.SIAK-Journal – Zeitschrift für Polizeiwissenschaft und polizeiliche Praxis

Braganca, Maschenka

Pocket Spies. Advanced Persistent Espionage Campaigns Go Mobile

SIAK-Journal − Zeitschrift für Polizeiwissenschaft und polizeiliche Praxis (3/2018), 19-29. doi: 10.7396/2018_3_B

To cite this article as a source, please use the following details:

Braganca, Maschenka (2018). Pocket Spies. Advanced Persistent Espionage Campaigns Go Mobile, SIAK-Journal − Zeitschrift für Polizeiwissenschaft und polizeiliche Praxis (3), 19-29, Online: http://dx.doi.org/10.7396/2018_3_B.

© Bundesministerium für Inneres – Sicherheitsakademie / Verlag NWV, 2018

Note: The printed edition of this article appeared in the print version of the SIAK-Journal published by Verlag NWV (http://nwv.at).

Published online: 12/2018

Pocket Spies Advanced Persistent Espionage Campaigns Go Mobile

Mobile advanced persistent threat (APT) campaigns are simply the natural evolution of an attack type. It was just a matter of time before attackers would focus on exploiting a device that is so critical to our digital life. Threat actors always try to be ahead of the game, and advancements in the tactics, techniques and procedures (TTPs) used shouldn’t come as a surprise. While we notice massive changes in the way malware is written and developed, and new techniques being pioneered that help leave infiltration unnoticed (hardware-embedded malware or fileless malware, etc.), little attention has been paid to the mobile front, although it certainly is the one electronic device no one can function without. Over the past year, we have been observing how attackers use a device that is so ubiquitous in everyone’s daily life, together with the sophistication of serious malware authors that aren’t just trying to siphon off a few bucks. This has given rise to what some security researchers classify as a new category of advanced attacks that some even call “Mobile APTs” with a clear nation-state component. APT actors have traditionally operated on PC platforms, but are now rediscovering the mobile segment through evolving tactics. This article will explore these “mobile APTs” and place them in the context of recent changes in the general threat landscape.

Maschenka Braganca, Sr. Program Manager of threat research communications with a security firm.

Unintentional spy gadgets

Our entire private and professional digital life is happening on the mobile device, from emails to contact lists to mobile banking and security tokens that are required for accessing sensitive information on our primary device, such as the work PC. We carry it around everywhere and read and hear about cyber-related intrusions every day. And we still barely use proper cybersecurity[1] on our mobile devices, even at the executive level.

Threat actors are evolving their tactics and exploiting less-expected avenues for maximum effect. The examples that will be discussed in this article illustrate the introduction of mobile as a key component of the APT world these days, and show how threat actors are moving toward multi-platform APTs. With so-called “mobile APTs”, mobile devices are becoming not just targets for espionage campaigns with a political context, but will also very likely become the primary target for any type of intrusion for enterprises as well. Infiltrating an individual’s device or a company’s doesn’t just serve the purpose of stealing data or intellectual property. Many of these highly resourceful, sophisticated threat actors utilize this to leverage a foothold in any company’s infrastructure to later target government organizations and/or critical infrastructure. Leveraging the mobile devices of the individuals targeted is now an additional or even quicker pathway to accessing the enterprise environment.

As the threat landscape changes and evolves, it simultaneously creates a dynamic of overlap between threat actors and a blurring of lines between traditional roles and modi operandi. Espionage (or more broadly, intelligence) in its essence used to refer to the ways in which “sovereign powers create, exploit and protect secret advantages against other sovereignties” (Warner 2014, 4). The tools of the trade used for this purpose used to be the nation-state actor’s prerogative. Now these same tools are suddenly widely available to a number of threat actors with various – in part, conflicting – agendas.

The dawn of the mobile espionage campaigns

Researchers have been observing mobile malware campaigns that are highly targeted, using social network services and popular apps to deploy the malware (typically spyware) onto the mobile device. The trojanised apps function like the legitimate apps and fulfil their regular functions, but they will divert the user to download a payload. The difficulty lies in figuring out whether an app is legitimate or masquerading. How do you establish anomalous behaviour? How did the mobile apps make it into an official app store? The malicious apps are designed to pass the initial screening and be available in the official app store by bundling most of the malicious functionality into second-stage components that are downloaded only after victims have installed the rogue apps and interacted with them.

In the following passage, a few recent examples of mobile espionage campaigns will be described to illustrate the methods and tactics being used by the various threat actors that have been transitioning and/or expanding into “mobile APTs”. Most of these cases use a combination of run-of-the-mill techniques (either via social media, straightforward text messaging or chat apps) to drop the payload on the victim’s device, mostly by prompting the user to download an app. Looking through indicators of compromise (IOCs) and malware analysis, the different research teams often thought what they were seeing were low-level threat actors employing relatively simple cyber-espionage tactics, probably for criminal endeavours, but were surprised to discover more purposeful and persistent behaviours in most threat actors. Also, while some incidents initially seemed incidental, some of the campaigns were operational for a lot longer than initially expected.[2]

Pegasus

Profile:
Discovered in: August 2016.
Functionality: Its functionality can be broken down as follows: Starting with a phishing scheme via SMS, the attack relies on the human weakness. Through SMS, the user is prompted to click on a link, which starts the browser and loads a page. Pegasus exploits three critical iOS zero-day[3] vulnerabilities that form an attack chain that subverts even the tightly controlled security of the Apple Store and environment.[4] Once in the device, malware is installed in order to perform the assigned tasks (gathering information, etc.) and maintains persistence to ensure that it stays installed. Pegasus uses encryption to remain stealthy and fly under the radar of traditional security detection tools.
Threat Actor: The security researchers identified NSO Group behind these operations, connecting it to a product that NSO Group sold as “Pegasus solution”. NSO Group sells surveillance technology like weaponized software that targets mobile phones and is often characterized as a “cyber-arms dealer”. NSO Group was operating on behalf of various clients, among whom were also nation-state clients.
Victims and Targets: The goal of Pegasus was espionage with large-scale geographical reach. Among the victims identified in early reports on this attack were political dissidents and human rights defenders based in UAE, Mexico, Uzbekistan and other countries across the world, but the type of malware used here indicates that any high-value victim could be targeted, in political and corporate settings alike.

Security firm Lookout describes the Pegasus campaign, discovered in 2016, as “the most sophisticated attack” (Citizen Lab and Lookout 2016) they have yet seen on any endpoint (not just on mobile). Like other similar mobile malware, it takes advantage of the combination of the unique features available with a mobile device (such as 24/7 WiFi, 5G, microphone, video, contact lists, applications, email, SMS, messaging, GPS, etc.). What is special in this case is that in this attack the adversary can effectively jailbreak an iOS device, exploiting three iOS zero-days, and then remain under the radar spying on its victim. A tailor-made exploit sequence for iOS devices (like this one based on not one but three zero-days) is typically very costly because it is relatively difficult to achieve. Threat actors will typically use this kind of targeted and expensive spyware to attack “high-value” individuals who give them access to sensitive information. In political and corporate settings alike, the amount of sensitive information that is being carried on or accessed from mobile devices clearly highlights the susceptibility to high-level (corporate) espionage.

ViperRAT

Profile:
Discovered in: February 2017.
Functionality: ViperRAT has been specifically designed to exfiltrate information of high value from compromised devices. It comes in two variants. As is often the case, social engineering is at the beginning of this attack. The victims were contacted via social media by good-looking women from Western countries to lure the user into downloading a trojanised app disguised as a chat or game app. This app will do some basic profiling of the device and then download the second component/variant of ViperRAT that has a more comprehensive surveillance and intelligence gathering function. It includes a dropper which, in order to be installed, requires the user to grant permissions and can then exfiltrate image data and audio content and use the device camera. In 2018, samples belonging to this mobile malware family resurfaced as chat apps in the Google app store (Flossman 2018; Flossman 2017). ViperRAT has been operating since late 2015 and was likely used as a test application at first.
Threat Actor: There are many theories about potential threat actors, but no conclusive evidence that could point toward one specific actor with a fair amount of certainty. What can be said is that research indicates the actor behind it has a well-developed cyber-capability as well as an active interest in the geopolitics of the Middle East.
Victim and Targets: Likely espionage against Israeli Defense Force (IDF) personnel.

GnatSpy

Profile:
Discovered in: December 2017.
Functionality: The distribution vector starts with sending malicious files containing the malware directly to users with legitimate-sounding titles such as “Android Setting” or “Facebook Update”. The goal is to steal images, messages, contact information, call history, and other sensitive data from infected devices. The research (like shared C2 domains) suggests that GnatSpy is likely an improved version of the so-called VAMP malware by the same threat actor, indicating that these threats are connected.[5] However, GnatSpy has a much more modular set-up as opposed to VAMP, which suggests that the developer must have knowledge in good software design compared to previous authors. GnatSpy uses Java annotations and reflection methods to evade detection and encrypts its C2 server (Xu 2017) and can, in addition to the images, text messages, contacts and call history that VAMP would remove, also pull information from the infected device, such as battery, memory and storage usage, and SIM card status.
Threat Actor: APT-C-23 (also known as “Two-Tailed-Scorpion”).
Victim and Targets: Mainly countries in the Middle East.

GnatSpy, detected by Trend Micro in 2017, was likely developed by the threat actor APT-C-23 (or “Two-Tailed-Scorpion”) that was also behind the VAMP malware. GnatSpy is evidence of the fact that some threat actors are remarkably persistent even if their activities have been exposed and documented by researchers in the past. The threat actor is not just continuing its activities, but really improving its technical capabilities.

AnubisSpy

Profile:
Discovered in: December 2017.
Functionality: AnubisSpy uses a “watering hole” technique. It comes disguised as an app, published on Google Play and third-party app stores, and was even signed with fake certificates.[6] It uses socio-political themes as social-engineering hooks for phishing attacks with the goal of stealing messages (SMS), photos, videos, contacts, location, email accounts, calendar events and browser histories, and to take screenshots and record audio, including calls. The collected data is encrypted and sent back to the C2 server. It is also constructed to self-destruct to cover its tracks.[7] The research suggests that it might be linked to the Sphinx threat actor group that also employs PC/desktop-targeting malware, based on shared file structures and C2 server, and seemingly has expanded the platform being served (Xu/Guo 2017). AnubisSpy’s first activity dates back as early as April 2015.
Threat Actor: APT-C-15 (also known as “Sphinx”).
Victim and Targets: Mostly, the victims have been linked to countries in the Middle East. The threat actor is likely Sphinx, targeting government and military organizations.

AnubisSpy is one of the more devious mobile espionage malware types, coming disguised as a legitimate app, and was available on the Google app store.[8] It also marks the current trend of a transition in threat actor tactics from the PC to the mobile platform.

DarkCaracal

Profile:
Discovered in: January 2018.
Functionality: DarkCaracal also starts with a simple phishing message like “How are you?” or trojanised Android apps disguised as secure chat apps to direct potential victims to the watering hole. It retains full functionality, exfiltrating sensitive data without the victim noticing. Victims granted attackers the right to access the private data by granting permissions when they installed the app. DarkCaracal’s attack profile shows that the threat actor is operating on multiple platforms. The mobile component of DarkCaracal was one of the first observed espionage campaigns with global reach, according to security researchers (Electronic Frontier Foundation and Lookout 2018).
Threat Actor: The first attack using DarkCaracal that was identified and analysed seems to emanate from the Lebanese General Directorate of General Security (GDGS) according to security researchers. The malware has been around since early 2012.
Victims and Targets: Among the targets connected to DarkCaracal were journalists, activists, government officials, military personnel, financial institutions, defence contractors and other individuals and groups in the US, China, Germany, India, Russia, Saudi Arabia, South Korea and within Lebanon. The goal seems to have been acquiring enterprise intellectual property as well as personally identifiable information.

Not every campaign necessarily utilizes sophisticated tools such as iOS zero-days, as in the case of Pegasus. There is evidence for surprisingly low-budget options as well. The same firm that discovered DarkCaracal indicated it initially looked like a criminal endeavour but turned out to be traceable to a nation-state intelligence agency. The tools employed for this campaign are not sophisticated and simply require luring the user into granting certain application permissions (Perlroth 2018). This threat actor is the exact opposite of Pegasus, which shows us the entire spectrum of the espionage game. Mobile platforms are appealing to APT actors because they have fewer security measures or are left unsecured by users, and are often cheaper for attackers to work around.

Zoopark

Profile:
Discovered in: May 2012.
Functionality: Zoopark spreads via two main distribution channels: 1) drive-by downloads (watering holes)[9] from websites and 2) it mimics the chat app Telegram. Several samples observed reportedly mimicked a voting application for Iranian Kurdistan. Zoopark has been around at least since June 2015. Four variations are claimed to have been found that also show gradual improvements in their functionalities. The latest version is the most advanced and can exfiltrate a wide range of data, including contacts, GPS location, text messages, call audio, key logs and browser data (among others); it also has backdoor functionality that allows it to make phone calls, send messages and execute shell commands. As is often the case, it begins with a watering hole attack leveraging Telegram channels and compromised legitimate websites.
Threat Actor: The current research does not indicate a specific threat actor.
Victims and Targets: Among the victims identified were individuals in the Middle East, e.g. Iran, Morocco, Egypt, Jordan and Lebanon, but also political organizations such as the United Nations Relief and Works Agency for Palestine Refugees (UNRWA).

Zoopark trojan spyware is an example of mobile spyware that is able to remotely control a device and steal all sorts of confidential information from it. It was discovered by vendor Kaspersky Labs, who state that they found four different iterations of the Zoopark malware apparently developed between 2015 and 2017, each one expanding on the previous (Kaspersky 2018). The latest version shows massive improvement and advancement in comparison to its predecessors, which only had basic functionality[10] and incrementally added features. This leads the research team to believe that the threat actor might have outsourced development or purchased from specialist vendors. There is a huge (black) market for specialist (surveillance) tools and it is not an uncommon practice today to purchase them instead of going through the process of developing in-house.

RedDawn

Profile:
Discovered in: May 2018.
Functionality: RedDawn uses multi-component malware. The attackers planted three unreleased beta apps in Google Play. They have legitimate-sounding content such as food and security, but behind the scenes steal data like contacts, messages, call recordings and photos, have remote command capability and fetch additional executable (.dex) files from a C2 server. After being installed, the malware uses e.g. Facebook to infiltrate the contact list and prompt users to install the app (through phishing techniques). RedDawn has been reportedly operating since 2017.
Threat Actor: The attacks have been associated with the threat actor “Sun Team” hacking group. Further investigation has shown that there have been multiple versions of the malware. It seems Sun Team’s only goal is to extract information from devices, since all of the malware samples are spyware.
Victims and Targets: For the most part, victims are Korean-speaking users, possibly North Korean defectors and journalists.

The most recent case is RedDawn. The campaign was discovered by vendor McAfee in May 2018 (Min 2018b). It is the second campaign by this threat actor within this year; the first was targeting North Korean defectors and journalists using a chat app as a delivery vector. According to the analysis, the apps used in this campaign are multi-staged and typically use multiple components, starting with a reconnaissance phase that sets the foundation for the next steps (Min 2018a).[11] The threat actor seems to be using modified (publicly available) exploits which, according to McAfee, might indicate a lack of in-house technical expertise.

What makes this new kind of mobile attacks an “advanced” threat?

When it comes to describing cyber attacks or cyber operations, the word sophisticated is used very quickly. But not every operation or campaign is “advanced” or even “sophisticated”. Does the anatomy of the attack classify mobile malware as an APT rather than just another piece of malware that can steal information or disrupt a system? Very often this marks a marketing tactic by vendors, but in some cases, adding this attribute tells a bit of the story of method or technique that is not entirely well understood at the time it has been discovered.

The term “Advanced Persistent Threat” has a history of its own and its use in describing specific attacks is not undisputed among security researchers (Bejtlich 2010). In very simple terms, the term “advanced persistent threat” originated from the US Air Force around 2006 and denotes an attack where the adversary systematically targets and infiltrates a system and remains there for an extended period of time without being detected. It originally and, perhaps most significantly, meant an attack by a nation state. Advanced persistent threats typically have several phases, which often leads to confusion with so-called “targeted attacks” because of the many shared attributes – such as selective targeting of victim organizations, maintaining a foothold in the environment for future use and control, technical sophistication[12] and many others (Genes 2015). Not every advanced threat or well-designed piece of malware necessarily emanates from a nation state actor. There is a host of other skilled threat actors from which to choose.

Fig. 1: Typical APT/targeted attack lifecycle (Source: Braganca): 1. Initial Compromise; 2. Establish Foothold; 3. Escalate Privileges; 4. Internal Reconnaissance; 5. Maintain Presence; 6. Complete Mission.

Most of the attacks that follow this pattern are targeted attacks, and this also applies to the campaigns discussed before. In some cases, the nation-state aspect might justify the APT terminology but in some cases the level of “sophistication” might be questionable. In fact, the attribution often goes the other way round – after looking at the samples, many threat actors have been identified as APT actors that have started adding the mobile vector to their previous PC-targeting operations. One example is the famous Lazarus group[13] that was found utilizing mobile operations as part of their repertoire (Han 2017), or the aforementioned Sphinx group.

When we look at the modus operandi of many of these groups, it usually begins in quite the unspectacular way with a simple email or SMS, which very often is one of the most effective malware delivery mechanisms. Only at the infiltration stage do we see what tools are really being used and what can be achieved with them. As the cases discussed show, there is a broad range of tools with varying degrees of sophistication – from low-budget trojans to pre-made toolkits to costly zero-day exploits. Perhaps the most significant factor is that these actors, who have been operating for many years while going unnoticed (and those that were discovered and reported on), continue to improve their tactics and procedures.

Threat actors and the evolution of methods and tactics

APT attacks are the handiwork of threat actors with substantial resources and specific motivation, and that description typically fits nation states with a strategic interest. APTs have been around for decades. It is not really surprising to see APT threat actors increasingly adopting the mobile platform. At the beginning stage, the mobile operations were most likely offshoots, extensions, or separate but related operations of their desktop/PC counterparts. They are now well underway to becoming the primary attack vector.

In today’s threat landscape, we are faced with a plethora of threat actors, from script kiddies and hacktivists with a political motive to cybercriminal syndicates and nation states as well as combinations of these different groups that occasionally work together. A factor that is contributing to the current threat landscape is also directly related to the major leaks we have seen in past years (Vault7, Shadowbrokers, et al). Those leaks have led to a surge of cyber weaponry on the black market, which now makes very sophisticated tools available for purchase. Any threat actor can leverage advanced weaponry and doesn’t need to painstakingly develop and test it. Naturally, the new market offerings also create new actor profiles and enrich these groups with capabilities that before would have been impossible. Among these are nation states previously without significant offensive or high-tech capabilities and/or resources who are now taking the stage as they are able to access the tools necessary for such (wide-ranging) espionage campaigns. As history has shown in other instances, this is a result of the proliferation of a highly unregulated type of good and introduces new dynamic geostrategic constellations.

The other side of the diversity in threat actors is that nation states can practically “outsource” the work to vendors that offer these tools and services. This has many advantages: A nation-state actor can on the one hand pass off the time and investment required for the development of effective espionage tools (especially smaller states), but more crucially avoid incrimination and attribution for certain interferences, and publicly distance themselves from APTs.

What makes mobile espionage so attractive as a target and what is different?

The “smartphone” is the perfect pocket spy tool due to its features and its ubiquity in our personal and professional lives. The modern workforce is reliant on these devices to be more flexible, and BYOD culture in the corporate world has brought its own set of concerns. There also is no shortage of sensitive information stored on a smartphone and it functions as a control node in our digital life, hosting not just volumes of interesting data, but options to gain access to enterprise/other sensitive networks.

Mobile espionage is not just an evolution in cyber techniques, but the logical continuation of old-school espionage techniques (wiretapping to listen in on conversations, HUMINT aspects of following individuals and their transactions, etc.). All this can be very conveniently accomplished since everyone basically volunteers to be exposed to all these options by carrying a phone with them wherever they go. Using mobile devices for longer-term espionage campaigns is a step in the natural evolution.

Using mobile platforms for cyber-crime or data theft is not new. The mobile attack vector has been known for years. But we like to forget that this little handheld device we use for everything is the easiest way to access anyone’s entire digital life. In 2017, the mobile landscape was most notably riddled by a surge of (mobile) ransomware, the usual vector; banking trojans are still active, and mobile threats are joining in on cryptocurrency mining. One slightly disturbing pattern is that legitimate services such as the Google Play Store have been abused at a rapid pace. These threats are harder to detect because they hide behind legitimate and encrypted traffic and seemingly normal app functionalities and are essentially exploiting the trust people have in the official app store and their screening measures (Trend Micro 2017).

| Campaign | Discovered in | Operating since | Victim/Target | Threat actor | Scale/Scope |
|---|---|---|---|---|---|
| Pegasus | August 2016 |  | Various high-value individuals; among the first were political dissidents in UAE, Mexico, Uzbekistan etc. | NSO Group, on behalf of various clients, among which there are nation-state clients | Worldwide |
| ViperRAT | February 2017 | Since late 2015 | Israeli Defense Force (IDF) personnel | Unclear | Middle East |
| GnatSpy | December 2017 |  | Countries in the Middle East | APT-C-23 (also known as “Two-Tailed-Scorpion”) | Middle East |
| AnubisSpy | December 2017 | As early as April 2015 | Countries in the Middle East; it is likely Sphinx has targeted government and military organizations | APT-C-15 (also known as “Sphinx”) | Middle East |
| DarkCaracal | January 2018 | Since early 2012 | From USA to China, Germany, India, Russia, Saudi Arabia, South Korea and within Lebanon; enterprise intellectual property as well as PII are targeted | Possibly the Lebanese General Directorate of General Security (GDGS), according to the security firm | Global scale, very broad span, 21+ countries, easily 2,000 victims |
| Zoopark | May 2018 | At least June 2015; four variations claimed found | Countries in the Middle East, e.g. Iran, Morocco, Egypt, Jordan and Lebanon; political organizations such as UNRWA | Unclear | Middle East; up to 100 victims (the low number indicates very selective targeting) |
| RedDawn | May 2018 | 2017 | Korean-speaking users, likely North Korean defectors and journalists | Possibly “Sun Team” | Korean peninsula, around 100 victims |

Source: Braganca

Fig. 2: What can smartphones gather

Conclusion

The mobile threat surface is not new, but until recently, persistent and stealthy espionageware has been and still is an underrated problem for the mobile platform. While there might have been suspicion that these techniques are being used and possible on mobile devices, the scope was unclear and the cases described in this article often have shown more activity than initially thought.

Cyber threat actors are motivated to utilize every possible angle and tool available to them. The use cases highlight not just geopolitical constellations and shifts thereof, but also the evolution of new actors that (thanks to new opportunities and available resources) can operate side by side and increasingly contribute to a blurring and blending of the “old system”, in which espionage was the stronghold of only nation-state actors. Instead, we are now seeing an overlap of various actors with varying motivations and goals that exist side by side or in mutual coexistence.

The focus on the mobile device also highlights the importance of a proactive security philosophy that is agile and fortifies the mobile frontier adequately. The mobile front doesn’t allow for the luxury of analysing after the event to start thinking about defences. There isn’t enough time. Perhaps one somewhat comforting aspect of the mobile mouse trap, however, is that almost every attack starts with a phishing attempt/social engineering message, and that is where the education would need to begin. Organizations and enterprises alike need to put in the resources to safeguard their employees’ devices and deploy an effective mobile security strategy. Mobile threat defence (MTD) is no easy task[14], seeing as the technology must cover applications, networks and device-level threats to iOS and Android phones as well as other handheld devices to be effective.[15]

The question is not about who will be using these options and exploiting a device as ubiquitous as a smartphone that we forget to protect, or how long it will take more attackers to realize, develop and exploit our negligence. The real question is what it will take to realize the full firepower of the little handheld device. Seeing the first use cases as a part of politico-strategic espionage is only the beginning. It won’t be long until the same tactics will be adopted on larger scales and in enterprise environments. Securing the mobile endpoint must become an imperative not only to executives and businesses, but any user at this point. As the reliance on devices grows, the threat landscape is evolving. Mobile will be cybersecurity’s next main frontier.

[1] Proper securing of handheld devices would mean at the bare minimum secure practices and a cybersecurity solution installed on it.
[2] Some were around for many years, even dating back to 2011.
[3] Also called “Trident Exploit Chain”.
[4] Apple fixed these three vulnerabilities in its 9.3.5 patch.
[5] Shared command/control infrastructure. The structure of GnatSpy is more modular and has additions such as receivers and services. The research team thinks this indicates that it was developed by a skilled author with good software design practices.
[6] According to the researchers, there were seven apps found to actually be AnubisSpy. The apps have been taken down from the Google Play Store.
[7] It can run commands and delete files on the device, as well as install and uninstall Android Application Packages (APKs). The self-destruct command happens when expire_team is reached or on command. The position module retrieves the device’s location and uploads it to the C2 in pre-determined intervals. According to the analysis, the position module was collecting and uploading information every ten minutes.
[8] According to the researchers, seven apps were actually found to be AnubisSpy, and they were in Arabic.
[9] Watering hole attacks/tactics are very often used as stepping stones to conduct espionage attacks. In watering hole attacks, the goal is not to serve malware to as many systems as possible. The attacker instead infects a specifically chosen, usually well-known and trusted resource like a website that potential victims will eventually come to. The ultimate goal is to infect a targeted user’s computer and gain access to the network, a common tactic in targeted attacks.
[10] Such as stealing contacts and accounts registered on the victim device.
[11] The threat actor was using a popular chat app used in South Korea called “KakaoTalk” and social engineering techniques to drop the malware. However, the would-be victim had to go out of their way to download it outside of Google Play.
[12] Technical skills mean the adversary can build custom exploits or find zero-days (undisclosed vulnerabilities) to take advantage of, building a very targeted piece of code that allows him to execute very specific processes without being detected.
[13] The Lazarus group has been found using the mobile platform.
[14] Within an enterprise environment, the task of protecting mobile devices is now more difficult than in a traditional setting because employees exercise more control (often using personal devices), and it’s impractical to try to police every individual, their movements and traffic – the solution must cover applications, networks and device-level threats to iOS and Android phones and tablets to be effective.
[15] Mobile threat defense means first and foremost detecting and then mitigating attacks on mobile devices, e.g. by means of scanning for risky apps and insecure WiFi networks. At a minimum, having a security app installed on the endpoint.

Sources of information

Bejtlich, Richard (2010). What Is APT and What Does It Want?, Tao Security Blog, Online: https://taosecurity.blogspot.com/2010/01/what-is-apt-and-what-does-it-want.html (16.01.2010).
Citizen Lab and Lookout (2016). Sophisticated, persistent mobile attack against high-value targets on iOS, Online: https://blog.lookout.com/trident-pegasus (25.08.2016).
Electronic Frontier Foundation and Lookout (2018). Dark Caracal. Cyber-espionage at a Global Scale, Online: https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf.
Flossman, Michael (2017). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar, Online: https://blog.lookout.com/viperrat-mobile-apt (27.02.2017).
Flossman, Michael (2018). mAPT ViperRAT Found in Google Play, Online: https://blog.lookout.com/viperrat-google-play (16.04.2018).
Genes, Raimund (2015). Targeted Attacks versus APTs: What’s The Difference?, Online: https://blog.trendmicro.com/trendlabs-security-intelligence/targeted-attacks-versus-apts-whats-the-difference/?_=2.203871888.1652628051.1526942729-561099954.1526149945 (14.09.2015).
Perlroth, Nicole (2018). Lebanese Intelligence Turned Targets’ Android Phones Into Spy Devices, Researchers Say. New York Times, Online: https://www.nytimes.com/2018/01/18/technology/lebanese-intelligence-spy-android-phones.html (18.01.2018).
Trend Micro (2017). 2017 Mobile Threats Landscape, Online: https://www.trendmicro.com/vinfo/us/security/research-and-analysis/threat-reports/roundup/2017-mobile-threat-landscape.
Warner, Michael (2014). The Rise and Fall of Intelligence. An International Security History, Georgetown.
Xu, Ecular (2017). New GnatSpy Mobile Malware Family Discovered. Dec 18, Online: https://blog.trendmicro.com/trendlabs-security-intelligence/new-gnatspy-mobile-malware-family-discovered/?_ga=2.252235849.1355112915.1526149945-561099954.1526149945.
Xu, Ecular/Guo, Grey (2017). Cyberespionage Campaign Sphinx Goes Mobile with AnubisSpy. Technical Brief, Online: https://documents.trendmicro.com/assets/tech-brief-cyberespionage-
campaign-sphinx-goes-mobile-with-anubisspy. Han, Inhee (2017). Android Malware Appears pdf (19.12.2017). Linked to Lazarus Crime Group, Online: https:// securingtomorrow.mcafee.com/mcafee-labs/ Further literature and links android-malware-appears-linked-to-lazarus­ Goodman, Marc (2015). Future Crimes. Inside cybercrime-group/ (20.11.2017). the Digital Underground and the Battle for Our Kaspersky Lab (2018). Who’s Who in the Zoo. Connected World, New York. Cyberespionage Operation Targets Android Johnson, Loch/Wirtz, James (2011). Intelligence. Users in the Middle East, Online: https://media. The Secret World of Spies, New York. kasperskycontenthub.com/wp-content/uploads/ Laqueur, Walter (1985). A World of Secrets. The sites/43/2018/05/03114450/ZooPark_for_ Uses and Limits of Intelligence, New York. public_final_edit.pdf (03.05.2018). Krebs, Brian (2014). Spam Nation. The Inside Min, Jaewon (2018a). North Korean Defectors and Story of Organized Cybercrime – from Global Journalists Targeted Using Social Networks and Epidemic to your Front Door, Naperville, IL. KakaoTalk, Online: https://securingtomorrow. Naor, Ido (2017). Breaking The Weakest Link Of mcafee.com/mcafee-labs/north-korean-defec The Strongest Chain, Online: https://securelist. tors-journalists-targeted-using-social-networks­ com/breaking-the-weakest-link-of-the-strongest­ kakaotalk/ (11.01.2018). chain/77562/ (16.02.2017). Min, Jaewon (2018b). Malware on Google Play Washington Post (2012). Zero Day – The Threat Targets North Korean Defectors, Online: https:// in Cyberspace. A Washington Post Special securingtomorrow.mcafee.com/mcafee-labs/ Report, Online: http://www.washingtonpost.com/ malware-on-google-play-targets-north-korean­ investigations/zero-day. defectors/ (17.05.2018).

29