You probably didn’t hear it here first, but the incredibly impressive thing about modern hacking groups is how darned cheap they are – in every sense of that word.
Why pay for cloud services when you can borrow free ones from large providers? Or, for that matter, make your own malware when you can re-purpose well-engineered tools made by other, more talented people?
It’s the low-budget MO that seems to get the people behind the allegedly Chinese Gadolinium hacking group out of bed in the morning, at least according to a new Microsoft report on the group’s recent activities.
In its report “Detecting empires in the cloud”, the company details how in mid-April the Microsoft Threat Intelligence Center (MSTIC) identified and suspended 18 Azure Active Directory applications that the threat group was using as part of its command-and-control infrastructure.
These were connected to spear-phishing attacks pushing malicious PowerPoint attachments with appealing COVID-19 pandemic subject lines to target organizations in higher education and regional government in Gadolinium’s Asia-Pacific hunting ground.
Which brings us to the important theme of this campaign: the use and abuse of legitimate tools and infrastructure.
On an infected computer, Gadolinium’s toolkit – a modified version of the open source PowerShell Empire post-exploitation framework – was being used to siphon off data to a OneDrive account under the attacker’s control.
While any competent threat group can compromise computers, exfiltrating the data without being detected is harder, hence the need to hide the activity behind what look like legitimate applications talking to legitimate servers.
And what could be made to look more legitimate than Azure and OneDrive? Writes Microsoft:
“From an endpoint or network monitoring perspective the activity initially appears to be related to trusted applications using trusted cloud service APIs and, in this scenario, no OAuth permissions consent prompts occur.”
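The tell in that scenario is not the destination, which is a trusted Microsoft endpoint, but the process that opens the connection. As an added example (not from the Microsoft report or from Gadolinium’s tooling), the following hunt runs over a handful of constructed Sysmon-style network-connection events and flags cloud API traffic originating from anything other than the clients expected to talk to those APIs. The host list, the expected-client paths and the sample events are assumptions made for illustration and would need tuning for a real estate.

```python
"""
Hunt for "living off the land" cloud exfiltration: a non-browser, non-Office
process (here powershell.exe) talking to Microsoft cloud API endpoints.
The events below are constructed for this example; in practice they would
come from Sysmon Event ID 3 or equivalent EDR telemetry.
"""
from collections import defaultdict

# Hosts a legitimate OneDrive/Graph client talks to (assumed list; extend per
# estate). Attacker tooling that re-uses the same APIs blends in at the network
# layer, so the detection keys on the *process*, not on the destination.
CLOUD_API_HOSTS = {
    "graph.microsoft.com",
    "login.microsoftonline.com",
    "api.onedrive.com",
}

# Processes normally expected to use those APIs (assumed allow-list, lower-case).
EXPECTED_IMAGES = {
    r"c:\program files\microsoft onedrive\onedrive.exe",
    r"c:\program files\microsoft office\root\office16\outlook.exe",
    r"c:\program files\microsoft office\root\office16\powerpnt.exe",
    r"c:\program files (x86)\microsoft\edge\application\msedge.exe",
}

# Constructed sample events (not real telemetry); fields mirror Sysmon Event ID 3.
SAMPLE_EVENTS = [
    {"ts": "2020-04-14T09:01:10Z", "host": "LAB-PC1", "user": "LAB\\alice",
     "image": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",
     "dest": "graph.microsoft.com", "port": 443},
    {"ts": "2020-04-14T09:02:44Z", "host": "LAB-PC1", "user": "LAB\\alice",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dest": "login.microsoftonline.com", "port": 443},
    {"ts": "2020-04-14T09:02:45Z", "host": "LAB-PC1", "user": "LAB\\alice",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dest": "graph.microsoft.com", "port": 443},
    {"ts": "2020-04-14T09:05:02Z", "host": "LAB-PC1", "user": "LAB\\alice",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dest": "graph.microsoft.com", "port": 443},
    {"ts": "2020-04-14T09:10:00Z", "host": "LAB-PC2", "user": "LAB\\bob",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
     "dest": "graph.microsoft.com", "port": 443},
    {"ts": "2020-04-14T09:11:30Z", "host": "LAB-PC2", "user": "LAB\\bob",
     "image": r"C:\Windows\System32\cmd.exe",
     "dest": "example.com", "port": 80},
]


def is_suspicious(event):
    """True when a cloud API host is reached by a process that is not on the
    expected-client list. Non-cloud destinations are ignored entirely."""
    if event["dest"].lower() not in CLOUD_API_HOSTS:
        return False
    return event["image"].lower() not in EXPECTED_IMAGES


def hunt(events):
    """Group suspicious connections per (host, user, image) so an analyst sees
    one finding per offending process, with count, destinations and time span,
    rather than one alert per connection."""
    findings = defaultdict(
        lambda: {"count": 0, "dests": set(), "first": None, "last": None}
    )
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not is_suspicious(ev):
            continue
        key = (ev["host"], ev["user"], ev["image"].lower())
        f = findings[key]
        f["count"] += 1
        f["dests"].add(ev["dest"].lower())
        f["first"] = f["first"] or ev["ts"]
        f["last"] = ev["ts"]
    return dict(findings)


if __name__ == "__main__":
    for (host, user, image), f in hunt(SAMPLE_EVENTS).items():
        print(f"{host} {user} {image}: {f['count']} connection(s) to "
              f"{sorted(f['dests'])} between {f['first']} and {f['last']}")
```

Run against the sample data, only the PowerShell process on LAB-PC1 is reported: the OneDrive client and PowerPoint talking to the same Graph endpoint are expected, and the cmd.exe connection never touches a cloud API host. Two caveats: this check needs process-level telemetry, which is exactly what pure network monitoring lacks (Microsoft’s point above), and PowerShell is also how administrators drive Microsoft 365 modules, so the allow-list and the accounts it applies to have to be tuned rather than copied.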
Living off the land
According to Microsoft, Gadolinium is not alone in its interest in adapting open source toolkits instead of writing traditional malware.
It’s a trend that has been going on for a while and gives attackers a way to blend their traffic in with legitimate activity. It also helps that someone else has done the hard development work. As for the cloud:
“Because cloud services frequently offer a free trial or one-time payment (PayGo) account offerings, malicious actors have found ways to take advantage of these legitimate business offerings.”
This is another common wheeze, which raises the question of why free cloud accounts aren’t more thoroughly vetted.
Microsoft doesn’t mention China by name in the report, but across a decade’s worth of shenanigans Gadolinium has been repeatedly connected to that country by US security companies.
In fact, Gadolinium has a bewildering list of aliases, depending on which company is reporting it, including Leviathan, Kryptonite Panda, Bronze Mohawk, TEMP.Periscope/TEMP.Jumper, Mudcarp, ITG09, ATK 29, and plain APT40.
It’s not hard to understand why even seasoned security watchers sometimes get lost trying to track threat groups in third-party reports.
This is not the first Gadolinium campaign disrupted by Microsoft, whose report documents the group’s experimentation with similar cloud-based attacks that the company detected in 2016, 2018 and 2019.
So that’s one small stub of a single threat group taken down, leaving umpteen to go. Doubtless, many of those cost little more than the hacker’s time to get up and running too.