What malicious campaign is lurking under the surface? [Research Saturday]

Bonus episode, released Saturday, 30th July 2022

Episode Transcript

Transcripts are displayed as originally observed. Some content, including advertisements may have changed.

0:00

welcome to the CyberWire Research

0:02

Saturday podcast, brought to you in

0:04

part by our title sponsor the

0:06

cybersecurity inside podcast

0:09

visit one

0:21

hello everyone and welcome to the cyber

0:23

Wire's Research Saturday. I'm

0:25

Dave Bittner, and this is our weekly conversation

0:28

with researchers and analysts tracking

0:30

down the threats and vulnerabilities solving

0:33

some of the hard problems of protecting ourselves

0:35

and our method me evolving

0:46

research was exposed obscuring

0:48

and it's response to a twenty

0:50

two, Winnti, super

0:52

interesting for us because as we

0:55

did he a number of different ah

0:57

IR engagements across

1:00

manufacturing healthcare organizations

1:02

and is a couple of other verticals renewed a similarity

1:06

similarity patterns of behavior that's

1:08

Israel Barak. Israel is Chief Information

1:10

Security Officer at Cybereason.

1:13

the research we're discussing today is titled

1:15

Operation CuckooBees: Cybereason

1:17

Uncovers Massive Chinese

1:19

Intellectual Property Theft Operation.

1:31

And now a word from our title sponsor,

1:34

the cyber security inside podcast

1:37

we all know the importance of cyber security

1:39

but are you up to date on the latest news

1:42

with so much that continues to change

1:44

and evolve you should check out the cyber

1:46

security inside podcast

1:49

hosts Tom Garrison and Camille Morhardt

1:51

make it easy to understand today's

1:53

most important security and technology topics

1:56

the cyber security inside podcast

1:59

brings in industry leaders to help all

2:01

of us learn about the world of cyber security

2:04

in , what that means with camille

2:06

episodes subject matter experts

2:08

cover the newest technology like confidential

2:10

computing and trusted execution environments

2:13

the ambient era of computing threat

2:15

detection and much much more with

2:18

every episode you'll walk away smarter

2:20

about cybersecurity and have fun

2:22

while you're at it check out cyber

2:24

security inside dot com slash

2:27

research saturday today research

2:29

saturday to the latest episode that's

2:31

cyber security inside dot

2:33

com slash research saturday

2:36

or search for cyber security

2:38

inside wherever you listen to podcasts

2:41

and we thank the Cyber Security Inside

2:43

podcast for sponsoring our show

2:51

Synack red team mission data shows

2:54

that a once a year pen test is no longer

2:56

adequate to protect sensitive missions

2:58

or meet most compliance requirements

3:01

government agencies deserve a better

3:03

way to pen test, one that scales

3:06

to find vulnerabilities that matter most

3:08

go to synack dot com slash

3:11

government today. Your

3:13

better way to pen test in the Synack

3:15

FedRAMP Moderate environment. That's

3:18

s y n a c k dot

3:20

com forward slash government

3:23

and we thank Synack for making it possible

3:25

to bring you research saturday

3:29

well

3:33

let's walk through it together. Can we go

3:35

through step by step of exactly

3:38

who these folks are and the methods that they

3:40

used to or to do the things they

3:42

do

3:43

two am absolutely in the

3:45

the data we have basically shows

3:47

that the saddest campaign and

3:50

that we dubbed CuckooBees, and

3:52

we are attributing to a Chinese

3:55

state-sponsored actor that is

3:57

otherwise called Winnti

3:59

or APT41, since

4:01

at least 2019, specifically

4:05

targeted manufacturers in

4:07

the US, in Europe and

4:09

Asia, and in the

4:11

defense and aerospace, energy,

4:13

biotech and pharma sectors.

4:17

The overarching goal of

4:19

the campaign was basically

4:21

stealing sensitive documents,

4:24

blueprints formulas manufacturing

4:26

really proprietary data. Some

4:29

, that we've we've seen during

4:31

the incident response investigations include

4:34

design and manufacturing information related

4:37

to specific engine parts and airplane

4:39

parts. So that was the

4:41

overarching goal of the operation.

4:44

Can we walk through some of the techniques

4:46

that they're using to get into systems?

4:49

the first thing that we are we

4:51

identified as we sort of untangled

4:53

vr the process here is

4:56

, the initial access

4:59

that was done nom was than into

5:01

these targets networks was

5:03

typically through the exploitation of vulnerabilities,

5:07

and , ah nerve i'm

5:10

so these vulnerabilities at the time were

5:13

known vulnerabilities that were just unpatched

5:15

by the users of the ERP, so

5:18

since some the more unknown ah

5:21

or zero-day vulnerabilities,

5:24

when , were able to compromise

5:27

the ERP systems, and they were able to gain

5:29

that initial access into the ERP

5:31

systems. The next stage

5:33

was usually to establish some sort of

5:35

persistence mechanism that would allow

5:37

them to keep coming

5:39

back in and out. The most common

5:41

technique that we observed was the use

5:43

of an ASPX

5:46

that they, yeah, basically embedded in

5:49

ERP web application servers, so

5:52

they created they facade nem

5:56

communicating from an external network

5:58

with a legitimate, with the

6:00

ERP. Basically they were

6:03

able to send commands to

6:05

those systems that that

6:07

system then executed for them

6:10

in the target's environment. That was the

6:12

way to get back to get in and out

6:15

that was the interesting thing for

6:17

us i think it's we

6:19

often think about the different ways attackers

6:22

particularly APT41,

6:24

are able to find that

6:27

access and sometimes

6:29

sometimes it's targeting individuals,

6:32

sometimes it's targeting the supply chain in

6:34

here i think we see another common example

6:37

of how an adversary like this, that is

6:39

a state adversary,

6:42

, developing proprietary

6:44

zero-day software vulnerabilities that

6:47

enable them to gain that initial access and to

6:50

organizations where they're soft responses

6:53

Can you give us a little bit of the

6:55

background on Winnti themselves?

6:57

I mean, is this in line with what we're

6:59

used to seeing from them, and what sort

7:01

of tools do they have in their arsenal?

7:03

It does align with the overarching

7:05

method of operation that we've seen

7:08

from Winnti. Winnti is, as a group,

7:11

existence for at least have

7:13

documented record us

7:15

as at least twenty or least ten

7:18

and they're believed to be operating on behalf

7:21

of operating on so state interests

7:23

and these state i specifically in

7:26

cyber espionage and

7:28

intellectual property

7:30

theft. That's sort of their known

7:32

and industry as sort of east princess

7:34

as of technology secrets z

7:38

pizza to use them this operation so

7:40

the more known techniques

7:43

operation, the use of software

7:46

vulnerabilities, web shells,

7:48

et cetera ask for this group

7:50

soon the more a lesser known to so

7:53

for example

7:54

one of the things that they used to

7:58

stay, sort of, fly under the

8:01

radar inside the

8:03

target's network, and to stay for

8:05

his say that section for a long period

8:07

of time to suppress contributed some

8:10

those target networks for almost

8:12

three years and so on the techniques

8:14

that they used to sort of fly under the radar and evade

8:16

detection, which we haven't seen

8:19

from them before is a

8:21

rare abuse of the Windows

8:23

CLFS, which is a Common

8:25

Log File System. It's

8:27

basically a subsystem in Windows

8:30

that is primarily designed

8:32

to hold

8:34

system logging

8:36

information, and they use that

8:38

mechanism to store

8:41

payloads, the way that

8:43

they persisted pieces of malware that they

8:46

were using, um, in a way that

8:48

most that most technologies

8:51

or in an area where most security technologies

8:53

actually don't really scan or really look

8:55

into. Interesting.

8:57

so this is a hell of an area where the

8:59

system keeps them logs and answered

9:02

by putting their own stuff there oh

9:04

to the scanners there was nothing to see

9:06

here exactly exactly and

9:08

that was so that was it that was in

9:10

this very rare, it seems

9:12

something that we haven't seen from this specific

9:15

group in the past, and

9:17

the was in this in think we're at the was

9:19

enough similarity between

9:22

some of the techniques they used in

9:24

operations in the past for

9:26

us to be able to attribute that operation

9:29

to that group with a fairly

9:31

high level of confidence. You

9:34

mentioned that this group was

9:36

able to stay within networks for

9:38

multiple years in some cases what

9:40

ultimately led to their discovery in

9:42

this case? So

9:45

in some cases, some of these

9:47

engagements, so we got called into some

9:49

incident responses. One of

9:51

the things that ultimately

9:54

triggered the suspicion of the

9:56

organization was the amount of data that

9:58

was being exfiltrated.

9:59

i'm

10:01

and so i'm

10:04

over the years, this

10:06

adversary was able to collect

10:08

from these organizations hundreds

10:11

of gigabytes, and sometimes more,

10:13

of proprietary design documents,

10:16

manufacturing procedures, blueprints,

10:18

et cetera, et cetera.

10:20

In some cases it raised

10:23

suspicion that something is putting

10:25

them that the organization

10:28

or the defender was just not aware of. We

10:30

got called in to these engagements and

10:32

were able to sort of unravel

10:34

that chain

10:36

of events that led to it.

10:38

What are your recommendations then, I mean, for

10:40

organizations to best protect

10:43

themselves from an APT

10:45

group like Winnti, that sort of thing?

10:47

so they haven't finished the a

10:49

great question. So on the one

10:51

hand the first thing that we we recommend

10:54

you know, is always, we always

10:56

need to get better at the basics,

10:59

right, in making sure that we

11:01

we know our networks and we understand

11:03

what assets we have what's the status

11:05

of security hygiene in

11:07

our networks, and do we have enough

11:11

security posture.

11:14

Always, I think, the best practice regardless

11:17

of the threat or risk scenario,

11:19

medicaid that's a field

11:21

day. When you're dealing with a threat actor like this,

11:23

this actor is a far more sophisticated

11:26

adversary than what you'd typically find

11:28

in the ecosystem. They

11:30

always have a way to find initial

11:33

access into an organization whether

11:35

it is compromising an individual that

11:37

has access to the network, whether

11:39

it's compromising the supply chain. The

11:43

adversary spends weeks,

11:46

months sometimes years trying

11:48

to get initial access to its targets,

11:50

and eventually they may make it, despite

11:53

our best efforts in in security posture

11:56

and that's the reality. It's one

11:58

of those things that we need to

12:00

really get better at is proactively

12:04

threat hunting. This is the sort

12:06

of a low-and-slow operation, and

12:09

so we we need to adapt

12:11

a proactive

12:13

threat hunting

12:15

strategy. We need to be able to

12:18

look across the data, or

12:20

across the data in our enterprises,

12:23

endpoint, network, identity

12:26

and access, and other security

12:28

systems, and when we

12:30

look for patterns had these

12:33

chains of behaviors that may, you

12:36

know, in and of themselves look legitimate, but

12:38

when you look at the chain of events

12:41

over time they expose

12:43

a certain sense that is indicative of

12:45

malicious activity and that's something

12:47

that often tends to evade real

12:50

time detection or prevention

12:52

mechanisms but when you adopt

12:54

a threat hunting mindset and

12:56

you can analyze data in patterns over time

12:59

specifically looks at those chains of behaviors,

13:02

you're able to expose those low-and-slow

13:04

operations relatively

13:06

early in the life cycle

13:09

and avoid the majority of the impact you

13:11

Is that something that is available

13:14

to those small and medium sized businesses

13:16

out there, who, you know, are

13:18

dealing with limited budgets? Are

13:21

there ways that they can use those kinds

13:23

of approaches? There is, I

13:26

think today there are a number of a number

13:28

of segments in the market that offer

13:30

these type of capabilities when you look at

13:33

detection and response capabilities,

13:36

the EDR space, the

13:38

endpoint detection and response space, the

13:40

XDR space, extended detection and

13:42

response. I think you're seeing a growing set

13:45

of technologies and solutions that

13:48

are focused on automating the

13:50

vast majority of the

13:52

process, augmenting

13:55

the experts in analyzing

13:57

that data and understanding

13:59

what this means from a threat perspective. I

14:02

, the other resource that is becoming

14:04

very very accessible for enterprises

14:07

of all sizes is

14:10

an analysis done by

14:12

the MITRE organization

14:14

on an annual basis. MITRE is

14:17

an organization which is a non

14:19

profit

14:22

prime organization a deal with a contractor

14:25

that basically runs an annual exercise

14:28

that is emulating various

14:30

adversaries and is evaluating

14:32

different approaches and technologies in

14:35

the market and their ability to detect

14:37

those minute changes in behaviors

14:39

and chains of behaviors, and expose the

14:42

type of that type of found that

14:44

set the most recent progress

14:46

and that information is publicly available

14:49

on the MITRE website, that

14:51

basically describes what their observations

14:53

are and what technologies and capabilities

14:55

enable enterprises of all sizes

14:58

to adopt that sort of

15:00

approach. It really is

15:02

an interesting situation we find ourselves

15:04

in. I mean, a group like Winnti,

15:07

they're not going anywhere. They're

15:09

well funded, they're globally

15:11

insulated ah it's something

15:13

that we're gonna have to deal with for

15:16

the foreseeable future

15:19

Right. You know, one

15:21

of the things that I think is interesting in

15:23

this sam the sir in

15:25

this incident that we reported

15:27

on, is that we briefed the FBI

15:30

and the DOJ as part of the

15:33

investigation and if you recall vs design their

15:35

ads on the twenty twenty false reports

15:38

and twenty ninth from the cold out for

15:40

the chinese aggressive as a sponsor

15:42

electoral sponsor and ,

15:45

process in damn

15:48

One aspect of the CuckooBees incidents

15:50

shows that despite the

15:53

diplomatic in another thread

15:55

to prove that behavior that

15:57

sassy thread say right at least as it pertains

15:59

to our domestic economy,

16:02

that the aggressive intellectual property theft

16:04

infringement strategy may have not

16:07

really changed much.

16:10

The other thing that I think is interesting

16:12

to note about these types of

16:14

of adversaries it is that

16:18

the way we need to reframe what

16:20

a win strategy is, what is

16:22

deterrence against these types of adversaries.

16:27

because, as I mentioned, you

16:29

hit the nail on the head. This set of

16:31

adversary will not stop

16:34

trying to get into its targets'

16:37

network just because that target

16:39

has good security in place

16:42

The reason is that they have no motive

16:44

to stop. That target has something

16:47

to lose, and there is really no

16:49

price, no risk

16:51

for them to pay for trying again and again and

16:53

again so there's no reason why we went

16:55

to high maintenance

16:57

and the interesting thing and

17:00

when you when you try to counter the operation

17:02

as some defenders point when

17:05

you turn a corner against that type of

17:07

adversary, the win strategy

17:10

is not to make

17:13

sure that they never

17:15

come back. The win strategy is

17:17

to make sure that you increase the

17:20

time intervals in which

17:22

they come back. So instead of, last

17:24

time you pushed them out the first time, usually

17:26

what you'll see is a comeback after a couple of

17:29

weeks. You push

17:31

them out a second time, they usually try to come back,

17:35

and as you are running the right program, the

17:37

right strategy for your seized

17:39

you can dramatically increase that time

17:41

and resources, so instead of coming back

17:43

every few weeks, they come back

17:45

every few months. The

17:48

reason is, when you get very,

17:50

very good at exposing what they're doing

17:52

in your network, you increase the

17:54

price for them, because

17:57

when you exposed and listen to offers and by

17:59

was part of the the now behind us

18:01

making this information public. When

18:03

you expose the method of operation, you

18:06

dramatically increase their price,

18:08

because now they need to rebuild in

18:11

order to start executing, and that

18:14

is expensive, and something that

18:16

the two of my friends friends

18:19

is an expensive price to pay

18:21

for targeting a target that is

18:23

sophisticated, a target that could expose

18:26

that operation, which then impacts

18:28

other operations they have.

18:31

And so when you run an effective operation

18:33

of detection and response investigation,

18:36

you're able to create a certain form of

18:38

deterrence against a threat actor

18:40

like that, that will manifest itself

18:43

in the increase in the time

18:46

intervals in which they will come back. So

18:48

make sure to build a very meticulous

18:50

roadmap before they come back.

19:05

Thanks to Israel Barak from Cybereason

19:07

for joining us. The research is titled

19:10

Operation CuckooBees: Cybereason

19:12

Uncovers Massive Chinese Intellectual

19:14

Property Theft Operation. We'll

19:16

have a link in the show notes.

19:20

thanks to the cyber security inside podcast

19:22

for their sponsorship visit cyber

19:25

security inside dot com slash

19:27

research saturday or search

19:29

for cyber security inside wherever

19:32

you listen to podcasts thanks

19:35

to Synack for their sponsorship. Government

19:37

agencies deserve a better way to pen test,

19:40

and the red team at Synack applaud your

19:42

mission to find the vulnerabilities that

19:44

matter most learn more at

19:46

synack dot com slash government

19:51

the cyber wire podcast is proudly produced

19:53

in Maryland at the startup studios of

19:55

DataTribe, where they're co-building the next

19:57

generation of cyber security teams

19:59

and technology

19:59

Our amazing CyberWire

20:02

team is Rachel Gelfand, Liz Irvin,

20:04

Elliott Peltzman, Tre Hester,

20:06

Brandon Karpf, Eliana White,

20:08

Puru Prakash, Justin Sabie, Tim

20:10

Nodar, Joe Carrigan, Carole Theriault,

20:12

Ben Yelin, Nick Veliky, Gina

20:14

Johnson, Bennett Moe, Chris Russell,

20:17

John Petrik, Jennifer Eiben, Rick

20:19

Howard, Peter Kilpe, and I'm Dave Bittner.

20:21

thanks for listening we'll see you

20:23

back here next week
