The Russian APT group known as Cozy Bear doesn’t hibernate for long, and in late October Microsoft warned that the nation-state actor was trying to replicate the success of its SolarWinds supply chain attack — this time by compromising IT resellers and tech/cloud service providers and then impersonating them in order to target their customers.
On the heels of that report, researchers from Israeli cyber assessment and optimization firm CYE released their own findings, which show that Cozy Bear — aka Nobelium or APT29 — is not putting all its eggs in one basket. CYE reported what it claims is previously unreported Nobelium activity involving an unknown C2 malware, along with new TTPs and IOCs.
Lionel Sigal, head of the CTI division at CYE, spoke with SC Media about these latest findings. Before venturing into the private sector, Sigal served as the former head of the Israeli Ministry of Defense’s Cyber Bureau, and was also head of the Internet Skills Training Branch at the Office of the Prime Minister.
Let’s start with a little background on CYE’s new CTI team and what it’s focus is?
We started the intelligence services as part of a bigger division called the Critical Cyber Operations Division. … We also have an IR department for forensics and advanced architectures. So this is an entirely new group that a few months ago was established at CYE.
We brought in people, including myself, with extensive experience from the Israeli security services — people that actually engaged with state actors and above in the offensive arena and also in the defense arena. … So what we're what we're trying to do now is to put into context, the different threats that exist to our customers … and to actually explain them and try to create a story or a flow.
And apparently in the short time you’ve been in existence you have already encountered Nobelium and uncovered part of a campaign. Can you take me through that experience?
Knowing the possible targets and possible TTPs of state actors, we try to give our customers some tips and some basic tools to try to find abnormal behaviors in their networks. And that's what happened in these cases that we engaged with APT29. We started by seeing something that didn't look too right. It looked strange. And once engaging, we applied our suspicions and our knowledge of our how a state actor operates.
The customers that we engaged with were all supply chain companies. It's important to note that they were not the [final] targets of APT29. … As much as we understand and we can assess, they were they were used [to get to] the real targets or more valuable targets.
What we saw was an interesting TTP where APT29 receive a target somewhere across Europe. And then in a very systematic and long process — we assess it can take a year or so — they gather as much intelligence as they can about the suppliers of that target. And then, once they focused on one or two suppliers, they attacked those companies, they compromised the networks … and then mapped the very specific people at the suppliers that are relevant to the target and that have connections to the target — network connections or working connections or both.
And then they use the knowledge that they gathered in order to attack the next target. … They do that in order to gain more intelligence and more attack surface [to reach their final target].
Was the activity similar to the SolarWinds attack?
It’s very different than the SolarWinds attack. Because in the SolarWinds attack, they actually changed [the supplier’s] source code. They basically used the fact that SolarWinds is a supplier of many, many entities and they put some kind of malware in the supplier [software update]. Here in this case, they didn't.
And the tool that we found that appears in the report is only a C2 tool … to gain lateral movement in the network to map the people, the relevant people. … It doesn't collect information.
The C2 tool uses legitimate websites for C2 [communications], so it's nearly impossible to detect. The other thing is that we know APT29 did not execute the attack on the target directly from our customers. They gathered the information they needed, and then they attacked [from] somewhere else. We don’t know [but] we have assessed more or less what the targets were and we can say that they were highly sensitive entities in Europe. But that's because we know who the customers of the [suppliers] are — not because we saw the actual attack on the target.
The malware was new to us — completely new. The TTPs were relatively new. We've seen something a little bit similar before. And … the IOCs gave us the hard connection to APT29.
The supply chain companies that you observed Nobelium trying to compromise — were they IT resellers and tech/cloud service providers, similar to the malicious activity that Microsoft reported on last month?
The reason I say that it's not necessarily IT companies is because we understand that state actors look for what we call hub companies. A hub company is actually a very simple idea. It's a company that has many suppliers and many customers and has connections with them. It can be an IT provider, it can be an insurance company, it can be a bank, it can even can be the water supplier, or the cleaning company. Companies that are not necessarily interesting by themselves, but they do create an extensive attack surface and provider really good cover for the attacking groups to get to their targets. And this M.O. [modus operandi] is very hard to detect.
You worked in Israel’s Office of the Prime Minister — specifically as head of its Technology and Cyber Academy’s Internet Skills Training Branch. What would be your advice for putting together a training program that helps organizations protect themselves from SolarWinds-type supply chain attacks?
The message should be that companies … need to put their suppliers in the cyber defense programs and planning. Many times we see that companies don't in a way don't care about the security the cybersecurity of their suppliers. But we’ve arrived at a point where companies should care and should understand that they need to protect this part as well.
They don't need to look at it as part of their network but they need to protect it. For example, maybe the usage of only site-to-site VPN connections. Obviously, the usage MFA and stuff like that, but maybe the usage of whitelists. … Maybe when I have a connection to a supplier, I need to put it in a specific area of my network that's in a specific VLAN or something like that, so that even if I get an attack from that side, my entire network is not compromised.
What I'm saying is that the required steps are first to understand that the supplier can cause me damage. And then to look at the connection between me and my suppliers — all of them — as potential routes to be attacked. And then protect them. I'm not saying that [companies] should be responsible for the cybersecurity of all of its suppliers. I do say that they need to protect the connections, the last mile.