Episode Transcript
0:00
welcome to the CyberWire Research
0:02
Saturday podcast, brought to you in
0:04
part by our title sponsor the
0:06
Cyber Security Inside podcast
0:09
visit one
0:21
hello everyone and welcome to the CyberWire's
0:23
Research Saturday i'm
0:25
Dave Bittner and this is our weekly conversation
0:28
with researchers and analysts tracking
0:30
down the threats and vulnerabilities solving
0:33
some of the hard problems of protecting ourselves
0:35
and our method me evolving
0:46
research was exposed obscuring
0:48
and it's response to a twenty
0:50
two when he , super
0:52
interesting for us because as we
0:55
did he a number of different ah
0:57
i are engagements cross
1:00
manufacturing healthcare organizations
1:02
and is a couple of other verticals renewed a similarity
1:06
similarity patterns of behavior that's
1:08
Israel Barak is chief information
1:10
security officer at Cybereason
1:13
the research we're discussing today is titled
1:15
Operation CuckooBees: Cybereason
1:17
uncovers massive Chinese
1:19
intellectual property theft operation
1:31
and now a word from our title sponsor
1:34
the Cyber Security Inside podcast
1:37
we all know the importance of cyber security
1:39
but are you up to date on the latest news
1:42
with so much that continues to change
1:44
and evolve you should check out the cyber
1:46
security inside podcast
1:49
hosts Tom Garrison and Camille Morhardt
1:51
make it easy to understand today's
1:53
most important security and technology topics
1:56
the cyber security inside podcast
1:59
brings in industry leaders to help all
2:01
of us learn about the world of cyber security
2:04
in , what that means with camille
2:06
episodes subject matter experts
2:08
cover the newest technology like confidential
2:10
computing and trusted execution environments
2:13
the ambient era of computing threat
2:15
detection and much much more with
2:18
every episode you'll walk away smarter
2:20
about cybersecurity and have fun
2:22
while you're at it check out cyber
2:24
security inside dot com slash
2:27
research saturday today research
2:29
saturday to the latest episode that's
2:31
cyber security inside dot
2:33
com slash research saturday
2:36
or search for cyber security
2:38
inside wherever you listen to podcasts
2:41
and we thank the Cyber Security Inside
2:43
podcast for sponsoring our show
2:51
Synack red team mission data shows
2:54
that a once a year pen test is no longer
2:56
adequate to protect sensitive missions
2:58
or meet most compliance requirements
3:01
government agencies deserve a better
3:03
way to pen test, one that scales
3:06
to find vulnerabilities that matter most
3:08
go to Synack dot com slash
3:11
government today government today your
3:13
better way to pen test in the Synack
3:15
FedRAMP moderate environment that's
3:18
s y n a c k dot
3:20
com forward slash government
3:23
and we thank Synack for making it possible
3:25
to bring you research saturday
3:29
well
3:33
let's walk through it together can can we go
3:35
through step by step of exactly
3:38
who these folks are and the methods that they
3:40
used to or to do the things they
3:42
do
3:43
two am absolutely in the
3:45
the didn't we have basically shows
3:47
that the saddest campaign and
3:50
, that we dumped kirby's in
3:52
worry in worry submitting to a chinese
3:55
state sponsored actor that as
3:57
others call Winnti
3:59
or APT41 certain
4:01
at least the and twenty ninth specifically
4:05
targeted manufactured in
4:07
the as seats in europe and
4:09
asia and , in the
4:11
defense and aerospace energy
4:13
biotech and pharma sectors
4:17
or any appreciable cool of
4:19
the campaign was basically
4:21
stealing says to those are documents
4:24
blueprints formulas manufacturing
4:26
really a proprietary data some
4:29
, that we've we've seen during
4:31
the incident response and investigations include
4:34
design and manufacturing information related
4:37
to specific engine parts engine an airplane
4:39
parts so that was other
4:41
was other overarching goal of the operation
4:44
can we walk through some of the techniques
4:46
as they're using to get into systems
4:49
the first thing that we are we
4:51
identified as we sort of untangled
4:53
vr the process here is
4:56
, the initial access
4:59
that was done nom was than into
5:01
these targets networks was
5:03
typically through the exploitation of vulnerabilities
5:07
and , ah nerve i'm
5:10
so these vulnerabilities at the time were
5:13
known vulnerabilities that were just untouched
5:15
by the users of the of year so
5:18
since some the more unknown ah
5:21
or zero day vulnerabilities of
5:24
when , were able to compromise
5:27
the ERP systems and they were able to gain
5:29
that initial access into the ERP
5:31
systems the next stage
5:33
was you see to establish some sort of
5:35
persistence were mechanism that would allow
5:37
them to to coming
5:39
back in and out the most common
5:41
technique that we observed was the use
5:43
of am a tsp a
5:46
that day yeah basically embedded in
5:49
ERP web application servers so
5:52
they created they facade nem
5:56
communicating from an excellent work
5:58
with a legitimate with them
6:00
ERP a basically they were
6:03
able to send commands to
6:05
those systems that that
6:07
system than executed for them the
6:10
in the target's environment there was the the
6:12
way to get back to get in and out
6:15
that was that lynch thing thing for
6:17
us i think it's we
6:19
often think about the different ways attackers
6:22
, twenty five already APT41
6:24
are able to find that that
6:27
access and sometimes
6:29
me though it's sad it's targeting individuals
6:32
sometimes it's targeting the supply chain in
6:34
here i think we see another common example
6:37
of how an adversary like said that as
6:39
a state a adversary
6:42
, developing proprietary
6:44
zero-day software vulnerabilities that
6:47
enable them to gain that initial access and to
6:50
organizations where they're soft responses
6:53
then you give us a little bit of the
6:55
background on Winnti themselves
6:57
i mean is is this a line with what we're
6:59
used to seeing from them and what sort
7:01
of tools to they have in their arsenal
7:03
it it does align with the over arching
7:05
method of operation that were you seen
7:08
from Winnti. Winnti is is as a group
7:11
existence for at least have
7:13
documented record us
7:15
as at least twenty or least ten
7:18
and they believed to and operating on behalf
7:21
of operating on so state interests
7:23
and these state i specifically in
7:26
cyber espionage in the
7:28
intellectual property
7:30
says that sort of their their known
7:32
and industry as sort of east princess
7:34
as of technology secrets z
7:38
pizza to use them this operation so
7:40
the more known techniques
7:43
operation the use of software
7:46
vulnerabilities, web shells
7:48
et cetera ask for this group
7:50
soon the more a lesser known to so
7:53
for example
7:54
one of the things that they used to
7:58
states sort of fly under the
8:01
radar inside the
8:03
target snow akin to stay for
8:05
his say that section for a long period
8:07
of time to suppress contributed some
8:10
those target networks for almost
8:12
three years and so on the techniques
8:14
that they used to sit fly under the radar innovate
8:16
accidents which we haven't seen
8:19
from them before is a
8:21
rare abuse of the Windows
8:23
CLFS, which is a Common
8:25
Log File System you're
8:27
basically it's sad to see string windows
8:30
that as a primarily designed
8:32
to to our whole damn
8:34
system logging system logging logic
8:36
information and they use that
8:38
mechanism store
8:41
pillow the way that
8:43
piece distant pieces of malware that they were there
8:46
were using i'm in a way that
8:48
most that most technologies
8:51
or in an area where most security technologies
8:53
actually don't really scared of really looked
8:55
into interesting
8:57
so this is a hell of an area where the
8:59
system keeps them logs and answered
9:02
by putting their own stuff there oh
9:04
the to the scanners that was nothing to see
9:06
here exactly exactly and
9:08
that was so that was it that was in
9:10
this very rare to me seems
9:12
silly something that we haven't since this picture
9:15
group in , past and
9:17
the was in this in think we're at the was
9:19
enough some similarity between
9:22
some that six weeks if they used in
9:24
operations at the rim at past for
9:26
us to be able to attribute that operation
9:29
to add to that group with add fairly fairly
9:31
high level of confidence you
9:34
mention that that this group for was
9:36
able to stay within networks for
9:38
multiple years in some cases what
9:40
ultimately led to their discovery in
9:42
this case so
9:45
in the in sony says some these
9:47
engagements so we got called into some is
9:49
incident responses one ,
9:51
the things that ultimately
9:54
triggered said the suspicion of the
9:56
organization was the amount of data there
9:58
was being exfiltrated
9:59
i'm
10:01
and so i'm
10:04
over over the years the service
10:06
adversary was able to collect
10:08
from so these organizations hundreds
10:11
of gigabytes and some some more
10:13
of , property design documents
10:16
manufacturing procedures blueprints
10:18
et cetera et cetera cetera
10:20
the in in some cases it raised
10:23
suspicion that something is putting
10:25
them that the organization
10:28
or the defender was just not aware not we
10:30
i called in to these these engagements and
10:32
were able to sort of unravel
10:34
that that of scene
10:36
of events that led to
10:38
what are your recommendations then a mean for
10:40
organizations to best protect
10:43
themselves from an APT
10:45
group like Winnti was sort of thing
10:47
so they haven't finished the a
10:49
great question says on the one
10:51
hand the first thing that we we recommend
10:54
you know is always is always we always
10:56
only get better fed into into basics
10:59
rights in making sure that we
11:01
we know our networks and we understand
11:03
what assets we have what's the status
11:05
of security hygiene is in
11:07
our networks and we do have enough
11:11
to , security posture posture
11:14
always i think the best practice regardless
11:17
practice a threat or rescue ten
11:19
medicaid that's a field
11:21
day when you're dealing with a threat actor like this
11:23
actor is a far more sophisticated
11:26
adversary than what you'd typically find
11:28
what the ecosystem the
11:30
always have a way to find initial
11:33
access into an organization whether
11:35
it is compromising an individual that
11:37
has access to add to the network whether
11:39
it's compromising the supply chains of
11:43
adversary and spends weeks
11:46
months sometimes years trying
11:48
to get initial access suits targets
11:50
eventually made the meat of it despite
11:53
our best efforts in in security posture
11:56
and six reality it's one
11:58
of those one of those things that we me to
12:00
really get better in are proactively
12:04
freddy scratch read this is the sort
12:06
of a low and slow operation is
12:09
so we we need to adapt
12:11
as pro active as
12:13
, present thing prone
12:15
stray we need to be able to to
12:18
across the data or
12:20
added across the data in our inner promises
12:23
and pointed network pointed identity
12:26
and access and other sets of security
12:28
sets them and for when we
12:30
look for patterns had these
12:33
scenes of behaviors that me you
12:36
know in of themselves look legitimate but
12:38
, you look at the scene of a sense
12:41
over time they expose
12:43
a similar sense that is indicative the
12:45
malicious activity and that's something
12:47
that often tends to evade real
12:50
time detection or prevention
12:52
mechanisms but when you adopt
12:54
a threat hunting mindset and
12:56
you can analyze data in patterns over time
12:59
specifically books to those scenes of behaviors
13:02
you're able to expose those moments slow
13:04
operations related
13:06
the early in the life cycle
13:09
and avoid the majority of the impact you
13:11
said something that is available
13:14
to those small and medium sized businesses
13:16
out there it's who you know who we're
13:18
dealing with limited budget sir are
13:21
there ways that they can use those kinds
13:23
of approaches there is a
13:26
think today there are a number of a number
13:28
of us segments and markets had offered
13:30
these type of capabilities when you look at
13:33
detection and response capabilities
13:36
the EDR space or the
13:38
endpoint detection and response piece, or the
13:40
XDR space and that detection
13:42
response to think you're seen a growing a
13:45
of technologies and solutions that
13:48
are suppressed on automating the
13:50
vast majority of vast majority
13:52
process augment on
13:55
that are experts and analyzing
13:57
that data and understanding
13:59
what these from a threat perspective i
14:02
, the other resource that is becoming
14:04
very very accessible for enterprises
14:07
of all sizes is
14:10
an analysis done by ah
14:12
the MITRE organization
14:14
when , annual basis bruce is made
14:17
of organization which is a non
14:19
profit profit
14:22
prime organization a deal with a contractor
14:25
the basically run at an annual exercise
14:28
that is emulating very that
14:30
as series and is evaluating
14:32
different approaches and six dollars is in
14:35
the market and their ability to detect
14:37
those minute changes and behaviors
14:39
and change of ears and expose the
14:42
type of that type of found that
14:44
set the most recent progress
14:46
and so on that information publicly available
14:49
on the MITRE web site that
14:51
have since he describes what their observations
14:53
are and what technologies and capabilities
14:55
and i'm able enterprise has ruined our scientists
14:58
who went up to step of the
15:00
stuff of approach it really is
15:02
an interesting situation we find ourselves
15:04
in the demeanor a group like Winnti
15:07
they're not going anywhere their their
15:09
well funded of the a globally
15:11
insulated ah it's something
15:13
that we're gonna have to deal with for
15:16
the foreseeable future
15:19
green you know what full
15:21
of the things that things think is interesting and
15:23
this sam the sir in
15:25
this incident that we we reported
15:27
on this and we briefed the FBI
15:30
am a deal would say of ,
15:33
investigation and if you recall vs design their
15:35
ads on the twenty twenty false reports
15:38
and twenty ninth from the cold out for
15:40
the chinese aggressive as a sponsor
15:42
electoral sponsor and ,
15:45
process in damn
15:48
sick one aspect of the CuckooBees incidents
15:50
aspect shows that despite that
15:53
diplomatic in another thread
15:55
to prove that behavior that
15:57
sassy thread say right at least as it pertains
15:59
who are domestic economy
16:02
that a crescent intellectual property zest
16:04
infringement strategy may have not
16:07
really taste months
16:10
the other thing as sexy as is interesting
16:12
to note about these type of these sets
16:14
of adversaries it is that
16:18
the way we need to refrain what
16:20
a when strategy is flat as
16:22
disinterest against these agencies adversaries
16:27
because a message you you
16:29
you hit the nail on the said this set of
16:31
adversary will not stop
16:34
trying to get into of targets
16:37
work just because that target
16:39
has good security in place
16:42
at , reason is that they have no motive
16:44
has to stop doing that target has something
16:47
to the one is really no
16:49
prior know from the price from the risks
16:51
for them to pay for trying again and again and
16:53
again so there's no reason why we went
16:55
to high maintenance
16:57
and the interesting thing and
17:00
when you when you try to counter the operation
17:02
as some defenders point when
17:05
you turn a corner that type of as if about
17:07
series is the wings sanity
17:10
is not too make
17:13
sure that the they're here they never
17:15
they never come back with the wind strategies
17:17
to make sure that you increase increase the
17:20
time intervals in ,
17:22
they come back so instead of last
17:24
he pushed the mouth first time usually
17:26
what you'll see as a comeback after a couple
17:29
weeks weeks you push
17:31
them out a second to handle usually try to come to
17:35
when as you offering the right program the
17:37
right strategy for your seized
17:39
you can dramatically increased of time
17:41
and resources instead of coming back in
17:43
every back weeks back and
17:45
front of back months for the
17:48
reason is me when you get very
17:50
very good at exposing what they're doing
17:52
and your network you creepy
17:54
price them because
17:57
when you exposed and listen to offers and by
17:59
was part of the the now behind us
18:01
making business information public when
18:03
, expose the method of operation you
18:06
dramatically increase their price
18:08
because now they need a rebound in
18:11
order to start executing that
18:14
is expensive and , something that
18:16
the two of my friends friends
18:19
is an expensive price to pay
18:21
for targeting a target that his
18:23
sister get a target the to expose say
18:26
that operation that as impacts
18:28
other a process of haven't of
18:31
and so when you run an effect of operation
18:33
for the ducks and response investigation
18:36
you're able to create a certain form of
18:38
deterrence against a threat actor
18:40
like that that will manifests itself
18:43
in the increase manifests itself time
18:46
intervals in which it will compact so
18:48
make sure to build a very meticulous
18:50
on the road before the comeback
19:05
thanks to Israel Barak from Cybereason
19:07
for joining us the research is titled
19:10
Operation CuckooBees: Cybereason
19:12
uncovers massive Chinese intellectual
19:14
property theft operation we
19:16
have a link in the show notes
19:20
thanks to the Cyber Security Inside podcast
19:22
for their sponsorship visit cyber
19:25
security inside to dot com slash
19:27
research saturday or search
19:29
for cyber security inside wherever
19:32
you listen to podcasts thanks
19:35
to Synack for their sponsorship government
19:37
agencies deserve a better way to pen test
19:40
and the red team at Synack a plug your
19:42
mission to find the vulnerabilities that
19:44
matter most learn more at
19:46
Synack dot com slash government
19:51
the CyberWire podcast is proudly produced
19:53
in Maryland at the startup studios of DataTribe
19:55
where they're co-building the next
19:57
generation of cyber security teams
19:59
and technology
19:59
our amazing CyberWire
20:02
team is Rachel Gelfand, Liz Irvin,
20:04
Elliott Peltzman, Tré Hester,
20:06
Brandon Karpf, Eliana White,
20:08
Puru Prakash, Justin Sabie, Tim
20:10
Nodar, Joe Carrigan, Carole Theriault,
20:12
Ben Yelin, Nick Veliky, Gina
20:14
Johnson, Bennett Moe, Chris Russell,
20:17
John Petrik, Jennifer Eiben, Rick
20:19
Howard, Peter Kilpe, and I'm Dave Bittner
20:21
thanks for listening we'll see you
20:23
back here next week