Cylance researchers discover powerful new nation-state APT

When a Belgian locksmith attacked the Pakistani Air Force, researchers at Cylance sat up and took notice. The locksmith probably never knew his website had been taken over by a nation-state hacking group as a command-and-control server, nor that exploit-laden Microsoft Word documents crafted to spear-phish Pakistani Air Force officers were hosted there for more than six months.

The Belgian locksmith was just a pawn in a global game of cyberespionage fought by a new nation-state hacking group, and while the target in this operation was Pakistan — both nuclear-armed and a haven for terrorists in the region — the incredibly sophisticated layers of misdirection used by the malware to mislead and delay forensics analysis worries security researchers, who say these attack tools could be deployed against anyone else in the world at any time.

This heralds the advent of a major new nation-state player in the cyber domain, Cylance researchers speculate, and they rule out all the usual suspects — Five Eyes, Israel, India, China, Russia, and North Korea. While hesitant to attribute the activity to any particular nation, researchers told CSO the new group is likely Middle Eastern, but that its tactics, techniques and procedures (TTPs) are indicative of US-trained intelligence operatives, raising the possibility that former US intelligence personnel have turned mercenary and are building a new group for a Middle Eastern nation.

The new APT group takes the cat-and-mouse game between attackers and defenders to a new level, and blue teams around the world should pay attention to the tactics used here, Cylance researchers say.

Meet the White Company

The new APT’s malware goes to extraordinary lengths to evade detection and includes the ability to detect and hide from eight different antivirus products, including Sophos, Kaspersky, AVG and BitDefender. Additional layers of obfuscation and misdirection led Cylance researchers to dub the group the White Company. “The name is an acknowledgment of the many elaborate ways this threat actor goes to whitewash all signs of its activity, and to evade attribution,” Kevin Livelli, director of threat intelligence, tells CSO.

The malware didn’t just evade antivirus detection, however; it also let itself be discovered by different antivirus products on preprogrammed dates, likely as a distraction tactic. “What we’ve got here in this case is a threat actor who has figured out how to determine what antivirus is running on your system and deliberately trigger it in an attempt to distract you,” Josh Lemos, vice president of research and intelligence at Cylance, says. “That should be concerning to organizations outside of Pakistan.”

Kill switches in malware have been seen before, such as in Stuxnet, but Cylance researchers say they’ve rarely seen a campaign that deliberately surrenders itself to investigators in this manner. “The White Company…wanted the alarm to sound,” their report concluded. “This diversion was likely to draw the target’s (or investigator’s) attention, time and resources to a different part of the network. Meanwhile, the White Company was free to move into another area of the network and create new problems.”

What makes the White Company especially dangerous, however, is its keen understanding of how security researchers study malware, and its sophisticated attempts to foil automated forensics analysis.
