33 Ultimately Root9b recommended that FireEye released the first major report on financial institutions specifically monitor APT28. In it, they detailed the motivations, their networks for spear-phishing cam- targets, TTPs, and timeline of the major in- paigns. trusions that APT28 had con- ducted against military, Disclosures have had a Microsoft Report (SIR v.19): defense, and foreign affairs limited impact because Summer 2015 networks. It contrasted they encourage APT28 to Microsoft’s Malware Preven- APT28’s campaigns with the do something that it had tion Center released further objectives of the Russian gov- already planned to do. details on APT28’s threat ac- ernment; and the contrast was tor profile, including its TTPs slight. APT28 had gathered and domains along with more geopolitical intelligence from Eastern Euro- technical indicators. The report covered pean nations and the Caucasus, military and APT28’s use of spear-phishing and exploita- defense firms, and NATO—all of which cul- tion of zero-days, which appeared to be the tivated decision advantage for the Russian group’s two main vectors of attack. It also government. The report noted that over listed the legitimate domains hijacked by 89% of the malware attributed to APT28 was APT28 and its more plainly spurious do- compiled during regular work hours for Mos- mains. There was also a specific focus on cow and St. Petersburg and in a Russian-lan- APT28’s use of Mimikatz and PassTheHash guage build environment. 32 Lastly, the for credential theft and lateral movements report analyzed APT28’s three key pieces of between computers.34 malware—Sourface, EvilToss, and Chop- stick. It included a detailed appendix on the Kaspersky Report: Winter 2015 Sourface and Chopstick families of malware. Kaspersky published research on the zero- days in Office, Java, Adobe, and Windows that APT28 used in their campaigns. No less

32 FireEye 2014 (n. 1). 34 FireEye 2014 (n. 1). 33 FireEye (n. 2).

SIPA Capstone 2020 72 The Impact of Information Disclosures on APT Operations important, Kaspersky analyzed the Azzy im- analysis capabilities; (4) that its malware was plant that hit air-gapped machines in the compiled during regular weekday working networks of high-profile defense contrac- hours for Russia.38 The report also covered tors.35 Notably, then, the report found that APT28’s strategic operations, though it Azzy was delivered through a known piece omitted technical indicators such as domain of malware rather than a zero-day.36 names and IP addresses.

ThreatConnect Report: Fall 2016 Palo Alto Report: Spring 2018

ThreatConnect released a report on APT28’s Palo Alto analyzed APT28’s spear-phishing attack against the World Anti-Doping campaigns against the ministries of foreign Agency. The report included two of the do- affairs of various states. The report also out- mains used to compromise the agency’s net- lined its use of the custom payload Sofaacy- work, and further noted that these domains Carberp for initial network reconnaissance were the same as those used in the cam- and C2 server beaconing.39 There was also paign against the DCCC.37 The procedure discussion of APT28’s use of Luckystrike to used to register these domains was also generate the malicious documents, and the found to be similar, if not identical, to how report provided the usual list of indicators of APT28 had historically registered domains. compromise associated with these cam- paigns. FireEye Report: January 2017 U.S. DoJ Indictment: July 2018 FireEye released a second, more detailed re- port on APT28’s activity of during the 2016 The U.S. Department of Justice indicted 12 U.S. election and against the World Anti- members of the GRU who are affiliated with Doping Agency. The report covered the four APT28 for actions taken in support of the in- key characteristics of its TTPs: (1) a flexible terference campaign during the 2016 U.S. framework to accommodate the evolution of presidential election. The indictment carried its toolset over time; (2) the use of a formal eleven charges that ranged from identity coding environment to create and deploy theft and money laundering to conspiracy to custom modules within its backdoor pro- commit computer crimes against U.S. gov- grams; (3) the incorporation of counter- ernment systems.40

35 U.S. Department of Justice 2018 (n. 4). 38 Paganini 2015 (n. 8). 36 FireEye (n. 2). 39 U.S. Senate (n. 24). 37 Anomali Threat Research (n. 7). 40 Shalal 2017 (n. 10).

SIPA Capstone 2020 73 The Impact of Information Disclosures on APT Operations APT29 (RUSSIA)

Timeline: Activity Levels and Disclosures

2020 ESET report: Operation Ghost

Phishing campaign on U.S. orgs 2019

Deploys new malware including 2018 RegDuke Dutch Ministry Attacks on Norway disclosure Post-election 2017 Volexity disclosure attacks CrowdStrike disclosure

Hack of Joint Chiefs 2016 FireEye report: Symantec SeaDuke attack on of Staff email F-Secure disclosure disclosure the DNC Hammertoss

2015 Kaspersky Deploys disclosure CosmicDuke malware 2014

2013

IMPACT OF DISCLOSURES

SIPA Capstone 2020 74 The Impact of Information Disclosures on APT Operations INTRODUCTION THE GROUP

APT29 (Cozy Bear, Office Monkeys, Co- APT29 is a Russian threat actor with sus- zyCar, The Dukes, Cozyduke) is a Russian pected ties to the Russian Foreign Intelli- threat actor known for campaigns against gence Service (SVR) or the Federal Security U.S. and European government depart- Service (FSB). APT29 has conducted multi- ments and agencies, think tanks, research ple high-level campaigns that have primarily organizations, and NGOs. Although F-Se- focused on thinktanks, government organi- cure has traced APT29’s activity back to mid- zations, foreign ministries, and elections. It 2008, 1 APT29’s first disclosure event oc- was a cause célèbre in 2016 for its involve- curred in 2014, when Kaspersky Labs re- ment in the hack of Democratic National ported on the evolution of the MiniDuke Committee servers and became the fre- malware into the CosmicDuke backdoor. 2 quent subject of disclosure events. Most of Nevertheless, APT29 continued to elude these reports were issued from cyberthreat major attention until the summer of 2015, intelligence companies, and so they tended when the DNC breach occurred and a to focus on indicators of compromise; how- FireEye report tied the group to the Ham- ever, in 2018, Dutch intelligence (AIVD) at- mertoss backdoor.3 tributed its actions with high-confidence to the Russian SVR. Yet, the effects of these dis- The DNC hack evinced two highly disquiet- closures are hardly forthcoming. Consistent ing qualities to find in a cyberthreat, aggres- with suspected Russian APTs, disclosures siveness and sophistication. The attack used have failed to produce a discernible differ- a complex backdoor based on the SeaDuke ence in APT29’s behavior. The initiation and implant that leveraged Windows Manage- conclusion of its campaigns occur independ- ment Instrumentation to persist in the net- ent of disclosures: some campaigns begin work. 4 Moreover, APT29 maintained a before disclosures and carry through them, presence in DNC networks and servers for some start and end during, and every other over a year, which is significantly longer than possible variation. its counterpart APT28—perhaps suggesting an association with more persistent

1 F-Secure Global, ‘The Dukes: 7 Years of Rus- 3 ‘Hammertoss: Stealthy Tactics Define a Russian sian Cyber-Espionage’ (17 September 2015), F- Cyber Threat Group’ (July 2015), Special Re- Secure: https://blog.f-secure.com/the-dukes-7- port, FireEye: https://www2.fireeye.com/rs/848- years-of-russian-cyber-espionage/ DID-242/images/rpt-apt29-hammertoss.pdf 2 Kaspersky Global Research & Analysis Team 4 R. McCombs, ‘Bear Hunting: Tracking Down (GReAT), ‘Miniduke is Back: Nemesis Gemina COZY BEAR Backdoors’ (27 September 2016), and the Botgen Studio’ (3 July 2014), Secure- CrowdStrike: List: https://securelist.com/miniduke-is-back- https://www.crowdstrike.com/blog/bear-hunt- nemesis-gemina-and-the-botgen-studio/64107/ ing-tracking-cozybear-backdoors/

SIPA Capstone 2020 75 The Impact of Information Disclosures on APT Operations objectives. In the aftermath of this incident, OnionDuke, which quickly superseded Co- CrowdStrike posited a connection to either zyDuke and MiniDuke after Kaspersky re- the FSB or SVR, 5 whereas AIVD firmly at- ported on them in July 2014.7 Two potential tributed the group to the SVR.6 conclusions thus arise. APT29 could consist of an ingenuous team of hackers whose soft- The timing of the attack is no less significant ware development capacity renders disrup- than the DNC hack itself. APT29’s election tions nearly impossible—what one may interference efforts occurred after the disclo- expect from a military cyber unit or from a sure of the Office Monkeys campaign just a sophisticated criminal organization. At the year before. Its activity increased both dur- same time, the group may prepossess an ar- ing and after the DNC campaign, with multi- senal of toolsets, increasing in sophistica- ple campaigns occurring concurrently tion, that await deployment. Both against the Pentagon, think tanks, and Nor- possibilities, or a combination of the two, wegian and Dutch ministries. Attributable concede that highly capable adversaries are activity disappeared after this string of cam- less vulnerable to disruption from disclosure paigns, though it eventually resumed with a events. spear-phishing campaign during the second half of 2019. TIMELINE To reiterate a previous point about APT29’s sophistication and their tooling. Researchers Despite the frequent contemporaneity of have been taken aback by the insidiousness APT29’s campaigns, its activity profile neatly and quality of its TTPs and platforms, and its divides into three distinct periods from 2014 8 ability to develop advanced, bespoke tool- to the present. The first block of activity re- sets in rapid succession. This trend or char- volved around the Office Monkeys cam- acteristic has been evident since paign, which targeted a private research organization in March 2014. 9 The malware

5 The Editorial Team, ‘CrowdStrike’s Work with Aren’t Back—They Never Left’ (October 2019), the Democratic National Committee: Setting ESET Research White Papers: the Record Straight’ (22 January 2020), https://www.welivesecurity.com/wp-content/up- CrowdStrike: https:// loads/2019/10/ESET_Operation_Ghost_ www.crowdstrike.com/blog/bears-midst-intru- Dukes.pdf sion-democratic-national-committee/ 7 Anomali Threat Research, ‘APT29: A Timeline 6 R. Noack, ‘The Dutch Were a Secret U.S. Ally of Malicious Activity’, Anomali: https://fo- Against Russian Hackers, Local Media Reveal’ rum.anomali.com (26 January 2018), Washington Post: /t/apt29-a-timeline-of-malicious-activity/2480 https://www.washing- 8 N.B. APT29 activity can be traced as far back tonpost.com/news/worldviews/wp/2018/01/26/ as 2008, though without great significance dutch-media-reveal-country-to-be-secret-u-s- given the lack of reporting. ally-in-war-against-russian-hackers/; M. Faou, M. 9 A. L. Johnson, ‘“Forkmeiamfamous”: Seaduke, Tartare, T. Dupuy, ‘Operation Ghost: The Dukes Latest Weapon in the Duke Armory’ (13 August

SIPA Capstone 2020 76 The Impact of Information Disclosures on APT Operations used, CozyDuke, was a custom backdoor, timeframe owes partly to the stealth and and phishing was its primary method of dis- complexity of APT29’s new toolsets, and tribution. Most notably, APT29 revised the partly to the uncertainty of whether it ever code of CozyDuke within twenty-six days of truly ceased activity in late 2016. 11 This its disclosure—a telling sign of minimal dis- round of activity began in January 2017 with ruption. a spear-phishing campaign against the Nor- wegian Government and the Norwegian La- Summer 2015 to the autumn of 2016 encom- bor Party. There has been considerable passed the second period of activity. In June difficulty since then in discerning where, or 2015, the SeaDuke malware penetrated the if, any new activity is taking place. But the DNC servers and propagated through the appearance of four new families of mal- network via Mimikatz. This attack persisted ware—PolyglotDuke, RegDuke, FatDuke, for over a year. Major disclosures from Sy- and LiteDuke—would suggest that APT29 is mantec, FireEye, and F-Secure all failed to far from retired.12 disrupt APT29’s activity: the email server of the Joint Chiefs of Staff was compromised 2014 Feb: Malware evolution occurs, just two months later in August 2015. That deploying CosmicDuke, an up- campaign continued to 2016, when it ended grade from MiniDuke and Co- with a flurry of post-election spear-phishing 13 zyDuke. attacks against U.S. think tanks and NGOs. Mar: APT29 compromises a U.S. These attacks used a different toolset and 14 private research group. TTPs, with Microsoft Word and Excel docu- ments, RATs, and steganography becoming Jul: Kaspersky releases a report 15 the preferred media to upload a new back- on APT29; APT29 revises Cos- door named PowerDuke.10 micDuke code to bypass detec- tion systems, twenty-six days after The third spell of activity is believed to Kaspersky’s abovementioned dis- stretch from January 2017 through the pre- 16 closure. sent. The difficulty in establishing this

2015), Broadcom: https://community.broad- https://www. com.com/symantecenterprise/communi- volexity.com/blog/2016/11/09/powerduke- ties/community-home/library post-election-spear-phishing-campaigns-target- documents/viewdocument?Docu- ing-think-tanks-and-ngos/ mentKey=6ab66701-25d7-4685-ae9d- 11 M. Faou et al. 2019 (n. 6). 93d63708a11c&CommunityKey 12 id., 5. =1ecf5f55-9545-44d6- 13 GReAT 2014 (n. 2). N.B. This occurred before b0f44e4a7f5f5e68&tab=librarydocuments any significant disclosure. 10 S. Adair, ‘PowerDuke: Widespread Post-Elec- 14 Johnson 2015 (n. 9). tion Spear Phishing Campaigns Targeting Think 15 GReAT 2014 (n. 2). Tanks and NGOs’ (9 November 2016), Veloxity: 16 F-Secure Global 2015 (n. 1), 10.

SIPA Capstone 2020 77 The Impact of Information Disclosures on APT Operations Oct: APT29 develops SeaDuke Sep: First known deployment of malware.17 FatDuke.25

Nov: Volexity discloses the post- 2015 Jun: APT29 uses SeaDuke to election spear-phishing cam- breach the DNC and Mimikatz for 26 18 paigns. lateral movement.

Jul: FireEye publishes a report on 2017 Jan: APT29 conducts attacks Hammertoss.19 against the Norwegian Ministries of Defense and Foreign Affairs Aug: APT29 hacks Joint Chiefs of 27 20 and the Norwegian Labor Party. Staff email server; Symantec dis- closes APT29 activity.21 Feb: Norwegian police attribute attacks to APT29;28 Dutch minis- Sep: F-Secure discloses APT29 22 tries disclose APT29 attacks activity. against them.29 2016 Jun: CrowdStrike discloses DNC Mar: FireEye reveals APT29’s new 23 hack details. ‘domain fronting’ techniques.30

Aug: APT29 post-election spear- Aug: First in-the-wild sighting of phishing campaign is underway RegDuke.31 against U.S. based think tanks and NGOs.24

17 Johnson 2015 (n. 9). 27 ‘Norge utsatt for et omfattende hack- 18 CrowdStrike 2020 (n. 5). erangrep’ (3 February 2017), Norsk rikskring- 19 FireEye 2015 (n. 3). kasting: https://www. 20 B. Starr, ‘Official: Russia Suspected in Joint nrk.no/norge/norge-utsatt-for-et-omfattende- Chiefs Email Server Intrusion’ (7 August 2015), hackerangrep-1.13358988 CNN: https://edition.cnn.com/2015/08/05/poli- 28 ib. tics/joint-staff-email-hack-vulnerability/ 29 P. Cluskey, ‘Dutch Opt for Manual Recount 21 Johnson 2015 (n. 9). After Reports of Russian Hacking’ (3 February 22 F-Secure Global 2015 (n. 1). 2017), The Irish Times: 23 CrowdStrike 2020 (n. 5). https://www.irishtimes.com/news/world/ 24 Adair 2016 (n. 10). europe/dutch-opt-for-manual-count-after-re- 25 ESET Research, ‘Operation Ghost: The Dukes ports-of-russian-hacking-1.2962777 Aren’t Back–They Never Left’ (17 October 30 M. Dunwoody, ‘APT29 Domain Fronting with 2019), WeLiveSecurity: https://www.welivesecu- TOR’ (27 March 2017), FireEye: rity.com https://www.fireeye.com/ /2019/10/17/operation-ghost-dukes-never-left/ blog/threat-research/2017/03/apt29_do- 26 S. Adair 2016 (n. 10). main_frontin.html 31 ESET Research 2019 (n. 25).

SIPA Capstone 2020 78 The Impact of Information Disclosures on APT Operations network connections to look like requests 2018 Nov: APT29 conducts phishing from commonly visited websites. 38 It also campaign against several U.S. or- 32 recompiles and modifies its code to bypass ganizations. detection semi-regularly, and uses different 2019 Oct: ESET releases report on Op- C2 infrastructure for different victims, lest eration Ghost, disclosing multiple the compromise of one operation lead to new toolsets which suggest that the discovery of others.39 That organizational APT29 never ceased activity.33 decision allows it to conduct multiple cam- paigns without aggregating the usual risks TYPOLOGY OF ATTACKS involved in running several concurrent oper- ations. APT29 is known to have a wide range of be- November 2008 – January 2010 spoke malware variants and complex C2 ar- rangements. This includes its ever-evolving APT29’s initial campaigns began in Novem- “Duke” series of backdoors and C2 sys- ber 2008 and used a bespoke trojan, tems 34 and the hijacking of Twitter and PinchDuke, which it delivered via spear- GitHub cloud servers for use as storage de- phishing. Targets included Western organi- vices.35 APT29 primarily uses phishing and zations like NATO and certain think tanks. spear-phishing campaigns to deliver its mal- Without the impediment of a disclosure, ware variants. Lures are often malicious Mi- PinchDuke evolved to another custom vari- 40 crosoft Word and Excel documents that ant, GeminiDuke. contain the usual falsities alongside authen- Spring 2010 tic information harvested from other organi- Attacks against organizations associated zations. 36 The group sometimes employs with foreign affairs continued into March steganography to mask these downloads.37 2010. The toolset evolved from the Once inside the target network, APT29 gen- PinchDuke trojan to the CosmicDuke toolset erally uses Mimikatz to achieve lateral move- focused on compromising and stealing infor- ment. mation.41 APT29 possesses a wide range of alternative 2011 techniques. In 2017 FireEye/Mandiant re- ported on a new technique being used, ‘do- APT29 added MiniDuke and CozyDuke to its main fronting’, which spoofs outbound arsenal. MiniDuke was a simple backdoor

32 ib. 36 Anomali Threat Research (n. 7). 33 M. Faou et al. 2019 (n. 6), 5. 37 ib. 34 For further information on the current versions 38 FireEye 2015 (n. 3). of the “Duke” malware: ESET Research 2019 (n. 39 ib. 25). 40 F-Secure Global 2015 (n. 1). 35 FireEye 2015 (n. 3). 41 id., 6.

SIPA Capstone 2020 79 The Impact of Information Disclosures on APT Operations that enabled remote code execution. Co- an advertisement from the 2007 Super zyDuke was a modular designed malware Bowl.45 That suggests a distinct evolution in platform connected to a C2 server that was TTPs. used to select which modules to deploy. Co- October 2014 - February 2015 zyDuke was notably written in C++, signify- ing a major evolution in its design and October 2014 marked the debut of Sea- complexity compared to past variants.42 Duke, a new toolset developed solely in Py- thon and designed to work both in Linux and February 2013 – July 2014 Windows environments. In January 2015, APT29 consistently delivered MiniDuke APT29 unveiled yet another new technique through spear-phishing emails containing a to unload multiple malware variants on a tar- PDF exploit. As awareness of MiniDuke get for enhanced network persistence. grew, OnionDuke appeared in an ostensibly APT29 also added HammerDuke to its arse- separate campaign. OnionDuke’s targets nal. This malware used an algorithm to were not immediately clear because the vec- change Twitter accounts periodically, which tor of delivery was Torrents.43 it leveraged to communicate with its C2 servers unsuspiciously.46 July 2014 June 2015 – August 2016 APT29 modified the code for CosmicDuke and the loader for both MiniDuke and Cos- Spear-phishing emails delivered SeaDuke to micDuke. It completed the recompilation, the DNC. These e-mails redirected recipi- which allowed both to bypass security de- ents to a malicious website with a dropper tection systems, three weeks after the disclo- that would subsequently download one of a sure event that precipitated such a change.44 series of RATs.47 APT29 also returned to us- Other campaigns remained active while re- ing malicious Microsoft Excel and Word doc- coding was completed, which suggests the uments that contained previously-harvested disclosure had a limited impact. authentic information. These documents dropped another malware variant, Pow- July 2014 erDuke. The attacks used steganography to APT29 began the Office Monkeys cam- deploy components of the backdoor. paign, its first large operation with Co- November 2016 zyDuke. This campaign did not use the standard lure of a malicious PDF document, APT29 commenced a new spear-phishing instead opting for unique ones: a standard campaign with PowerDuke. The lures were message mimicking an e-fax and a video of well crafted—somewhat the standard for

42 id., 7. 45 id., 11. 43 id., 9. 46 id., 13. 44 id., 10. 47 CrowdStrike 2020 (n. 5).

SIPA Capstone 2020 80 The Impact of Information Disclosures on APT Operations APT29—and they exploited the post-elec- modifies toolsets ad libitum, with new mal- tion environment with email subjects like ware generally being built before any disclo- ‘The Shocking Truth about Election Rigging sure event has revealed its last campaign. As in the United States’. These emails con- mentioned, when Kaspersky Labs released tained a Microsoft shortcut file that in turn the first major disclosure of its activity in executed PowerShell commands to plant a 2014, APT29 recompiled the code for Co- backdoor.48 zyDuke within twenty-six days. Further, the group did not halt its ongoing campaigns. January 2017 – Present APT29’s resilience to disclosure events is es- APT29’s crosshairs shifted to European elec- pecially apparent during the period of May tions and ministries, though it continues to 2015 to November 2016. This interval saw target U.S.-based think tanks. Its techniques an interwoven series of attacks, disclosures, remain somewhat consistent, albeit with and toolset evolution; however, campaigns heightened sophistication. It developed an primarily leveraged the well-known Co- insidious four-stage system that drops in- zyDuke and SeaDuke malware. That is tell- creasingly harmful malware. First, it drops its ing. It may indicate a new tool, Polyglot Duke, to circumstantial preference communicate with C2 serv- APT29’s resilience to disclosure for objective-completion ers. The C2 servers then events is especially apparent over stealth; alternatively, drop another new tool, during the period of May 2015 it could mean that disclo- RegDuke, which acts as a to November 2016. sures do not engender a recovery tool. That, in turn, significant enough facilitates the deployment amount of change to “burn” elements of the of a new but very similar version of group’s toolkit. At the very least, it raises MiniDuke. Finally, it deploys its newest back- doubts about the preclusive value of disclo- door, FatDuke. It again conducts lateral sures if the effect on the APT is null or negli- movement through credential harvesting. gible. Well-crafted spear-phishing emails are the chosen attack vector. 49 This is not to suggest that all disclosures in- effectual and fruitless. Indeed, the F-Secure DISCLOSURE EVENTS report from September 2015 apparently prompted a pause in activity. Nevertheless, APT29 appears to operate irrespective of it remains uncertain whether the disclosure disclosure events, even going so far as to directly or predominately caused this lull. leave taunting messages for defensive oper- The pause may well have occurred because ators in some cases. 50 It develops and resources were needed for another

48 Adair 2016 (n. 9). 50 F-Secure Global 2015 (n. 1), 7. 49 Faou et al. 2019 (n. 6), 11.

SIPA Capstone 2020 81 The Impact of Information Disclosures on APT Operations objective, or because the campaign itself September 2015 was over and another had already begun un- F-Secure released a detailed disclosure that detected. The present study of APT29, how- chronicles APT29’s tool development, TTPs, ever, concludes that the F-Secure disclosure and campaigns from 2008 to 2015. It in- was not the likely cause for the break in their cluded detailed hashes, indicators of com- activity: the F-Secure disclosure was too sim- promise, network infrastructure and artifacts, ilar to other disclosures which themselves and a thorough timeline of campaigns. The failed to induce any clear behavioral change. report attributed APT29 to Russia.54 It may July 2014 be argued that this disclosure caused disrup- tion, given the subsequent intermission in Kaspersky released the first major disclosure APT29 activity. But the apparent disruption against APT29. It included details on the more likely resulted from pure chance: sev- MiniDuke malware and identified old and eral other campaigns also ended around new variants. The report was written inde- that time. pendently of F-Secure’s report on the same malware (which they dubbed “Cos- June 2016 micDuke”), and it detailed all associated CrowdStrike released a forensic analysis of TTPs, and toolsets. 51 APT29’s campaigns the DNC hack, which they attributed to continued as normal. APT29. They provided the indicators of com- July 2015 promise and TTPs and opined that SeaDuke compromised the DNC—despite all the re- FireEye released the Hammertoss report, ports that had been published beforehand. which disclosed the innerworkings of the This suggests, if nothing else, that APT29 tool and its associated TTPs, and which at- was confident enough in the sophistication tributed it to Russia and APT29.52 APT29 at- of its malware to continue using it even after tacked the Pentagon with a different toolset the world had been notified of its existence. the next month. It also attests to the lack of disruption caused August 2015 by Symantec’s disclosure on SeaDuke. Symantec released a report on MiniDuke Lastly, CrowdStrike offered attributive evi- and CozyDuke as well as the TTPs used in dence to connect APT29 to the FSB or SVR.55 the Office Monkeys campaign. Symantec A new campaign of post-election spear- also uncovered and provided details on Sea- phishing began two months later. 53 Duke. APT29 had already taken action on November 2016 the related objectives.

51 GReAT 2014 (n. 2). 54 F-Secure Global 2015 (n. 1). 52 FireEye 2015 (n. 3). 55 CrowdStrike 2020 (n. 5). 53 Johnson 2015 (n. 9).

SIPA Capstone 2020 82 The Impact of Information Disclosures on APT Operations Volexity published a report that detailed the March 2017 post-election spear-phishing campaigns. FireEye released a report naming the group The disclosure provided details on the new as ‘Russian nation-state actors APT29’. The PowerDuke toolset. report detailed an advanced backdoor that February 2017 used ‘domain fronting’ by leveraging TOR, in addition to disclosing the expected TTPs Norwegian and Dutch governments re- and toolsets.57 vealed that APT29 attacked them, and they attributed the attack to the Russian SVR.56 October 2019 These events unfolded while APT29 devel- ESET published a major disclosure of APT29 oped a new toolset, and they may have pre- activity. They asserted that APT29 had not cipitated or otherwise encouraged a recess been inactive or underground, as many be- in its activity. Yet the reality lieved. Instead, it was actively of the disruption remains APT29 often exploits the campaigning with a new set of unclear as before. It seems immediate post-disclosure advanced tools—Poly- entirely possible that environment, actively using glotDuke, RegDuke, FatDuke, APT29 had already moved the news and disclosures LiteDuke. Its targets and TTPs on to another campaign, about itself to create new were found to be consistent making use of a new and lures. with past objectives and tech- advanced toolset. Moreo- niques, with a focus on govern- ver, instead of being halted by disclosures, ment entities and Western think tanks. An APT29 often exploits the immediate post- upgraded variant of MiniDuke also debuted disclosure environment, actively using the as part of the abovementioned four-stage news and disclosures about itself to create delivery system.58 new lures.

56 ‘Norway Institutions “Targeted by Russia- 57 Dunwoody 2017 (n. 29). Linked Hackers”’ (3 February 2017), BBC: 58 Faou et al. 2019 (n. 6). https://www. bbc.com/news/world-europe-38859491

SIPA Capstone 2020 83 The Impact of Information Disclosures on APT Operations COMPARISON AND ANALYSIS

DIFFERENCES BETWEEN ACTOR reputation, and therefore wanted to manage RESPONSE any global fallout that might come with the report’s release. After the DoJ indicted sev- Both Chinese groups, APT1 and APT10, dis- eral of APT1’s members fifteen months later, appeared completely. The Cobalt Group it ceased operating entirely. Although the in- was not affected by disclosures, which al- dictment appears to be successful because ways came after its operations had finished. the group was disbanded, remaining mem- Amongst the Iranian groups, APT33 appears bers and targets were likely reassigned to to act independently of disclosure events, other groups. That renders the strategic im- while APT34 was disrupted for a maximum pact of the indictment difficult to ascertain. of eight to ten weeks. The North Korean group, Lazarus, continued to operate using APT10, which was affiliated with the Chinese the same tools despite the disclosures and Ministry for State Security, was the subject of indictments. One Russian group, APT28, several high-profile disclosures. Following a ceased operations for three months follow- 2013 report by FireEye, APT10 ceased oper- ing an indictment, while the other Russian ating for several months while it retooled. group, APT29, was not impacted by disclo- After its return, disclosures did not seriously sures. affect the group again until the 2017 Cloud Hopper report and the 2018 U.S. Depart- China ment of Justice indictment because it had continuously retooled and prepared for fu- APT1, which was affiliated with the Chinese ture campaigns. The Cloud Hopper report People’s Liberation Army, was the subject of halted operations for eight to ten weeks one high-profile private sector disclosure while the group retooled, and its success and a subsequent U.S. Department of Jus- may stem from the multi-stakeholder re- tice Indictment. The Mandiant APT1 report sponse that accompanied the report. APT10 was the first of its kind; and following Man- disappeared entirely after the indictment. diant’s release of the report, APT1 halted ac- tivity for over a month. When it resumed operations, it took nearly six months to re- turn to pre-report levels of activity. The effi- Criminal Groups (Cobalt) cacy of this disclosure is attributed to two Cobalt, a criminal group that targets finan- main factors. First, APT1 relied on custom cial institutions, has been the subject of malware that needed to be rebuilt in its en- many disclosures but continues to operate. tirety. Second, the Chinese government had Disclosures on Cobalt’s activities tend to be concerns about its appearance and after-the-fact: the Group (and its dedicated

SIPA Capstone 2020 84 The Impact of Information Disclosures on APT Operations development team) moves so quickly farm out its cyber operations, Iran can more through operations, tooling, and tactics that plausibly deny its connections to APT33 and it stays ahead of cybersecurity vendors. It re- so absolve itself of responsibility. lies on single-use, institution-specific, cus- APT34, which is likely a government proxy tom malware and an attack style that is group, has been the target of over twenty- difficult to detect and stop, coopting normal five major reports since 2016. Reports have bank processes and workflows to siphon impacted the group, as it continuously up- money out of banks. Driven by its profit-mo- dates old malware, infrastructure, and tactics tive, Cobalt is unincentivized by disclosures to defeat detection. It nonetheless continues that do not affect its ability to steal. to operate. The one notably effective disclo- sure was the large Lab Dookhtegan leak, which halted APT34’s operations for a full Iran eight to ten weeks. This leak distinguished APT33, which is likely a government proxy itself from other disclosures through its sheer group, has continued its operations despite quantity of information, the possibility that it several comprehensive disclosures by pri- was an insider job, and the correlation of in- vate cybersecurity vendors. Since its first ma- dividual members to their cyber persona. jor operation in 2016, it has consistently APT34 can quickly resume its activities after conducted a new campaign every few each disclosure due to its use of bespoke months; and pauses in its activity have not tools and techniques that can be easily up- necessarily aligned with the timing of disclo- dated and its use of social engineering. sures. It has grown stronger and more so- phisticated over time, and it has increased the scope of its targeting. APT33’s opera- North Korea tions have continued for a variety of reasons, APT38 is affiliated with North Korea’s state including its ability to switch between com- intelligence apparatus, the Reconnaissance modity and bespoke tools with relative ease, General Bureau. Despite several disclosures its sophisticated spear phishing tactics, and on its activities, it has conducted numerous its status as a proxy group. Although Iran high-profile attacks since the 2014 breach of should, under international law, take respon- Sony Pictures, including the 2016 Bank of sibility for non-state actors operating within Bangladesh heist and the deployment of its borders, APT33’s status as a proxy group WannaCry in 2017—a malware developed raises the bar for the international commu- to raise money or hell, unclear which. APT38 nity if it wants to issue indictments, retor- appeared similarly unphased by the 2018 sions, and countermeasures against the U.S. Department of Justice indictment that Iranian government—or otherwise incentiv- outlined its organizational details: it contin- ize Tehran to pressure the group to cease its ued to target crypto exchanges and conduct operations. By using the contractor model to ransomware attacks, though it did remain

SIPA Capstone 2020 85 The Impact of Information Disclosures on APT Operations out of the news until the recent U.S. govern- has been the subject of many public disclo- ment statement that it is offering its cyber- sures, APT29 appears unaffected. Reporting crime services for hire. The group remains does not stop its campaigns, even when said resilient to public disclosures by frequently reporting covers an active campaign. More- updating its custom toolset and spawning over, disclosures sometimes appear to em- subgroups for different types of campaigns bolden APT29, as its activity level has and targets. Additionally, although the increased following public reporting and group originally found notoriety for its polit- taunting messages have been left in its mal- ically motivated campaigns, APT38 has tran- ware for American investigators. APT29 is sitioned to a more cybercriminal model and aided in these endeavors by a highly ad- now appears to be financially motivated. It vanced arsenal of tools and a demonstrated has displayed an intent to remain in the ability to create new ones with remarkable realm of financial crimes so long as it can rapidity. earn money for the North Korean govern- ment.

CONTRIBUTING FACTORS TO

Russia SIMILARITIES AND DIFFERENCES

APT28 is affiliated with the Main Intelligence Disclosure by Private Vendor vs. by U.S. DoJ Directorate of the Russian General Staff Indictment (GRU). It has continued to operate despite Private cybersecurity vendors release private several disclosures on its activities; and, in reports to paying customers on the activities some instances, its activity level has in- of relevant threat groups, but these reports creased following the release of reports. Its are not the focus of this research project. We operations temporarily ceased following the are primarily concerned with public disclo- U.S. Department of Justice indictment in sures, and they do not appear to have had a 2018, though it resumed targeting in a few lasting effect on any group. Disclosures have months. Over time, APT28 has increased the compelled each of these groups to become sophistication and scope of its campaigns. more sophisticated over time, and they have Its operations have continued for a variety of not caused the APTs under consideration to reasons, including a flexible operational and cease operation. Only APT1 and APT10 development framework that allows its mal- were stopped by vendor disclosures, albeit ware developers to evolve quickly—not to temporarily; and neither outfit shut down un- mention encouragement by the Russian til the DoJ issued indictments. Even then, government to continue operating. their personnel and targets were probably APT29 is affiliated with the Russian Foreign shifted to other Chinese groups. The APT1 Intelligence Service (SVR) or the Russian report, being a public disclosure by a private Federal Security Service (FSB). Although it vendor, likely had its particular effect

SIPA Capstone 2020 86 The Impact of Information Disclosures on APT Operations because it was the first report of its kind: the determine their effects on these actors. Co- equally comprehensive Cloud Hopper re- balt may be affected by indictments, but it port on APT10, released a few years later, will likely continue to operate so long as it lacked the same long-lasting effect. Moreo- can make a profit and its members are not ver, PwC UK issued that report in conjunc- jailed.1 Iran may be angered by indictments, tion with the affected managed service but the Iranian proxy actors we reviewed providers, specifically to coordinate an effort have yet to be indicted. to extirpate APT10 from their networks and Of the non-Chinese state actors included in force the group to resume operations da this report, only North Korea operates well capo. And while the report does seem to outside the bounds of normal diplomacy. have engendered several weeks of disrup- The international community has exhausted tion, APT10 was operating sanctions against the North at a normal capacity approx- Korean regime, which has left imately ten weeks later—de- Indictments should have a them with little left to lose. spite the coordinated more deterrent effect on Hence their lack of motivation actions of many stakehold- contractors than they do on to cease operations on ac- ers. government employees, as count of indictments. 2 North The effects of indictments contractors may have other Korean operators also do not on groups in other countries commercial and travel inter- travel to places that have mu- is unclear due to lack of per- ests that state agents lack. tual extradition treaties with tinent evidence. In theory, the United States, and so they indictments should have a more deterrent face little chance of ever seeing the inside of effect on contractors than they do on gov- a courtroom. It also seems plausible that ernment employees, as contractors may they are given little choice by the authoritar- have other commercial and travel interests ian government but to continue carrying out that state agents lack. Indictments could operations. The Russian groups present a hamper the ability of a contractor to do busi- similar story, insofar as Russian APTs are ness, while civilian and military intelligence thinly veiled tools of the state. Nevertheless, operators have little choice but to follow the Russian APTs have shown themselves to be orders handed down by their superior offic- unmotivated by fears of diplomatic backlash ers. and will therefore likely remain unaffected by indictments in the long term. At present, there is not a large enough sam- ple size of non-state and proxy APTs that Publicity of the Disclosure have been the subject of indictments to

1 Interview with an unnamed source. and Dmitri Alperovitch (co-founder, former Chief 2 As noted in the interviews with Jenny Jun (PhD can- Technology Officer, CrowdStrike). didate at Columbia University, North Korea focus)

SIPA Capstone 2020 87 The Impact of Information Disclosures on APT Operations The high publicity of public disclosures ap- different goals. Chinese groups have fo- pears to have affected both Chinese groups, cused on economic espionage, which entails but publicity did not seem to have lasting ef- that stealth and a general dearth of con- fects on any of the other APTs. This may be spicuity redound to their continued success: due to China’s interest in saving face and its Russian APTs have engaged in large scale strategy of extending its global influence. disruption and destabilization campaigns The Chinese government does not want to across Europe and the U.S., which have been appear out of control, so its groups are af- somewhat louder affairs. And not without fected more by disclosures. APTs in other good reason. Such publicity inspires fear of countries and contexts have also been the Russian power and calls the legitimacy of subject of small disclosures and of large re- democratic elections into question, which ports, but their operations all continued be- supports their objectives. Finally, the Krem- cause their motivations are different. Purely lin might even welcome some hostility in or- criminal groups, like Cobalt and North Ko- der to bolster their narrative that Russia is rea’s Lazarus (post-Sony), care primarily under assault from a hostile West. about making money. Iran wants to deter Financial motivation other threats, but not at the cost of plausible deniability, which it assid- Although Lazarus has a history of conducting uously maintains even strategic and political cam- when disclosures receive The high publicity of public dis- paigns against North Ko- great publicity. closures appears to have af- rea’s adversaries, much of its focus in recent years has One interview subject fected both Chinese groups, been to generate cash. The contends that Russia re- but publicity did not seem to profit motive may affect the acts differently to China in have lasting effects on any of efficacy of information dis- the face of highly public the other APTs. closures because a group disclosures because it that is trying to make money wants to relive its glory days as a world would plausibly continue to operate until its power. Public disclosures serve as free press, costs exceed its revenue. It seems unlikely, giving it the illusion of being bulletproof and then, that indictments would affect profit- unstoppable. 3 This behavioral difference motivated actors unless they are followed up could also be explained by Russia’s muted by an arrest. Cobalt’s ringleaders in Eastern presence in the global economy when com- Europe and APT38’s technicians in North pared to China. Beijing has a strong interest Korea have little to fear in that regard. in promoting China as a good place for for- eign investment and business. No less sig- nificant, Russian and Chinese APTs pursue

3 Interview with an unnamed source.

SIPA Capstone 2020 88 The Impact of Information Disclosures on APT Operations Group Adaptability The Human Factor

Among the groups to continue operating Many APTs have continued to operate in the despite disclosures, all increased in capabil- face of numerous public disclosures because ity and technical prowess over time. This dy- they exploit the human elements of the net- namic is circular and self-helping: works they attack. If network defenders heightened sophistication feeds into the make mistakes and do not implement ability to remain unaffected by public disclo- proper controls on their networks, public dis- sures because these improvements manifest closures do not matter because APTs can as the ability to adapt and modify infrastruc- still gain access. Additionally, when mem- ture, TTPs, and toolsets that combine single- bers of targeted organizations are tricked by use, commodity, and bespoke tooling to suit social engineering and unwittingly reveal different needs. The shift to continuous tool credential or proprietary information, these development seems to explain the effective groups are still able to access target net- difference of disclosures on numerous works after network defenders implement groups beginning around 2014, when public strong technical controls. reporting generally stopped having serious effects on APTs. For instance, APT10 was disrupted by FireEye’s first report in 2013, but later reports in 2015 and 2016—after it had diversified its tools and started the con- tinuous development of new ones—had lit- tle effect. Lazarus’ behavior also instantiates this trend.

SIPA Capstone 2020 89 The Impact of Information Disclosures on APT Operations MEASURING THE SUCCESS OF great effect on the least-senior technicians DISCLOSURES who merely carry out orders from above. In general, disclosures to embarrass have not The success of a disclosure can ultimately be been successful outside of the Chinese con- determined from its intent. 4 If the disclo- text. Iran is not embarrassed because its sures discussed in the case studies were in- proxies give it plausible deniability. North tended to deter similar future behavior, they Korea is beleaguered by financial sanctions unequivocally failed. Each group continued and trade restrictions, so disclosures on its to operate apart from the nominal excep- cyber activities carry little weight. Russia is tions of APT1 and APT10; and even then, politically focused and emboldened by the other Chinese groups still target countries free publicity, excited to appear powerful to and companies globally. Were the intent to the rest of the world.5 cause friction, then the hiatus seen in APT While some disclosures may not operations would suggest that have any meaningful impact on disclosures were successful. But Naming-and-shaming APT operations, their intent may those were merely pauses, not disclosures that call be to add to the public record or definitive ends; and every out a group’s low-level to contribute to defensive cyber- group under consideration re- 6 operators have been security. They can be good for sumed operations in one ca- largely ineffective. public relations, allowing the pacity or another, generally not discloser to build relationships much longer than two months within the private sector and after a disclosure. with the government. They may serve as If the intent is to humiliate and shame the proof that vendors or government entities nation-state sponsoring or supporting the are doing something to prevent cyberat- group, success is actor-specific. The reports tacks, or to justify government sanctions on and later indictments of Chinese groups em- other governments, foreign entities, and in- barrassed the Chinese government and dividuals. Sanctions can be an important should be considered successful, though not tool to influence other states’ behavior, and successful enough to convince the Chinese they can be used to promote norms of con- to halt operations completely. Naming-and- duct. Unlike denunciation and statements of shaming disclosures that call out a group’s attribution, sanctions must adhere to legal low-level operators have been largely inef- standards and present credible evidence of fective against non-Chinese groups, likely wrongdoing. because public naming does not have a

4 As discussed in an interview with Max Smeets, Sen- 5 Interview with an unnamed source. ior Researcher at the Center for Security Studies at 6 Interview with an unnamed source. ETH Zurich

SIPA Capstone 2020 90 The Impact of Information Disclosures on APT Operations Disclosures also make post hoc misrepresen- operations against APT groups, they provide tation of APT operations difficult because utility for network defenders, who can take they create a timeline of APT operations. the information released in the reports and Additionally, although these reports might use it to build stronger controls to keep ad- not have any long-lasting effect on offensive versaries out.

SIPA Capstone 2020 91 The Impact of Information Disclosures on APT Operations IMPLICATIONS OF OUR RESEARCH

FOR PERSISTENT ENGAGEMENT networks, thus defending itself by acting in a AND FORWARD DEFENSE space forward of its own perimeter. Addi- tionally, Cyber Command engages in its own Persistent engagement is the current U.S. form of information disclosure, uploading Department of Defense strategy to counter malware indicators of compromise to web- adversaries in cyberspace. The strategy was sites like VirusTotal.3 All of this action is in- designed to reflect the perspective that cy- tended to cause friction for adversaries, berspace has unique structural and opera- making it harder for them to target U.S. en- tional characteristics that differentiate it from tities and interests, and occurs below the the other domains of conflict (land, air, and level of armed conflict.4 sea): namely, the characteristics of intercon- Persistent engagement is based on the con- 1 nectedness and of constant contact. Oper- cept of tacit bargaining. Explicit and overt ationally, persistent engagement has two bargaining between nations on norms and objectives: first, to “disrupt or halt malicious rules occurs through diplomacy and negoti- cyber activity at its source,” and second, to ations, in which all sides make clear what “provide public and private sector partners they want and then work together to reach a with indications and warnings (I&W) of mali- satisfactory agreement that is reflective of 2 cious cyber activity.” wants, needs, and power dynamics. Tacit DoD’s Cyber Command (USCYBERCOM) bargaining theory states that all nations are carries out persistent engagement by de- self-interested and want to avoid conflict es- fending forward. Its cyber forces are in a con- calation, so they reach informal agreements stant state of contact in which they on which actions are and are not acceptable maneuver, outmaneuver, and react to adver- by acting and reacting to each other. Over saries who are also in their own constant time, states’ actions and reactions to others state of maneuvering, outmaneuvering, and slowly delineate what they find to be ac- reacting. This means that Cyber Command ceptable behaviors. It is a process of trial and is engaged with adversaries on their own error. With persistent engagement, states

1 ‘Summary: Department of Defense Cyber Strategy’ 3 See www.virustotal.com (2018), Department of Defense: https://media.de- 4 J. G. Schneider, ‘Persistent Engagement: Founda- fense.gov/2018/Sep/18/2002041658/-1/- tion, Evolution, and Evaluation of a Strategy’ (10 May 1/1/CYBER_STRATEGY_SUMMARY_FINAL.PDF 2019), Lawfare: https://www.lawfareblog.com/persis- 2 M. P. Fisherkeller & R. J. Harknett, ‘What Is Agreed tent-engagement-foundation-evolution-and-evalua- Competition in Cyberspace?’ (19 February 2019), tion-strategy Lawfare: https://www.lawfareblog.com/what-agreed- competition-cyberspace

SIPA Capstone 2020 92 The Impact of Information Disclosures on APT Operations communicate through their behavior in cy- disclose behaviors of other actors that they berspace as they maneuver and outmaneu- find to be unacceptable. ver each other. The interactive process leads Notably, declassified documents reveal that to all states having a tacit understanding of this is exactly how Cyber Command intends what each state will allow in cyberspace.5 its public disclosures to work. They serve In theory, information disclosures and indict- both offensive and defensive purposes. The ments should complement persistent en- documents note that Cyber Command’s gagement and forward defense in three “objectives of VirusTotal uploads are to im- ways that are themselves complementary.6 pose cost on adversar[ies]…and increase the First, information disclosures by the U.S. resiliency of vulnerable networks.” Both of government give private sector defenders these objectives are key to the strategy of more information on adversary operations persistent engagement.7 by disclosing their actions, thereby giving Our research suggests that public disclo- them more chances to thwart adversary at- sures can be effective at achieving both of tempts to disrupt, degrade, destroy, or steal Cyber Command’s objectives with respect from their targets. Second, disclosures to persistent engagement. Defenders bene- should create friction for adversaries, com- fit from any additional information they re- plicating their operations. By revealing their ceive on adversary TTPs, tools, and plans before they can be put into action, or indicators of compromise. Additionally, pub- by showing the world how they operate, lic disclosures do have some disruptive ef- these disclosures should slow down APT op- fect on APT operations. However, our erations as they change their infrastructure, research also suggests that some nuance is tools, and TTPs in order to not get caught. If necessary. We find that the disruptive effect information disclosures continue at a quick- of public disclosures varies significantly enough pace, APTs may never get a chance based on a number of factors, including the to carry out a full attack. Indictments should scope of the disclosure and the disclosing play a role here too, serving as a form of for- actor. A simple public disclosure from a mal information disclosure that also releases cyber threat intelligence firm or a posting of names and comes with diplomatic and legal indicators of compromise VirusTotal is much consequences. Third, it contributes to the less disruptive than an indictment. Further, process of tacit bargaining as nation-states the impact of indictments themselves is

5 M. P. Fisherkeller & R. J. Harknett, ‘Persistent En- 6 Interview with Natasha Cohen, Senior Cyber Opera- gagement and Tacit Bargaining: A Path Toward Con- tions Planner and Strategist at DHS-CISA. structing Norms in Cyberspace’ (9 November, 2018), 7 J. Cox, ‘Internal Docs Show Why the U.S. Military Lawfare: https://www.lawfareblog.com/persistent-en- Publishes North Korean and Russian Malware’ (25 gagement-and-tacit-bargaining-path-toward-con- February 2020), Vice: https://www.vice.com/en_us/ar- structing-norms-cyberspace ticle/5dmwyx/documents-how-cybercom-publishes- russian-north-korean-malware-virustotal

SIPA Capstone 2020 93 The Impact of Information Disclosures on APT Operations dependent on the APT in question. In most sophisticated. There is a chance that infor- cases, regardless of disclosure type, an APT mation disclosure may be a more effective is only disrupted for a short period of time. strategy against less capable groups that are unable to quickly adapt to new circum- We must consider these questions of effi- stances. Additionally, disclosures aimed at cacy in direct relation to specific objectives. causing adversaries friction are less effective As mentioned, disclosures do have some if network defenders do not take the time to disruptive efficacy and are thus somewhat implement new controls or update existing useful in achieving the objectives of persis- ones based on released information. tent engagement. The usually-short duration of this disruptive effect makes them much Ineffective information disclosures contrib- less useful for other purposes, such as deter- ute very little to the concept of tacit bargain- ring malicious cyber activity. The level of ing, a key component of persistent cost imposed by disclosure events is simply engagement. While they do allow other na- not high enough to change the risk calculus tion-states and nonstate actors to gain a of adversaries conducting cyber activity be- general sense of actions that the U.S. does low the level of armed conflict. and does not find acceptable, they do not appear to be able to stop those groups from The impact of information disclosures on acting. Tacit bargaining aims persistent engagement may to outline what can and can- also be country-dependent. In most cases, regardless of not be done with the inten- Chinese APTs, for example, disclosure type, an APT is tion that everyone then sticks appears to be affected by only disrupted for a short to the set boundaries. If other highly public information dis- period of time. actors in cyberspace do not closures from private vendors respect those restrictions on and by indictments, so information disclo- action, the process of setting them cannot sure could be an effective part of a China- be considered a success. It is important to specific cyber strategy. APTs from other note here that public disclosures that are not countries and contexts appear less affected, consistent with, or backed up by, the disclos- or unaffected, by information disclosures, ing state’s behavior can therefore greatly un- implying that disclosures might not be an ef- dermine the norm-setting purpose of tacit fective component of an offensive cyber bargaining. Thus, a state that indicts adver- strategy against them. In some cases, like sary personnel for economic espionage but Russia, disclosures might have the opposite then engages in economic espionage itself effect and encourage further activity. contradicts the very norms that it is trying to The efficacy of disclosures as a component set. of persistent engagement may be affected Further, information disclosures on a single by both APT and network-defender sophis- group at a time should not be considered a tication. All of the groups outlined in our uniquely and independently effective case studies are quite capable and

SIPA Capstone 2020 94 The Impact of Information Disclosures on APT Operations component of persistent engagement, perfect, there has been a significant amount which is a nation-state strategy to counter of research on the effect of leadership re- other nation-states. Disclosures might be moval in the counterterrorism context. Aus- more effective if they involved coordinated tin Long, for example, argues that releases of mass information on every known institutionalized organizations are resilient APT group an adversarial nation-state spon- against leadership decapitation. He deter- sors; otherwise, one group can make up for mines institutionalization based on “whether lost activity of another. In the case of Russian an organization exhibits functional speciali- groups APT28 and APT29, both groups sim- zation, hierarchy, and bureaucratic pro- ultaneously targeted the DNC in 2016. Had cesses for conducting operations,” 8 a disclosure intended to get the Russians out characteristics possessed by most APTs. of the DNC networks been operationally While institutionalized organizations should successful at halting the activity of one be more resilient to leadership removal, re- group, the presence of the other would ren- moving (or simply disrupting) key opera- der the disclosure a strategic failure. How- tional personnel may be more effective, ever, disclosures may be an effective tool to particularly in a domain in which technical introduce friction within a state adversary’s expertise is vital. Information disclosures intelligence services if multiple APTs, partic- that are a part of a broader strategy of per- ularly those serving different state agencies, sistent engagement should target each are operating against the same target while group’s operational center of gravity. They unaware of their compatriots’ activity. By re- should not be released without careful con- vealing their activity to the others working sideration of the cultural and political con- the same target, disclosures can lead to in- text in which the APT operates, and they fighting that pulls resources away from their should be designed specifically to maximize operations. pain for that particular group. For example, With disclosures or indictments that reveal numerous Chinese APTs might have central- personas, the differing roles of compro- ized tool development, so disclosures tar- mised individuals might create differences in geting individual groups will be less effective effect. It is worth exploring the potential dif- than disclosures that target the activities of ferences in the disruptive effect of remov- the high-level developers.9 ing—or revealing the identities of— leadership versus operators, developers, or others. While the analogy is certainly not

8 A. Long, ‘Assessing the Success of Leadership Tar- 9 ‘Supply Chain Analysis: From Quartermaster to Sun- geting’ (November 2010), CTC Senti- shop’ (November 2013), nel: https://ctc.usma.edu/assessing-the-success-of- FireEye: https://www.fireeye.com/con- leadership-targeting/ tent/dam/fireeye-www/global/en/current- threats/pdfs/rpt-malware-supply-chain.pdf

SIPA Capstone 2020 95 The Impact of Information Disclosures on APT Operations FOR PRIVATE CYBERSECURITY FOR THE FINANCIAL SECTOR VENDORS For the time being, the financial sector is not From the standpoint of network defense, pri- an offensive actor in cyberspace. Conse- vate vendors should continue to release in- quently, members of the financial sector formation when necessary to boost the should continue doing what they are already collective security of all. They should also ex- doing: monitoring public reporting and in- plore information sharing channels that do formation disclosures on threat groups and not necessitate public disclosure. working with private cybersecurity vendors as appropriate to defend their networks. However, private cybersecurity vendors that When information is disclosed, they should publicly disclose information as an offensive promptly take the necessary steps to update tool to cause pain to APTs need to consider their network defenses in line with cost and context and intent. As discussed, the social, risk appetites. They should not grow com- cultural, and political contexts in which APTs placent when a specific threat group is not operate are complicated and vary by coun- targeting the financial sector, because capa- try, so disclosure efficacy will change for ble APTs evolve and can shift their sights to- each group. Disclosures should be individu- ward the financial sector in ally crafted to maximize fric- the future. tion and pain. Doing this Disclosures should be individ- That being said, many pri- requires deep non-technical ually crafted to maximize fric- vate and commercial finan- understanding of each APT, so tion and pain. private vendors should retain cial institutions maintain non-technical talent with back- strong ties to governments grounds in the social sciences. Additionally, around the world. They must work with reg- vendors should consider the technological ulators in the countries in which they operate trends that reduce the value of malware dis- to ensure the legality of their actions, and closures over time, such as the use of com- they sometimes collaborate with govern- modity malware that groups can afford to ments and central banks on finance and in- lose and the use of social engineering, which frastructure projects. All financial institutions cannot be stopped with signature-based should consider aspects of their state collab- threat detection. oration that may make them a target for in- trusive and disruptive attacks, both by the country with which they collaborate and by its adversaries. While financial institutions should meet regulators’ disclosure require- ments, they should also factor these consid- erations into their risk calculus when choosing to publicly reveal, or not to

SIPA Capstone 2020 96 The Impact of Information Disclosures on APT Operations publicly reveal, attacks against their infra- ROOM FOR FURTHER RESEARCH structure and networks. Although such reve- lations may embarrass or stop the actions of Our findings should be understood within some APTs, they could invite opportunist the context of the scope of our project and and retaliatory attacks by others. our ability to measure APT activity. We measured activity through public disclo- sures. There were many periods for APTs when we did not record any ongoing cam- paigns, but that does not mean that these groups were not operating. Similarly, even in cases where we could not ascertain an im- pact resulting from a disclosure, groups may have still undertaken change at the com- mand level.

More research with a larger and more repre- sentative sample is necessary to determine whether our findings hold true across larger sample sizes and to examine the causal mechanism behind our findings, as these outcomes are affected by the unique charac- teristics of each group itself, the country in which it is based, and the geopolitical situa- tion in which it operates. Additionally, fur- ther research should include discussions with members of the financial sector on steps they might take to use information disclo- sures in an offensive manner in the future, should the sector choose to move in that di- rection.

SIPA Capstone 2020 97 The Impact of Information Disclosures on APT Operations

ACKNOWLEDGEMENTS

The team would like to thank the many experts – Dmitri Alperovitch, Kris McConkey, Natasha Cohen, Max Smeets, Ben Read, Luke McNamara, Jenny Jun, and others that asked to remain anonymous – who agreed to be interviewed for this project and who shared and explained their unique insights into these numerous APT groups. This project could not have existed without the voluminous cyber threat intelligence collection and analysis conducted by the cybersecurity community over the years. Jason Healey's enthusiasm for and promotion of the project helped push us forward. Our greatest thanks go to our client sponsor Ken Wolf for making this project possible and our advisor, Neal Pollard, who provided valuable insight and suggestions through- out the research process.

SIPA Capstone 2020 98 The Impact of Information Disclosures on APT Operations ABOUT THE TEAM

Matthew Armelli School of International and Public Affairs. John received his commission into the Matthew Armelli is a second year Master of United States Navy after graduating from International Affairs student at Columbia’s George Washington University. He has School of International and Public Af- served for nine years and was most recently fairs. His studies focus on International Fi- stationed on board USS STETHEM (DDG 63) nance and Economic Policy as well as homeported out of Yokosuka, Japan. Cybersecurity. While attending SIPA, he in- terned on the Foreign Policy team at the Max Eager Clinton Foundation and on the Online Secu- Dr Eager is a candidate for the Master of In- rity Team at Facebook. Prior to attending ternational Affairs, with a concentration in in- SIPA, he worked in Technical Security at the ternational security policy and a Cleveland Clinic after receiving his Bache- specialization in business management. He lor’s in German Studies at Miami Univer- has worked for the Information Security Divi- sity. Matthew was born and raised in sion of the NYPD, and is presently Senior Re- Cleveland, Ohio. searcher at GMG Strategic Advisers, a Stuart Caudill boutique technology and telecommunica- tions consultancy based in NYC. Prior to Stuart is a Master of International Affairs can- SIPA, Dr Eager was College Tutor in Classics didate studying international security and and Philosophy at Oriel College, Oxford. He cyber policy. Prior to graduate school, Stuart holds a DPhil in Ancient History from the Uni- spent over five years leading intelligence versity of Oxford, and is the author of the and cyber operations for the U.S. Army. Stu- monograph "Seneca's Influence with Nero" art co-authored the first public analysis of documents captured in the raid on Usama (Oxford, 2018). A native of New York City, Bin Ladin's compound in Abbottabad, Paki- Max has lived in Princeton, Rome, and Ber- stan, and his work on cyber policy has been lin. Currently he resides in Brooklyn with his published in War on the Rocks and Strategic partner Claire and chihuahua Banana. Studies Quarterly. Stuart received a B.S. in Jennifer Keltz International Relations and Arabic from the Jennifer Keltz is about to graduate from SIPA U.S. Military Academy at West Point and is a with her Master of Public Administration. At 2019 Tillman Scholar. SIPA, she studies International Security Pol- John Patrick Dees icy and Technology, Media, and Communi- John Patrick Dees studies International Se- cations. Immediately prior to graduate curity Policy and Data Analytics and Quanti- school, she was a Peace Corps Volunteer, tative Analysis at Columbia University’s first in Burkina Faso and then China. After

SIPA Capstone 2020 99 The Impact of Information Disclosures on an Adversary’s Operations finishing school this May, she will start work- summer, John interned as a Cyber Threat In- ing as a cyber risk consultant. She earned her telligence Analyst at BlueVoyant. After grad- undergraduate degree at the University of uation, John will begin a Fulbright research Virginia, where she majored in Government grant in Athens, Greece, where he will con- and minored in French. duct research on the European Union’s Agency for Cybersecurity (ENISA). Ian Pelekis Virpratap Vikram Singh Ian is an accomplished geo-political analyst, formerly working with the Canadian govern- Virpratap is a Master of International Affairs ment and a variety of think tanks, before de- candidate focusing on cybersecurity and ciding to focus on cybersecurity. Previously, tech policy. Prior to graduate school, he Ian's research and work focused on proxy worked as the digital media and content warfare and influence operations naturally manager for Gateway House, a foreign pol- leading Ian to the world of cybersecurity. icy think tank in India. His writing has been During his time at SIPA, Ian has focused on featured in OODA Loop. He holds a Bache- cyber security, cyber conflict, and cyber lor in Liberal Arts from the Symbiosis School threat intelligence while working with the for Liberal Arts, majoring in Media Studies New York City Cyber Task Force. Ian now and minored in International Affairs. works at Next Peak as a cybersecurity ana- Katherine von Ofenheim lyst, where he heads the creation of the Geo- Cyber Risk platform, a service combining Katherine von Ofenheim is a candidate for a geo-political and cyber risk to help identify Master of International Affairs, with a con- and mitigate cyber risk. centration in international security policy and specializations in technology, media, John Sakellariadis and communications and the Middle East re- John Sakellariadis is a second-year Master of gion. Prior to SIPA, Katherine spent six years International Affairs candidate studying In- working in the humanitarian response and ternational Security Policy with a focus on cy- international development across the Mid- bersecurity. Prior to SIPA, John worked as a dle East. She earned her undergraduate de- Research Assistant in U.S. Foreign Policy at gree at the University of Oregon, where she the American Enterprise Institute. At SIPA, majored in international affairs and geogra- he serves as the Editor in Chief of the Journal phy. After graduation, Katherine will begin a of International Affairs, a student-run, peer- Presidential Management Fellowship at the reviewed international affairs journal. Last Department of State.

SIPA Capstone 2020 100 The Impact of Information Disclosures on an Adversary’s Operations