When a Belgian locksmith attacked the Pakistani Air Force, researchers at Cylance sat up and took notice. The locksmith probably never knew his website had been taken over by a nation-state hacking group as a command-and-control server, nor that exploit-laden Microsoft Word documents crafted to spear-phish Pakistani Air Force officers were hosted there for more than six months.
The Belgian locksmith was just a pawn in a global game of cyberespionage fought by a new nation-state hacking group, and while the target in this operation was Pakistan — both nuclear-armed and a haven for terrorists in the region — the incredibly sophisticated layers of misdirection used by the malware to mislead and delay forensics analysis worries security researchers, who say these attack tools could be deployed against anyone else in the world at any time.
This heralds the advent of a major new nation-state player on the cyber domain, Cylance researchers speculate, who rule out all the usual suspects — Five Eyes, Israel, India, China, Russia, and North Korea. While hesitant to attribute to any particular nation, researchers told CSO the new APT is likely Middle Eastern, but whose tactics, techniques and procedures (TTPs) are indicative of US-trained intelligence operatives, raising the possibility that ex-US intel folks have turned mercenary and are building a new APT group for a Middle Eastern nation.
The new APT group takes the cat-and-mouse game between attackers and defenders to a new level, and blue teams around the world should pay attention to the tactics used here, Cylance researchers say.
Meet the White Company
The new APT’s malware goes to extraordinary lengths to evade detection and includes the ability to detect and hide from eight different antivirus products, including Sophos, Kaspersky, AVG and BitDefender. Additional layers of obfuscation and misdirection led Cylance researchers to dub the group the White Company. “The name is an acknowledgment of the many elaborate ways this threat actor goes to whitewash all signs of its activity, and to evade attribution,” Kevin Livelli, director of threat intelligence, tells CSO.
The malware didn’t just evade antivirus detection, however, it let itself be discovered by different antivirus vendors on preprogrammed dates, likely as a distraction tactic. “What we’ve got here in this case is a threat actor who has figured out how to determine what antivirus is running on your system and deliberately trigger it in an attempt to distract you,” Josh Lemos, vice president of research and intelligence at Cylance, says. “That should be concerning organizations outside of Pakistan.”
Kill switches in malware have been seen before, such as in Stuxnet, but Cylance researchers say they’ve rarely seen a campaign that deliberately surrenders itself to investigators in this manner. “The White Company…wanted the alarm to sound,” their report concluded. “This diversion was likely to draw the target’s (or investigator’s) attention, time and resources to a different part of the network. Meanwhile, the White Company was free to move into another area of the network and create new problems.”
What makes the White Company especially dangerous, however, is its keen understanding of how security researchers study malware, and their sophisticated attempts to foil automated forensics analysis.
Hacking security researchers’ brains
Malware researchers use automated analysis systems, like FireEye’s, to examine potentially malicious files. The White Company’s malware evades such systems by including anti-debugging code inside their shellcode — an extreme measure rarely seen.
“While anti-debugging code is routinely observed inside malware,” the report said, “it’s unique to find it inside shellcode…If a system is employed that detonates documents…and a debugger is used to detect malicious behavior, then the malware would not be available for analysis and the notion that the document is malicious would never register.”
The White Company also used commodity malware to confuse security researchers looking for exotic nation-state malware. “With publicly available malware, an analyst can’t be sure of authorship,” the report wrote, “which in turn has the effect of impeding attempts at attribution. In this context, it also undermines the assumptions of analysts who conduct taxing reviews of complex shellcode and are expecting fancy, custom malware samples.”
The great pains the White Company took to hinder forensic analysis of their malware seems likely to increase the cost to defenders, at least in the short term. “This is a threat actor that has a key understanding of the typical way security researchers go about attacking these things,” Livelli says. “They left deliberately contradictory pieces of evidence to essentially hack the methodology, the thinking of the people that would be coming after them to investigate them.”
“That to me is very concerning,” he adds. “It means that your way of going about responding to these incidents has to be challenged.”
U.S. personnel involved?
The White Company is a new nation-state APT, Cylance tells CSO, likely a Middle Eastern country, and is not a U.S. or Five Eyes threat group. However, there are flags that suggest that some of the technical personnel were trained by the U.S. or previously worked for U.S. intelligence.
“There are certain hallmarks of the style here that reminded us of the U.S. style of attack, all these extensive lengths they go to evade attribution reminded us of that,” Livelli says.
The conspicuous absence of any U.S. antivirus vendors among the eight antivirus products targeted by the malware also raises eyebrows. Is an American mercenary reluctant to attack a U.S. antivirus product? Or is it because few Pakistanis use American-made antivirus products? Cylance contacted Pakistan’s CERT in an effort to find out but received no response.
Regardless of provenance, a new major APT group is flexing its muscle on the world stage, and their tactics will soon be imitated by others. Defenders take note.