Written by Shannon Vavra
When U.S. Cyber Command warned last week that a hacking group was using a Microsoft Outlook vulnerability previously leveraged by an Iran-linked malware campaign, it appeared to be signaling just how much the military knows about those operations. But the alert was significant in other ways: behind-the-scenes details uncovered by CyberScoop show that it is an example of how the U.S. government has built up its use of the information-sharing platform VirusTotal so the private sector gets more information sooner.
Along with Cyber Command’s warning, which also was shared in a tweet, the Department of Homeland Security (DHS) released its own private warning to industry, CyberScoop has learned. The department’s traffic light protocol (TLP) alert covered the same threat that Cyber Command would eventually post to VirusTotal.
In going public with the malicious files, Cyber Command appears to have revealed new information about how Iran-linked actors leveraged another malware family, known as Shamoon, as recently as 2017, according to Chronicle, which owns VirusTotal. Not only is it believed to be the first time Cyber Command has documented Iranian activity in a VirusTotal upload, but former Pentagon and intelligence officials also say the specific details of the upload show that the military wants to enhance its information sharing in a way that supports the cybersecurity mission of the entire U.S. government.
The goal, the experts say, is to demonstrate agencies’ visibility into attacks in order to discourage adversaries from launching more. In this case, the military publicly released key technical details through Cyber Command, while a civilian agency — DHS — reached out directly to the government agencies and other organizations through the TLP.
Cyber Command’s shift to highlighting Iran-linked activity — the majority of the command’s samples on VirusTotal appear to have originated from Russia — comes as U.S.-Iran relations have grown tense over the past few weeks. Iran attacked two ships and downed an American drone in June, according to the Trump administration. Cyber Command — which is closely tied to the National Security Agency (NSA) — launched a retaliatory cyberattack against the spies believed to be behind the ship attacks, as Yahoo News reported.
Dave Weinstein, who served in Cyber Command between 2010 and 2013, tells CyberScoop that if Chronicle is correct in linking the evidence on VirusTotal to Iran-linked hackers, it could cause other nefarious actors to reconsider their operations.
“This type of information sharing can potentially revise the current calculus of malicious cyber actors who by default assume they are operating under a high degree of stealth,” Weinstein said.
The Shamoon connection
Some of the files Cyber Command uploaded to VirusTotal may be tied to vulnerabilities long ago discovered by private cybersecurity companies, according to Chronicle.
The vulnerability Cyber Command warned about, CVE-2017-11774, was patched by Microsoft in 2017, but the group known as APT33 — which researchers have linked to Iran’s government — has exploited it as part of an effort to deploy backdoors and launch malware on web servers, in attacks that cybersecurity company FireEye identified in late 2018 and again last month. As with most vulnerabilities, the existence of a patch doesn’t guarantee that users have applied it.
The best known version of Shamoon was used in a 2012 attack on oil giant Saudi Aramco that destroyed data on tens of thousands of computers. An updated version, Shamoon 2, emerged in November 2016 in another campaign against Saudi targets. Last year, malware resembling Shamoon also infected an Italian oil firm that does business in Saudi Arabia, crippling hundreds of the firm’s servers.
The information Cyber Command posted on VirusTotal last week does not overtly show the connection between the tools and previous versions of Shamoon. But an analysis of the files shows that the campaigns have significant similarities in their infrastructure, Brandon Levene, head of applied intelligence at Chronicle, told CyberScoop.
“Within each of these malware downloaders, actually the intermediate downloading IP addresses have very heavy overlap with the Shamoon 2 infrastructure,” Levene told CyberScoop.
Levene says the overlaps may add insight into how Shamoon malware operates.
“We don’t know for sure that this particular exploit was used in this activity, but [Cyber Command] seems to be making a link,” Levene told CyberScoop. “They seem to be alleging that this particular Outlook security bypass was linked to these malware files.”
The link could add details to what researchers know about how Shamoon gains access to targets, Levene says. Although it has been speculated that spearphishing played a role, the link suggests an exploit may have been the initial vector into targeted networks, Levene said.
Cyber Command would not comment on the origins of the samples.
A familiar RAT
The uploaded files — compiled PowerShell downloaders — are meant to load PUPY RAT, an open source remote access tool that APT33 has used before. According to cybersecurity companies Sophos and Avast, which also analyzed the uploaded files, the executables were designed to look like legitimate software installers. Both companies said one of the executables was disguised as a legitimate Citrix certificate, while the other posed as an Adobe Flash Player update.
Lotem Finkelsteen, the Threat Intelligence Group manager for cybersecurity company Check Point, told CyberScoop the samples uploaded are “associated” with attacks from APT33 against Saudi Arabia, including Shamoon.
The companies CyberScoop talked to were not the first to identify the ties to APT33. FireEye attributed exploitation of the Outlook vulnerability to APT33 based on evidence from an attack the firm identified in late 2018 and another last month.
Kaspersky Lab says a group it calls Newsbeef is linked to the files in the upload. Newsbeef has had access to Shamoon source code and has used a PUPY backdoor in the past, like APT33, Kaspersky says. The Moscow-based company told CyberScoop it also has attributed one of the executables uploaded to VirusTotal to the group, but the company says it’s unclear whether APT33 and Newsbeef are made up of the same people.
The three other samples Cyber Command posted were web shells or upload scripts. According to Levene, each tool has a slightly different purpose, but all of them let attackers carry out tasks on servers they have compromised.
“There is a clear capability on the part of the attacker to interact with servers they may have compromised,” Levene said.
Andrew Brandt, a principal researcher at Sophos, said the web shell in the VirusTotal upload includes database commands, which allow attackers to manipulate the file system of the machine where the web shell is deployed.
Publishing the samples may push hackers linked to the Iranian regime to once again change the way they conduct their business. A cyber-espionage group associated with Iran updated its tools following Symantec reports detailing their activity earlier this year. In another case, Cisco Talos researchers found Iran-linked hackers changed their tactics in response to published research.
Cyber Command’s endgame
Weinstein, who now works as Claroty’s chief security officer, says Cyber Command’s latest upload shows the military may be moving to use VirusTotal to deter adversaries.
“This is a deliberate and strategic effort by Cyber Command … to partner with the security research community to root out malicious cyber-activity,” Weinstein told CyberScoop. “I think it could make our adversaries think twice about their operations — be more selective.”
The release of samples with links to one of Iran’s most high-profile attacks, Shamoon, comes right after Cyber Command released samples that highlighted not just past attacks, but active attacks linked to Russia, as CyberScoop first reported.
Levene told CyberScoop at the time “that may mean [Cyber Command] could be looking to burn more active operations” moving forward.
Bob Stasio, who previously spent time at both the National Security Agency and Cyber Command, tells CyberScoop the uploads show a change in the way the Department of Defense thinks about its adversaries. In the past, the U.S. government would refrain from showing its hand publicly, fearing that public information could jeopardize intelligence operations.
“That’s a well-held thing at NSA — they’re not going to burn their access,” Stasio said. “As soon as you show … that you have your cards, the adversary knows that they’re compromised and they’re going to start changing the way they operate. That’s the worst thing for intelligence collection because it compromises the entire thing. And you want to avoid that at all costs.”
Stasio posited that Cyber Command likely now has enough plausible deniability — with help from the private cybersecurity companies previously identifying linked campaigns — to upload these samples without revealing sources and methodology.
The NSA declined to comment on the latest upload.
DHS jumps in
While Cyber Command only began uploading samples to VirusTotal last year, Jay Healey, former White House Director for Cyber Infrastructure Protection, tells CyberScoop that such practices have been a long time coming.
“[Cyber Command] has, since its birth a decade ago, wanted to work directly with the private sector to defend the nation, rather than through [the Department of Homeland Security],” Healey said. “The pessimists will see [Cyber Command] using VirusTotal — and issuing tweets to warn about adversary activity — as a land grab against DHS.”
Private sector officials say that DHS knew something was coming, though. The department released the TLP alert in advance of the VirusTotal post being made public, says Neil Jenkins, chief analytic officer for the Cyber Threat Alliance, a consortium of companies that shares its own threat information. The alert was designated “Amber,” the second-highest of four TLP levels, Jenkins said. TLP: Amber means recipients may share the information within their own organizations and with clients or customers who need it to protect themselves, but not publicly.
Jenkins told CyberScoop that DHS gave his group a heads-up on July 1 that information regarding a threat was going to be released by an agency on July 2. Initially DHS did not say which agency was behind the announcement, but later confirmed to the alliance that Cyber Command would be uploading samples to VirusTotal, Jenkins said.
“They wanted us to make sure that we knew this was going to happen and that we had protections in place,” Jenkins told CyberScoop.
DHS did not comment on details about what it knew and when. An official for DHS’s Cybersecurity and Infrastructure Security Agency told CyberScoop last week’s release is an example of the department working to boost collective security by working with industry and government alike.
“CISA works with USCYBERCOM, the intelligence community and private sector partners to monitor cyber activity and share information to help keep America and our allies safe,” the official said. “Last week’s announcement is another example of the close collaboration between government and industry to share information and defend our systems collectively.”
When reached for comment on the TLP alert, Cyber Command deferred to DHS.
Timing is everything
The VirusTotal post went live around 3 p.m. ET on July 2. DHS had asked companies to hold off on publicly flagging the samples until 1 p.m. ET that day, a member of the CTA told CyberScoop.
“The thing is you’re doing this based on trust,” Jenkins said. “If somebody gives you this information and says, ‘You can’t act on this until Wednesday,’ and you act on it early and that messes something up, then you probably won’t get this information the next time.”
Jenkins, who formerly served as the chief of policy and planning at DHS’ National Cybersecurity and Communications Integration Center, also told CyberScoop the agency wanted feedback from the private sector, such as the last time the alliance had seen the file hashes — the digests that serve as unique identifiers, like fingerprints, for each malware sample — fire in its telemetry.
“[DHS] wanted to know based on our telemetry, based on the information we have, when was the last time we saw these hashes fire, how often have we seen them active,” Jenkins said, for example. “‘Once we take this action on Tuesday … What happens after that? Do we still see these file hashes continue to work? Can you provide us back with information as we move forward to see what happens?’”
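The feedback loop Jenkins describes is a routine indicator sweep: take the hashes from the alert, match them against your own telemetry, and report back first-seen, last-seen, how often they fired, and whether they kept firing after the public release. The script below is an added example written for this page, not code from CyberScoop, DHS, Cyber Command or the Cyber Threat Alliance. The indicator hashes are 64-character placeholders (not the real hashes from the VirusTotal upload), the log format is a generic EDR-style line invented for the example, and the release time is the article’s “around 3 p.m. ET on July 2” converted to UTC.

```python
"""Added example: summarise telemetry sightings of indicator hashes and split
them around the public-release time, the way DHS asked CTA members to report.

All data here is constructed for illustration: placeholder hashes (NOT the
real sample hashes), an invented EDR-style log format, and a handful of
sample lines.  Only the release time comes from the article (3 p.m. ET on
July 2, 2019; July is EDT, UTC-4, so 19:00 UTC)."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, Iterable, Optional, Set, Tuple

RELEASE_TIME = datetime(2019, 7, 2, 19, 0, tzinfo=timezone.utc)

# Constructed placeholder hashes, NOT the hashes from the Cyber Command upload.
HASH_A = "a" * 64
HASH_B = "b" * 64
HASH_C = "c" * 64  # appears in telemetry but is not on the indicator list

INDICATOR_HASHES = {HASH_A, HASH_B}

# Constructed telemetry: "<ISO-8601 UTC> host=<name> sha256=<hex> event=<kind>"
SAMPLE_TELEMETRY = [
    f"2019-06-28T09:12:44Z host=ws-0142 sha256={HASH_A.upper()} event=file_write",
    f"2019-07-01T22:05:10Z host=srv-db-07 sha256={HASH_A} event=process_start",
    f"2019-07-02T18:30:00Z host=ws-0142 sha256={HASH_B} event=file_write",
    f"2019-07-02T12:00:00Z host=ws-0303 sha256={HASH_C} event=file_write",
    f"2019-07-03T04:45:31Z host=ws-0901 sha256={HASH_A} event=process_start",
    "this line is malformed and should be skipped",
]

_SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def normalize_hash(value: str) -> Optional[str]:
    """Lowercase and validate a SHA-256 hex digest; None if it is not one."""
    h = value.strip().lower()
    return h if _SHA256_RE.match(h) else None


def parse_line(line: str) -> Optional[Tuple[datetime, str, str]]:
    """Parse one telemetry line into (timestamp, host, sha256); None if malformed."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        # fromisoformat() in older Pythons rejects a trailing 'Z', so spell out UTC.
        ts = datetime.fromisoformat(parts[0].replace("Z", "+00:00"))
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    digest = normalize_hash(fields.get("sha256", ""))
    if digest is None or "host" not in fields:
        return None
    return ts, fields["host"], digest


@dataclass
class Sighting:
    first_seen: datetime
    last_seen: datetime
    total: int = 0
    before_release: int = 0
    after_release: int = 0
    hosts: Set[str] = field(default_factory=set)


def summarize(lines: Iterable[str], indicators: Set[str],
              release_time: datetime) -> Dict[str, Sighting]:
    """Per-indicator sighting stats; hashes never seen are absent from the result."""
    wanted = {h for h in (normalize_hash(i) for i in indicators) if h}
    report: Dict[str, Sighting] = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed lines are counted separately, not silently lost
        ts, host, digest = parsed
        if digest not in wanted:
            continue  # telemetry about files that are not indicators is ignored
        s = report.setdefault(digest, Sighting(first_seen=ts, last_seen=ts))
        s.first_seen = min(s.first_seen, ts)
        s.last_seen = max(s.last_seen, ts)
        s.total += 1
        if ts < release_time:
            s.before_release += 1
        else:
            s.after_release += 1
        s.hosts.add(host)
    return report


def count_malformed(lines: Iterable[str]) -> int:
    """Number of telemetry lines that could not be parsed (worth reporting too)."""
    return sum(1 for line in lines if parse_line(line) is None)


if __name__ == "__main__":
    for digest, s in summarize(SAMPLE_TELEMETRY, INDICATOR_HASHES, RELEASE_TIME).items():
        print(f"{digest[:12]}... total={s.total} before={s.before_release} "
              f"after={s.after_release} hosts={sorted(s.hosts)} "
              f"first={s.first_seen.isoformat()} last={s.last_seen.isoformat()}")
    print("malformed lines:", count_malformed(SAMPLE_TELEMETRY))
```

Hashes are normalized to lowercase before comparison because vendors and feeds disagree on case, and an indicator that never matches because of a case mismatch looks exactly like an indicator that was never seen. The before/after split is the answer to the question in the quote above: a hash that keeps firing after the release date is a file still executing on someone’s network despite the public disclosure.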
Stasio said that in the past, the different mandates of DHS, the NSA and Cyber Command often worked against one another when it came to information sharing.
“DHS is not living in the same world as NSA,” Stasio said. “[DHS’s] motivation is to work with the public, work with states, work with other agencies that don’t work in the top secret world, they just want to get that information out there, to say ‘Hey, you guys are sitting on these golden nuggets of information … why don’t you give it to us?’ ”
The potential to burn intelligence operations often prevented this type of information sharing, Stasio says.
“I was in situations with some actor groups where we knew everything that the adversary was doing — who they were targeting, how they were doing it, and they were actually targeting private sector entities in the U.S. — and we were not allowed to reveal the indicators about that information,” Stasio said.
Moving forward, Jenkins said he hopes DHS continues sharing information about VirusTotal uploads with the private sector.
“We would like to see it come from multiple agencies, but through DHS because DHS has that network defense mentality that CTA’s members do,” he said. “This was a good opportunity for us to start testing that, seeing how it works, provide lessons learned back to the government, they can provide lessons learned back to us. And we’ll take this as a first step.”