Long-Lining: Reeling In the Big Fish in Your Supply Chain

Supply chain attacks are becoming an increasingly popular strategy for threat actors. According to Symantec, supply chain attacks rose by 78% in 2018, and a similar report by Carbon Black estimates that half of cyberattacks now target supply chains. From a hacker's perspective, it makes sense. Just as trusted insiders can inflict the most damage to an enterprise, compromising and exploiting a trusted business relationship can also be devastatingly effective. By targeting companies that provide outsourced services, attackers can exploit an organization with fewer security resources to get behind the firewalls of a more-secure partner.

Recently, Blue Hexagon's security researchers caught an attack in progress at a Silicon Valley firm that provides outsourced software development services. Aided by a deep learning-aided analysis of the attack, we found a number of novel aspects to the campaign that, despite being designed to appear as multiple, discrete attacks, were determined to be a sophisticated, well-designed and researched campaign carried out by a single threat actor. Through this analysis, we believe we have uncovered a previously unknown strategy by threat actors and that we have named "Long-Line," a reference to the method of offshore commercial fishing whereby a single vessel sets multiple baited hooks suspended from a cable that is miles in length.

The intent of long-lining is to catch big fish, such as swordfish and tuna. Similarly, long-line threat campaigns are carried out by a single threat actor using multiple elements designed specifically to catch high-ranking executives within the target organization. As a permutation of a supply chain attack, the goal of a long-line attack is to use the compromised organization as a platform for conducting further attacks on companies in the victim's business network, taking advantage of the trusted business relationship with the brand and the individual executive.

In our analysis of this attack, we found that the threat actor involved assumed five distinct identities, each identity created to appear as a company already engaged in a business relationship with the target organization, including two companies involved in transportation, and companies in textiles, electronics, and construction.

Correspondence directed to the targeted executive reflected a great deal of research and included subject lines and attachments consistent with the businesses and the executive's role, and did not appear to be random, over-the-transom messages. In each case, the attack vector was a weaponized document infected with Agent Tesla malware. Agent Tesla is an information stealer designed to steal sensitive information including, but not limited to, data associated with the following categories of software:

If clicked, the exploit would execute code and infect the victim's system via different Windows executables hosted on the domain tvfn.com.vn, which impersonates the Vietnamese website for a leading Japanese company that makes metal hoses and expansion joints.

Impersonated website: TF Vietnam Corp: https://tfvn.com.vn/ 

Real website: http://www.tfv.com.vn/index.php?Bcat=1&start=0&lg=vn

The "whois" information for this domain indicates that it was registered by the "Ministry of Information and Communications (Vietnam)," which is a branch of the government in Vietnam that oversees telecommunications and Internet. It is important to note that the Vietnamese government does not publish registrar information for domains registered in Vietnam. The threat actors behind this were aware of this and used it to their advantage.

Despite obvious attempts to mask the campaign's origin as coming from a single source, we were able to use deep learning to positively attribute the attack to a single threat group. We are in the process of conducting further analysis to attempt to identify the country of origin and whether the threat group is a known entity or a new group. We are also conducting further research in an attempt to learn more about this type of attack and who is behind it and will announce our findings when we do.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "'Playing Around' with Code Keeps Security, DevOps Skills Sharp."