Nation-state hacking teams increasingly are employing open-source software tools in their cyber espionage and other attack campaigns.
For some of these threat groups, it's a cost-saving move and a more efficient early-stage attack method. Using the same hacking tools used by security researchers and penetration testers to root out security weaknesses and exploit holes in enterprise networks saves on development costs. For others, it's purely for camouflaging purposes, providing cover as a legitimate penetration test, for instance.
Kurt Baumgartner, principal security researcher for Kaspersky Lab's Global Research and Analysis Team, says he noticed a spike over the past year or so in the use of open-source hacking tools by some infamous APT groups. Tools such as Metasploit Meterpreter, Cobalt Strike, BeEF (Browser Exploitation Framework), Mimikatz, Pupy, and Unicorn, have all been spotted in use by nation-state hackers.
"APT actors are incorporating more open source into their tooling, and in some cases, abandoning custom and private toolsets in favor" of open source, Baumgartner said in an interview at Kaspersky Lab's Security Analyst Summit in St. Martin last week, where he gave a presentation on a yearlong snapshot he took of this trend.
Newscaster - aka NewsBeef and Charming Kitten - the nation-stage hacking group believed to be out of Iran, in the past year has relied heavily on several open-source hacking tools: BeEF for exploiting holes in browsers, on Unicorn for PowerShell-type attacks, and on Pupy, for planting a remote administration tool, or RAT. This represents a major shift in MO for the attack group, which traditionally had relied on social engineering accounts to target its victims. "They gave up on their old techniques," Baumgartner says. "Now they're using spear phishing with email lures using these toolsets … NewsBeef is not well-resourced, so this enables them to up their game."
Interestingly, one of the most sophisticated and well-oiled attack groups, the Russian-speaking Sofacy, aka Fancy Bear/APT28/Pawn Storm, also has taken a liking to BeEF. Baumgartner says Sofacy/Fancy Bear has employed BeEF to rig a watering-hole attack on a website likely frequented by its targets. In one big attack campaign in July of 2016, they targeted geopolitical targets in the former Soviet republic with a malicious but realistic-looking Adobe Updater on the site, he says. "They were serving their own backdoor from this domain to visitors," he says. The group, which is reportedly linked to the Russian military unit GRU, even included a progress bar with the phony Adobe updater.
Researchers at CrowdStrike and FireEye say they've seen a similar spike in open-source hacking tool usage by nation-states. "It's becoming fairly commonplace," says Adam Meyers, vice president of intelligence at CrowdStrike.
"We've seen a fair amount from Cozy Bear in the past couple of weeks" as well as Charming Kitten using Pupy heavily, he notes. Iranian nation-state group Rocket Kitten also has been spotted running CORE Impact, a commercial pen-testing tool.
Meyers says not only are these groups using open-source hacking tools for obfuscation, but they're also using them to fill gaps in their own toolsheds or as a phase-one attack tool. "Some actors are using this as Phase One" for recon, and then executing their own custom tools for the next phases of the attack, he says. "Their [custom] implants are for collecting and pulling data and long-term continuous monitoring," of the target, he says.
In some cases, it may be more that the attackers are merely leveraging their own training on open-source hacking tools, he says. "They may be receiving commercial-style training."
John Hultquist, manager of the cybersecurity analysis team at FireEye, says the Iranian nation-state Newscaster group also runs Metasploit, and other groups, Cobalt Strike, an emulation tool that mimics red-team operations and attacks. FireEye has seen Iranian, Chinese (APT19), and Palestinian nation-state groups relying on open-source hacking tools for their attacks. "Some actors never created their own tools, so they've relied on outside tools," Hultquist says.
Some notorious Chinese nation-state groups historically have employed open-source tools like Poison Ivy, Ghost Rat, and others, later moving on to PlugX and custom tools. The recent wave of relatively newcomer nation-state groups likely has contributed to the popularity of open-source hacking software, he says.
"The biggest advantage of using those [open source] tools is they forgo tremendous amounts of development time, energy, and money. And from an intel perspective, they provide another level of obfuscation. There's no permanent attribution because these tools are passed around," Hultquist says.
The typical next step for a young nation-state attack group is customization of an off-the-shelf tool. "We've seen Mimikatz customized on many occasions," he says.
Mimikatz, which has been used frequently by the Chinese APT10 cyber espionage group, is used for pilfering credential information from Windows.
Seasoned nation-state attackers have been known to use open-source software as the basis for their hacking tools, building out custom versions. Take the recent finding by researchers from Kaspersky Lab and Kings College of a link between the 1990's cyber espionage attacks against NASA, the US military, Department of Energy, and other government agencies, and the stealthy Russian-speaking attack group Turla. The thread that ties the two attack groups together: the use of the open-source data extraction tool LOKI2, albeit each with their own custom versions of the tool.
Open Source Unmasked
There's some risk to nation-states using open-source tools, however. Take BeEF: its logging feature is very chatty and relatively detailed, so it can inadvertently expose intelligence on the attacker. "Logging is fairly verbose. It keeps track of geolocation" and IP addresses, for instance, Kaspersky Lab's Baumgartner notes.
"The dilemma for [attackers] is they may not realize how much logging is going on," he says. "It's a double-edged sword."
Targeted organizations also can more easily spot and block those tools, which aren't as stealthy as a custom tool. "One of the biggest disadvantages is that we [defenders] know your tool very well… We can build a signature for it," FireEye's Hultquist says.
On the flip side, it's difficult to discern whether a Meterpreter exploit is a legitimate penetration test, a cyber espionage attack, or a financially motived cyberattack. "It's really going to be a problem for attribution and understanding who's targeting your network," he says. "The same actor interested in one employee's credit card may be using the same tool as an actor there to take millions of dollars in intellectual property. Every incident is not equal; sometimes it's clean the machine and move on with your life, and the other can change your life and they can look pretty similar."