Security researchers at Cylance have unearthed a sophisticated cyber-espionage campaign being run by a state-sponsored hacker group dubbed The White Company which has been targeting Pakistani government organisations as well as the country's air force for over a year.
In a detailed research work, termed as the White Company project, the researchers have revealed how hackers belonging to the state-sponsored White Company are not only targeting the Pakistan Air Force and other government organisations, but are also using sophisticated tools and techniques to evade attribution and to eliminate all signs of their activities.
Even though the researchers have not yet determined the nationality of the hackers or which country has been sponsoring the year-long cyber-espionage effort, dubbed Operation Shaheen by the Cylance Threat Intelligence Team, they are sure that the hacker group's profile and techniques do not match or resemble techniques employed by established state-sponsored groups or known Russian, Chinese, North Korean, Iranian or Israeli hackers.
The fact that the hacker group running Operation Shaheen has access to zero-day exploit developers, access to a complex, automated exploit build system, has the capability to carry out reconnaissance of targets, and the ability to modify, refine and evolve exploits to meet mission-specific needs, indicates that the operation is certainly state-sponsored.
Specifically, the White Company has the ability to effectively evade as many as eight popular antivirus solutions such as Sophos, ESET, Kaspersky, BitDefender, Avira, Avast!, AVG and Quick Heal. According to Cylance researchers, the hackers can also surrender to such antivirus solutions at will to "distract, delay and divert the targets’ resources".
The White Company uses an un-attributable network infrastructure for command and control, can wipe Word documents and replace them with dummy ones, can place surveillance payload within a series of nesting-doll layers, and uses five different obfuscation techniques to avoid the detection of custom malware during the campaign.
"Our comprehensive approach to examining The White Company and one of their campaigns has shown that this threat actor has a keen awareness of the typical methods, biases and assumptions held by many in the security research and investigative communities – and they have demonstrated an ability to use that common approach against that community by deliberately undermining those assumptions and leaving contradictory bits of evidence that effectively distract, delay and degrade the ability to analyse their work," the researchers noted.
Commenting on the techniques employed by The White Company, Martin Jartelius, CSO at Outpost24, told SC Magazine UK that the primary motive of the hacker group is not to cause a disturbance at this time but to understand the adversaries’ weaknesses and to launch attacks strategically when needed.
Adding that it is extremely hard to defend against a motivated attacker with large sets of resources, an organisation need to introduce defence in depth and implement good cyber-hygiene that includes procuring equipment only from established vendors with a set update process, maintaining an asset inventory and auditing cyber-security as much as possible by automation.
According to Sam Curry, chief security officer at Cybereason, attribution is very hard on the Internet as the latter is a fundamentally anonymous place and it is easy for anyone to use proxies, cut-outs and long chains of systems to evade detection or attribution. False flag operations carried out by hackers not only make attribution difficult but can also influence a state's diplomatic agenda by turning allies against each other.
"We’re in a multi-polar world, not bi-polar. As in politics when you have more than two parties, the sophistication of connections becomes tangled and unpredictable. The only things that can change the equation are stronger authentication (without violating net neutrality of course) or making defenders stronger so they enjoy the asymmetries of cyber-conflict instead of being the victim as they all too often are.
"The good news, however, is that attribution doesn’t matter. There’s no super-national court that will ultimately deliver justice, and thinking you’ve identified the bad guy and dealt with them could leave you open to a second attack by copy cats, another attacker, the original attacker who ran a false flag and so on," he adds.