Produced by PI Media, July 7th, 2021. According to secure hosting provider Qurium, "several prominent human rights and political activists in Azerbaijan" all received the same email, purporting to come from the NGO Human Rights Watch. The sender was, maybe a little on the nose, humanrights.invoicer@gmail.com. The body of the mail began, "We present a new project for Azerbaijani political and human right activists." The message prompted targets to download an invoice document which, upon being extracted, presented an error message: unsupported Microsoft Word version, file corrupted, with an error number. If it weren't already obvious that this was an attack, the multiple misspelled words, like "unsupported" with two o's and "number" without a b, might have given it away. Any victim that reached this point had, perhaps unbeknownst to them, downloaded malware to their computer: malware with the ability to remotely execute commands, steal or upload files, and record their screens or webcam feeds. Perhaps because the phishing was so simplistic, enough activists caught on before they got to that point. But this campaign was merely a harbinger of worse things to come. Hi listeners, I'm Ran
Levi. Welcome to a somewhat unique episode of CP Radio. To give people some sense of the gravity of this situation, of why it is that we are distorting our voice for this episode: we're going to discuss sensitive topics that potentially involve nation state actors, so we want to protect the identity of all the researchers that are involved in this. We've covered nation state attacks plenty of times on this podcast. Perhaps some precaution is warranted in this case, however, because of how commonly the individuals who speak out on this conflict find themselves targeted for it. We're talking about a highly charged environment. So the political context of the story we're going to talk about today is based on the conflict,
which is not very well known outside the region. It involves Azerbaijan and Armenia, the two countries in the South Caucasus between the Caspian and Black Seas, just east of Turkey and north of Iran. Both are former Soviet Union republics. They gained independence after the dissolution of the Soviet Union, and the conflict is around the Republic of Artsakh, also known as Nagorno-Karabakh. It's a breakaway region in the South Caucasus with a majority of the population being Armenians, but internationally it's recognized as a part of Azerbaijan. A land area which, despite being mostly Armenian, is almost entirely encapsulated by Azerbaijan, so de facto it is an enclave within Azerbaijan, and the only route from Armenia to Nagorno-Karabakh is through the Lachin Corridor, which is currently under the control of Russian peacekeepers. This tiny little sliver of land is the primary locus of the years-long conflict. The situation in Artsakh is pretty tense. There are a lot of military conflicts there in the area and all kinds of ceasefire violations and sporadic violence. And this is the conflict that has largely affected the relationship between the two countries for more than twenty years. Tensions flared late last year when Azerbaijani citizens working for the Azerbaijani government blocked off the Lachin Corridor, thereby disconnecting Artsakh from Armenia and the rest of the world. The Azerbaijani side claims it is peaceful eco protests. The Armenian side claims there is a blockade by Azerbaijanis in order to cut the region off from supplies. The staged protest at Lachin was very significant, but it wasn't the only action taken by the Azerbaijani government at the time. In late November, one of the major banks in the region got a malicious email: Artsakh Bank, an Armenian bank with eleven
branches in the disputed region. A suspicious email delivered to Artsakh Bank included a PDF document of the Wikipedia page of a man named Alexander Lapshin. Alexander Lapshin is a Russian-Israeli blogger. He is pro-Armenian in relation to the Armenia-Azerbaijan conflict, and he talks openly about that. So in 2016 he was detained in Belarus and was extradited to Azerbaijan at the request of the Azerbaijani government, and there he was accused of visiting the territory of Azerbaijan, which is Artsakh, back in 2011-2012 without getting permission from the Azerbaijani authorities. Lapshin was sentenced to three years in an Azerbaijani prison, and a few months after his detention in Azerbaijan, something happened. The Azerbaijani side claims that it was a suicide attempt. Lapshin himself claims that it was an attempt to kill him. So he was hospitalized, and then a few days later he was pardoned by the President of Azerbaijan and sent back to Israel. Then he started a court case against Azerbaijan in the European Court of Human Rights. On May 20, 2021, in the case of Lapshin versus Azerbaijan, the court ruled that the Azerbaijani authorities violated Lapshin's right to life and ordered them to pay him thirty thousand euros. To celebrate his victory, Lapshin had a bit of fun. So the day after this decision, what he did is, on his Facebook account he published a picture of a credit card for the bank account that he opened specifically to receive this money from the Azerbaijani government, and he kind of mocked the Azerbaijani government by opening this account in Artsakh Bank. Azerbaijan didn't take kindly to being trolled. This was the context for a suspect PDF delivered to Artsakh Bank just a couple of weeks before the blockade of Artsakh, which is a pretty nice way to lure the employees of the bank to open something that came with his name and use it. The idea was that while the employee was only seeing the bait, quietly in the background of their computer a
malicious backdoor was burrowing into the network. In August 2021, a month after a phishing campaign was deployed against Azerbaijani activists, a computer in Armenia uploaded a malware sample to VirusTotal, a website for detecting malware in files and URLs. The file was aptly named "Report on the Azerbaijani Military Agression Final Update 2021.scr". Despite being a screensaver file, it was presented on screen with a PDF icon. Upon execution, the file presented victims with a document titled "Report on the Azerbaijani Agression against Artsakh, Nagorno-Karabakh and Armenia". Evidently, in the months that passed between attacks, the hackers didn't improve their spelling, forgetting a G in "aggression", but they clearly had improved in other ways. The lure was more specific, more enticing to the particular kind of target they were after compared with the more general Human Rights Watch invoice, and the malware too was being iterated on. The first version of this malware was used around July 2021, and it was much simpler. It had far fewer commands. It basically knew just how to collect the recordings and run additional commands. Then we've seen it once again in February 2022, with much more advanced features like collecting the files in different ways. February 2022: this time the email pretended to come from the BBC and required a password for decryption, a clever little adjustment, since antivirus programs, without knowing the password to a file, can't actually read and interpret whether they're safe or not. The attackers were working on their tactics, techniques, and procedures for over a year, probably two years, which leads up to late 2022, when, for at least the fourth time, and for the very first time against a commercial organization, they deployed their malware. So we call this malware OxtaRAT, RAT as in remote access Trojan. OxtaRAT is based on AutoIt, a perfectly legitimate
computer language for automating the Windows user interface. It's a legitimate administrative tool, in order to allow IT administrators to perform their tasks, but it's often abused for all kinds of malicious activities. A decade ago, Trend Micro analyzed why so many hackers were choosing AutoIt. As one expert explained, "AutoIt is scalable, very similar to BASIC, and is outrageously easy to code." Wilhoit said, "This ease of use takes the learning curve off learning more complex languages such as Python. This opens up a wide array of possibilities to hackers that may not otherwise expose themselves to a scripting language." In other words, AutoIt can make your job easy if you're in a rush, maybe, or if you're not a particularly good hacker, like perhaps the folks behind OxtaRAT. I would say that technically it's not very complicated, but it works. Although it's not some fancy, super stealthy thing, it does the job. However simplistic it might be, OxtaRAT is nonetheless dangerous: years in the making, with many different types of components, which allow it to run additional code on the machine, search for and exfiltrate different types of files and data on the machine, perform active surveillance activity by recording video from the desktop or from the web camera, by taking screenshots, also installing additional software for remote access control such as TightVNC, basically anything an attacker could imagine wanting to do to a victim's computer, and also to collect all different kinds of information about the machine itself: the processes, the drives, the system information. And it also allows performing port scanning and using this compromised machine in order to pivot inside the network. By the time of their late 2022 attack, the hackers had also improved on their tactics for hiding OxtaRAT. First
among them was AutoIt itself. Hackers like to use commercial software to trick computers into thinking that their behavior is legitimate. These hackers used AutoIt to compile malicious code and run it as seemingly legitimate automation on a Windows computer, skirting antivirus engines along the way. And also, the actors improved their OPSEC. They geofenced their servers, meaning only those who come from specific IP ranges, in our case the payloads were received only from IP addresses in Azerbaijan and Armenia, only those can get the actual payload and be infected. This is done so that researchers won't find it easily and reveal its capabilities. And lastly, in their efforts to evade detection, they did a small trick, perhaps their most clever tactic. They hide the code in an image, like a regular PNG image. Encoding malware into an image file: these types of files are called polyglot files, meaning they might be a legitimate picture and something else. So in this case, if you open this as a picture, let's say with your picture editor, then you will see it as a picture. But if you run it with the tool that's supposed to run it as a script, then it will run as a script. What's the purpose of all this? It's probably done in order to hide the artifacts on the machine from those who are going to investigate it later, because you will just see an image in the file system and you won't even think that somewhere inside of it there is a script hidden. And it's hidden in compiled form, so even if you open it in a text editor, then you will just see a lot of gibberish that doesn't make any sense. OxtaRAT has many components to it, many mechanisms to prevent detection and functions to carry out malicious deeds, but at the end of the day, its focus is clear. The main intention of the malware is just to sit patiently and collect all different kinds of information. Multiple functions in this backdoor are actually related to collecting the data in the most effective way possible: search for the data on the machine with many different kinds of tools, then compress it and send it to the attacker's control server.
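One defensive check that follows from the polyglot description above, added here as an example and not code from the podcast or from Check Point Research: image viewers stop at the PNG IEND chunk, so a script appended after it is invisible in a picture editor but still present in the file. This Python parser walks the chunk list and reports any trailing bytes; the 1x1 image and the appended bytes are constructed sample input.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Assemble one PNG chunk: big-endian length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def build_minimal_png() -> bytes:
    """Constructed 1x1 8-bit grayscale PNG used as sample input (not a real sample)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    scanline = b"\x00\x00"  # filter-type byte followed by one grey pixel
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(scanline)) + _chunk(b"IEND", b""))

def analyze_png(blob: bytes) -> dict:
    """Walk the chunk list and report what follows IEND.

    Viewers stop rendering at IEND, so bytes after it are invisible in a picture
    editor yet fully available to a tool told to execute the file, which is the
    polyglot trick described above. Also flags CRC mismatches and truncation."""
    if not blob.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIGNATURE)
    chunks, crc_errors, truncated = [], 0, False
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 12 + length
        if end > len(blob):  # declared length runs past the end of the file
            truncated = True
            break
        data = blob[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", blob[pos + 8 + length:end])
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            crc_errors += 1
        chunks.append(ctype.decode("ascii", "replace"))
        pos = end
        if ctype == b"IEND":  # a viewer stops here; anything further is a payload candidate
            break
    trailing = len(blob) - pos
    return {"chunks": chunks, "crc_errors": crc_errors, "truncated": truncated,
            "trailing_bytes": trailing, "suspicious": trailing > 0 or truncated}

# Constructed stand-in for a compiled script appended after IEND (not a real sample).
POLYGLOT_SAMPLE = build_minimal_png() + b"<constructed appended script bytes>"
```

A file that renders as a picture but reports a non-zero trailing_bytes count is worth a closer look during triage.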
So if we talk about using this malware in corporate environments, then it might lead to potential compromise of the customers' personal data, and then it can be used in order to facilitate any other different kind of attack, starting from social engineering to all kinds of more advanced operations, or just leak their data to some other third parties. Ultimately, this attack probably wasn't about gathering bank account numbers or other consumer data. The hackers were clearly politically motivated and likely wanted to attack certain specific people. When we talk about the individuals, the effect of surveillance on them is much more serious. First, we've seen cases when the usage of this malware eventually led to the destruction of the work of the people who were targeted by it. For example, when the actors gained access to journalists' social media accounts, then they just deleted all their posts, or basically just threw away part of their work. Another thing is that surveillance operations usually involve not only the targets themselves but also all the people around them. So if you read the stories about, for example, Pegasus, the Israeli NSO Group-developed spyware used against activists, politicians, and others around the globe, you will hear the victims being in shock that they found out that not only them were being targeted, but also their relatives or their partners, and it's a little bit scary. Fortunately, at the end of our story, the employees of Artsakh Bank escaped compromise. But as our guest and her colleagues noted in a blog post, "due to the infrastructure revealed, we believe that there might have been other targets of this campaign in Armenia as well." Exactly who else was targeted, and whether they fell into the attackers' trap, remains unknown, and based on the evidence of recent years, we can only expect that these adversaries will be back again soon. Our goal as the security community is to make this world a little bit better, so I think it's important to raise awareness of attacks like this, because they affect individuals and their relatives, and we really hope that this research will also inspire other vendors to talk more about this region, about this conflict and what's going on there. That's it for this episode. Thank you for listening. For past episodes, visit the Check Point Research blog at research.checkpoint.com, and you can follow Check Point Research on Twitter, or follow me at Ran Levi. That's R-A-N L-E-V-I. CP Radio is produced by PI Media, written by Nate Nelson, produced by Hila Shemish, and edited and narrated by me, Ran Levi. See you next episode. Bye bye.
