Often during the investigation of sophisticated threat actors, the demarcation between the different attackers and campaigns…
The CrowdStrike Intelligence Team’s primary focus is to track adversaries associated with nation-state actors and monitor their activity. Typically one never wants to disclose one’s amassed intelligence in a way that may compromise the ability to collect more intelligence; this is clearly a losing game. However, occasionally the release of some intelligence is required or beneficial, and the loss of the intelligence collection capability is outweighed by the perceived benefit of the release. This is often characterized as ‘Intelligence Gain/Loss’ by intelligence professionals, and it is often a hotly debated calculus.
I’ll outline the current CrowdStrike position on IGL related to intelligence disclosure. (Spoiler alert: There will be a disclosure after that.)
It has become apparent in recent months, as cyber intelligence comes to the forefront of the national and community dialogs, that we have a few problems in the way we discuss and disseminate cyber intelligence information. One of the biggest points of confusion for people is the nomenclature that we use to describe adversaries and malware.
At CrowdStrike we believe firmly in focusing on the adversary. What adversary, you may ask? Well, that’s where all this is going. Some in the community refer to an adversary by the malware detection name from a specific anti-virus vendor, e.g. Hydraq. This is sometimes useful, but when the adversary is using a piece of malware that is detected as Generic.Downloader.234, you have a much harder time communicating. Additionally, every A/V vendor uses different names, so one vendor might call the same sample Generic.Downloader.234 and another Downloader.863, which makes it difficult to share intelligence with groups that don’t use the same A/V as you.
Adversaries use multiple malware packages during their attacks, and once they gain access to the victim enterprise, they use a whole other set of tools and utilities to accomplish their objectives. This is where we start categorizing adversaries by their tools and techniques, which is the right approach, but multiple names have emerged for the same groups and are used inconsistently by the community. As an example, we all know Comment Crew, a/k/a Comment Team, a/k/a APT-1, a/k/a Comment, etc. This is where we are going to run into problems: we are starting to develop the same fragmented naming schemes as A/V, which will eventually lead to the same confusion. To help the community avert the naming dilemma, we are sharing with the research community the CrowdStrike cryptonyms for some of the more prolific and active adversaries. In addition to helping ensure we all know who these adversaries are and when they are active, we are sharing some signatures that will help identify them on the networks they frequent. Weighing the Intelligence Gain/Loss of that disclosure:
Gain:
- Common and unambiguous nomenclature to help the community discuss these adversaries
- Ability to detect these adversaries on the wire
- More visibility into the problem of targeted attacks aimed at stealing intellectual property and opportunity from governments, businesses, human rights activists, and non-profit groups
- The adversary has to change tactics, techniques, and procedures, which raises the cost of their espionage tradecraft
Loss:
- Momentary loss of visibility on the adversary
- We have to work hard to stay on the adversary and generate more intelligence
The choice for us is clear – the Gain outweighs the Loss.
Meet Anchor Panda
We presented this information at the RSA conference several weeks ago in a presentation called ‘Hacking Exposed: PLA(N) Edition’. This is an adversary that CrowdStrike has tracked extensively over the last year targeting both civilian and military maritime operations in green- and brown-water regions, primarily in the area of operations of the South Sea Fleet of the PLA Navy. Beyond maritime operations in that region, Anchor Panda also heavily targeted Western companies in the US, Germany, Sweden, the UK, Australia, and other countries that are involved in maritime satellite systems, aerospace, and defense contracting. Not surprisingly, embassies and diplomatic missions in the region, foreign intelligence services, and foreign governments with space programs were also targeted. We won’t share too many details about this adversary (we don’t want to make it too easy for them), but we will share some signatures specific to Anchor Panda. These Snort-format signatures will help you find Anchor Panda; just remember to replace the placeholder Signature ID (sid: xxx) in each rule with an unused value from your own local sid range, define the $VICTIM and $CONTROLLER variables in your configuration (a rule that references an undefined variable will not load), and deploy the two Torn RAT rules together, since the second one only alerts when the flowbit set by the first is present on the same flow.
alert tcp $VICTIM any -> $CONTROLLER any (msg: "[CrowdStrike] ANCHOR PANDA - Adobe Gh0st Beacon"; flow: established, to_server; content: "Adobe"; offset: 0; depth: 5; content: "|e0 00 00 00 78 9c|"; distance: 4; within: 15; sid: xxx; rev: 1; reference: url,https://www.crowdstrike.com/blog/whois-anchor-panda/index.html; )
alert tcp $CONTROLLER any -> $VICTIM any (msg: "[CrowdStrike] ANCHOR PANDA - Poison Ivy Keep-Alive - From Controller"; dsize: 48; flow: established, from_server; content: "|54 90 1d b0 18 1b 7c ce f4 5b 24 2f ec c7 d2 21|"; depth: 16; sid: xxx; rev: 1; reference: url,https://www.crowdstrike.com/blog/whois-anchor-panda/index.html; )
alert tcp $VICTIM any -> $CONTROLLER any (msg: "[CrowdStrike] ANCHOR PANDA - Poison Ivy Keep-Alive - From Victim"; dsize: 48; flow: established, to_server; content: "|af c0 bb 65 5d 07 e0 0d bf ab 75 2f 82 79 ae 26|"; depth: 16; sid: xxx; rev: 1; reference: url,https://www.crowdstrike.com/blog/whois-anchor-panda/index.html; )
alert tcp $VICTIM any -> $CONTROLLER any (msg: "[CrowdStrike] ANCHOR PANDA Torn RAT Beacon Message Header Local"; flow: established, to_server; dsize: 16; content: "|00 00 00 11 c8 00 00 00 00 00 00 00 00 00 00 00|"; depth: 16; flowbits: set,toread_header; flowbits: noalert; sid: xxx; rev: 1; reference: url,https://www.crowdstrike.com/blog/whois-anchor-panda/index.html; )
alert tcp $VICTIM any -> $CONTROLLER any (msg: "[CrowdStrike] ANCHOR PANDA Torn RAT Beacon Message"; dsize: 200; flow: to_server,established; flowbits: isset,toread_header; content: "|40 7e 7e 7e|"; offset: 196; depth: 4; sid: xxx; rev: 1; reference: url,https://www.crowdstrike.com/blog/whois-anchor-panda/index.html; )
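As an added illustration (this is not code from the original post or from CrowdStrike), the Python below re-creates the matching semantics of the five rules above so they can be dry-run against sample payloads without a sensor: offset/depth for the absolute matches, distance/within for the relative match in the Gh0st rule (modeled the way Snort 2 evaluates it, as a search window that opens distance bytes past the end of the previous match and is within bytes long), dsize for the exact payload sizes, and the per-flow flowbits state that links the two Torn RAT rules so that the header packet alone never alerts. The byte patterns are copied from the signatures; every payload, the flow tuple, and the function and class names are constructed for the example.

```python
"""Dry-run of the Anchor Panda Snort rules in plain Python.

Added example: re-implements the rule options (offset/depth, distance/within,
dsize, flowbits) so the signatures can be exercised on constructed payloads
without a sensor.  Nothing here is captured traffic.
"""
from collections import defaultdict
from typing import Dict, Set, Tuple

FlowKey = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)

# Byte patterns copied verbatim from the signatures above.
GH0ST_MAGIC = b"Adobe"
GH0ST_ZLIB = b"\xe0\x00\x00\x00\x78\x9c"
PI_FROM_CONTROLLER = bytes.fromhex("54901db0181b7ccef45b242fecc7d221")
PI_FROM_VICTIM = bytes.fromhex("afc0bb655d07e00dbfab752f8279ae26")
TORN_HEADER = bytes.fromhex("00000011c80000000000000000000000")
TORN_TRAILER = b"@~~~"  # |40 7e 7e 7e|


def adobe_gh0st_beacon(payload: bytes) -> bool:
    """content:"Adobe"; offset:0; depth:5;
    content:"|e0 00 00 00 78 9c|"; distance:4; within:15;"""
    if payload[:5] != GH0ST_MAGIC:
        return False
    # Relative match: the window opens 4 bytes after the end of "Adobe"
    # (byte 5) and is 15 bytes long; the 6-byte pattern must fit inside it.
    start = len(GH0ST_MAGIC) + 4
    return GH0ST_ZLIB in payload[start:start + 15]


def poison_ivy_keepalive(payload: bytes, from_server: bool) -> bool:
    """dsize:48; content:<16 bytes>; depth:16; the pattern depends on direction."""
    expected = PI_FROM_CONTROLLER if from_server else PI_FROM_VICTIM
    return len(payload) == 48 and payload[:16] == expected


class TornRatDetector:
    """The two Torn RAT rules share state through flowbits: the 16-byte
    header sets 'toread_header' silently (noalert) and the 200-byte message
    alerts only if that bit is already set on the same flow."""

    def __init__(self) -> None:
        self.flowbits: Dict[FlowKey, Set[str]] = defaultdict(set)

    def inspect(self, flow: FlowKey, payload: bytes) -> bool:
        # Rule 1: dsize:16; content:<header>; depth:16; flowbits:set; noalert
        if len(payload) == 16 and payload == TORN_HEADER:
            self.flowbits[flow].add("toread_header")
            return False
        # Rule 2: dsize:200; flowbits:isset; content:"@~~~"; offset:196; depth:4
        return (
            len(payload) == 200
            and "toread_header" in self.flowbits[flow]
            and payload[196:200] == TORN_TRAILER
        )


# Constructed payloads that exercise each rule and its negative cases.
SAMPLE_GH0ST = GH0ST_MAGIC + b"\x00" * 4 + GH0ST_ZLIB + b"\x00" * 10
SAMPLE_GH0ST_LATE = GH0ST_MAGIC + b"\x00" * 20 + GH0ST_ZLIB  # pattern past the window
SAMPLE_PI_SERVER = PI_FROM_CONTROLLER + b"\x00" * 32           # exactly 48 bytes
SAMPLE_TORN_MESSAGE = b"\x00" * 196 + TORN_TRAILER             # exactly 200 bytes


def run_samples() -> Dict[str, bool]:
    """Evaluate every sample; keys name the case, values mean alert / no alert."""
    flow: FlowKey = ("10.0.0.5", 49152, "192.0.2.10", 443)  # constructed flow
    warm, cold = TornRatDetector(), TornRatDetector()
    return {
        "gh0st_beacon": adobe_gh0st_beacon(SAMPLE_GH0ST),
        "gh0st_beacon_outside_window": adobe_gh0st_beacon(SAMPLE_GH0ST_LATE),
        "pi_keepalive_from_controller": poison_ivy_keepalive(SAMPLE_PI_SERVER, True),
        "pi_keepalive_wrong_direction": poison_ivy_keepalive(SAMPLE_PI_SERVER, False),
        "pi_keepalive_wrong_size": poison_ivy_keepalive(SAMPLE_PI_SERVER + b"\x00", True),
        "torn_header_is_silent": warm.inspect(flow, TORN_HEADER),
        "torn_message_after_header": warm.inspect(flow, SAMPLE_TORN_MESSAGE),
        "torn_message_without_header": cold.inspect(flow, SAMPLE_TORN_MESSAGE),
    }


if __name__ == "__main__":
    for case, fired in run_samples().items():
        print(f"{case:32} {'ALERT' if fired else 'no alert'}")
```

Two points the dry run makes visible: the Gh0st rule is tighter than "Adobe followed by a zlib header", because the zlib bytes must land inside a 15-byte window starting 9 bytes into the payload, and the Torn RAT message rule is useless on its own, since a sensor that only loads the second rule (or that sees the 200-byte message on a flow whose header packet was missed) never alerts.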
Be sure to follow @CrowdStrike on Twitter as we continue to release more intelligence on additional adversaries over the coming weeks. If you have any questions about these signatures or want to hear more about Anchor Panda and their tradecraft, please contact firstname.lastname@example.org and inquire about our intelligence-as-a-service solutions.