ShadowTalk Update – Operation Soft Cell, Libra Cryptocurrency Impersonations, and New Cyber Espionage Activity
June 28, 2019
This week Alex and Phil join Harrison to discuss Operation Soft Cell, a campaign that has been actively compromising telecommunications organizations since early 2017. Other highlights from the week include a new cyber espionage campaign, known as Operation BouncingGolf, targeting Middle Eastern individuals’ mobile devices; the Russia-associated threat group “Turla”, which has demonstrated new tools and capabilities in three campaigns; and media allegations that the United States Cyber Command has targeted Iranian espionage groups.
The team ends the week with a discussion around some new research Alex put out around Libra cryptocurrency impersonations. (Check out Alex’s blog, Facebook’s Libra Cryptocurrency: Cybercriminals Tipping the Scales in Their Favor).
Abuse of legitimate services persists despite mitigation
A recent phishing campaign exploited features in the Google Calendar service to harvest Gmail users’ personal and financial information, highlighting an ongoing trend of cybercriminals abusing legitimate services. Millions of Internet users rely on readily available legitimate tools like Google Calendar, providing attackers with a broad selection of individual and organizational targets. In the face of increased security awareness and more effective technical countermeasures, threat actors have adapted to exploit users’ trust in online services. This has boosted the likelihood of successful attacks, including ones that incorporate tried and tested tactics from traditional social engineering campaigns.
Persistent espionage attacks gather mobile-device user details
For the past two years, a highly persistent, likely Chinese-state-associated cyber espionage campaign has targeted telecommunications providers, apparently aiming to exfiltrate customer call detail records (CDRs). The campaign’s operators conducted four intermittent waves of attacks, each with similar methodologies but involving different tools and seemingly tailored to suit the target system. Some tools and techniques are associated with previous activity of the Chinese nation-state group APT10, but Chinese threat groups often share tools and infrastructure, and some of the tools have also been advertised online. Given the persistence and length of the campaign, its success and impact are likely substantial, and emulative threat actors will probably take interest in the methods. The perpetrator’s infrastructure may have been taken offline (given a recent lull in activity), but attacks could be reactivated.
New BouncingGolf campaign embeds code in apps for espionage in Middle East
A new cyber espionage campaign has targeted individuals in the Middle East with malicious code embedded into apps that masquerade as legitimate. Once users open these apps, the “GolfSpy” spyware automatically downloads. The attackers seem to be ultimately seeking military-related data alongside device and location data, and users’ PII. There is a realistic possibility that the Iranian government is linked to this campaign; there are overlaps between GolfSpy and tools used by the Iranian “Domestic Kitten” threat group. Monitoring individuals via app malware is prevalent in Iran, and Iran-originated campaigns of this kind also operate elsewhere in the Middle East; this campaign fits the targeting patterns of Iran-associated groups.
Turla shows off new tools, techniques in three campaigns
Across three separate campaigns in the past 18 months, the Russia-associated threat group Turla has demonstrated new custom tools and attack techniques. Spanning multiple target geographies and sectors, but predominantly government ministries, the attacks were likely aimed at reconnaissance and/or espionage. The first campaign included the new backdoor “Neptun”, which targets Microsoft Exchange servers to passively listen for commands; the second used an adapted version of the public “Meterpreter” tool and a custom RPC backdoor; and the third included a custom RPC backdoor based on the public “PowerShellRunner” tool. By living off the land, Turla can extend its capabilities with publicly available tools and obscure its presence by hijacking the already established infrastructure of other threat actors.
United States Cyber Command attacks Iranian espionage groups
Threat groups associated with the Islamic Revolutionary Guard Corps, as well as Iranian military systems, were reportedly targeted by the United States Cyber Command during the past month. The TTPs used remain undisclosed. The cyber attacks were reportedly conducted in retaliation for one of several recent, likely geopolitically motivated attacks, such as the Iranian attack on a United States commercial ship in June 2019. Because of geopolitical tension between the United States and Iran, additional cyber attacks and retaliation are likely.