Russian Hacking Tools Codenamed WhiteBear Exposed

Kaspersky Labs exposed a highly sophisticated set of hacking tools from Russia called WhiteBear.

From February to September 2016, WhiteBear activity was narrowly focused on embassies and consular operations around the world. All of these early WhiteBear targets were related to embassies and diplomatic/foreign affair organizations. Continued WhiteBear activity later shifted to include defense-related organizations into June 2017. When compared to WhiteAtlas infections, WhiteBear deployments are relatively rare and represent a departure from the broader Skipper Turla target set. Additionally, a comparison of the WhiteAtlas framework to WhiteBear components indicates that the malware is the product of separate development efforts. WhiteBear infections appear to be preceded by a condensed spearphishing dropper, lack Firefox extension installer payloads, and contain several new components signed with a new code signing digital certificate, unlike WhiteAtlas incidents and modules.

The exact delivery vector for WhiteBear components is unknown to us, although we have very strong suspicion the group spearphished targets with malicious PDF files. The decoy PDF document above was likely stolen from a target or partner. And, although WhiteBear components have been consistently identified on a subset of systems previously targeted with the WhiteAtlas framework, and maintain components within the same filepaths and can maintain identical filenames, we were unable to firmly tie delivery to any specific WhiteAtlas component. WhiteBear focused on various embassies and diplomatic entities around the world in early 2016—tellingly, attempts were made to drop and display decoy PDFs with full diplomatic headers and content alongside executable droppers on target systems.

One of the clever things the tool does is use hijacked satellite connections for command and control, helping it evade detection by broad surveillance capabilities like what the NSA uses. We’ve seen Russian attack tools that do this before. More details are in the Kaspersky blog post.

Given all the trouble Kaspersky is having because of its association with Russia, it’s interesting to speculate on this disclosure. Either they are independent, and have burned a valuable Russian hacking toolset. Or the Russians decided that the toolset was already burned—maybe the NSA knows all about it and has neutered it somehow—and allowed Kaspersky to publish. Or maybe it’s something in between. That’s the problem with this kind of speculation: without any facts, your theories just amplify whatever opinion you had previously.

Oddly, there hasn’t been much press about this. I have only found one story.

EDITED TO ADD: A colleague pointed out to me that Kaspersky announcements like this often get ignored by the press. There was very little written about ProjectSauron, for example.

EDITED TO ADD: The text I originally wrote said that Kaspersky released the attacks tools, like what Shadow Brokers is doing. They did not. They just exposed the existence of them. Apologies for that error—it was sloppy wording.

Posted on September 1, 2017 at 6:39 AM • 27 Comments

Comments

Matthias U September 1, 2017 7:28 AM

I don’t think it’s odd. If your aim is to discredit Kaspersky and/or to paint a suitably black-and-white picture WRT Russian and/or “Russian” cyber attacks, this story doesn’t fit your narrative, thus you quietly ignore it.

Ryan Dennis September 1, 2017 8:10 AM

TuTu App for Android is a Chinese third party app store app available for both iOS and Android platforms. It contains most of the applications available on the Google Play Store and the Apple App Store.

ShavedMyWhiskers September 1, 2017 8:27 AM

Since exploits (the flaws they depend on) can be used in both directions, the “someplace in the middle” may be likely.
Three parts: a toolkit, the flaws it depends on and the signature of the exploit.

Ross Snider September 1, 2017 9:04 AM

Hopefully there will be cultural awareness that this happened and the associated vulnerabilities (pdf dropper and malware system) get patched quickly. Here’s hoping that various nation states, criminal organizations and intelligence agencies burn each others hacking tools so the layman has a chance.

From what I’ve seen, military and intelligence tools are broadly the same level of capability as the state of the art within the criminal and research world but highly developed and supported.

Also, given the reliability of phishing and spearphishing with very basic levels of open source intelligence – doing it with the broad investigative powers of the GRU or the CIA is frightening. They know exactly what communications you are expecting and from what systems and people.

Quick question fielded to anyone who knows: how exactly does using hijacked satellite communications evade detection? Presumably many of the same network paths would be used to route into satellite networks. Unless they are using RF from satellites for out of band? But that seems impossible as the antenna systems are not tuned for the right frequencies and they would need to rely on getting onto systems with the right modems already there. And actually, surveillance captures an incredible amount of satellite communications “on the wire” (air). I guess I’ll need to do a lot of reading to understand exactly how that is supposed to work.

ShavedMyWhiskers September 1, 2017 9:20 AM

“I forgive them for not using secure e-mail. It’s hard to use and confusing.”

It’s not just the journalists but also the sender where “hard and confusing” apply.
This might be the first time such tools are used.

For the whistle blower there is a need to share a key with the journalist. That key is irrevocable proof that identifies the whistle blower’s secure contacts.

Keys are metadata, better than most metadata for linking a circle of “conspirators”. Key management is harder to grok than sending a secure message to a public journalist with a published public half of a key pair.

One take is to gather as many public keys as possible by many just in case the key is needed in the future.

Responsible government offices and even FBI, DHS, TLA offices need to publish public keys for their hot lines if only to ensure correct routing and handling.

CC: and BCC: copies are not well served by current encryption tools.

ab praeceptis September 1, 2017 9:29 AM

Vesselin Bontchev

Didn’t they explain to you the “evil Russia”(tm) phenomenon?

OK, there is nothing in that kaspersky “report” that actually offers any basis for attributing that thing to Russia, but anyway, Russia is evil. Everybody knows that. Just ask cnn or the nato speaker!

OK, that “proof” document is actually in turkish (or similar) and not Russian, and OK, turkmenistan isn’t Russia, but anyway, Russia is evil and obviously guilty!

OK, they speak about (some of) the developers as seeming to have a british spelling, but anyway Russia is evil. Them evil Russians ™ know no bounds in their evilness and hence clearly british spelling proves evil Russia is behind it!

I have to stop now and refill my coffee mug. Because, you probably already guessed it, evil Russia ™ somehow made my mug empty. Just ask kaspersky; they’ll come up with a funny “proof” story in no time. If you are lucky, there will even be some turkmenistan document scan *g

Clive Robinson September 1, 2017 9:38 AM

@ Bruce,

Given all the trouble Kaspersky is having because of its association with Russia, it’s interesting to speculate on this disclosure.

As you note without “facts” it is all speculation.

However Kaspersky is known to have had troubles with the current Russian leadership prior to certain self-interested US politicians trying to use the fact they are a Russian company as a way to score even more political mileage (especially as it was their colleagues’ insistence that the US .mil etc used COTS suppliers for all things ICT related in the first place, so created the mess in the first place).

Thus to try to be impartial it can be seen that Kaspersky is “caught between a rock and a hard place”. It appears it can not keep either political side happy and thus has become subject to the issues with “Layer 11” in the computing stack.

As others have noted they appear to only have published a report, not released tools.

The thing about tools is as we should know by now it’s mostly conjecture as to who designed and produced them, even their usage is ambiguous at best due to other toolkits we know that the CIA and similar have.

Thus it could be the crazy case that what Kaspersky has reported on is in fact a CIA disinformation campaign, or the NSA running a faux story to cover their embarrassment at having had their own toolkit not just reported on but released and used against the US and US interests.

We don’t have any facts and in the “Smoke and Mirrors” game Intelligence is we are unlikely to find out in any sensible time frame.

Thus even crazy supposition is as valid as any other type. In fact with “Red Flag Ops” being a standard tactic the “crazy” is probably more likely to be true than the “sane”… After all, whilst the US had its “War on Drugs”, at least one part of the US IC was actively “drug running” to raise capital for operations…

So time yet again to get out the “lazyboys” and this time ten pounds of sugar, maize corn kernels and ten sticks of butter, fire up the popcorn machine, as this looks like a “10 bucket” entertainment not the usual bowl or two.

Clive Robinson September 1, 2017 9:54 AM

@ Ross Snider,

Quick question fielded to anyone who knows: how exactly does using hijacked satellite communications evade detection?

It depends on the satellite…

So I’ll just mention the simple case, in which the satellite has a broadband receiver on one frequency and a broadband transmitter on another. What the satellite transponder does is simply “RF mix” the input down or up to the output, nothing more. Thus this sort of transponder will relay any signal transmitted at it in its receiver input footprint and broadcast it out to its entire output footprint. Such footprints can be as large as the whole of Africa, Russia, Europe, Continental America etc.

Trying to find the uplink transmitter, especially if it is in very short infrequent bursts, is at best time consuming and difficult, at worst by luck only. It’s even worse trying to find the downlink receiver.

I used to pirate such transducers years ago using Direct Sequence Spread Spectrum systems designed to operate at the “band edge” or across the entire band width. Examining the transmitted output on a Spectrum Analyser you would be hard pressed to see the very slight rise in the noise floor.

More sophisticated satellites need more sophisticated tricks but broadly the “needle in a haystack” issue of the footprint coverage remains.
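The comment above rests on the processing gain of direct sequence spread spectrum: the chips sit below the noise floor, and only a receiver holding the code can pull the bits back out. The following simulation is an added illustration of that point, not code from the post or from any of the tools discussed; the PN code is a seeded stand-in for a real m-sequence, and the spreading factor, chip SNR and noise level are constructed values.

```python
"""Constructed DSSS demo: a spread signal a few tenths of a dB above the noise floor,
recoverable with the right code, unreadable with a wrong one (not from the original post)."""
import math
import random


def make_pn_code(length, seed):
    """Stand-in PN code: seeded +/-1 chips (real systems use m-sequences or Gold codes)."""
    rng = random.Random(seed)
    return [rng.choice((-1, 1)) for _ in range(length)]


def spread(bits, pn):
    """Map each data bit to +/-1 and multiply it by the whole chip sequence."""
    chips = []
    for b in bits:
        sym = 1 if b else -1
        chips.extend(sym * c for c in pn)
    return chips


def awgn_channel(chips, chip_amplitude, noise_sigma, seed):
    """Scale the chips to the wanted power and add Gaussian channel noise."""
    rng = random.Random(seed)
    return [chip_amplitude * c + rng.gauss(0.0, noise_sigma) for c in chips]


def despread(rx, pn):
    """Correlate each block of len(pn) samples with the code; the sign of the sum is the bit."""
    n = len(pn)
    bits = []
    for i in range(0, len(rx) - n + 1, n):
        corr = sum(r * c for r, c in zip(rx[i:i + n], pn))
        bits.append(1 if corr > 0 else 0)
    return bits


def noise_floor_rise_db(rx, noise_sigma):
    """What a spectrum analyser sees: total received power relative to the noise power, in dB."""
    power = sum(r * r for r in rx) / len(rx)
    return 10 * math.log10(power / (noise_sigma ** 2))


def bit_error_rate(sent, got):
    return sum(s != g for s, g in zip(sent, got)) / len(sent)


def run_demo(n_bits=64, spreading_factor=127, chip_snr_db=-7.0, seed=1):
    """Return the observables: noise-floor rise, BER with the right and a wrong code, processing gain."""
    rng = random.Random(seed)
    bits = [rng.randint(0, 1) for _ in range(n_bits)]
    pn = make_pn_code(spreading_factor, seed=seed + 100)
    noise_sigma = 1.0
    # chip SNR of -7 dB: every chip is transmitted at a fifth of the noise power
    chip_amplitude = math.sqrt(10 ** (chip_snr_db / 10)) * noise_sigma
    rx = awgn_channel(spread(bits, pn), chip_amplitude, noise_sigma, seed=seed + 200)
    wrong_pn = make_pn_code(spreading_factor, seed=seed + 300)  # an eavesdropper's guess
    return {
        "noise_floor_rise_db": noise_floor_rise_db(rx, noise_sigma),
        "ber_right_code": bit_error_rate(bits, despread(rx, pn)),
        "ber_wrong_code": bit_error_rate(bits, despread(rx, wrong_pn)),
        "processing_gain_db": 10 * math.log10(spreading_factor),  # ~21 dB for 127 chips/bit
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value:.3f}")
```

The defender's takeaway is the last number: a radiometer has to integrate long enough to see a sub-dB rise, so detection of this kind of link leans on long-term footprint monitoring rather than a glance at the analyser.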

Chairman Mao September 1, 2017 11:26 AM

LOL. It’s Russian because the programmer intentionally misspelled words? What ever happened to the Russian Keyboard theory.

There are some interesting, juvenile, and non-native English-speaker debug messages compiled into the code:
– i cunt waiting anymore #%d
– lights aint turnt off with #%d
– Not find process
– CMessageProcessingSystem::Receive_NO_CONNECT_TO_GAYZER
– CMessageProcessingSystem::Receive_TAKE_LAST_CONNECTION
– CMessageProcessingSystem::Send_TAKE_FIN

I know for a fact that it was written using US/En keyboards in Langley.

Fredric September 1, 2017 12:41 PM

Kaspersky Labs — you’re quoting from what cyber security and intelligence agencies consider to be a Russian asset company whose credibility is allegedly absolute zero.

I wouldn’t trust Kaspersky Labs with my box of rubber bands, let alone computer security. Might as well ship one’s hard drive to the Kremlin.

Bruce Schneier September 1, 2017 1:39 PM

“Goddamn it, Bruce! Kaspersky did not release the tools themselves, of course! (Thank goodness.) They only published a report.”

You’re right. Sorry. Fixed.

Sancho_P September 1, 2017 5:35 PM

@Igor
”I am puzzled why you state it’s “a set of hacking tools from Russia”.”

Well, guess that’s obvious:
[ IF (!) spying on ‘embassies and consular operations around the world’ is true
THEN … ]
Spying on sensible targets ==> Russia
Spying on Mother Theresa, Red Cross, Youporn ==> gUeSsAnystate

Also mind the quality of this “highly sophisticated” set of hacking tools,
finally discovered in 2017:
The Russians know better, they have invented the Internet just to destroy America.

InBruges September 1, 2017 6:33 PM

Does Kaspersky play ball with the Russian gov anymore than US tech co’s do with US LE/IC?
Does Symantec detect US police ware or TAO hacking tools?

65535 September 2, 2017 3:20 AM

@ Ross Snider, Clive and others

A question echoed from Ross Snider:

“…how exactly does using hijacked satellite communications evade detection? Presumably many of the same network paths would be used to route into satellite networks. Unless they are using RF from satellites for out of band? But that seems impossible as the antenna systems are not tuned for the right frequencies and they would need to rely on getting onto systems with the right modems already there. And actually, surveillance captures an incredible amount of satellite communications “on the wire” (air).”- Ross Snider

I’ll add one question:

How many satellites are hijacked? Or, an estimation of the number hijacked satellites?

@ Clive Robinson

[answer]

“…I’ll just mention the simple case, in which the satellite has a broadband receiver on one frequency and a broadband transmitter on another. What the satellite transponder does is simply “RF mix” the input down or up to the output, nothing more. Thus this sort of transponder will relay any signal transmitted at it in its receiver input footprint and broadcast it out to its entire output footprint. Such footprints can be as large as the whole of Africa, Russia, Europe, Continental America etc. Trying to find the uplink transmitter, especially if it is in very short infrequent bursts, is at best time consuming and difficult, at worst by luck only. It’s even worse trying to find the downlink receiver… I used to pirate such transducers years ago using Direct Sequence Spread Spectrum systems designed to operate at the “band edge” or across the entire band width.”

What role does the hijacked satellite play in the dropper, linker, CnC or additional components added to the White Bear hacking bundle – other than non-detection?

I do see pdf files being a huge wide spread platform for malware of all varieties but what can be done about it [see my other post on pdf’s’]?

PS: I hope Clive did not hack active orbital satellites.

Delirium Tremens September 2, 2017 3:42 AM

“That’s the problem with this kind of speculation: without any facts, your theories just amplify whatever opinion you had previously.”

People are saying those Dunning and Kruger fellas knew what they were talking about, okay?
Great couple of guys, very classy, very reinforced. Huge effect. Big. Big effect. Not compared to myself but you know, for just academics they nailed it, let me tell you that.
Everyone can see how they nailed it.

Let's get down to brass impeachment September 2, 2017 3:51 AM

“you’re quoting from what cyber security and intelligence agencies consider to be a Russian asset company whose credibility is allegedly absolute zero.”

I don’t think anyone has said that anywhere though.

They’ve had some questions about secret and semi-secret dealings they’ve had with the government in the country from which they operate an international security firm, but there’s really been no publicly disclosed information proving K-sky is doing anything but aiding law enforcement. I don’t want to make too many obsequious comparisons between the US, UK, China, Germany, Russia, Australia, Spain, France, or anywhere else… but they all do that much, to varying degrees of that much.

If you’re going to say Kaspersky is not to be trusted, why should we trust you or anyone else saying so without a pretty solid reason for it? Evidence. Analysis. All.

The proposed “net good” for western companies would be to be rid of the threat altogether on an impenetrable multinational front, were there solid evidence that this were state-sponsored malware used worldwide under the guise of near-top-tier security software.

It would be more than just a rumor and innuendo campaign which is what I seem to see now.

Sure there are secret reasons, but they can’t find one public one suitable for justifying the security shade they’re throwing? I find that less credible than the prospect of some people in various places musing for various reasons in various ways.

Specifics, or as they say in Russia and other places, GTFO.

Clive Robinson September 2, 2017 10:12 AM

@ 65535,

PS: I hope Clive did not hack active orbital satellites.

It depends on what you mean by “hack”. Think of it like an open WiFi AP in a cafe across the road from where you are sitting and your smart phone associates with it…

The earlier transponders were designed to have a wider bandwidth than they needed to allow for Doppler and other effects. Piggy-backing their “open access” to put through a low data bandwidth LPI DSSS signal did not really cause any problems. The same is far from true these days, but that does not stop commercial operators exploiting amateur satellites… So you could argue “swings and roundabouts”. Me, I’ll just say society moves forward and what you could do legally when I was young you can only do criminally these days.

ab praeceptis September 2, 2017 10:42 AM

Let’s get down to brass impeachment

I have a simple solution: Just replace “kaspersky” with <insert us-american or french or german or … company> and “Russia” with “us of a, france, germany, …” and see whether you still feel that “of course a suspect (because <country>) company in <country> is part of deep state and certainly acting in evil ways as an arm of their intelligence service!”

From what I see kaspersky is one of the better companies mainly in the snakeoil business and has to find and maintain whatever balance they deem OK with their state. Moreover, kaspersky makes by far more money in the western world than in Russia, so unless one wants to consider them as being somewhere in between idiotic and suicidal one will have a hard time thinking that kaspersky is “oh, you know, just another arm of evil KGB”.

Guns are banned September 2, 2017 12:53 PM

Yep. Trump got too cozy with Russia.

They’re pulling the same old Russian political tricks in the USA. I’m transgender. Because of this, and because of my political opinions, not only am I excluded from joining the military, but I cannot even own a firearm “legally,” because I have been permanently and irrevocably adjudicated as a mental defective: that is, they locked me up, drugged me, and served me legal paperwork, “You’re mentally ill for the rest of your life. Turn in your guns.”

There is no legal defense to such a maneuver, and no way to get your guns back or your rights back in the US. They say there is some sort of court process or petition for “restoration” of gun rights, but that is a lie.

I cannot get a passport or leave the country, either, specifically because I am transgender. Oh, yes, I need gender transition and sex reassignment surgery, but I cannot get any bona fide medical care in a nation so hostile to its own citizens. Russian politics have taken over the USA.

Filthy Nazi pig coppers stopped me for a “safety check” last night. A “safety check.” Do you have any knives or weapons in your car? Since I did not, and there was no warrant for my arrest, the cops were trying to work up a “medical necessity” — a substitute for “probable cause” to have me locked up and drugged at the mental hospital rather than merely locked up in jail — but the consequences are even worse — lifelong loss of gun rights, just as if I were convicted of a felony. Oh, yeah. They were hoping to “impound” my car, too.

I just hope those cops hang (as the Nazi war criminals they are) for even suggesting I am mentally ill or that I need a “safety check” as if I were a danger to myself or others, or I couldn’t take care of myself. Is it any wonder people are killing cops? Serves them right when they pull dirty tricks like that.

Anyone who takes away my rights or my freedoms without cause deserves to die.

Dirk Praet September 2, 2017 1:36 PM

@ Guns are banned

Yep. Trump got too cozy with Russia.

Welcome back, @AnonymousE and @My Info.

It would seem the sock puppets are really taking over the asylum 😎

Vesselin Bontchev September 3, 2017 2:53 PM

@ab praeceptis, Kaspersky, being professionals, do not play the attribution game. They never attribute directly when describing state-sponsored malware in their reports, although it is often quite obvious which country is meant.

In this particular case, the people behind Turla are widely known to be Russian intelligence from previous incidents that have been happening over several years (it’s clearly an active and ongoing operation) and that were reported by other companies.

ab praeceptis September 3, 2017 3:19 PM

Vesselin Bontchev

Now, for the sake of fairness: Russia would have to considerably extend the human resources in the SVD (and other services) just to achieve about a quarter of what is alleged as being Russian attacks.

My personal take: Russia’s intelligence services work intelligently, quietly, and professionally – just as it should be and quite the opposite of certain other countries who make lots of noise and usually have empty hands.

Btw, isn’t it shockingly strange that a russian snakeoil company obviously can criticize something – allegedly – done by evil Russia ™ intelligence agencies? Shouldn’t we assume that the KGB (whose demise many years ago has escaped most us americans) in evil Russia ™ would immediately wet job the kaspersky people, of course on direct order of evil dictator Putin ™? I’m bewildered. Those cunning Ivans seem to not know the rules of the script written in washington for evil Russia ™. There are even rumors that democracy in evil Russia ™ works better than in the “lighthouse of democracy” country. Certainly the cunning Russians created a quite fine working democracy just to confuse us.

65535 September 3, 2017 9:25 PM

@ Clive

“…I’ll just say society moves forward and what you could do legally when I was young you can only do criminally these days.”

Ha ha. I see.

Critical Reading Skills October 20, 2017 6:33 PM

@ Johnberg,

No.

Once you make use of [rented Instagram followers], it appears to anyone who lands on your posts that you are extremely phony and that they should pay no attention to what you are saying.

In fact, people with reasonable suspicion on security-related topics are likely to dismiss you as a (possibly Russian) trollbot, and are likely to report your posts as abuse of the terms of service.

A poster with fake followers is probably deceptive and unreliable on everything else too.
