The mainstream media is reporting that the F.B.I. director is conducting an investigation into the deployment of computer hackers to undermine the presidential campaign.
All this is happening two weeks after a dump referred to as Vault 7 that reportedly detailed the extensive hacking capabilities of the CIA: iPhones, Android devices, smart TVs, and the possibility of turning them into surveillance devices.
So the Russian and US governments are deploying their APT groups: are they the only ones?
That the FHAPPI campaign was really nasty was clear to everyone, but the fact that the attacker had a political motivation was not immediately understood. The attackers operated with the intent of causing a political scandal.
We have reason to believe the attackers aimed to make their opponent lose integrity or popularity in the political landscape.
States are sponsoring cyber attacks that leverage specific kinds of malware, injecting it into victims' computers with ever more sophisticated methods and techniques, spying on the victims to gather sensitive information, and using that information to power further lethal spear phishing attacks.
It is even clearer that national CERTs are becoming a mandatory part of any state's defence line; they are assuming the role of the front line against this kind of state-sponsored activity.
The real questions are:
Actually, the situation is very complex: states have quite different cyber capabilities. Many states do not have an effective cyber security posture and are not resilient to this kind of attack.
The lack of norms of state behavior helps threat actors and rogue states, which continue to invest in cyber espionage activities while avoiding sanctions from the international community.
Looking ahead to the next G7 Summit, which will be held in Italy, we cannot underestimate the great importance of the cyber security issues that participants will discuss.
At the same meeting, however, there will be participants with quite different cyber capabilities and, in some cases, strong long-running cyber partnerships; think, for example, of the Five Eyes alliance.
The USA, UK, and Canada are members of the Five Eyes alliance, Germany has supported the US surveillance program in the past, and these countries are probably the most advanced at the G7.
Do you believe they will accept norms of state behavior?
Returning to the Chinese FHAPPI campaign, we decided to interview the popular researcher @unixfreaxjp, head of the notorious MalwareMustDie malware research team. As usual, with a few strokes of the brush he will show us a disconcerting reality.
A: I am not at liberty to describe any information from the victim side. But this attack is the continuation of the long string of cyber attacks that occurred in the past and that target the reputation of the targets and their ability to “influence” the political dialogue.
By the way, the way the malware was formed and wrapped tells a lot about what is happening; let's try to summarize the key findings:
A: The usage of PowerSploit is an important sign for us; it shows that a vector to inject into a process under an adjustable permitted privilege can be achieved on a Windows system (and, well, on other OSes too).
But this case shows us that we need to be alert to abuse through the usage of powershell.exe (which is a good tool). The shellcode injected into powershell.exe is the PoisonIvy malware itself; that is where the fileless operation comes from.
And it is not necessarily “by powershell.exe”, if you know what I mean.
As for the APT countermeasure itself, it is a matter of response time. We in the security circle in Japan know this. An APT is designed not to be easily detected. When you think an APT has been spotted and reported, don't wait until security products release a blocking signature; reading the reference analysis and the historical facts and confirming them all by yourself is a must for a CERT. In this case, the Yahoo Incident Team is doing a SUPER great response, as are our good folks at JP-CERT/CC.
A: There are many abuses nowadays using malware for a similar purpose. There is no specific advice except “to stay on alert”, especially if your country is related to or targeted by these types of abuse. The attacker(s) will keep on coming and they will improve; this type of attack cannot be stopped by some “arrests”, and we will just have to be ready to dissect them at their next level.
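Taking the answer above as a defender's cue, the following added example (not code from the interview, from MalwareMustDie or from the campaign analysis) scans constructed Sysmon-style process-creation records for powershell.exe launches that name PowerSploit's in-memory injection cmdlets, decoding any -EncodedCommand argument first so the check also covers the base64 form; the event fields, process IDs and command lines are assumptions.

```python
import base64
import re

# PowerSploit's CodeExecution cmdlets for in-memory injection; when powershell.exe
# is the injection host, these names are what a defender hunts for in telemetry.
INJECTION_CMDLETS = ("Invoke-Shellcode", "Invoke-ReflectivePEInjection", "Invoke-DllInjection")
# -EncodedCommand (and its short forms) carries base64 of a UTF-16LE script.
ENCODED_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline):
    """Return the plaintext of an -EncodedCommand argument, or '' if there is none."""
    match = ENCODED_FLAG.search(cmdline)
    if not match:
        return ""
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return ""  # malformed payload: treat as not decodable rather than crash


def assess_event(event):
    """List the reasons a process-creation event looks like PowerShell-hosted injection."""
    if not event.get("Image", "").lower().endswith("powershell.exe"):
        return []
    cmdline = event.get("CommandLine", "")
    decoded = decode_encoded_command(cmdline)
    reasons = []
    for text, where in ((cmdline, "command line"), (decoded, "decoded -EncodedCommand")):
        for name in INJECTION_CMDLETS:
            if name.lower() in text.lower():
                reasons.append(f"{name} in {where}")
    return reasons


def find_injection_hosts(events):
    """Map ProcessId -> reasons for every event that trips the rule."""
    return {e["ProcessId"]: assess_event(e) for e in events if assess_event(e)}


# Constructed Sysmon-style Event ID 1 records (assumed fields, not telemetry from the campaign).
POWERSHELL_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ENCODED_SAMPLE = base64.b64encode("Invoke-Shellcode -ProcessID 4242".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"ProcessId": 1001, "Image": POWERSHELL_IMAGE, "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\ops\backup.ps1"},
    {"ProcessId": 1002, "Image": POWERSHELL_IMAGE, "CommandLine": 'powershell.exe -NoProfile -WindowStyle Hidden -Command "Invoke-ReflectivePEInjection -PEBytes $pe"'},
    {"ProcessId": 1003, "Image": POWERSHELL_IMAGE, "CommandLine": f"powershell.exe -NoProfile -enc {ENCODED_SAMPLE}"},
    {"ProcessId": 1004, "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe Invoke-Shellcode.txt"},
]

if __name__ == "__main__":
    for pid, reasons in find_injection_hosts(SAMPLE_EVENTS).items():
        print(pid, "; ".join(reasons))  # expected: only 1002 and 1003 are flagged
```

The plain command line and the decoded payload are checked separately so a hit reports which form carried the cmdlet name, which is the first thing an analyst wants when triaging the event.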
About the Author
Odisseus is an Independent Security Researcher involved in Italy and worldwide in topics related to hacking, penetration testing, and development.
(Security Affairs – FHAPPI Campaign, Cyber espionage)