Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

05:15 PM
Connect Directly

Nation-State Hackers Go Open Source

Researchers who track nation-state groups say open-source hacking tools increasingly are becoming part of the APT attack arsenal.

Nation-state hacking teams increasingly are employing open-source software tools in their cyber espionage and other attack campaigns.

For some of these threat groups, it's a cost-saving move and a more efficient early-stage attack method. Using the same hacking tools used by security researchers and penetration testers to root out security weaknesses and exploit holes in enterprise networks saves on development costs. For others, it's purely for camouflaging purposes, providing cover as a legitimate penetration test, for instance.

Kurt Baumgartner, principal security researcher for Kaspersky Lab's Global Research and Analysis Team, says he noticed a spike over the past year or so in the use of open-source hacking tools by some infamous APT groups. Tools such as Metasploit Meterpreter, Cobalt Strike, BeEF (Browser Exploitation Framework), Mimikatz, Pupy, and Unicorn, have all been spotted in use by nation-state hackers.

"APT actors are incorporating more open source into their tooling, and in some cases, abandoning custom and private toolsets in favor" of open source, Baumgartner said in an interview at Kaspersky Lab's Security Analyst Summit in St. Martin last week, where he gave a presentation on a yearlong snapshot he took of this trend.

Newscaster - aka NewsBeef and Charming Kitten - the nation-stage hacking group believed to be out of Iran, in the past year has relied heavily on several open-source hacking tools: BeEF for exploiting holes in browsers, on Unicorn for PowerShell-type attacks, and on Pupy, for planting a remote administration tool, or RAT. This represents a major shift in MO for the attack group, which traditionally had relied on social engineering accounts to target its victims. "They gave up on their old techniques," Baumgartner says. "Now they're using spear phishing with email lures using these toolsets … NewsBeef is not well-resourced, so this enables them to up their game."

Interestingly, one of the most sophisticated and well-oiled attack groups, the Russian-speaking Sofacy, aka Fancy Bear/APT28/Pawn Storm, also has taken a liking to BeEF. Baumgartner says Sofacy/Fancy Bear has employed BeEF to rig a watering-hole attack on a website likely frequented by its targets. In one big attack campaign in July of 2016, they targeted geopolitical targets in the former Soviet republic with a malicious but realistic-looking Adobe Updater on the site, he says. "They were serving their own backdoor from this domain to visitors," he says. The group, which is reportedly linked to the Russian military unit GRU, even included a progress bar with the phony Adobe updater.

Researchers at CrowdStrike and FireEye say they've seen a similar spike in open-source hacking tool usage by nation-states. "It's becoming fairly commonplace," says Adam Meyers, vice president of intelligence at CrowdStrike.

"We've seen a fair amount from Cozy Bear in the past couple of weeks" as well as Charming Kitten using Pupy heavily, he notes. Iranian nation-state group Rocket Kitten also has been spotted running CORE Impact, a commercial pen-testing tool.

Meyers says not only are these groups using open-source hacking tools for obfuscation, but they're also using them to fill gaps in their own toolsheds or as a phase-one attack tool. "Some actors are using this as Phase One" for recon, and then executing their own custom tools for the next phases of the attack, he says. "Their [custom] implants are for collecting and pulling data and long-term continuous monitoring," of the target, he says.

In some cases, it may be more that the attackers are merely leveraging their own training on open-source hacking tools, he says. "They may be receiving commercial-style training."

John Hultquist, manager of the cybersecurity analysis team at FireEye, says the Iranian nation-state Newscaster group also runs Metasploit, and other groups, Cobalt Strike, an emulation tool that mimics red-team operations and attacks. FireEye has seen Iranian, Chinese (APT19), and Palestinian nation-state groups relying on open-source hacking tools for their attacks. "Some actors never created their own tools, so they've relied on outside tools," Hultquist says.

Some notorious Chinese nation-state groups historically have employed open-source tools like Poison Ivy, Ghost Rat, and others, later moving on to PlugX and custom tools. The recent wave of relatively newcomer nation-state groups likely has contributed to the popularity of open-source hacking software, he says.

"The biggest advantage of using those [open source] tools is they forgo tremendous amounts of development time, energy, and money. And from an intel perspective, they provide another level of obfuscation. There's no permanent attribution because these tools are passed around," Hultquist says.

The typical next step for a young nation-state attack group is customization of an off-the-shelf tool. "We've seen Mimikatz customized on many occasions," he says.

Mimikatz, which has been used frequently by the Chinese APT10 cyber espionage group, is used for pilfering credential information from Windows.

Seasoned nation-state attackers have been known to use open-source software as the basis for their hacking tools, building out custom versions. Take the recent finding by researchers from Kaspersky Lab and Kings College of a link between the 1990's cyber espionage attacks against NASA, the US military, Department of Energy, and other government agencies, and the stealthy Russian-speaking attack group Turla. The thread that ties the two attack groups together: the use of the open-source data extraction tool LOKI2, albeit each with their own custom versions of the tool.

Open Source Unmasked

There's some risk to nation-states using open-source tools, however. Take BeEF: its logging feature is very chatty and relatively detailed, so it can inadvertently expose intelligence on the attacker. "Logging is fairly verbose. It keeps track of geolocation" and IP addresses, for instance, Kaspersky Lab's Baumgartner notes.

"The dilemma for [attackers] is they may not realize how much logging is going on," he says. "It's a double-edged sword."

Targeted organizations also can more easily spot and block those tools, which aren't as stealthy as a custom tool. "One of the biggest disadvantages is that we [defenders] know your tool very well… We can build a signature for it," FireEye's Hultquist says.

On the flip side, it's difficult to discern whether a Meterpreter exploit is a legitimate penetration test, a cyber espionage attack, or a financially motived cyberattack. "It's really going to be a problem for attribution and understanding who's targeting your network," he says. "The same actor interested in one employee's credit card may be using the same tool as an actor there to take millions of dollars in intellectual property. Every incident is not equal; sometimes it's clean the machine and move on with your life, and the other can change your life and they can look pretty similar."

Related Content:


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-13
Pydantic is a data validation and settings management using Python type hinting. In affected versions passing either `'infinity'`, `'inf'` or `float('inf')` (or their negatives) to `datetime` or `date` fields causes validation to run forever with 100% CPU usage (on one CPU). Pydantic has been patche...
PUBLISHED: 2021-05-13
An issue was discovered in the Headunit NTG6 in the MBUX Infotainment System on Mercedes-Benz vehicles through 2021. A Message Length is not checked in the HiQnet Protocol, leading to remote code execution.
PUBLISHED: 2021-05-13
An issue was discovered in the Headunit NTG6 in the MBUX Infotainment System on Mercedes-Benz vehicles through 2021. The count in MultiSvGet, GetAttributes, and MultiSvSet is not checked in the HiQnet Protocol, leading to remote code execution.
PUBLISHED: 2021-05-13
An issue was discovered in the Headunit NTG6 in the MBUX Infotainment System on Mercedes-Benz vehicles through 2021. A type confusion issue affects MultiSvSetAttributes in the HiQnet Protocol, leading to remote code execution.
PUBLISHED: 2021-05-13
An issue was discovered in HERMES 2.1 in the MBUX Infotainment System on Mercedes-Benz vehicles through 2021. The SH2 MCU allows remote code execution.