Pocket Spies. Advanced Persistent Espionage Campaigns Go Mobile

SIAK-Journal – Zeitschrift für Polizeiwissenschaft und polizeiliche Praxis

Braganca, Maschenka: Pocket Spies. Advanced Persistent Espionage Campaigns Go Mobile. SIAK-Journal – Zeitschrift für Polizeiwissenschaft und polizeiliche Praxis (3/2018), 19-29. doi: 10.7396/2018_3_B

To cite this article as a source, please use the following details: Braganca, Maschenka (2018). Pocket Spies. Advanced Persistent Espionage Campaigns Go Mobile, SIAK-Journal – Zeitschrift für Polizeiwissenschaft und polizeiliche Praxis (3), 19-29, Online: http://dx.doi.org/10.7396/2018_3_B.

© Bundesministerium für Inneres – Sicherheitsakademie / Verlag NWV, 2018

Note: The printed edition of this article appeared in the print version of the SIAK-Journal, published by Verlag NWV (http://nwv.at). Published online: 12/2018.

Maschenka Braganca, Sr. Program Manager of threat research communications with a security firm.

Mobile advanced persistent threat (APT) campaigns are simply the natural evolution of an attack type. It was just a matter of time before attackers would focus on exploiting a device that is so critical to our digital life. Threat actors always try to be ahead of the game, and advancements in the tactics, techniques and procedures (TTPs) they use shouldn't come as a surprise. While we notice massive changes in the way malware is written and developed, and new techniques pioneered that help leave infiltration unnoticed (hardware-embedded malware, fileless malware, etc.), little attention has been paid to the mobile front, although it certainly is the one electronic device no one can function without. Over the past year, we have been observing how attackers use a device that is so ubiquitous in everyone's daily life, together with the sophistication of serious malware authors that aren't just trying to siphon off a few bucks. This has given rise to what some security researchers classify as a new category of advanced attacks that some even call "Mobile APTs" with a clear nation-state component. APT actors have traditionally operated on PC platforms, but are now rediscovering the mobile segment through evolving tactics. This article will explore these "mobile APTs" and place them in the context of recent changes in the general threat landscape.

Unintentional spy gadgets

Our entire private and professional digital life is happening on the mobile device, from emails to contact lists to mobile banking and security tokens that are required for accessing sensitive information on our primary device, such as the work PC. We carry it around everywhere and read and hear about cyber-related intrusions every day. And we still barely use proper cybersecurity¹ on our mobile devices, even at the executive level.

Threat actors are evolving their tactics and exploiting less-expected avenues for maximum effect. The examples that will be discussed in this article illustrate the introduction of mobile as a key component of the APT world these days, and show how threat actors are moving toward multi-platform APTs. With so-called "mobile APTs", mobile devices are becoming not just targets for espionage campaigns with a political context, but will also very likely become the primary target for any type of intrusion for enterprises as well. Infiltrating an individual's device or a company's doesn't just serve the purpose of stealing data or intellectual property. Many of these highly resourceful, sophisticated threat actors utilize this to leverage a foothold in any company's infrastructure to later target government organizations and/or critical infrastructure. Leveraging the mobile devices of the individuals targeted is now an additional or even quicker pathway to accessing the enterprise environment.

As the threat landscape changes and evolves, it simultaneously creates a dynamic of overlap between threat actors and a blurring of lines between traditional roles and modi operandi. Espionage (or more broadly, intelligence) in its essence used to refer to the ways in which "sovereign powers create, exploit and protect secret advantages against other sovereignties" (Warner 2014, 4). The tools of the trade used for this purpose used to be the nation-state actor's prerogative. Now these same tools are suddenly widely available to a number of threat actors with various – in part, conflicting – agendas.

The dawn of the mobile espionage campaigns

Researchers have been observing mobile malware campaigns that are highly targeted, using social network services and popular apps to deploy the malware (typically spyware) onto the mobile device. The trojanised apps function like the legitimate apps and fulfil their regular functions, but they will divert the user to download a payload. The difficulty lies in figuring out whether an app is legitimate or masquerading. How do you establish anomalous behaviour? How did the mobile apps make it into an official app store? The malicious apps are designed to pass the initial screening and be available in the official app store by bundling most of the malicious functionality into second-stage components that are downloaded only after victims have installed the rogue apps and interacted with them.

In the following passage, a few recent examples of mobile espionage campaigns will be described to illustrate the methods and tactics being used by the various threat actors that have been transitioning and/or expanding into "mobile APTs". Most of these cases use a combination of run-of-the-mill phishing techniques (either via social media, straightforward text messaging or chat apps) to drop the payload on the victim's device, mostly by prompting the user to download an app. Looking through indicators of compromise (IOCs) and malware analysis, the different research teams often thought what they were seeing were low-level threat actors employing relatively simple cyber-espionage tactics, probably for criminal endeavours, but were surprised to discover more purposeful and persistent behaviours in most threat actors. Also, while some incidents initially seemed incidental, some of the campaigns were operational for a lot longer than initially expected.²

Pegasus

Profile:

Discovered in: August 2016.

Functionality: Its functionality can be broken down as follows: Starting with a phishing scheme via SMS, the attack relies on human weakness. Through SMS, the user is prompted to click on a link, which starts the browser and loads a page. Pegasus exploits three critical iOS zero-day³ vulnerabilities that form an attack chain that subverts even the tightly controlled security of the Apple Store and environment.⁴ Once in the device, malware is installed in order to perform the assigned tasks (gathering information, etc.) and maintains persistence to ensure that it stays installed. Pegasus uses encryption to remain stealthy and fly under the radar of traditional security detection tools.

Threat Actor: The security researchers identified NSO Group behind these operations, connecting it to a product that NSO Group sold as "Pegasus solution". NSO Group sells surveillance technology like weaponized software that targets mobile phones and is often characterized as a "cyber-arms dealer". NSO Group was operating on behalf of various clients, among whom were also nation-state clients.

Victims and Targets: The goal of Pegasus was espionage with large-scale geographical reach. Among the victims identified in early reports on this attack were political dissidents and human rights defenders based in UAE, Mexico, Uzbekistan and other countries across the world, but the type of malware used here indicates that any high-value victim could be targeted, in political and corporate settings alike.

Security firm Lookout describes the Pegasus campaign, discovered in 2016, as "the most sophisticated attack" (Citizen Lab and Lookout 2016) they have yet seen on any endpoint (not just on mobile). Like other similar mobile spyware, it takes advantage of the combination of the unique features available with a mobile device (such as 24/7 WiFi, 5G, microphone, video, contact lists, applications, email, SMS, messaging, GPS, etc.). What is special in this case is that in this attack the adversary can effectively jailbreak an iOS device, exploiting three iOS zero-days, and then remain under the radar spying on its victim. A tailor-made exploit sequence for iOS devices (like this one, based on not one but three zero-days) is typically very costly because it is relatively difficult to achieve. Threat actors will typically use this kind of targeted and expensive spyware to attack "high-value" individuals who give them the […] highlights the susceptibility to high-level (corporate) espionage.

ViperRAT

Profile:

Discovered in: February 2017.

Functionality: ViperRAT has been specifically designed to exfiltrate information of high value from compromised devices. It comes in two variants. As is often the case, social engineering is at the beginning of this attack. The victims were contacted via social media by good-looking women from Western countries to lure the user into downloading a trojanised app disguised as a chat or game app. This app will do some basic profiling of the device and then download the second component/variant of ViperRAT that has a more comprehensive surveillance and intelligence gathering function. It includes a dropper which, in order to be installed, requires the user to grant permissions and can then exfiltrate image data and audio content and use the device camera. In 2018, samples belonging to this mobile malware family resurfaced as chat apps in the Google app store (Flossman 2018; Flossman 2017). ViperRAT has been operating since late 2015 and was likely used as a test application at first.

Threat Actor: There are many theories about potential threat actors, but no conclusive evidence that could point toward one specific actor with a fair amount of certainty. What can be said is that research indicates the actor behind it has a well-developed cyber-capability as well as an active interest in the geopolitics of the Middle East.
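The article's central defensive question is how to tell a legitimate chat or game app from a trojanised one that bundles a second-stage dropper and then asks for camera, microphone, storage and network access. The following Python script is an added example, not code from the article or from any of the researchers it cites: it triages Android manifests by comparing the declared permission profile against what the app's advertised category plausibly needs, and flags the dropper-plus-network combination that a second-stage download requires. The permission strings are real Android permission constants; the capability grouping, the per-category expectations, the risk thresholds and the three sample manifests are this example's own assumptions and constructed inputs, not real malware artefacts.

```python
"""Permission-profile triage for Android app manifests (added example).

Constructed samples only; the grouping and thresholds are illustrative
choices, not a published detection rule.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission names, grouped into capabilities a defender weighs.
# The grouping itself is an assumption of this example.
CAPABILITIES = {
    "exfil_channel": {"android.permission.INTERNET"},
    "camera": {"android.permission.CAMERA"},
    "microphone": {"android.permission.RECORD_AUDIO"},
    "stored_media": {"android.permission.READ_EXTERNAL_STORAGE",
                     "android.permission.READ_MEDIA_IMAGES"},
    "messaging": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "location": {"android.permission.ACCESS_FINE_LOCATION"},
    "second_stage_install": {"android.permission.REQUEST_INSTALL_PACKAGES"},
    "persistence": {"android.permission.RECEIVE_BOOT_COMPLETED"},
}

# What an app of a given advertised category plausibly needs (assumption).
EXPECTED_FOR_CATEGORY = {
    "chat": {"exfil_channel", "camera", "microphone", "contacts", "stored_media"},
    "game": {"exfil_channel"},
}


def declared_permissions(manifest_xml):
    """Return the set of <uses-permission android:name=...> values."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def capability_profile(manifest_xml):
    """Map declared permissions onto the capability groups above."""
    perms = declared_permissions(manifest_xml)
    return {cap for cap, names in CAPABILITIES.items() if perms & names}


def triage(manifest_xml, category):
    """Score one manifest against its advertised category.

    'excess' lists capabilities the category does not plausibly need;
    'flags' names combinations that match the second-stage pattern the
    article describes (network access plus the right to install packages,
    boot persistence, silent SMS/location collection).
    """
    caps = capability_profile(manifest_xml)
    excess = caps - EXPECTED_FOR_CATEGORY.get(category, set())
    flags = set()
    if {"exfil_channel", "second_stage_install"} <= caps:
        flags.add("second_stage_dropper")
    if "persistence" in caps:
        flags.add("boot_persistence")
    if {"exfil_channel", "messaging", "location"} <= caps:
        flags.add("silent_collection")
    if "second_stage_dropper" in flags or len(excess) >= 3:
        risk = "high"
    elif excess:
        risk = "medium"
    else:
        risk = "low"
    return {"capabilities": sorted(caps), "excess": sorted(excess),
            "flags": sorted(flags), "risk": risk}


def manifest(package, *permissions):
    """Build a minimal AndroidManifest.xml string (constructed sample)."""
    lines = ['<manifest xmlns:android="http://schemas.android.com/apk/res/android"'
             f' package="{package}">']
    lines += [f'  <uses-permission android:name="{p}"/>' for p in permissions]
    lines += ['  <application/>', '</manifest>']
    return "\n".join(lines)


# Constructed samples: package names and permission sets are hypothetical.
BENIGN_CHAT = manifest("com.example.videochat",
                       "android.permission.INTERNET", "android.permission.CAMERA",
                       "android.permission.RECORD_AUDIO", "android.permission.READ_CONTACTS")
TROJANISED_CHAT = manifest("com.example.chatlure",
                           "android.permission.INTERNET", "android.permission.CAMERA",
                           "android.permission.RECORD_AUDIO",
                           "android.permission.READ_EXTERNAL_STORAGE",
                           "android.permission.READ_SMS",
                           "android.permission.ACCESS_FINE_LOCATION",
                           "android.permission.REQUEST_INSTALL_PACKAGES",
                           "android.permission.RECEIVE_BOOT_COMPLETED")
TROJANISED_GAME = manifest("com.example.puzzlelure",
                           "android.permission.INTERNET", "android.permission.RECORD_AUDIO",
                           "android.permission.READ_CONTACTS")

if __name__ == "__main__":
    for name, xml, cat in [("benign chat", BENIGN_CHAT, "chat"),
                           ("trojanised chat", TROJANISED_CHAT, "chat"),
                           ("trojanised game", TROJANISED_GAME, "game")]:
        r = triage(xml, cat)
        print(f"{name:16} risk={r['risk']:6} excess={r['excess']} flags={r['flags']}")
```

The benign video-chat sample scores low even though it holds camera and microphone access, which is exactly the article's point: those permissions alone do not separate a spy app from a real one. What separates the trojanised chat sample is the combination of network access with the right to install packages (the second-stage dropper), boot persistence, and SMS plus location collection that a chat client has no reason to request. Manifest triage of this kind narrows the candidate set for manual or dynamic analysis; it cannot see the second-stage component that is only fetched after installation.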
