A
Hello everyone, this is Tom Uren. I'm here for a Between Two Nerds discussion with the Grugq. G'day, Grugq. How are you?
B
G'day, Tom.
A
Finding yourself very well. This week's edition is brought to you by Knocknoc. That's knocknoc.io. They make a system to only open up external network access when you authorize. So it's a vast reduction in attack surface. Find them at knocknoc.io. So in the last week or so, the Chinese MSS has made some sort of hay.
B
It's the CERT. Come on. Like, you can't go blaming anything.
A
Well, there's a CERT technical report, and then the Chinese Ministry of State Security also published a post on top of that. Like, they actually have a video about it.
B
Oh, really?
A
Yeah, haven't you seen it? No, I haven't. I should. I'll send it to you right now.
B
Okay, let me watch that. Hang on. That. That sounds actually very amusing.
A
And the Global Times, which is the mouthpiece of the Communist Party, the Chinese English language mouthpiece of the Communist Party, published that video on Twitter as well, or X whatever it's called these days. I guess this is the time when we transition to a reaction video style YouTube channel.
B
Is this an AI? This is an AI.
A
I think that. Yeah, that's what I thought too.
B
It's. It's not a real person, right? It's. It's. Well, not an AI, but it's an avatar or something.
A
Yes.
B
Yeah, okay.
A
Yeah, a machine generated Persona or something.
B
Yeah, foreign PR. They really like that. Okay, hang on. This is funny where they're like, the MSS responded effectively at every turn. It's like, you were hacked from March of '22 until June of '24. Like.
A
Yeah, so that's like. So there's the MSS propaganda.
B
I've got like five seconds left on it that I just want to see at the very end in case anything shows up. The real empire of hackers. Oh, I'm glad I finished that.
A
Yeah. So we've got the MSS posted that to their Weixin or their WeChat, and then we've got the Global Times pushing that out internationally. But then we've also got a CERT report which has got more technical detail and it's got a number of interesting features in there that we'll talk about, I guess. So the whole MSS part is, you know, the US are the worst hackers. They're attacking government and military stuff.
B
The empire of hackers. Ironclad facts have proven that the US is the true matrix and the greatest source of chaos in cyberspace because they're going over government and military institutions rather than private companies.
A
Yeah. So this is an attack on the National Time Service or the National Timekeeping Service. So that's interesting in the sense that it's both not immediately clear what the intelligence value of that is, but like, personally I'd be very clear that there's either links to something that has intelligence value or it's a jumping off point, or like, it could be disruption type reconnaissance.
B
Yeah, I mean they emphasize that they're stealing data, so I mean, maybe the US wants to know what time it is in Beijing. Well, hang on, hang on. Here's a thought, right. They probably have their own GPS system.
A
Yeah, they don't.
B
Right, right. It's probably. The timekeeping system is probably linked to that and it would also be then used for things like the precision guided munitions. And so it might be useful to, I don't know, like maybe there's some keys or something like that that you'd have access to through this that would then allow you to read their stuff or maybe send commands, I don't know.
A
But yeah, there's definitely. Without knowing what they're after, I think you can speculate, come up with probably any number. So a while back the Australian Bureau of Meteorology was hacked. And again, I think it's the same sort of situation like by the Chinese. Allegedly the bureau sends a lot of bulk encrypted data around the world because it's exchanging like weather data. So data that doesn't really have any intelligence value.
B
Well, I mean, unless you want to know if there's a low pressure front coming in over Canberra.
A
So that could be a good place to hide comms, for example.
B
Right.
A
So, you know, maybe you have a domestic Australian network of covert comms and then you sort of pump it internationally via the bureau, or you know, the bureau's got supercomputers, who knows? I think it's very much a similar situation.
B
There's a bunch of possible resources that could be interesting and it's impossible to know which ones and it's not obvious, basically.
A
Yeah. So the technical analysis report, it's like got a lot of screenshots of stuff.
B
Probably, I think they got paid per screenshot.
A
So one of the really interesting things is they say that the NSA, so they pinned this on NSA, used Triangulation. So as a quick refresher, in 2023, I think it was, Kaspersky published this report which said we were attacked by something called Triangulation. They gave it the name Triangulation and it turned out that thousands of iPhones across Russia had been, or as the.
B
Chinese report puts it, non Chinese brand phones.
A
Had been hacked. What was interesting when we spoke about it is that they exploited so many, and our thinking was that it was a kind of use-it-or-lose-it situation where the vulnerability was going to go away. They had this chance to use it, they may as well deploy it. Kaspersky felt like a high risk place to deploy that exploit because it is, you know, it's a security research company. They have lots, or at least they used to have lots, of good people.
B
Yeah, I don't think that they were the first people hacked with it. This is probably towards the tail end when you're sort of running out of, you know, you've done your, like A tier, your B tier and you're down at the F tier and like, okay, who's left that we could just try it on to maybe get something.
A
Yeah, look, I think I have a slightly different view in that maybe Kaspersky is a high priority target because they're a security company, but they're also a high risk target. So maybe they're one of the last ones. But what's interesting here is that Kaspersky, they reported on it in June of 2023. So they said that they noticed Triangulation at the beginning of 2023. So this report, they say that they were targeted. Some Chinese employees of the timekeeping centre were targeted in March 2022. So that's a whole year earlier, right? Almost a whole year earlier than Kaspersky's targeting. Nine months.
B
Yeah. Although how do they know it was the Triangulation attack at that point? Because they suggest that they were hacked several times. So it might have been different exploits.
A
Yeah, I thought that there was some artifact left behind and so that's how Kaspersky knew that there were thousands, because they were able to examine phones and find evidence. That's my recollection. And I mean there's always a bit of who knows if they're telling the truth. And it says that they targeted just, I think. Is it 10 employees?
B
Right? Around 10 employees, which is around 10.
A
And that occurred over the period of almost, was it nine months? I think. And basically that's the only thing that happened until the people's phones were being owned by Triangulation. And it says illegally stealing their phone contacts, text messages, photo albums, location information and other data.
B
The other data is the part that's actually interesting here. I think that it was, they say in September of that year they stole credentials to gain access.
A
That was credentials to gain access, I think from an administrator. So it was some sort of privileged account on the timekeeping network. And so it seems like in this case it was Triangulation to get silently onto phones and then just harvest credentials that then enabled them to get to the network that they wanted to.
B
Right. So I just want to pause here for a minute to emphasize what's going on. NSA probably has a lot of 0day they could use against whatever computers they have at the time service. Right. I don't think that they're like, oh no, we don't have a Windows remote, we'll have to use our iPhone 0day. Like, that seems unlikely. It's that they want something that has longevity and that's reliable and that doesn't have as many artifacts that get left behind. It's straightforward to clean up login information, but if you try and hack something and it fails, you end up with lots of log entries. So there's that DEFCON talk by Rob Joyce a few years ago where he talked about how most of what they do is credentials. And I think people just never believed him because it's like, yeah, come on. Like, you're saying that, but you're NSA, you must have so many exploits. But I think this is a good example of like, yeah, they do have a lot of exploits and they use them to get credentials so that they could then log in.
A
Yep. So I think that's interesting, and to me that makes sense. Well, before Triangulation is discovered, there's a relatively small targeted.
B
This is not a thousand people who work there, it's 10 at most. Right?
A
Yeah, yeah. And so maybe in the rest of China, you add it all up and it is thousands. It's a big country.
B
Right. Like they're only publishing this one particular operation. I suspect that things other than the time service were hacked over this two and a half year period.
A
You would think so. Yeah. Yeah.
B
And they probably know about a bunch of them as well. So it's. This seems like the least consequential to expose, maybe.
A
Yeah. So the timeline is from March '22 to April '23. According to the report, the NSA is using Triangulation to get secrets from more than 10 devices.
B
They're stealing nudes from Athens.
A
But by September they've got login credentials for the network administrator.
B
Right.
A
And so it seems like this is not a very fast paced, rapid. They're not.
B
Are you suggesting that maybe this was not a high priority target where people are pulling like all nighters and coming in over the weekend, canceling vacation plans to make sure it gets done?
A
Well, it seems like it, doesn't it? And sort of you would think, okay, let's come up with a list of phones in organizations that we know are of interest and we've got an exploit that we know will go away at some point.
B
Right.
A
And so let's use that, convert this.
B
Temporary capability into a more permanent capability. The credentials.
A
Yes.
B
Right. It's like trade this in now before it goes off so we can have something that we can store for a long time.
A
Yeah, let's drink the milk before the use-by date and then, well, let's.
B
Turn the milk into ice cream and then keep the ice cream in the fridge very lightly.
A
Yeah. So I think it's interesting that it makes you think about Triangulation, where there's a relatively limited number of devices a year before and then by the time Kaspersky discovers it, it's many, many devices in high risk places.
B
Right. It's the tail end of the operation, the operational use of that exploit, where they're just like, let's squeeze anything we possibly can out. We've had a good run, let's just milk it up to the. Yeah. All the way to the finish line.
A
Yeah. And so I think that's like super interesting.
B
So I think the timelines here are quite interesting as well. And I think that even the fact that they went for such a small number of devices over a long time, I would suspect that that's because they only have one entry point that they know about and then they need to do SIGINT analysis on that to find, basically they spider out into a network until they can find someone who has the credentials that they want. So that might be why they spent a long time and hacked a small number of devices. But you'd think if they were only going after admins, would they go after 10 people? That seems a lot.
A
It seems like you'd go after however many people you needed until you got to an administrator and then you would go, does this credential work?
B
Right. Stop.
A
And so I guess you're thinking what they had the number of someone at the timekeeping center.
B
Yeah, yeah. Like from one of their other collection points they would have, I don't know, like director of sales. If people want to buy the time, I guess.
A
Yes, yes. Can you imagine rejecting the specifics?
B
So I'm just thinking that they're calling up and they're like, we've got a number. And they call up and it's like at the sound of the tone, the time will be.
A
Yep.
B
And from there they spider out. But. Right, yeah.
A
So they hack that person's phone, get contacts, figure out who else in the organization has an iPhone.
B
Right.
A
Can I send them a blue message? Okay, yes, good.
B
Right. And then it's, you know, are they saved as network admin? Are they saved as like help desk? Like these are probably good things to go after or are they saved as like mother in law, you know?
A
Yeah. So like the idea is that there's some delay in that process of iterating.
B
Particularly because this, I don't think that this is a super high priority target. So it's probably like put into a queue and process when it's processed.
A
Yeah. And it could also be a like risk mitigation. We're not going to pump out this exploitation.
B
Don't attack all 10 people in the same two day period.
A
Yeah, right. I mean in the context of all the other operations that you're using it for. Right. You just sort of slot it in at a place where it makes sense.
B
It makes sense that they do this. And it's very interesting that they spend over a year using Triangulation on these 10 people, even though they appear to have gotten the credentials in September. So I'm wondering, maybe they wanted to check, like, has there been a change before we try and use them?
A
Yeah, that bit is unclear to me because. So they get that administrator's credentials in September of '22, but then they don't start logging in until April of '23. So it could be that they just happened across the credentials and they never bothered trying them. And so they were like, well, we've got this, you know, we'll keep spidering out just in case that doesn't work. I don't know. That is less logical to me.
B
Like how do they know that they got the credentials in September? What is the forensics artifact that tells you that they got the credentials in September?
A
Right, right. So that could just be wrong.
B
Yes. Maybe they hacked the guy who had the credentials in September, but that doesn't necessarily mean that they, because they had access to him, they had the credentials immediately.
A
Right. I mean, it actually makes sense that they didn't get credentials back then because it says that they used Triangulation until April 11th of 2023, and then from April 11th they started logging into the network.
B
Right.
A
So that actually would make sense if they didn't get them till April 11, then they immediately log in and it sounds like they're doing recon at that point.
B
Yeah.
A
Use the computer, in this translation, I think you've got a better one, as a base to detect the network environment of the timing centre.
B
Yeah.
A
Probably says something logical.
B
Yeah, yeah. The machine translation is not quite as good, but. Yeah, like the timelines, they don't make sense on the surface because you'd be like, they hack in March of '22, but they don't log in until April of '23. Like, that's, how, over a year. And then they're there on the network for like another year and a half or something until June of '24.
A
Yeah, yeah. So what I've got is the. Looks like they're doing recon from April to August. So what's that, four months?
B
Right.
A
So they logged in over 80 times. And then in August they put down an implant.
B
But I mean, they say logged in 80 times, but if you look at this graphic, which has.
A
It's got 13.
B
If you look at this graph, it's got like three hours of activity and there's five logins over this one period. Which to me, what that suggests is that that's when they run the script on the attacker side to then log in, run the commands that need to be run to collect whatever. Then they get it. It's like, okay, that's finished running. Now I run the next one. And it would log in and do it all again, right? Yeah. So this is like, that's three hours of someone's workday right there that you're looking at. This poor schlub has to sit there waiting for the timekeeping service to collect and upload data for him. Okay, so it looks like what happens is they spend April to August doing recon, right? They're just logging in using proper credentials and so on. And then in August, they switch over to using an implant. Like, the operation has stepped up to the, let's start collecting data. Right. So this is kind of funny. At this stage, BAC 11, which is the implant, was not yet fully functional, and the attackers had to remotely disable the host's antivirus software before each launch. They then spent from March to April customizing and upgrading. I don't know enough about second Agency operation, but it seems like they were doing operational work starting in August. And then from March to April, they changed their tooling and then kept going until they were discovered in June.
A
I mean, I thought it was interesting. Beforehand you mentioned that they weren't living off the land. And so my take, or my guess, was that having an implant allows you to do a lot of stuff, or to automate a lot of stuff, that is manual. And so that must be why they're still doing it, because the trend seems to be for all sorts of cyber operators to just live off the land. But that's still, I guess you can automate scripts or stuff, but you've still got to have a connection there. Right. Whereas this is, you can leave the implant to do things. There's a lot of work and it speaks about that work here, in that it clears memory usage and operation traces after.
B
Right.
A
And so presumably the implant is doing all sorts of things to be stealthy.
B
Right. And there's not necessarily a living off the land tool that you can use to edit the Windows event log, right?
A
Yeah, like, yeah, yeah. And so I guess from a trade-offs perspective it's, let's do a lot more work to get an implant to do all these things and that will get us the stealth, or the covertness or hard-to-detect properties, of living off the land, but we get to do more stuff.
B
Right.
A
So it's like an investment in a tool that you can use a lot to sort of scale more broadly, I guess.
B
I mean, it makes sense to me. It's different ways of achieving stealth. Basically you can either use things that are indistinguishable from regular tools or you could use something that cannot be detected and hope that it's never detected. Just offhand, I'm wondering, NSA must do living off the land stuff. They can't.
A
Well, I think that was that first several months, wasn't it, where they were logging in. The report doesn't say anything about what they were doing.
B
Yeah, connecting to the network and doing stuff. And so yeah, I think probably at that point they're doing like, show me the network list, show me the ARP tables, you know, list of users, things like that, which you don't need to have a custom implant for, because that sort of recon is perfect for living off the land.
A
So that's what I assume, is that they use those techniques to get an understanding of the network, and then, is it appropriate for, you know, implant A, B, C or D, because of the properties of, you know, whatever antivirus it has or the EDR or.
B
Right, because I mean, you might have to log in and manually disable the antivirus every single time.
A
Yeah. So it kind of doesn't really explicitly say it, but it implies that there is a function or module that can either evade EDR or switch it off, because it says they deploy multiple new modules to achieve long term persistence and covert control. So to me that implies that without actually necessarily spelling it out.
B
Yeah. They also talk about how there's specific antivirus evasion capabilities that are very impressive. The CERT technical report lists a bunch of characteristics of NSA operations. And one that stood out to me as very interesting was that they call it patience and caution. Right. So apparently the NSA thoroughly monitored the compromised hosts throughout the operation. File changes, system shutdowns and restarts prompted a thorough investigation of the cause of any anomalies. So to me what that speaks to is they're looking for indicators that they've been detected and that there's the beginning of investigation type processes going on. Or maybe someone's installing collection tools to sort of get information from them. It's been imaging.
A
Reminds me of the story of someone who was, I think some sort of sysadmin and they were saying that of all the boxes they maintained, the ones that were hacked were the ones that never crashed because.
B
The hackers were patching.
A
The APTs went in and cleaned it all up so that it didn't crash to raise suspicion.
B
Like, what's cool about this technical report is they show why they're linking this to the NSA, and it's because the implant that got installed has a lot of code similarities to the DanderSpritz implant that was leaked by the Shadow Brokers back in 2016. They show why they're linking it to NSA. Like, they sort of give the evidence, they have receipts, they show the code side by side. But I think that this detailed timeline is quite nice because it allows you to see sort of what's happening inside the NSA while this operation is going on, to a degree. And then the operational details of how they operate on the network, I find quite interesting that they are slow and cautious. Anytime something weird happens, they look into it because they want to know what's going on. Are they being investigated, have they been detected, do they need to clean up? And the implants have functionality so that if they're running in a VM or there's a debugger or whatever, they self delete immediately. It's very much this insight into the operational approach of NSA. So thank you to China for giving us that.
A
So there was actually BTN110, where we spoke about NSA's 9 to 5 hacking campaign. And I think my comment at the time was that you, in particular, were disappointed because there wasn't any, like, hacking magic involved.
B
Yeah, yeah.
A
I actually feel this report is more impressive in a way.
B
Well, this one does feel like magic compared to the. Well, not necessarily magic, but previously, it was very much like they sent phishing emails, they got login credentials. It was just very dull. Like, it was very pedestrian. This one seems like a real campaign. Right. They've got, like, the iOS hacking and then they convert that to credentials. They do their recon and then they do an implant, and, like, there's just.
A
But NSA's got its mojo back.
B
Thanks a lot, Tom.
A
Thanks, Grugq.
Podcast: Risky Bulletin
Host: Tom Uren ("A")
Guest: The Grugq ("B")
Date: October 27, 2025
In this episode of "Between Two Nerds", hosts Tom Uren and The Grugq examine recent Chinese government leaks and propaganda about a major NSA cyber operation against China's National Timekeeping Service. The discussion combines geostrategic analysis, technical deep dives, and signature banter, revealing new insights into NSA tradecraft, the nature of the targeted network, and the broader context of high-stakes nation-state hacking.
Long Dwell and Small Scope:
Transition to Network Access:
On Chinese propaganda video:
“Is this an AI? This is an AI.”
– B, [01:38]
On the significance of the target:
“Not immediately clear what the intelligence value of [the time service] is, but… there’s either links to something that has intelligence value or it’s a jumping-off point.”
– A, [03:43]
On NSA operational restraint:
“…They want something that has longevity and that’s reliable and that doesn’t have as many artifacts that get left behind. It’s straightforward to clean up login information, but if you try and hack something and it fails, you end up with lots of log entries.”
– B, [10:09]
On attacker patience:
“Apparently the NSA thoroughly monitored the compromised hosts throughout the operation… File changes, system shutdowns and restarts prompted a thorough investigation of the cause of any anomalies.”
– B, [23:28]
On the goals of custom implants:
“Let’s do a lot more work to get an implant to do all these things and that will get us the stealth … but we get to do more stuff.”
– A, [21:40]
On timeline oddities:
“The timelines don’t make sense on the surface... They hack in March of ‘22, but they don’t log in until April of ‘23…”
– B, [17:58]
Summing up the mood:
“NSA’s got its mojo back.”
– A, [26:48]
This episode unpacks the anatomy and timeline of a stealthy, persistent NSA intrusion into a sensitive Chinese network. Through the lens of both Chinese public disclosures and the hosts' own technical expertise, listeners gain a rare look into world-class nation-state tradecraft. The approach—methodical, patient, adaptive—is presented as a case study in modern cyber espionage. The lively banter keeps complex material accessible, with both hosts appreciating the impressive (if unsettling) capabilities now confirmed to be in the field.
If you’re curious about how the NSA really operates, or want a deep-dive into the mechanics of high-end cyber-espionage, this is an essential listen.