That Time Britney Spears Was Behind an APT Campaign (No, Not Really)
Turla (also known as Uroburos) is a highly sophisticated advanced persistent threat (APT) group that has long been suspected of ties to the Russian government, active since at least 2008 and likely lasting until the world ends.
This cross-platform malware family has been seen on both Windows and Linux. It uses a wide variety of unusual tactics to infiltrate embassies, military bases, and critical infrastructure across Europe and the Americas.
This week, researchers at ESET made an interesting discovery in this trojan's circus of antics, which has now roped in pop idol Britney Spears.
Having previously abused Google Analytics and various watering hole techniques, the authors of Turla have gone out of their way to implement methods that overprotect the malware's ability to exfiltrate data and talk to its control servers. Not satisfied with traditional back channels to its command and control (C2) servers, the authors decided to go with something a little stronger.
Using obscure tactics, not unlike Britney Spears' current career choices, the authors turned to Spears' Instagram account to break the ice, having the implant decode its C2 server address from the comments on her photos.
Astonishingly, the operators developed a custom algorithm that hashes every user comment on Britney's photos to recognise the one they planted, then runs that comment through a regular expression to extract Turla's C2 URL. The scheme sifts through the 6500+ comments on one of Britney's pictures and narrows them down to a single comment:
This seemingly clumsy comment actually contains a steganographic message built with the U+200D zero width joiner (written \u200d in the regular expression). This invisible character is normally used to join emoji code points into one combined glyph, and when the comment is run through Turla's code it yields "2kdhuHX". That result is appended to a Bit.ly URL shortener link, which redirects to the waiting C2 server used to relay commands to the compromised machine.
This sleight-of-hand let the attackers send messages to compromised machines completely under the radar, avoiding typical detection logic. Although researchers believe this drop dead beautiful tactic was used sparingly, many are wondering whether it will spark a whole new era of APT communication.
For a cybercriminal in the modern world, it is hard not to consider tactics like this to bypass the strict IPS and egress filtering that are making a comeback in modern environments. These are dire times for malware authors, who typically hold on tight to their customary attack methods and communication channels; they are now scrambling to innovate in the era of machine learning and next generation antivirus products.
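To make the mechanism concrete, here is an added Python walkthrough written for this post; it is not Turla's implant, ESET's analysis, or Cylance tooling. The comment text, its zero width joiner placement, the decoy comments and the hash function are all constructed for the example, and the implant's real hash routine and exact regular expression are not reproduced. It also includes the defender-side check a practitioner would want: a zero width joiner sitting directly in front of a letter or digit has no legitimate rendering purpose, because genuine ZWJ sequences glue emoji code points together.

```python
import re
import zlib

ZWJ = "\u200d"  # U+200D ZERO WIDTH JOINER: invisible when rendered

# Constructed stand-ins for the thousands of comments under the photo. The
# planted one mirrors the report's description: an ordinary-looking comment in
# which each payload character is preceded by an invisible ZWJ. Wording and ZWJ
# placement are this example's own construction, not the real comment.
PLANTED = ("#" + ZWJ + "2hot ma" + ZWJ + "ke love" + ZWJ + "d to " + ZWJ + "her, "
           + ZWJ + "uupss #" + ZWJ + "Hot #" + ZWJ + "X")
DECOYS = [
    "omg queen!!! love this pic",
    "first!!!!",
    # A legitimate ZWJ sequence (family emoji): ZWJ joins emoji, not letters.
    "\U0001F468" + ZWJ + "\U0001F469" + ZWJ + "\U0001F467 family goals",
]
COMMENTS = DECOYS[:2] + [PLANTED] + DECOYS[2:]

# One character of payload follows each joiner. \w (letter, digit, underscore)
# never matches an emoji code point, so genuine emoji sequences are ignored.
PAYLOAD_RE = re.compile(ZWJ + r"(\w)")


def custom_hash(comment: str) -> int:
    """Placeholder for the implant's per-comment hash (Turla's own hash is a
    custom routine not reproduced here); any deterministic hash serves."""
    return zlib.crc32(comment.encode("utf-8"))


# The operator computes the hash of the planted comment once and hard-codes it
# in the implant, so the implant can pick its comment out of thousands.
TARGET_HASH = custom_hash(PLANTED)


def extract_payload(comment: str) -> str:
    """Collect the character that follows each zero width joiner."""
    return "".join(PAYLOAD_RE.findall(comment))


def resolve_c2(comments, target_hash: int = TARGET_HASH):
    """Implant side: find the comment with the expected hash and turn its
    hidden characters into the bit.ly path that redirects to the real C2."""
    for comment in comments:
        if custom_hash(comment) == target_hash:
            return "https://bit.ly/" + extract_payload(comment)
    return None


def looks_like_zwj_stego(text: str) -> bool:
    """Defender side: flag a ZWJ directly followed by a letter or digit."""
    return PAYLOAD_RE.search(text) is not None


if __name__ == "__main__":
    print("C2:", resolve_c2(COMMENTS))
    for c in COMMENTS:
        print(looks_like_zwj_stego(c), repr(c))
```

The defender-side heuristic is cheap enough to run over comment feeds, pasted text or proxy-logged request bodies; it keys on the one property the trick cannot hide, namely a joiner adjacent to plain text rather than to emoji.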
Possible TV Hacking of Qatar News Agency
The history of TV hacking, often referred to as broadcast signal intrusion, dates back to at least the 1960s, and over the years various hackers and miscreants have pulled off numerous pranks to claim their fifteen minutes of fame. Historically, these hijacks have been carried out by small groups to display fake news messages that cause mild panic among gullible audience members.
However, accusations about a possible broadcast hijacking of the Qatar News Agency (QNA) may have triggered the recent diplomatic row between Qatar and multiple countries in the Middle East and surrounding areas.
As tensions flared over accusations that Qatar supports terrorist organizations, and following Trump's recent magical visit to Saudi Arabia, on May 23rd the state-run news agency broadcast a speech by the country's leader at a military graduation ceremony. The broadcast of Sheikh Tamim bin Hamad Al Thani, Qatar's 37-year-old leader since 2013, was accompanied by a ticker that reportedly carried comments alluding to Qatar seeking alliances with Israel and Iran.
These comments appear to have originated from a disinformation campaign that hacked the ticker to escalate the situation in the Middle East against Qatar. Sheikh Saif Bin Ahmed Al-Thani, Director of the Qatari Government Communications Office, recently confirmed that the FBI and the UK National Crime Agency are jointly investigating the purported hack against QNA.
Hacked broadcasts fueling propaganda during military operations are not a new tactic; records indicate Israel used TV hacks against Hezbollah during the 2006 Lebanon War. The Qatar hack, if valid, could be the first case in which TV broadcast hacking has triggered an international incident.
Experts believe Russian hackers, who have recently been tied to planting false news and disinformation campaigns in the US, France, and Germany, are the likely culprits. Russian campaigns against social media and news outlets have gone on since at least 2014 and have pushed a multitude of fake stories, including a chemical plant explosion in Louisiana, and a police shooting and an Ebola outbreak in Atlanta. Looking back at these incidents, many believe they were trial runs for more serious campaigns such as the one that targeted Qatar.
In this day and age, where social-media-delivered news can be influenced by fake news articles, many companies and organizations are looking for countermeasures to protect themselves, their customers and users against harmful or misguided reports. With Facebook and Google the targets of controversy concerning delivery of fake news, the market to combat false news, internet trolling, and disinformation campaigns is just starting to take off.
One of the leading online services for validating quotes is Storyzy, whose system fact checks the 50,000+ quotes added each day.
Regardless of the results of the investigation into the hacking of QNA, it is evident that current policies and safety precautions generated by news sources need to be re-evaluated to guard against the growing threat posed by information cyberwarfare.
Leak of NSA Report on Russian Interference With the U.S. Presidential Election Traced by DocuColor Tracking Dots
In what seems like the plot of a bad summer movie, an NSA contractor has been swiftly arrested after leaking a top secret document about Russian interference in the US presidential election to a news outlet. The smoking gun that led investigators to the leaker? A highly sophisticated surveillance team with an arsenal of gadgets? Nope. Advanced crypto-breaking software designed to deanonymize any user? Negative. How about small, nearly invisible yellow dots on plain paper? Bingo.
DocuColor tracking dots, AKA machine identification code or microdot encoding, are a technology embedded in many colour laser printers; the Xerox DocuColor pattern was publicly decoded by the EFF in 2005. The dots encode the time, date, and unique serial number of the printer, and have served for years as a deterrent against counterfeiting currency.
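As an added illustration (not code from the original post, the NSA, or the EFF), the following Python encoder and decoder work the Xerox DocuColor layout published in the EFF's decoding guide: 15 columns by 8 rows, the top row carrying column parity, the left column carrying row parity, and the remaining 7 rows of each column holding a binary value with the most significant bit at the top. The column-to-field assignment (minute, hour, day, month, year, and four two-digit chunks of the serial number) is written from that guide as I recall it and should be checked against it before trusting results on real scans; the sample values are constructed. The parity check is what a forensic examiner leans on to confirm a grid was read correctly, so the decoder refuses a grid with a misread or tampered dot.

```python
from typing import Dict, List

# Grid geometry per the EFF DocuColor decoding guide: 8 rows x 15 columns.
# Row 0 carries column parity, column 0 carries row parity, and rows 1..7 of
# each column hold a 7-bit value (most significant bit in row 1).
ROWS, COLS = 8, 15
DATA_ROWS = range(1, ROWS)

# Field-to-column map (0-based; the guide numbers columns from 1). Columns not
# listed are unknown or unused in the guide and are left empty here.
FIELDS = {"minute": 1, "hour": 4, "day": 5, "month": 6, "year": 7}
SERIAL_COLS = (10, 11, 12, 13)  # four chunks of two decimal digits each

DOT, BLANK = "#", "."


def encode_dots(minute: int, hour: int, day: int, month: int, year: int,
                serial: str) -> List[str]:
    """Build the grid a printer would stamp for a timestamp and an 8-digit
    serial number, including both parity lines."""
    if len(serial) != 8 or not serial.isdigit():
        raise ValueError("serial must be 8 decimal digits")
    grid = [[0] * COLS for _ in range(ROWS)]
    values: Dict[int, int] = {FIELDS["minute"]: minute, FIELDS["hour"]: hour,
                              FIELDS["day"]: day, FIELDS["month"]: month,
                              FIELDS["year"]: year}
    for i, col in enumerate(SERIAL_COLS):
        values[col] = int(serial[2 * i:2 * i + 2])
    for col, val in values.items():
        if not 0 <= val < 128:
            raise ValueError(f"value {val} does not fit in 7 bits")
        for bit in range(7):
            grid[1 + bit][col] = (val >> (6 - bit)) & 1
    # Row parity: column 0 makes every data row hold an odd number of dots.
    for r in DATA_ROWS:
        grid[r][0] = 1 - sum(grid[r][1:]) % 2
    # Column parity: row 0 makes every column (column 0 included) odd.
    for c in range(COLS):
        grid[0][c] = 1 - sum(grid[r][c] for r in DATA_ROWS) % 2
    return ["".join(DOT if d else BLANK for d in row) for row in grid]


def decode_dots(rows: List[str]) -> Dict[str, object]:
    """Parse a scanned grid back into its fields, refusing any grid whose
    parity does not check out (a misread or forged dot)."""
    if len(rows) != ROWS or any(len(r) != COLS for r in rows):
        raise ValueError("grid must be 8 rows of 15 cells")
    grid = [[1 if ch == DOT else 0 for ch in row] for row in rows]
    for c in range(COLS):
        if sum(grid[r][c] for r in range(ROWS)) % 2 == 0:
            raise ValueError(f"parity error in column {c + 1}")
    for r in DATA_ROWS:
        if sum(grid[r]) % 2 == 0:
            raise ValueError(f"parity error in row {r + 1}")

    def column_value(c: int) -> int:
        return sum(grid[1 + bit][c] << (6 - bit) for bit in range(7))

    fields: Dict[str, object] = {name: column_value(c) for name, c in FIELDS.items()}
    fields["serial"] = "".join(f"{column_value(c):02d}" for c in SERIAL_COLS)
    fields["timestamp"] = (f"20{column_value(FIELDS['year']):02d}-"
                           f"{column_value(FIELDS['month']):02d}-"
                           f"{column_value(FIELDS['day']):02d} "
                           f"{column_value(FIELDS['hour']):02d}:"
                           f"{column_value(FIELDS['minute']):02d}")
    return fields


def flip_dot(rows: List[str], r: int, c: int) -> List[str]:
    """Return a copy of the grid with one cell toggled (simulates a misread)."""
    out = list(rows)
    cells = list(out[r])
    cells[c] = BLANK if cells[c] == DOT else DOT
    out[r] = "".join(cells)
    return out


def parity_ok(rows: List[str]) -> bool:
    """True when the grid passes both parity checks."""
    try:
        decode_dots(rows)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: 12:50 on 2005-05-21 from a printer with serial 21052857.
    sample = encode_dots(50, 12, 21, 5, 5, "21052857")
    print("\n".join(sample))
    print(decode_dots(sample))
    print("parity after one misread dot:", parity_ok(flip_dot(sample, 3, 5)))
```

On a real scan the yellow dots are barely visible under white light; imaging the page under blue light or inverting the blue channel of a high-resolution scan makes the grid stand out, and the pattern repeats across the whole page so any single clean copy suffices.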
In what can only be described as the most ironic name in leaker history, Reality Winner has won herself federal charges after leaking sensitive material to the news organization The Intercept. The leaked document went into great detail on how Russian GRU agents purportedly targeted various political entities, voter registration systems, and hardware devices that communicated with voting machines in order to influence the election.
The attack began with a spear-phishing campaign against a US election software vendor, disguised as Google security alerts. The phishing emails stole the victims' Google credentials and let the attackers log into their Gmail accounts. The same credentials were then tried against the targeted company's assets (such as VPN, internal email, and cloud services) to advance further into the victim's network. The second phase delivered Microsoft Office documents with malicious embedded macros to over 120 additional email addresses belonging to local government offices that used the voting software.
The document goes on to discuss how the GRU groups pivoted around networks and attacked voting infrastructure directly, supporting the now-common belief that outside influences assisted Trump's victory in the American election.
Reality, a 25-year-old contractor based in Georgia, had been a public supporter of The Resistance and anti-Trump movements on various social media outlets. However, the events leading up to Reality's arrest, the investigation itself, The Intercept's handling of the documents, the NSA's validation of them, and why Reality had access to these documents in the first place have all been questioned. Many are left wondering what will happen next as the U.S. braces for bombshells when former FBI director James Comey testifies before the Senate about Trump, amid allegations of Russian collusion to control the White House.
Regardless of the outcome, many individuals have been reminded of the Orwellian nature of not just the current U.S. government, but of the technology that binds us all together, regardless of whether it’s new technology like the Internet of Things (IoT), laser printers that track their owners, or computer systems themselves.
Luckily for future would-be leakers and tin-foil hat wearers, solutions to remove the tracking technology and guides to identify printers which do not have microdots are now available.
About the Cylance Research and Intelligence Team
The Research and Intelligence team explores the boundaries of the information security field, identifying emerging threats and remaining at the forefront of attacks. With insights gained from these endeavors, Cylance stays ahead of the threats.