Cylance discovers new Middle East APT threat actor: The White Company


Research uncovers a new, well-resourced group targeting Pakistan’s air force

Cylance has released the first in a series of research reports that explores the identification and tracking of a new—and likely state-sponsored—threat actor whose profile does not match any of the established advanced persistent threat (APT) groups.

The preliminary findings detail one of the group’s recent campaigns, a year-long espionage effort directed at the Pakistani Air Force. Cylance calls the campaign Operation Shaheen and the organisation the White Company—in acknowledgement of the many elaborate measures the organisation takes to whitewash all signs of its activity and evade attribution.

The Pakistani Air Force is not just an integral part of the country’s national security establishment—including its nuclear weapons program—but it is also the newly announced home of the country’s National Centre for Cyber Security. A successful espionage operation against such a target could yield significant tactical and strategic insight to a range of foreign powers.

Cylance researchers uncovered evidence indicating the White Company possesses considerable resources that support the likelihood that the organisation is part of a state-sponsored group:

  • Access to zero-day exploit developers and (potentially) zero-day exploits
  • A complex, automated exploit build system
  • The ability to modify, refine, and evolve exploits to meet mission-specific needs
  • The capacity for advanced reconnaissance of targets

The Cylance threat intelligence team analysed a large portion of the White Company’s exploit kit, which in this case involved a painstaking examination of the machine-language instructions embedded in a sample of roughly 30 exploits. Genetic marking and mapping of 42 unique features allowed researchers to track the development, modification, and evolution of the exploit kit over time, which in turn enabled Cylance to link the White Company to other previously unidentified or misattributed campaigns.

The White Company is the first threat actor Cylance has encountered that targets and effectively evades multiple antivirus products—including Sophos, ESET, Kaspersky, BitDefender, Avira, Avast, and Quick Heal—before turning them against their owners by deliberately surrendering to them on specific dates in order to distract, delay, and divert resources.

Antivirus evasions are just one of a number of measures employed by The White Company to escape attribution. Other methods include:

  • Within the exploit: Four different ways to check whether the malware was on an analyst’s or investigator’s system; the capacity to clean up Word and launch a decoy document to reduce suspicion; and the ability to delete itself entirely from the target system
  • Within the malware: Five different packing techniques that housed the ultimate payload in a series of nesting-doll layers; additional ways to check whether the malware was on an analyst’s or investigator’s system; anonymous, open-source payloads and obfuscation techniques; the use of compromised network infrastructure for command and control

Future reports in the series will delve deeply into the malware and infrastructure associated with these and other White Company campaigns while sharing sophisticated analysis of the underlying technical data.

The full report can be downloaded here.

About Cylance® Inc.
Cylance develops artificial intelligence to deliver prevention-first, predictive security products and smart, simple, secure solutions that change how organisations approach endpoint security. Cylance provides full spectrum predictive threat prevention and visibility across the enterprise to combat the most notorious and advanced cybersecurity attacks. With AI-based malware prevention, threat hunting, automated detection and response, and expert security services, Cylance protects the endpoint without increasing staff workload or costs. We call it the Science of Safe. Learn more at www.cylance.com
