Advanced threat actors and other malicious cyber activity
On October 4, 2018, the MIVD held a press conference about an intercepted cyberattack on the OPCW in the Netherlands, allegedly by the advanced threat actor Sofacy (also known as APT28 or Fancy Bear, among others). According to the MIVD, four suspects were caught red handed trying to break into the OPWC’s network. Sofacy activity in the Netherlands did not come as a surprise to us, since we have seen signs of its presence in that country before. However, aside from Sofacy we haven’t seen many other advanced persistent threat (APT) groups in the Netherlands, at least when compared to other areas, such as the Middle-East. Upon further reflection, we have concluded that this is rather odd. There are quite a few big multinationals and some high tech companies located in the Netherlands. In addition, there are other potential strategic targets for threat actors. So we decided to review cyber-threat activity targeting or affecting the Netherlands.
Providing an overview of one APT’s activity can be quite difficult, let alone all the APT activity affecting a country. First, we only see what we can see. That means we can only gather data from sources we have access to, such as that shared voluntarily by our customers with Kaspersky Security Network (KSN), and those sources also need to be supplied with data related to a specific APT. As a result, like any other cybersecurity vendor, our telemetry is naturally incomplete.
One way to improve our overview is to use sinkhole data. When a domain that is used by an APT expires, researchers can register that domain and direct the traffic to a sinkhole server. This is done quite frequently. For many of the APTs we track, we sinkhole at least one domain. In comparison to other sources, such as KSN and multi-scanner services, sinkhole data has a number of advantages. For example, in some cases you can get a better overview of the victimology of the APT. The drawback is that we need to filter the results, since there can be quite a few false positives (e.g. because other researchers are investigating the malware). This filtering can be quite cumbersome, because if we base it solely on the IP and the requests, it is quite difficult to come to a verdict.
For this blogpost we gathered all the sinkhole data for Dutch IPs in the last four years (September 2014 to September 2018), which amounts to around 85,000 entries. Of course, this is far too much to verify by hand, so the first step was to filter the results, and especially all the scanners. While some of these were relatively easy to spot and filter out (e.g. all the TOR exit nodes, all the Romanian.anti-sec), others required a bit more effort.
In order to filter out the scanners, we deleted all entries where the IP matched more than four “tags” (each tag stands for a different campaign). After doing this, we were left with around 11,000. That meant 77% fewer results, but there were still too many, so we applied some more aggressive filtering.
The table below describes the number of tags that were hit per IP.
One way to determine whether a hit in the sinkhole database is a true positive (TP) or a false positive (FP), is to find out who the victim is. We thus reversed the IP and checked whether, at the time of the first entry in our sinkhole database, the DNS entry matched the entries in our passive DNS database. If this was not the case, the entry was ignored. The next step was to remove all the entries that would be difficult to investigate (e.g. IP addresses that belong to an ADSL connection). Even though this method was quite rigid and meant that some TPs might be missed, we still decided to use it, since we knew it would be too resource-intensive to investigate all the entries. The result: only around 1,000 entries remained for investigation.
The aim of this blogpost is to give an overview of which APT groups are active in the Netherlands and what they are interested in, and that requires TPs, not FPs. For each remaining entry, a reverse DNS lookup was made, and the ASN information was saved. This was checked against our passive DNS database to see whether this IP had the same domain as its first entry in the sinkhole database. If it did, the entry was kept, if it was not, we tried to find out to which organization the IP belonged.
At this point, for the entries that remained, the raw requests were retrieved against the template request made by the APT. Finally, for each of the IPs left on our list, we tried to tie them to a company or institution. If this was the case, the entry was kept and marked as a TP.
We also checked our APT reports for targets in the Netherlands and added these results to the review.
Using the methods described above, we found the following APTs that are or have been active in the Netherlands:
BlackOasis is an APT group we have been tracking since May 2016. It uses the commercially available FinFisher malware sold to law enforcement agencies (LEAs) and nation states. BlackOasis differentiates itself from other APT-groups by using a vast amount of 0-days: at least five since 2015. Victims are mostly found in Middle Eastern countries, where the group is particularly interested in politics. We have also seen it targeting members of the United Nations and regional news correspondents. Recently we have seen a shift in focus towards other countries such as Russia, the UK and now also the Netherlands. Its Dutch victims fit into its shift of interest.
Sofacy, also known as Pawn Storm, Fancy Bear and many other names is an active APT group that we have followed since 2011. It is known for using spear phishing emails to infect targets and for the active deployment of 0-days. In 2015, Trend Micro researchers reported that the group had targeted the MH17 investigation team. Last year, the Volkskrant published an article alleging it tried to infect several Dutch Ministries. Then there is the October 4, 2018 news of four alleged Sofacy members having been caught in April 2018 trying to hack the OPWC. Even though we cannot confirm these last two incidents, since we are not involved, we have observed several targets in the Netherlands infected with Sofacy. Interestingly, we observe fewer deployments of Xagent (one of Sofacy’s modules) after April 2018. Although one new Xagent deployment was noted in August 2018, it seems that the group pushed fewer, and then only new, deployments from April through June 2018.
Hades is the name given to the group held responsible for the Olympic Destroyer malware that was found targeting the 2018 Winter Olympic Games in South Korea. Our initial thought was that the malware was related to the Lazarus group, because several of our Yara rules had 100% matches with the malware. However, after careful research we found many false flags that pointed to different APT groups. A few months later, in May 2018 (not long after the OPWC incident took place), we found that Hades had returned and was now targeting financial institutions and chemical threat prevention laboratories. Given this shift of interest, it is no surprise that entities in the Netherlands were targeted as well.
Buhtrap is one of the groups that targets financial institutions with the ultimate goal of stealing money. Its tools, techniques and processes (TTPs) don’t differ extensively from those of traditional APT groups. Buhtrap is one of those (Carbanak and Tyupkin are others) that started by infecting financial institutions in Russia and Ukraine, but after a while shifted its focus to other parts of the world. We found Buhtrap activity in the Netherlands in 2017.
In March 2017, WikiLeaks published online a series of documents that they call “Vault 7”. Some of these documents feature malware that resembles that used by the Lamberts, a toolkit that has been used for several years, with most of its activity occurring in 2013 and 2014. One of The Lamberts’ variants we have been investigating is the “Green Lamberts”. We were surprised to see quite a few infections in the Netherlands, when the majority of attacks target Iran. We do not have any insight into the profile of the victims located in the Netherlands. Nevertheless, the fact that Lamberts is active in the Netherlands shows a possible shift in focus, and reminds us that for APT groups, borders do not exist.
Turla, also known as Uroboros, is a very active APT group, believed to be connected to many high-profile incidents such as the US Central Command attack in 2008 and the breach of RUAG (a Swiss military contractor). Other Turla targets include ministries and governmental organizations. Given all this, the Netherlands is a logical target for the Turla group. In fact, we would have been surprised not to have found any Turla infections in the Netherlands.
Gatak, which also goes by the names of Stegoloader and GOLD, is a group that engages in data theft using watering hole attacks. It has been active since at least 2015, and its main interest is in intellectual property. Even though the use of watering hole attacks means the group does not have full control over who it infects, it has been able to hit a couple of high profile targets. In this case, our sinkhole database enabled us to determine that one of those was a high profile target in the Netherlands.
In 2015, the Dutch chip maker, ASML was allegedly breached by Putter Panda. ASML acknowledged the breach and stated that one file was stolen. No further details are publicly available, although there was an episode of the TV program “KRO reporter“, partially dedicated to the breach. ASML is one of relatively few high-tech companies in the Netherlands. The fact that it has been breached is a clear sign that foreign threat actors are aware of and interested in industrial espionage in the Netherlands.
Animal Farm is a group that has been active since at least 2009. A relatively advanced threat actor, it has been targeting a variety of organizations over the past years. Victims include governmental organizations, military contractors, activists and journalists. Even though the group is mainly focused on French speaking countries, we still found a few infections in the Netherlands.
Although our visibility of threat actor activity in the Netherlands is incomplete, the results are nevertheless surprising. Some groups we did not expect to see appear to be active in the country (such as the Lamberts). However, upon further thought, and especially when looking at potential targets located in the Netherlands and comparing this with the interests of some of the APT groups, their activity in the Netherlands makes sense.
The presence of both expected and unexpected threat actors is a good argument for organizations staying informed of the latest developments in cyberspace, particularly through threat intelligence reports. Because if you know what APT groups are up to, which organisations they target and what TTPs they use, you can implement the protection you need to stay one step ahead of them.
Such precautions are important, because one of the most stunning findings from the review of sinkhole databases was the number of organizations infected using “ordinary cybercrime malware”. We saw infections among airlines, airports and other major companies (although it should be noted that this happens in other countries as well, not just in the Netherlands). It demonstrates again that it is not so difficult for (APT) groups to breach valuable targets and that basic cyber hygiene is important for everybody.
As a final note, one should always be careful about deriving hard conclusions from APT findings, particularly in terms of attribution. For example, even though we saw Olympic Destroyer malware being used to target chemical threat prevention laboratories shortly after the OPWC incident, this is not conclusive evidence that the groups behind these attacks are the same, or even related. However, using this fact to monitor your network for the presence of Olympic Destroyer malware if you think you might be a potential Sofacy target – and vice versa – seems like a good approach.
For more information on our private threat intelligence reporting service, please contact email@example.com
Threats in the Netherlands
I don’t quite get the “>4” row in the table with entry 938.
How can an IP address show up with more that 4 tags on the table when you stated in the paragraph just before the table that you did filter any IP which had hit more than 4 tag?