Bears and Kittens, and Startup Cybersecurity Companies

Collin Anderson
11 min read · May 18, 2017


On any other day under normal circumstances, the New York Times’ sensational account of collaboration between Russian hackers and the Iranian government would have been the talk of D.C. foreign policy circles. In its Monday article, the NYT writes in the language of trench warfare about attacks conducted against a military contractor (n.b.: in the Executive Summary the victim is described as a “government office installation”) waged by Iranians armed with a “tool set developed by a known Russian hacker-for-hire and sold in underground Russian forums.” Worse yet, the same malware was found in attacks against Ukrainian power plants. But on any other day, the focus would also have been on the events in Syria, Venezuela, and any number of the controversies of the new administration. And so the article ended up on Page B5, immediately trampled over by that day’s unprecedented and unimaginable action by the Trump Administration.

In absence of meaningful attention, the assertions made by TrapX Security never received their due scrutiny and linger in the ether, bound to be picked up in the next Congressional sanctions bill or think tank publication on cybersecurity.

It would not be unimaginable that the two countries cooperate on cyber warfare; after all, their defense ties are so close that Russia violated a half-century political norm regarding the use of Iranian military bases by foreign powers. Ever since the Iranian Cyber Army defaced the sites of Voice of America, commentators and former government officials have recurrently suggested foreign support from Russia or North Korea. However, in a forthcoming Carnegie Endowment paper on Iranian cyber warfare we argue that every documented case of espionage or destructive attacks is commensurate with the sorts of tactics that we would expect of the country. Even if only a tenth of the diaspora talent that is scattered across Silicon Valley and Europe were to stay in Iran, that’s more than enough to run a sufficient cyber warfare operation. On the other side of the claim, as FireEye has documented, Russia — interested in its ally’s foreign policy position and nuclear program — has engaged in its own cyber espionage against Iran. It’s difficult to see the two countries as dependent on each other in the “cyber domain.”

TrapX’s revelations are timely. Over the past six months, Iran has engaged in offensive cyber attacks against Saudi Arabian institutions, coupled with improved attempts at espionage across and outside the region. There are reasons to pay attention to Iran’s recent moves in cyber warfare.

In its 53 page document (thirty of which are appendixes, padded a bit for show), the security firm does provide a unique contribution to research on Iranian threats. The actors, dubbed “Oilrig,” that were involved in the intrusion of its client are one of the most professional and prolific groups that appear to be connected to Iran. Palo Alto Networks, ClearSky and FireEye, among others, have written several articles on the group over the past year. Taken together these technical publications describe a professionalization and improvement of an ambitious threat actor developing over a short period of time. TrapX meaningfully contributes to this line of work by thoroughly describing the behavior of the group once they are in the network. They are keen to mention that contribution, and it’s true. In fact, it is as though pages 14 and 15, the origin of all the following problems, were written by a completely different person (although the whole report could have used a copy edit, with mistakes like “total virus”). While this is awkwardly documented through the lens of their proprietary network defense equipment, there’s no shame in salesmanship.

The problem with TrapX’s “Iranian Nation State Interdiction, Threat Actor: OilRig” is everything after, which roughly follows two lines:

  1. the claimed links with Russian threat groups fail in merit; and,
  2. the overall analysis itself is problematic and laden with errors.

Inherent within the disclosure is a self-serving information asymmetry that is an impediment to scrutiny: TrapX can claim it has other more compelling evidence that cannot be disclosed. This arises within the NYT piece and the actual report, where they are often circumspect about certain details. Thus, their ability to evaluate their own technical information is relevant to this critique and whether we should trust more opaquely-sourced claims.

The Faulty Foundation

To start with the second thematic critique as a framework for scrutiny, let me make some short pedantic points on errors that begin to accrue across the paper. I lead with this not because they are the report’s Achilles Heel, but because they are accessible examples of the types of errors that cast a shadow over the overall edifice of the research to any independent reviewer.

In its analysis of a malware sample used to remotely control victims’ computers, TrapX provides a list of domain names used to communicate back to the attackers. Most of these active domains are well known from ClearSky’s previous writings about the group; however, some ‘newly discovered’ domains offered in the report are quite strange. First, bc2.jp has been registered by a Japanese individual since October 2011. Second, the remaining three domains, supposedly using the country-code domains of Venezuela, Republic of Congo, and Benin, are impermissibly short under the rules of those registrars and have registration terms that require presence in the country. They also cost hundreds to thousands of dollars and take weeks to register — not ideal for malware. Although maybe there’s a buddy system for authoritarian countries.

But more importantly, what has clearly occurred is that TrapX or its partner have done static analysis of the malware to search for meaningful strings of characters. This is common and reasonable, but only a first step. These particular strings must have matched a list of existing top-level domains, and were immediately thrown into the report as indicators of compromise. They were searching in a haystack for anything that could conceivably look like a domain, and when they found something, it was put in uncritically. The irregular capitalization in these supposed domains is further support for the hypothesis that these indicators are nothing more than random text. All of this should have been obvious; it’s an extremely basic mistake.

Where the salesmanship and intent of TrapX’s report starts to surface is in the description of this remote access tool — which they describe as a “weaponized backdoor advanced threat.” Great adjective use, but they forgot persistent. The report then goes on to describe the malware as an “enhanced (new) version of the ‘ Flying Kitten RAT’ tool that was leveraged by the Iranian threat actor.” The call back to Flying Kitten, one of the first well-documented Iranian threat groups, is quite compelling on its own because from all indications they have not been active since Summer 2014. For a new version of their old malware, called “Stealer,” to resurface and progress from high-school project quality to “weaponized with an anti-reversing and anti-debugging techniques” would be quite impressive. But this is the first and last appearance of Flying Kitten in the report, with no proof of the connection.

That, as they note, “antivirus companies recognize this file as malware” is a hint that is strangely acknowledged and then pushed aside by TrapX: their “weaponized backdoor advanced threat” is the agent for the well-known penetration testing software Cobalt Strike. Again, fairly common with Iranian actors, who either use the trial version of the software or pirated copies. Why write your own malware, when excellent toolkits are freely available?

The Russia Connection

The errors are worth noting because they start to show a failure to check basic claims, compounded by a tendency to exaggerate their findings. There’s no shame in making mistakes, especially with respect to Iranian campaigns, which are so fluid and chaotic that no one seems to completely understand the ecosystem. This was a fact I was reminded of that same day, when I was privately called out on an attribution claim that became weaker over time.

But, asserting cross-national cooperation is a strong statement that requires strong evidence, and TrapX overall offers us the following:

This combined with the Russian C&C domain registered to a known for-hire Russian hacker leads us to the conclusion that Russian contractors are supporting the Iranian OilRig attackers.

TrapX’s evidence is both extremely weak and technically incorrect, reliant on two pillars: an IP address and an email address.

The IP Address

The first hint of Russian involvement arises in the context of the Cobalt Strike sample, to quote TrapX:

During the TrapX labs investigation, we identified indicators that point to Russian hacker involvement. Once the malicious code is executed and injects itself in to a legitimate process, and then tries to communicate with multiple IPs …[t]his IP is part of the black energy attack that was linked to the Russian government.

Once the malware is run, it begins to engage in network activity, and TrapX began to look into who owned those Internet resources to find hints of who was behind the campaign. One of the addresses found had also apparently shown up in an evaluation of samples of the BlackEnergy malware agent associated with Russia. With the overlap, TrapX starts to build its case and implies the malware is BlackEnergy.

Rather uniquely for an Iranian group, the VPN client malware used to target TrapX’s client was signed with a security certificate that is supposed to provide some assurances that the software is trustworthy. This is a particularly helpful resource for attackers to acquire because Windows will not display a warning about the software being untrusted if it is signed. Oilrig had managed to get its hands on the code signing credentials for the Vermont-based company Ai Squared, which, while not Juniper, sufficed to skip the dialog for fake Juniper software (it’s a weak arrangement). This backstory is crucial because it provides a counter hypothesis.

OilRig Code Signing From ClearSky’s Investigation

When Windows runs signed software it automatically contacts the certificate authority responsible for issuing that certificate to make sure that it is still valid (this is called a CRL request). The company that provided this certificate for the fake Juniper client is Symantec. Symantec, a global company that is dependent on its services being fast and globally accessible, hosts these services with the prominent content distribution network Akamai. Thus, when the client ran the malware, the first thing it did was contact one of Akamai’s servers, specifically one behind the IP address 23.4.187.27. An example of the same malware sample running in the VirusTotal sandbox confirms this chain of events.

This is apparently Russia in action. https://www.virustotal.com/en/file/40182c3b3c556f89a997a88af72292840a8527fb51beee03edde674cd7abcdd4/analysis/

(n.b.: this IP claim does appear in a different section of the report than the signed malware, but if it was not the fake Juniper client triggering the CRL request, it was almost certainly another legitimate request: PCAPs showing it wasn’t a CRL request, or it didn’t happen.)

The Russian IP link is normal Internet background noise. It would not be inconceivable to estimate that almost every computer on the Internet generates a request to Symantec (and thus those Akamai servers) at least once a day. What followed was a comedy of errors: previous investigations into BlackEnergy mistook this request for malware functions without validating the address, and then TrapX saw the request and mistook it for BlackEnergy without validating the address.

The Akamai IP is not a Russian government resource.
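Both of the mechanical mistakes described above (strings(1) hits ending in a TLD-like token published as C2 domains, and a contacted IP published as attacker infrastructure without ruling out a CA's CDN-hosted revocation endpoint) are cheap to catch before an indicator reaches a report. The triage below is an added example, not code from TrapX, ClearSky or this article; the TLD list, the minimum-label-length table for restrictive ccTLDs, the benign /24 around the article's 23.4.187.27 and the sample bytes are all constructed assumptions for illustration.

```python
"""Sanity-check sandbox-derived indicators before publishing them as IoCs.
Added example, not code from TrapX, ClearSky or the article; it models the
report's two mechanical errors: strings(1) hits taken as C2 domains, and a
contacted IP taken as C2 without ruling out a CA's CDN-hosted revocation
endpoint. All tables and sample data below are constructed assumptions."""
import ipaddress
import re

KNOWN_TLDS = {"com", "net", "org", "info", "ru", "jp", "ve", "cg", "bj"}
# Assumed minimum registrable-label length for restrictive ccTLDs; the
# article notes the report's .ve/.cg/.bj 'domains' were too short to exist.
MIN_LABEL = {"ve": 3, "cg": 3, "bj": 3}
# Constructed placeholder /24 for a CDN-hosted CRL/OCSP responder; it
# contains the article's 23.4.187.27 (Akamai, serving Symantec revocation data).
BENIGN_INFRA = [ipaddress.ip_network("23.4.187.0/24")]
DOMAIN_RE = re.compile(r"^[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$")

def strings_like(blob: bytes) -> list[str]:
    """Crude strings(1): runs of four or more printable, non-space bytes."""
    return [m.group().decode() for m in re.finditer(rb"[\x21-\x7e]{4,}", blob)]

def classify_string(s: str) -> str:
    """Is a strings(1) hit a credible domain indicator, or just random text?"""
    if not DOMAIN_RE.match(s):
        return "not-a-domain"
    labels = s.split(".")
    tld = labels[-1].lower()
    if tld not in KNOWN_TLDS:
        return "unknown-tld"
    if s not in (s.lower(), s.upper()):  # irregular capitalization
        return "implausible: mixed-case hostname"
    if len(labels[-2]) < MIN_LABEL.get(tld, 1):
        return "implausible: label below registry minimum"
    return "candidate-domain"

def classify_ip(ip: str) -> str:
    """A contacted IP is not C2 until benign infrastructure is ruled out."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in BENIGN_INFRA):
        return "benign-infrastructure: CRL/OCSP/CDN"
    return "candidate-c2"

def triage(blob: bytes, contacted_ips: list[str]) -> dict[str, str]:
    """Map every indicator from one run to a verdict an analyst can review."""
    verdicts = {s: classify_string(s) for s in strings_like(blob)}
    verdicts.update({ip: classify_ip(ip) for ip in contacted_ips})
    return verdicts

# Constructed sample: a C2 host named in the article, random text that ends
# in a ccTLD, a non-domain string, the Akamai address and a TEST-NET address.
SAMPLE_BLOB = b"\x00\x01alenupdate.info\x00\x00kQ.ve\x00MZ\x90\x00hello\x00"
SAMPLE_IPS = ["23.4.187.27", "203.0.113.5"]
```

Running `triage(SAMPLE_BLOB, SAMPLE_IPS)` keeps only alenupdate.info and the TEST-NET address as candidates; the mixed-case ccTLD string and the Akamai address are flagged for exactly the reasons the article gives.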

The Hacker

The second piece of evidence is a bit harder to engage because it’s fairly unclear what TrapX is asserting and where it sources its supportive evidence. Essentially the claim is that there is supposedly a Russian darknet figure that uses the alias “alen,” and on the basis of the domain used in a malware command and control, there’s a direct link between the two:

The Russian hacker has been observed to use several e-mails with the combination of the name of alen.martin. It was determined that part of the C&C domain used the name alen (e.g. alenupdate.info) and additional C&C domain were registered under this name with corresponding e-mail addresses of martin.alen@mail[.]ru and alen@mail[.]ru.

Trapx Labs performed extensive research specific to this threat actor and determined that “alen” uses additional e-mail addresses that correspond to a known Russian hacker that is continuously active within the Russian darknet network.

The first two sentences of TrapX’s statement are correct and echo ClearSky’s report: the domain used for malware communications was “alenupdate.info,” registered to “martin.alen@mail[.]ru” — which had also registered another fake VPN domain. That’s where the trail stops. Firstly, in none of the indicators provided is there any indication of an “alen@mail[.]ru” address — and the extremely useful DomainTools search service does not return any historically registered domain for that address.

I burned my monthly DomainTools search on this.

TrapX then tosses out a few more addresses without making clear the source: “alen130687@yandex[.]ru”, “alenbost@yandex[.]ru” and “a10435536@nepwk[.]com,nchity@mail[.]ru” (sic). Again, no domains in DomainTools, and only one shows up on a search — within a list of usernames and passwords from a site compromise.

That’s it. That’s the end of the trail.

To be clear, the use of Russian email services does not stand out beyond what we might expect of someone attempting to avoid scrutiny, such as using a provider that does not require phone numbers to register or does not comply with U.S. law. In fact, Iranian and other Middle Eastern groups have been observed using Russian email accounts, including Yandex and Mail.ru, for years now, so this is within the norm. We will publish something that illustrates this case at length in the coming week or so.

(By the way, are we really to believe that an international conspiracy between Russia and Iran communicates back to a domain with the attacker’s alias?)

Conclusion

So, this is where we stand: the assertion in the newspaper of record that Iran and Russia are collaborating on cyber warfare is built on a false claim and an unsubstantiated one. Detection of the BlackEnergy agent turns into a report of a vaguely similar IP address that is core Internet infrastructure, with no actual samples of the Russian malware. The authors then say “trust us” and describe a persona that is difficult to substantiate. But with so many errors, why should we trust TrapX?

The types of skepticism offered to the New York Times report are generic issues in attribution that actually don’t relate to the claims in the paper. This even calls into question whether there was any outside scrutiny of the report prior to the NYT piece. This is important because the technical barriers to entry on such a report make evaluation of significant claims difficult for all but a select group of professionals. Most people, when they read “single vulnerability probing technique searching for a specific Windows XP dll vulnerability,” will gloss over this text mildly impressed with the technical language, rather than end up disappointed with the attacker being dependent on old vulnerabilities. And the story persists without critique or accountability. In the end, strange cybersecurity equipment is sold and the public record is distorted.

Deception technology, indeed.


Collin Anderson

Researcher on Internet policies, network measurement, and state-sponsored hacking.