B (5:14)

Well, let's dig into some of their tactics and capabilities here. Is there anything that stands out about their tactics, techniques and procedures compared to some of the other Chinese ABT groups we're used to seeing out there?

A (5:27)

Yeah, so there are actually a number of things that we've noticed and really set them apart from other threat actors. So first and foremost I think it's their level of persistence and they're quite tenacious. Right. They put the P in apt, as we like to say, when it comes to persistence. Most groups, when they get caught or when the operation is blown, they'll try to stay away, hide for a bit, regroup, and then come back after a few months, a few years. We've seen them coming back in a matter of days, sometimes hours. So they really persistent. You could see the level of commitment, if you will, that they have for getting the intelligence that they're after. So like very persistent group, they have their own homegrown tools, so they don't use the generic tools that we've come to seen and known. And they do develop their own malware and their own tools which are quite sophisticated, state of the art tools. We have the Net Star suite that we just discovered and prior to that there was the Spectre malware suite and they are really well engineered, designed for extra stealth and we haven't observed these type of tools being used anywhere else or by any other threat actor. So that also what makes them special. And when it comes to their techniques or tactics, what is interesting to see is that they are not the sort of a threat actor that goes after individuals so much in terms of like we haven't seen spear phishing or elaborate social engineering attacks. They are like their hallmark activities is going after vulnerable infrastructure. So they go straight to the jugular or they go straight to the crown jewels, be it database servers, email exchange servers. So instead of trying to target an individual, let's say the Prime Minister or a minister of a said country, they'll go for the main server of the Ministry of Foreign affairs. And so they can have access to diplomatic cables, correspondence and other type of sensitive documents and information.

B (8:35)

One of the things I noted in the research is you highlight how the group's data collection strategies have evolved over time. You point out them shifting from email servers to databases, for example.

A (8:48)

That is correct. And again, I don't think it's necessarily mutually exclusive, either or. I think that they can still do both. We have noticed that in the last year they haven't been targeting exchange servers or email servers as much as they used to. And most of their current activity revolves around trying to get into databases, really backend databases which aggregate or contain so much more information than just email correspondence, if that makes sense. So it's really about. They're looking for, I guess, a good, in a sense you can say that they're looking for a good roi. So where they can find the most, where they can get the most buck for their bang for buck, what's the expression? Or yeah, exactly. Like how can they get their hands on as much information with the least effort?

B (10:08)

We'll be right back. And now a word from our sponsor. ThreatLocker, the powerful zero trust enterprise solution that stops ransomware in its tracks. AllowListing is a deny by default software that makes application control simple and fast. Ring Fencing is an application containment strategy ensuring apps can only access the files, registry keys, network resources and other applications they truly need to function. Shut out cybercriminals with world class endpoint protection from Threat Locker. Think your certificate security is covered. By March 2026 TLS certificate lifespans will be cut in meaning double today's renewals and in 2029, certificates will expire every 47 days, demanding between eight and 12 times the renewal volume. That's exponential complexity, operational workload and risk. Unless you modernize your strategy. Cyberark proven in identity security is your partner in certificate security. Cyberark simplifies lifecycle management with visibility, automation and control at scale. Master the 47 day shift with CyberArk. Scan for vulnerabilities, streamline operations, scale Security. Visit cyberark.com 47day that's cyberark.com the numbers 47day. Well, can you take us behind the scenes a little bit of your own process? I mean, how did you, your colleagues determine that this was a distinct new actor rather than activity from an Existing group?

A (12:09)

Wow. It's a really good question. It's been two and a half years of really, it's been a journey, two and a half years of investigative work. Because when we first started observing this activity, we didn't know what we were looking at. We, we try to characterize it. So the first process was understanding, trying to, or at least try to understand the motivation and the playbook of the attackers. And we quickly realized, okay, these guys are not there for financial motivation. It's not a ransom work group. So what we could glean from their activities it is, was that they were really after collecting information or stealing information, which so we quickly understood that we're looking at an espionage group. Okay, that's fine. But there are dozens, if not hundreds of APT groups operating in this sphere, not just Chinese. You have so many other countries spying on each other. So. And then we started collecting a lot of data points and connecting the dots and slowly but surely we were able to cope it better and to notice patterns in their activity that coincided or pointed us to the conclusion that we're about talking, looking at a, probably looking at a Chinese threat actor. And then we, over the course of two and a half years we implemented our attribution methodology, which is a long term, it's based on a long term monitoring of a given activity or a threat actor. So we started with a cluster without assigning any attribution, saying hey, we are noticing an activity that is repeated in different regions of the world on different organizations. We started clustering it. Then after a year of monitoring this activity, we had enough evidence and enough data to elevate it to a temporary group. Now we were able, with all the information that we were able to collect for over a year, we were able to say, hey, this looks like a Chinese activity. We still don't know if it's a new group or if it's like a spin off or a subgroup of a known group. But what we do see here is a really distinct activity, repeated patterns that we're not able to tie to any other sort of activity that we're seeing. And we're tracking and monitoring over 20 APT groups, just like coming from China, and nothing really stuck. We really tried to do these matchings and clustering and after two and a half years of reviewing, carefully reviewing the information again and again and again and trying to really look for any connection for any known groups, we were, we were not able to find such groups. And that's why we were pretty confident in coming up with a new threat actor. As threat intelligence or threat researchers, we are probably the last people who want to throw a new name into the already growing pile of mix of threat actors. It's not something that we like to do, but we really took a lot of time and effort to make sure that this is a new threat actor and we're not just like adding a new name to the pile.

B (16:25)

Well, I mean, you talk about Phantom Taurus persistence. It sounds to me like you and your colleagues had to have a certain amount of persistence yourselves.

A (16:35)

Yes, it did become a bit of a baby project for some of the team, especially a researcher called Leo Rockberger. She was the main force behind the investigation. She led the investigation. She's currently honeymooning, so that's why she's not on the call. But she was the main researcher. There were other collaborations with other researchers, but she was the main speedboat and she is an extremely persistent researcher and an extremely capable one.

B (17:14)

You speak to an interesting aspect here, which is, I think it's important. My perception anyway, and correct me if I'm wrong, is that it's important that groups like yours have the leeway to chase down these sorts of things. And they might not always pay off, but in this case it seems like it did. But that's part of the culture of your research organization.

A (17:40)

That is correct. You have to understand that our research is not done for academic purposes. The reason that we invest so much in tracking the various groups that we are tracking, be it cybercrime or nation state threat actors, is that at the end of the day, our entire research is being translated to actionable intelligence. And namely it helps us a feed our product, making sure that we have all the right IOCs and all the right identifiers, be it malware, hashes, domains, IPs for a given threat. But more than that, it's really about when you monitor threat actors so closely, you get to learn their mobile and we quickly start to learn how they think and how they react and you can anticipate their next moves. And all of this knowledge and insights, we try to bake it into the product, trying to come up with behavioral rules and try to come up with train our machine learning algorithms for detection and prevention. So that's why it really pays off to track these threat actors and group for a long time.

B (19:16)

Well, what are the takeaways here? When we're speaking to defenders and security teams who are checking out your research, what do you hope they come away with here when it comes to Phantom Taurus?

A (19:26)

I think, I mean, it's going to sound a bit like a cliche, but it's still it is still true. I think that one of the reasons that Phantom Taurus was able to penetrate so deep into so many organizations has to do with the more trivial stuff rather than like fancy zero days or like fancy exploits. The root cause of 90% of their success in penetrating organizations has to do with patch management or lack thereof, outdated versions, unpatched servers and I think it's I'm not going to say anything that will shock I think the audience, but I think good IT hygiene will it goes a long way. And again, I'm not saying that a skilled and highly motivated threat actor would not find a way to circumvent or bypass things or even use like heavier exploits like zero days and such to get to where they need to get. But sometimes it seems like almost too easy because the servers or Internet facing systems are not guarded enough, be it with having sufficient security tools and mitigations put in place. And also, yeah, as I mentioned, like the outdated systems.

B (21:38)

Our thanks to Assaf Dahan from Palo Alto Networks for joining us. The research is about Phantom Taurus, a New China apt uncovered by UN unit 42. We'll have a link in the show notes and that's Research Saturday brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2k.com this episode was produced by Liz Stokes. We're mixed by Elliot Peltzman and Trey Hester. Our executive producer is Jennifer Ibin. Peter Kilpe is our publisher and I'm Dave Buettner. Thanks for listening. We'll see you back here next time.

A (22:48)

And Doug Limu and I always tell you to customize your car insurance and.

B (22:51)

Save hundreds with Liberty Mutual.

A (22:52)

But now we want you to feel it.

B (22:54)

Cue the emu music.

A (22:55)

Limu Save yourself money today. Increase your wealth. Customize and save with we see that may have been too much feeling.

B (23:07)

Only pay for what you need@liberty mutual.com Liberty Liberty Liberty Liberty Savings Fairy underwritten by Liberty Mutual Insurance Co. Affiliates excludes Massachusetts Cyber Innovation Day is the premier event for cyber startups, researchers and top VC firms building trust into tomorrow's digital world. Kick off the day with Uncle Unfiltered insights and panels on securing tomorrow's technology in the afternoon, the 8th Annual DataTribe Challenge takes center stage as elite startups pitch for exposure, acceleration, and funding. The Innovation Expo runs all day, connecting founders, investors and researchers around breakthroughs in cybersecurity. It all happens November 4th in Washington, D.C. discover the startups building the future of cyber. Learn more@cid.datatribe.com.