North Korea's "Vibes-Based" Targeting

PLUS: Iran Cries Havoc and Lets Slip the Dogs of Cyber

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray with help from Catalin Cimpanu. It's supported by the Cyber Initiative at the Hewlett Foundation and founding corporate sponsor Proofpoint.


The 3CX supply chain attack this March was enabled by a prior supply chain attack against a company named Trading Technologies. We're not that surprised that the supply chain hackers did other supply chain hacking. If anything, we think the real angle here is what this incident teaches us about North Korea's expansive targeting priorities and operations.

Trading Technologies, a company that facilitates futures trading, was compromised some time in 2021 and the firm's X_Trader software package trojaned. Even though X_Trader had already been discontinued, the malicious version remained available on the firm's website and a 3CX employee subsequently downloaded and installed it on their personal computer. The attackers/operators used this access to steal the employee's work credentials which granted them administrator-level access to 3CX systems.

Mandiant has attributed the activity to a financially-motivated North Korean APT group it calls UNC4736.

Kim Zetter's Zero Day has a far more comprehensive description of the "threaded" or "double" supply chain attack and also a timeline of the incident.

When compared to tightly scoped Five Eyes operations, this kind of voracious "access begets access" approach looks crazy. But using one access to develop another is just logical if you don't have DoD lawyers hassling you over the scope, proportionality and precise targeting of your operations.

We expect this kind of "spidering out" behaviour is standard procedure for North Korean actors and this case is a great case study. When they compromised Trading Technologies they served browser exploits from its website as well as Trojaning its software. Access begets access!

Symantec says at least four other organisations were compromised by the X_Trader trojan, two critical infrastructure organisations in the energy sector and two organisations involved in financial trading.

Espionage is normally target driven, not access driven, even when there's a supply chain compromise component to campaigns. Russia's SolarWinds campaign was almost certainly kicked off as a way to gain access to US Government targets, not just as a "suck it and see" exercise.

Five Eyes agencies might use supply chains as a vector, but we promise you the meetings involved to make this happen are from hell and the scope is very, very tight.

North Korea, by contrast, operates on vibes.

And vibes get you places! 3CX doesn't have anything to do with cryptocurrency exchanges, but it helped the North Koreans to get access to those places.

We shouldn't be fooled into thinking this approach will be limited to the DPRK's revenue raising activities. When you can go wide with a supply chain compromise and then harvest deeper access into the places you're most interested in, why limit yourself?

Expect to see North Korea collecting intelligence this way in the future, as well as bitcoins. Let's just hope they're not kicking off a trend that will be mimicked by others. Iran, we're looking at you. Speaking of…

Iran Cries Havoc and Lets Slip the Dogs of Cyber

Microsoft has published two reports this month that signal a worrying shift in Iran's policy on cyber operations.

On April 7 it published a report on destructive attacks carried out by MERCURY, or Mango Sandstorm, against on-prem and cloud environments. The attackers wreaked havoc in the target's Azure environment, which was somewhat novel.

And now there's more. On April 18, Microsoft published another report on an Iranian state-sponsored actor. This one is targeting US critical infrastructure "potentially in support of retaliatory destructive cyberattacks".

The responsible party is a subgroup of what Microsoft now calls Mint Sandstorm, formerly PHOSPHORUS, aka APT42 or Charming Kitten, a group officially linked to the Iranian Revolutionary Guard Corps. The subgroup usually focuses on stealing information from high-value targets and Microsoft says it has previously seen it focus on "individuals affiliated with high profile think tanks or universities… with ties to the security and policy communities".

From late 2021 to mid-2022, the subgroup directly targeted "US critical infrastructure including seaports, energy companies, transit systems, and a major US utility and gas entity". Given that list, worrying about destructive attacks makes sense as it is hard to see what else you'd use that kind of access for.

Microsoft thinks it likely the change in targeting is in response to a series of cyber attacks in Iran:

This targeting was likely in response to Iran’s attribution of cyberattacks that halted maritime traffic at a major Iranian seaport in May 2020, delayed Iranian trains in July 2021, and crashed gas station payment systems throughout Iran in late 2021. Of note, a senior cybersecurity-focused IRGC official and others close to the Iranian Supreme Leader pinned the attack affecting gas station payment systems on Israel and the United States.

These attacks were carried out by Predatory Sparrow, an Israeli group with a penchant for sending messages to Iran about how to behave responsibly in teh cyberz.

Predatory Sparrow also takes pains to minimise collateral damage. In a destructive steel mill attack, for example, it sent warnings via Telegram and also made efforts to ensure that no one was injured. Its behaviour and signalling may be intended to influence Iran, but it doesn't look like the message is getting through.

Microsoft first reported on this round of Iranian targeting of US critical infrastructure in its 2022 Digital Defense Report in November last year, but it released further details last week because the activity continued and became more sophisticated.

Microsoft says it's "publishing details on known tradecraft alongside corresponding detections and mitigations to help organisations protect against this and similar threats".

That's good, but we think Microsoft's publication also serves another, perhaps more important purpose — it tells Iranian leadership that its cyber activities targeting critical infrastructure are being detected and attributed.

NOTE: This week's Between Two Nerds podcast is relevant and it mentions Predatory Sparrow as we examine whether cyber operations are any good for deterrence. This earlier episode focussed on Predatory Sparrow and its obsession with upholding norms of responsible behaviour.

Team Cymru Is Not the Cyber Villain You’re Looking For

Privacy concerns about the purchase of netflow from Team Cymru are massively overblown, but government purchases of commercially available data should still be subjected to privacy assessments and decent oversight.

Netflow is summary data of how traffic flows across the internet. It records how much data flowed from one IP address to another and typically includes the protocol and port used, which can hint at the type of data being sent. Threat intelligence firms collect and aggregate netflow data from various sources, including ISPs, to produce a view of how traffic flows across the internet. Privacy concerns here stem from bulk netflow potentially providing a comprehensive "Eye of Sauron" view of activity across the entire internet.

Vice Motherboard has reported several cases where the US government has purchased or tendered for netflow data. Various parts of the US military and the FBI's Cyber Division have bought it from Team Cymru and the Internal Revenue Service (IRS) at least tendered for it.

We think these concerns are vastly overstated.

The Team Cymru netflow data is based on samples of internet traffic and is not comprehensive. David Monnier, CIO at Team Cymru, told Seriously Risky Business that the netflow data packaged by the group is either sampled or selectively ingested to narrow focus on to cyber threats.

Monnier told us that netflow is selected for ingest based on "entirely or likely malicious activities" based on threat intelligence feeds and malware analysis, among other things.

These various selection and filtering processes make it unlikely that commercially available netflow would be useful in any mass surveillance scenarios.

Despite that, Monnier told us that Team Cymru still has a customer vetting process and end user licence that restricts both who can buy the data and what they can use it for. When it comes to advertisers, for example, Monnier said "that's not a market that we serve".

When it comes to cyber security applications, on the other hand, the utility of this type of netflow is clear. In our previous look at netflow, Joe Slowik, then Principal Security Manager at Gigamon and now at Huntress, told this newsletter it could be "exceptionally valuable" for understanding malware command and control.
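To make the two points above concrete (selective ingest keyed on threat intelligence, and the value of what is kept for spotting command and control), here is an added Python example. It is not Team Cymru's code or pipeline; the flow records, the threat-intel list and the IP addresses (taken from the reserved documentation ranges) are all constructed for illustration.

```python
# Added example, not Team Cymru's code: toy "selective ingest" of netflow-style records
# keyed on a constructed threat-intel list, then aggregation per conversation to surface
# the regular beaconing a C2 channel produces. All records and indicators are constructed.
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    ts: int       # epoch seconds the flow started
    src: str
    dst: str
    proto: str
    dport: int
    nbytes: int

# Constructed threat-intel feed: an address an analyst has tagged as malicious (TEST-NET-3).
MALICIOUS_IPS = {"203.0.113.77"}

# Constructed sample: mostly benign traffic, plus one host beaconing every 300 seconds.
SAMPLE = [Flow(t, "10.0.0.5", "203.0.113.77", "tcp", 443, 512) for t in range(0, 1800, 300)]
SAMPLE += [Flow(t, "10.0.0.8", "198.51.100.10", "tcp", 443, 40_000) for t in (30, 900, 1100)]
SAMPLE += [Flow(17, "10.0.0.5", "198.51.100.20", "udp", 53, 90)]

def selective_ingest(flows, indicators):
    """Keep only flows touching an indicator; everything else is never stored."""
    return [f for f in flows if f.src in indicators or f.dst in indicators]

def aggregate(flows):
    """Roll up retained flows per (src, dst, proto, dport): count, bytes, start times."""
    agg = defaultdict(lambda: {"count": 0, "bytes": 0, "ts": []})
    for f in flows:
        key = (f.src, f.dst, f.proto, f.dport)
        agg[key]["count"] += 1
        agg[key]["bytes"] += f.nbytes
        agg[key]["ts"].append(f.ts)
    return dict(agg)

def beacon_candidates(agg, min_flows=4, max_jitter=30):
    """Return {conversation: period_seconds} for conversations with near-constant gaps."""
    out = {}
    for key, v in agg.items():
        ts = sorted(v["ts"])
        if len(ts) < min_flows:
            continue
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if max(gaps) - min(gaps) <= max_jitter:
            out[key] = sum(gaps) // len(gaps)
    return out

if __name__ == "__main__":
    kept = selective_ingest(SAMPLE, MALICIOUS_IPS)
    print(len(kept), "of", len(SAMPLE), "flows retained")
    for key, period in beacon_candidates(aggregate(kept)).items():
        print(key, "beacons every", period, "s")
```

Only the flows that touch an indicator survive ingest, which is why this kind of feed says little about the population at large while still exposing the periodic C2 conversation.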

Even if Team Cymru's netflow isn't a realistic potential privacy violation, we still think government agencies should do a privacy risk assessment before they buy this kind of stuff.

What is the data for, and how will it be used? Are there any potential invasive privacy implications and how are they either authorised or mitigated? Any questions about the propriety of the data purchase could be answered by releasing the risk assessment.

It's probably going to be a while before the US Government passes comprehensive data protection and privacy legislation into law. Until then, perhaps a policy forcing agencies to spell out — publicly — what type of data they're buying, why they're buying it, and what the privacy impacts are can serve as a stopgap.

Three Reasons to be Cheerful this Week:

  1. Turning malware against itself: cyber security firm eSentire says it's taken advantage of GootLoader's own anti-security researcher protections to prevent it from delivering malware. GootLoader is an initial-access-as-a-service operation that focuses on compromising legal professionals.
  2. Google Authenticator Syncing: Google has updated its one-time password 2FA Authenticator app so it backs up to customers' Google accounts. This means a user will be able to back up 2FA codes and recover them if the device holding them is lost, stolen or breaks. There are some trade-offs here, and it makes a person's Google account more important than ever, but if you lose control of that account you're screwed anyway, so we think the benefits outweigh any negatives.
  3. US pivoting to disrupt cybercrime: in a "fireside chat" discussion at the RSA conference, US Deputy Attorney General Lisa Monaco has confirmed that the government is pivoting to focus on disrupting cybercrime. Monaco said that prosecutors and investigators have been directed to have "a bias towards action, to disrupt and prevent, to minimise that harm if it’s ongoing".


Tines No-code Automation For Security Teams

Risky Business publishes sponsored product demos to YouTube. They're a great way for you to save the time and hassle of trying to actually get useful information out of security vendors. You can subscribe to our product demo page on YouTube here.

In this video demo, Tines CEO and co-founder, Eoin Hinchy, demonstrates the Tines automation platform to host Patrick Gray.


Cyber Command Discloses Disruption of Iranian Election Interference

The US government has shared an example of election-related systems being compromised by an Iranian-linked hacking group in the lead-up to the 2020 presidential election. The hacking group gained access to a city website that published voting results, so disruption could have made it look like the vote had been tampered with.

This was detected by US Cyber Command while operating in what The Record described as "foreign cyberspace". The breach was remediated before any damage was done, but in a way this feels like a lucky break rather than the result of well-executed defence.

This is a tricky space for the government. It wants to highlight real examples that demonstrate that the threat to election infrastructure is real, but doing so may well feed people trying to undermine confidence in election results.

Even inconsequential breaches may be used to feed perceptions of election insecurity. But transparency is the only sustainable policy and conspiracy theorists don't need real information to create discord anyway.

Chinese Hackers! In Space!

The US government believes the PRC is building cyber capabilities to "deny, exploit or hijack" satellites, according to a leaked US intelligence report. This reinforces our view that it makes sense for space systems to be labelled as critical infrastructure.

EU Cyber Solidarity Act

The European Commission has published draft legislation intended to improve cybersecurity across EU member states. It intends to improve communication between national Security Operations Centres, improve emergency response mechanisms and also select a pool of trusted private companies to provide security services. [much more at Risky Biz News]

Spyware is a Thing!

The UK NCSC has released a report warning of the proliferation of commercial cyber services such as spyware and hackers for hire. It's short and very readable.

Risky Biz Talks

In addition to a podcast version of this newsletter (last edition here), the Risky Biz News feed (RSS, iTunes or Spotify) also publishes interviews.

In our last "Between Two Nerds" discussion Tom Uren and The Grugq discuss whether cyber operations are any good at deterring adversaries.

From Risky Biz News:

FSB raids Moscow police: Officers with the FSB and the MVD have raided multiple Moscow police departments on suspicion that officers sold personal information of Russian citizens to Ukrainian entities. According to reports in RBC and TASS, searches have been going on for weeks, multiple police officers were detained, and more are being questioned. According to the Baza Telegram channel, the FSB is specifically investigating the sale of personal data of Russian judges and security forces.

Dutch MIVD yearly report: The Dutch Military Intelligence and Security Service (MIVD) says that Chinese private companies facilitated several cyber-espionage campaigns by Chinese military hackers against Dutch targets last year. MIVD officials believe that such operations were set up to help Chinese hackers remain anonymous and avoid public attribution. Dutch intelligence officials also say that Chinese universities currently play an important role in China's cyber-espionage operations by training personnel and developing tooling used in PLA offensive cyber operations. The revelations were part of the MIVD's public annual report for 2022. The same report also confirmed that GRU hackers hijacked Cisco routers across the Netherlands as part of an operation first revealed this week by UK and US authorities.

UN North Korea report: The United Nations Security Council has published its yearly report on North Korea, and this year's report notes a significant increase in North Korean cyber activity, with DPRK groups stealing more cryptocurrency in 2022 "than in any previous year." The report also covers North Korea's 2022 cyber-espionage operations as well.