The Pakistani military is the group's main target

Nov 12, 2018 18:50 GMT

The Cylance Threat Intelligence Team unearthed a new cyber-espionage group using sophisticated tools and techniques to evade detection during a large-scale and year-long espionage campaign targeting the Pakistani military and government.

The APT was dubbed "The White Company" in acknowledgment, Cylance says, "of the many elaborate measures the organization takes to whitewash all signs of its activity and evade attribution," and it shows all the signs of being an advanced persistent threat group sponsored by a nation-state.

Cylance's threat research team observed The White Company during a series of covert operations it named "Operation Shaheen," and found that the group has "access to zero-day exploits and exploit developers."

Moreover, as with other similarly complex threat operations, The White Company can develop both malware and exploits tailored to each of its targets, has advanced target reconnaissance capabilities, and uses automated exploit build systems.

Cylance followed the APT's espionage efforts during a year-long campaign against Pakistan's military and government, which allowed it to build a profile of the group that matches no other APT group currently known to be active.

The White Company APT has access to nation-state level resources

"The profile we have drawn does not resemble that of the U.S., Five Eyes, or India - nor any known Russian, Chinese, North Korean, Iranian, Israeli groups," says Cylance.

The White Company APT uses a multitude of elaborate methods to evade detection and attribution, including antivirus evasion (it was observed maneuvering around the likes of Sophos, BitDefender, ESET, Kaspersky, Avira, Avast!, AVG, and Quick Heal) and malware designed to detect when it is being analyzed and to clean all traces of itself from the target system.

Furthermore, the threat group has been observed using highly obfuscated malware with payloads stored in matryoshka doll-like nested containers, as well as using already compromised infrastructure to bypass APT fingerprinting tools and techniques.

Also, "this threat actor has a keen awareness of the typical methods, biases, and assumptions held by many in the security research and investigative communities," says Cylance, "and they have demonstrated an ability to use that common approach against that community by deliberately undermining those assumptions and leaving contradictory bits of evidence that effectively distract, delay and degrade the ability to analyze their work."

Detailed information on the methods and tools used by The White Company APT during Operation Shaheen is available in Cylance's "The White Company: Operation Shaheen, Inside a New Threat Actor’s Espionage Campaign" report.