Putting TRANSCOM in Perspective

Today, the Senate Armed Services Committee released information indicating that China-based threat actors were heavily targeting TRANSCOM, the U.S. military’s logistics arm. In terms of the private sector contractors impacted, the intrusions detailed in the Levin report mirror activity FireEye has observed: we frequently see nation state threat actors target not only government, but also private sector organizations in order to obtain military intelligence.

Why Pursue Military Secrets?

FireEye believes that China-based threat actors are primarily motivated to compromise the defense industrial base (DIB) – both private defense contractors and government agencies – for data theft in order to:

  • Steal intellectual property and proprietary information capable of providing the government with a military advantage and of assisting the country in reaching its goals for military modernization. The Chinese government likely could use information stolen from the DIB to assess the U.S.’ military capabilities and indigenously develop its products (as well as possibly the means to effectively counter them). This may also offer the government a way to circumvent U.S. security restrictions and other export controls to obtain technologies that it is not otherwise able to purchase from the U.S. and its close allies.
  • Gain an economic advantage in the global arms market, as the government would be able to indigenously develop and then sell new and highly valued technologies. Using stolen blueprints would also allow the Chinese government to increase its market competitiveness, as it would be able to skip the research and development process and thus sell the same products at a lower price.

Threat Actors and Targets

We have seen more than 20 unique threat groups (including almost all the China-based APT groups that we track) that have compromised corporate networks in the Aerospace and Defense industry, particularly the following subsectors:

  • Aerospace & Defense Parts Wholesalers
  • Aerospace Products & Parts Manufacturing
  • Aircraft Engine & Parts Manufacturing
  • Guided Missile & Space Vehicle Manufacturing
  • Industrial & Military Computer System Manufacturing

Common data theft includes:

  • Personal Documents
  • Research Reports
  • Organizational Charts and Company Directories
  • Testing Results and Reports
  • Product Designs/Blueprints
  • Business Communications
  • Production Processes
  • PII
  • Budget Information
  • Safety Procedures
  • General Proprietary Product or Service Information
  • Equipment Maintenance Records and Specifications
  • System Log Files

While TRANSCOM attributed all 20 intrusions that it classified as “advanced persistent threat” to China, it’s important not to lose sight of the fact that China is not the only player in this game:

  • We have also observed suspected Russia-based actors target a defense technology company, and in Operation Saffron Rose, we saw an Iranian group target US defense contractors in addition to members of the Iranian opposition.
  • We’ve also seen a number of regional conflicts, such as India-Pakistan, play out in the cyber arena, and we are seeing indications that Middle East-based hackers are tuning their skills and posing an increasing nuisance to companies around the globe.

Multiple threat groups appear to have a firm understanding of the Aerospace and Defense supply chains, including the relationships between organizations and specific projects in the industry. In multiple instances, cyber espionage groups have targeted information about specific projects across several companies. Similarly, we have observed threat groups target the entire Aerospace and Defense manufacturing production cycle, from research and development through testing and production, all the way to product launch.

Defense contractors are not the only parties who are affected by military intelligence collection. We have also seen relatively small companies—for example, technology companies that produce products for military and consumer applications—hit by probable nation-state threat actors, who appear to be collecting intelligence on the companies’ relationships with adversary military organizations.

The intrusions at TRANSCOM and its contractors resulted in data theft, but it’s important to note that data theft is not the only possible outcome of a breach. It’s also possible for threat actors to modify data once they have access to it, or even to destroy data, as they did in the case of Saudi Aramco. They may establish a foothold to ensure that they have access to victim networks for future use, or to conduct reconnaissance for possible, future operations.

Lessons from TRANSCOM

Of the 11 contractors impacted, eight said they were not aware of any threat activity occurring during the period in question. This hearkens back to a mantra we have at FireEye: it is not a matter of if an enterprise will be breached, but when. It is therefore critical that organizations prepare for the inevitable breach by monitoring for signs of an intrusion, sharing intelligence with industry peers, and having a strong incident response plan in place. In addition, sharing intel more freely—among government entities, as well as the threat intelligence community writ large—can contribute to better preparedness and a more effective defense against cyber threats.

Searching for the Cure: Targeted Threat Actors Pursuing the Pharmaceutical Industry

If you visit an unsafe area, you’re probably more careful about locking your doors, right? But what if it’s well publicized that you have valuables in your possession? You’d likely not only lock doors, but maybe also use a strongbox and have security in place. Knowing that you have something of value makes you a visible – and likely – mark.

It’s no different when thieves are targeting a company’s network.

That’s exactly what the pharmaceutical industry faces. And it’s a prescription for disaster.

Advanced Persistent Threat (APT) groups are targeting the pharmaceutical realm, compromising systems and stealing vital information – and perhaps putting lives at risk.

Recent reports of threat actors swiping personal data of healthcare providers’ patients reinforce what FireEye Labs researchers have been warning our customers about: the healthcare and pharmaceutical industries are data-rich goldmines for APT actors.

When we talk to our customers about targeted threats – especially threat actors backed by nation states – we urge them to consider which information assets are beneficial to targeted actors in the long haul. Nations that use cyber threat actors to achieve their objectives often have strategic healthcare initiatives that are a key indicator of compromises to come. The pharmaceutical industry falls squarely in the crosshairs: threat actors looking to improve their country’s ability to address domestic health concerns will set their sights on stealing IP related to technologies, processes and expertise.

The Symptoms

We’ve previously worked pharmaceutical company cases where we assessed that suspected nation state threat groups targeted the victims for economic espionage. In one incident we determined two China-based APT groups gained access to the environment as long as three years prior to our involvement. The threat groups accessed or compromised more than 100 of the company’s systems and installed backdoors to facilitate continued access to the victim’s network. One of the APT groups stole IP and business data from the victim, including information on bio cultures, products, cost reports and other details pertaining to the company’s operations abroad.

It’s highly probable the stolen IP and business information ultimately assisted beneficiary pharmaceutical industry companies in gaining a competitive advantage.[1] Information on cell cultures and products could allow a company to manufacture its own versions of products, or work from the victim’s findings to advance its research into a particular area while minimizing R&D outlay. Also, an organization might use information on another company’s operational costs and prices to undercut that company’s market share by offering cheaper products.

Countries could also use targeted cyber threat activity to steal data that could help with domestic health concerns. For example, during one week late last year, we saw a China-based APT group target three different companies that provide oncology treatments and services. This activity could have dovetailed with government initiatives to deal with China’s increasing cancer rates. (According to an article in the Guardian, “Cancer mortality rates in China have increased by 80% over the last thirty years, making [cancer] the nation’s leading cause of death.”[2])

Detection

The long-term strategic view – that is, identifying, analyzing and predicting targeted threat actors’ behavior – is only part of the threat intelligence picture. From an operational standpoint, our healthcare and pharmaceutical sector customers experience much of the same targeted threat activity as other industries.

We looked at malware activity directed at clients in the pharmaceutical and healthcare sectors in July and saw quite a bit of consistency across the tools used by targeted threat actors. Overall that month, APT web/file/email detections for the pharmaceutical industry slightly increased compared to the prior month. We saw over 30,000 callbacks to existing command and control infrastructure, and the sector was hit hard by various RATs. Most detections came from njRAT and XtremeRAT, on which we wrote a February blog post that included technical analysis. Because RATs can be publicly available, we noted that a wide range of threat actors use them, including targeted threat actors seeking to blend in with traditional cybercrime activity.
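As an added illustration of the callback pattern the paragraph counts (this is not code from the original post or from FireEye), the script below flags outbound connections that recur at a near-constant interval, the polling rhythm a RAT produces when it checks in with its command and control server. The log format, the addresses (documentation ranges) and the thresholds are assumptions, and the log lines are constructed samples.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of outbound-connection records (assumed format):
# timestamp, source host, destination ip:port, protocol, bytes sent.
# 10.1.4.22 polls one destination every ~30 s; 10.1.4.35 browses irregularly;
# 10.1.4.50 has too few connections to judge.
SAMPLE_LOG = """\
2014-07-08T09:00:00 10.1.4.22 203.0.113.10:8080 TCP 412
2014-07-08T09:00:05 10.1.4.35 198.51.100.7:443 TCP 1930
2014-07-08T09:00:07 10.1.4.35 198.51.100.7:443 TCP 2204
2014-07-08T09:00:31 10.1.4.22 203.0.113.10:8080 TCP 410
2014-07-08T09:01:00 10.1.4.22 203.0.113.10:8080 TCP 415
2014-07-08T09:01:32 10.1.4.22 203.0.113.10:8080 TCP 409
2014-07-08T09:02:01 10.1.4.22 203.0.113.10:8080 TCP 411
2014-07-08T09:02:30 10.1.4.22 203.0.113.10:8080 TCP 413
2014-07-08T09:03:40 10.1.4.35 198.51.100.7:443 TCP 1777
2014-07-08T09:05:00 10.1.4.50 192.0.2.9:80 TCP 300
2014-07-08T09:05:30 10.1.4.50 192.0.2.9:80 TCP 300
2014-07-08T09:09:12 10.1.4.35 198.51.100.7:443 TCP 2050
2014-07-08T09:09:13 10.1.4.35 198.51.100.7:443 TCP 1502
2014-07-08T09:20:00 10.1.4.35 198.51.100.7:443 TCP 1899
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<proto>\S+) (?P<bytes>\d+)$"
)


def parse_log(text):
    """Return {(src, dst): [datetime, ...]}, skipping malformed lines."""
    flows = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
        flows[(m["src"], m["dst"])].append(ts)
    return flows


def find_beacons(flows, min_count=5, max_cv=0.2):
    """Return flows whose gaps between consecutive connections are nearly constant.

    cv is the coefficient of variation (stdev / mean) of those gaps: a human
    browsing session yields a large cv, a polling implant a small one. Flows
    with fewer than min_count connections are ignored to limit false positives.
    """
    findings = []
    for (src, dst), times in flows.items():
        if len(times) < min_count:
            continue
        times = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "count": len(times),
                             "interval_s": round(avg, 1), "cv": round(cv, 3)})
    return findings


if __name__ == "__main__":
    for f in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"possible C2 callback: {f['src']} -> {f['dst']} "
              f"every ~{f['interval_s']}s (n={f['count']}, cv={f['cv']})")
```

A regular interval alone is not proof of compromise (software updaters poll too), so the output is a triage lead to be checked against the destination's reputation and the process that opened the connection.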

Prognosis

We suspect nation-state backed threat actors will continue to target companies in the pharmaceutical and healthcare industries for the foreseeable future, especially given the industries’ importance in both economic growth and domestic healthcare. Certainly, non-state threat actors motivated by financial gain also pose a risk. Financially motivated cybercriminals might target IP relating to drug formulation processes to facilitate the trade of counterfeit drugs, a global market that the National Association of Boards of Pharmacy estimates cost $75 billion USD in 2010.[3] Actors could breach an environment and steal information to compromise the integrity of a clinical trial. Beyond the potentially exorbitant costs to the company, there are the potential violations of privacy laws and other compliance regulations to consider. While we have not seen such a situation occur, it’s worth considering, especially as a greater understanding of potential risks is key to improving security.


[1] A recently unsealed FBI criminal complaint alleged that a Chinese national named Su Bin, along with two unnamed conspirators, colluded to conduct computer intrusions and steal data related to US military projects. The complaint gave an unusual glimpse into the mechanisms behind nation state sponsored espionage and detailed how an individual operator received targeting instructions and subsequently used those instructions to steal information. Several of the email conversations detailed in the complaint suggest that the final beneficiaries of the intrusions were Chinese state-owned companies. The FBI complaint concludes that Su and an unnamed conspirator conspired to sell the stolen aircraft information to multiple buyers, including Chinese aerospace companies, and that they sought to “match” stolen data with the most suitable buyer. We have no reason to believe that what occurred in the industry relevant to the FBI complaint is any different than the data theft flow in other industries, such as the pharmaceutical industry.

[2] Kaiman, Jonathan. “Inside China’s ‘Cancer Villages.’” The Guardian. 4 June 2013. Web. 9 July 2014.

[3] Gillette, Felix. “Inside Pfizer’s Fight Against Counterfeit Drugs.” Bloomberg LP. 17 January 2013. Web. 9 July 2014.

Mergers and Acquisitions: When Two Companies and APT Groups Come Together

With Apple’s purchase of Beats, Pfizer’s failed bids for AstraZeneca, and financial experts pointing to a rally in the M&A market, the last month was a busy one for mergers and acquisitions. Of course, when we first see headlines of a high profile company’s plans for a merger or acquisition, we rush to think of the strategic and industry implications of such a deal. But underneath the “what ifs” and “visions for the future,” is a darker side of M&A that doesn’t make the headlines: the routineness with which companies are breached and crucial data is stolen when two high-profile organizations look to join together.

Over the last few years, concerns over economic espionage have led to greater scrutiny of mergers and acquisitions involving foreign companies – particularly in industries with sensitive technologies and operations that could pose broader economic and security threats. However, entering into a merger or acquisition with a foreign company is not the only way nation-states conduct economic espionage via cyber means, nor are nation-states the only perpetrators of intellectual property theft.

From our experience responding to these breaches, we’ve seen targeted threat actors actively pursuing companies involved in mergers and acquisitions in two ways:

  • Breaching one of the merging or acquired company’s subsidiaries’ and/or partners’ networks to ultimately gain access to the targeted company’s environment and information
  • Compromising and stealing information from a company involved in business talks with a foreign enterprise in order to provide the other side with an insider advantage in the negotiations

From One Friend to Another: Taking Advantage of Trusted Relationships Between Companies

Some threat groups compromise an organization’s environment and then move laterally over a connected network to a partner or subsidiary, while others rely on social engineering tactics, such as the use of phishing emails that appear to be from employees at the partner company. We have seen China-based threat groups previously compromise targets by taking advantage of trusted relationships and bridged networks between companies. Regardless of their method of entry, these actors are often in search of the same thing: intellectual property and proprietary information that can provide their own constituents with a business advantage, whether through adopting a rival’s technology and products, securing advantageous prices, or any other tactic that could give them a leg up.

We investigated one incident in which two threat groups compromised a company shortly after it acquired a subsidiary. The threat actors used their access to the initial company’s network to move laterally to the subsidiary, which had recently developed a proprietary process for a significant new healthcare product. Once inside the subsidiary’s network, the threat groups stole data that included details on the product’s test results. We believe the threat groups sought to give that data to Chinese state-owned companies in that industry for fast-tracking the development of their own version of the groundbreaking product.

Cheating the System: Insider Advantages in Negotiations

We have also seen threat groups compromising organizations involved in merger or acquisition talks with Chinese entities, likely in an effort to steal data that could give negotiators and decision makers valuable insider information with which to manipulate the outcome of the proposed transaction. Unlike other types of economic espionage operations, the threat groups in this type of scenario are generally not in search of a company’s intellectual property. Instead, these actors look for data such as executive emails, negotiation terms, and business plans and information; all of which could benefit the negotiators by giving them insight into the victim company’s financial situation and negotiation strategy.

During one investigation, we found that a China-based threat group had compromised a company that was in the process of acquiring a Chinese subsidiary – a move that would have significantly increased the victim company’s manufacturing and retail capacity in the Chinese market. The threat actors accessed the email accounts of multiple employees involved in the negotiations in what was likely a search for information pertaining to the proceedings. We believe that the threat group then used the stolen information to inform Chinese decision makers involved in the acquisition process, as the Chinese government terminated the talks shortly after the data theft occurred.

What can we expect?

Companies involved in mergers and acquisitions need to be aware of the risks they face from threat actors intent on conducting economic espionage. Entering into a merger or acquisition with an organization that has unidentified intrusions and unaudited networks places a company at risk of compromise from threat actors who may be waiting to move laterally to the newly integrated target.

Similarly, companies, and the law firms representing them, involved in negotiations with Chinese enterprises face risks from threat groups seeking to provide the Chinese entity with an advantage in negotiations. Compromise and economic espionage can have profound impacts on a company’s finances and reputation at any time, but particularly when they are risking hundreds of millions to billions of dollars on M&A.

In many cases as well, there are broader issues of national security, so it’s imperative that companies seek to recognize and mitigate these risks as part of their M&A processes moving forward. Even governments sometimes attempt to mitigate these risks by conducting national security reviews and occasionally rejecting bids based on their findings.[i] Threat actors from many countries engage in economic espionage, making for a wide and varied threat landscape that cannot be handled by the government alone. For examples of just how diverse and crowded a space the targeted threat landscape is becoming, see our recent blog posts on Molerats, Saffron Rose, and Russia and Ukraine.


[i] “The Committee on Foreign Investment in the United States (CFIUS).” U.S. Department of the Treasury. 20 Dec. 2012. Web. 28 May 2014.

NGOs: Fighting Human Rights Violations and, Now, Cyber Threat Groups

With so many non-government organizations (NGOs) in operation today around the world, we asked ourselves a question here at FireEye Labs. Who would think about targeting NGOs? Steal from a nonprofit? It would seem unthinkable to most people. But, as we can see from a few recent examples below, this is a clear reality.

As more NGOs reach out to us, it is clear that the situation for them is not a pretty one. Based on the breaches we have observed in this space, it appears there are more than 15 distinct advanced threat groups active in NGO networks. The sheer volume and variety of threat groups active in NGO environments struck us as unusually high for a single industry and indicates the incredibly difficult threat landscape NGOs face.

Hamstrung by limited budgets to establish strong network defenses and few personnel that understand how and why these threats are materializing, NGOs make a relatively easy target. Even if they aren’t profitable, NGOs use credit cards for donations, transact with cash, store personally identifiable information (PII) and, in some cases, even house intellectual property. Many NGOs also work on political issues—an inviting target for opponents who want to monitor their communications and activities. Weak defenses and a target-rich environment make NGOs an enticing victim to maliciously motivated threat actors.

Cyber Operations at NGOs: An Intelligence Collection Pursuit?

NGOs — particularly those based in the U.S. — have long been perceived as instruments of U.S. government policy. Regimes with a less-than-favorable view of the U.S. frequently consider NGOs’ work as a rallying point for domestic unrest and political opposition. Three nations that fit this description — China, Russia and Iran — are all rumored or known to have existing and growing cyber operations to support their governments’ political agendas. Data acquired from NGOs via network compromises has the potential to grant these nation-states valuable, predictive insights on key policy topics and NGO programming, as well as intelligence on personnel and their contacts.

Over the last few years, we have observed China-based advanced persistent threat (APT) groups frequently target U.S.-based NGOs. Unsurprisingly, they were organizations with programs that touched on Chinese human rights, democratic reforms, and social issues. In these instances, data theft was not just limited to documents about NGO programming, but also included documents on grants, legal proceedings, research programs, and even employee communications. The threat actors and recipients of the stolen data were likely able to gain significant insights into the NGOs’ operations, issues, and personnel. Not only were the threat actors better positioned to understand the NGOs’ values and plans, but, more importantly, they could potentially identify in-country contacts for the NGOs. These domestic contacts could face repercussions for their collaboration with the NGO.

Figure 1: A sample breakout of the types of documents stolen from an NGO

Sought-After Financial Data Goldmine

Because NGOs are often dependent on donations from large donors and dedicated supporters, they maintain or process financial data of potentially great value to cybercriminals who seek to steal PII. This financial information could be used to perpetrate identity theft and other types of criminal exploitation, including the theft of credit card numbers, bank account information, and other PII of wealthy individuals. There are any number of cases of non-profits that were either breached via network compromise or even experienced the physical theft of devices that gave perpetrators access to databases filled with valuable information such as names, addresses and social security numbers. In one instance, a simple website misconfiguration exposed one nonprofit’s database of donors and their personal information.

The acknowledged wealth of many NGO donors likely contributes to the motivations financial threat groups would have in targeting NGOs. FireEye tracks a number of criminal threat groups who conduct network intrusions to obtain data similar to the kind NGOs manage in large quantities. These threat actors may seek financial gain from cyber operations through direct theft of funds or the resale of data they have stolen. Because NGOs maintain valuable financial data, and perhaps other data they perceive to be valuable, criminal threat actors may target these networks with the intent to profit.

Perception of Weak Defenses

When criminals are looking for an easy target, NGOs’ networks may be perceived to be easy pickings. Just as the common thief would rather steal items of value from a house without an alarm than one with, the same is true with advanced threat actors and cybercriminals. NGOs possess information of value that a variety of threat actors desire, and their networks can sometimes be far easier targets than government institutions or large commercial organizations, due to their typically limited resources when it comes to network security and defense.

Although NGOs face a unique landscape when it comes to advanced threats in terms of the sheer number of threat groups targeting them and the widely varying possible impacts of a breach, their operations and needs share many similarities with those of our small- and medium-sized (SMB) customers. To that end, FireEye Labs recommends reviewing our latest SMB-focused white paper for more insight into what the broader threat landscape looks like for NGO-like organizations. A copy of the paper can be found here: https://www.fireeyesolution.com/smb_five_reasons_wp.html.

Intelligence Analysts Dissect the Headlines: Russia, Hackers, Cyberwar! Not So Fast.

Claims of cyber attacks, website defacements, sophisticated Russian malware, and even “cyberwar” have hit front pages since the conflict in Crimea heated up. With all the noise, it’s hard to know what has actually occurred, and even tougher to interpret the consequences of the potential activity.

Here’s our take on the major cyber activities that have been reported throughout the Russia-Ukraine crisis.

We anticipate that Moscow will seek to avoid the international criticism of its purported network operations that accompanied the 2008 Georgia crisis and the 2007 incident in Estonia. Instead, we think Moscow is more likely to use narrowly focused, limited operations in support of strategic state objectives.


Operation GreedyWonk: Multiple Economic and Foreign Policy Sites Compromised, Serving Up Flash Zero-Day Exploit

Less than a week after uncovering Operation SnowMan, the FireEye Dynamic Threat Intelligence cloud has identified another targeted attack campaign — this one exploiting a zero-day vulnerability in Flash. We are collaborating with Adobe security on this issue. Adobe has assigned the CVE identifier CVE-2014-0502 to this vulnerability and released a security bulletin.

As of this blog post, visitors to at least three nonprofit institutions — two of which focus on matters of national security and public policy — were redirected to an exploit server hosting the zero-day exploit. We’re dubbing this attack “Operation GreedyWonk.”

We believe GreedyWonk may be related to a May 2012 campaign outlined by ShadowServer, based on consistencies in tradecraft (particularly with the websites chosen for this strategic Web compromise), attack infrastructure, and malware configuration properties.

The group behind this campaign appears to have sufficient resources (such as access to zero-day exploits) and a determination to infect visitors to foreign and public policy websites. The threat actors likely sought to infect users to these sites for follow-on data theft, including information related to defense and public policy matters.
