BAHAMUT: Uncovering a massive hack-for-hire cyberespionage group

A very special co-host joins today’s episode of Cyber Work! Infosec founder and CEO Jack Koziol stops by to meet Eric Milam and dig into BlackBerry’s work on a massive research project about the threat actor group BAHAMUT. Eric discusses how their research found connections within a group that targets everyone from Indian oil tycoons to Middle Eastern government officials, the key skills his research team needed to do the work, and what the dinner-table conversations are like when you’re aggressively pursuing a nation-state attack group.

Eric Milam is the VP of Research Operations at BlackBerry where he and his team track malware threats and threat actors. During his time at BlackBerry, he discovered and published the details of numerous emerging threats and malware variants actively being exploited in the wild. Prior to joining BlackBerry, Eric was a highly regarded penetration tester and frequent conference speaker, widely known for his red-teaming exploits.

      [00:00:00] CS: Today on Cyber Work, I’m joined by a very special co-host; Infosec CEO Jack Koziol joins me to meet BlackBerry’s Eric Milam to discuss his team’s work on the massive research project about the threat actor group, Bahamut.

      Eric discusses how their research found connections within a group that targets everyone from Indian oil tycoons to Middle Eastern government officials, skills that his research team had to have to do the work and what the dinner table conversations are like when you’re aggressively pursuing a nation-state attack group.

      Remember that Cyber Work listeners are eligible for a free month of Infosec skills by going to infosecinstitute.com/skills and using the code CyberWork when joining. That’s 30 days of free security courses, hands-on cyber ranges, skills assessments and certification practice exams, all when you use the promo code CyberWork on signup. That’s infosecinstitute.com/skills.

      Now, let’s begin the show.

      [00:00:53] CS: Welcome to this week’s episode of the Cyber Work with Infosec Podcast. Each week, we talk with a different industry thought leader about cyber security trends, the way those trends are affecting the work of Infosec professionals and offer tips for breaking in, or moving up the ladder in the cyber security industry.

      In October of 2020, Blackberry published an extensive game-changing report about the massive threat actor group Bahamut, targeting Indian oil tycoons, Middle Eastern government officials and Qatari, Kashmiri and Sikh political groups. Bahamut stands in a field of its own due to its unnervingly precise and targeted attacks and the deep web of seemingly real and very convincing content that draws its targets into a web of what Blackberry report calls “a vast fake empire of malicious traps.”

      Today’s guest, Eric Milam is the VP of Research Operations at Blackberry, where he and his team track malware threats and threat actors. During his time at Blackberry, he discovered and published the details of numerous emerging threats and malware variants actively being exploited in the wild. Prior to joining Blackberry, Eric was highly regarded penetration tester and frequent conference speaker widely known for his red teaming exploits.

      In addition, we have another special guest on Cyber Work; Infosec Founder and CEO, Jack Koziol. Jack has a special interest in the findings of this report, so we are both going to talk to Eric about different aspects of the group findings. Jack is going to be talking about the nuts and bolts of the findings, while I talk with Eric about the work of the people who put the report together and how that type of high-level cyber security investigation could be something as a career path for cyber security newcomers to study and aspire to.

      Eric and Jack, thank you for joining me today on Cyber Work. Thanks for being here.

      [00:02:26] EM: Thanks for having me. Appreciate it.

      [00:02:29] JK: Great. Yeah. Thanks, Chris.

      [00:02:30] CS: I want to start right at the very beginning, because I’ve been following this story a little bit, but I didn’t know all the details. Just to set the table here, how did the Bahamut Group appear on your radar, Eric? Did you start seeing interconnections between these similar attacks, or were they already known to you as an entity when you started researching?

      [00:02:50] EM: Yeah, for this research, we already knew. We actually started tracking Bahamut around 2018. Back when we were Cylance, before we were purchased by BlackBerry, we did research; Operation Shaheen was the report, and we called the threat actor The White Company. It was a three-part series around that.

      What we came to find out obviously is, as you continue to research, pull on strings, follow breadcrumbs, we started to understand that The White Company was actually Bahamut and the additional threat actors that were referenced in other research were also Bahamut. We were able to put all that together into a single place as we looked through all these different TTPs and back-end command and control. We were able to put that together and say, “Hey, wait. These are all the same groups.”

      [00:03:47] CS: Yeah. It was at that point when you realized the size and scope of this project and decided to make it this ongoing process.

      [00:03:56] EM: Yeah. I mean, so we’re always tracking large threat actors. We’re doing our best to try to stay in front of global exploits that are happening. This one obviously, since there’s been a lot of research on this group. The fact that they have such disparate attacks against disparate targets that wouldn’t normally be connected together seems extremely interesting. Being able to look at those and tie those together is always fascinating when you see two things that appear to be the opposite end of the spectrum. You might not understand why they’re being attacked by a certain group all the time, but it was interesting to see that they were.

      [00:04:47] JK: Eric, do you think there’s other different threat actor groups out there that are Bahamut, but just haven’t been attributed yet? Do you have a sense of how much we actually know about the full scale of their operations?

      [00:05:06] EM: I mean, so do I believe we have a full sense? I don’t think so. I imagine this is like a corporation, like any other corporation where they’re hired by entities and they go and they have their business meetings and they plan out. We’re actually doing research right now that’s going to be released in a couple of weeks. We believe that this is also part of Bahamut. We couldn’t make the direct connection, but it’s also a mercenary hack-for-hire type situation in the same region.

      Yeah, I think that they have a lot of ongoing projects. I think they have a lot of customers, I guess, if you want to use that term. I think that with the rise of ransomware as a service, phishing as a service, it makes sense obviously, that hacking as a service makes sense. As you guys know, attribution’s hard. The more you can diversify, or a state actor can diversify into a company that they trust, or an entity that they trust, they’re probably going to do that.

      [00:06:11] CS: I mean, the scope and sophistication of the Bahamut group’s attacks is pretty staggering. As you said, there’s a very wide reach, but it doesn’t feel wild style at all. It’s very targeted. There’s these exact spear-phishing campaigns and these fully operational and realistic websites full of fraudulent news and malicious apps and what you guys called a vast fake empire designed to draw in its high-value targets. In your research, what were your first steps in trying to get a full picture of the regional scope of the group and their attacks?

      [00:06:40] EM: Yeah. I mean, I think once we had a foothold, once we understood what we were looking for, we just started pulling strings. I know that the report mentions not just the website, but the mobile applications and things like that. I think as you mentioned, their tradecraft is exceptional.

      This is another thing that lets you know they’re highly, highly trained, because they know what their target is, they know what they’re going after and they’re patient in getting it. This is not a smash and grab. This isn’t, I’m going to send a bunch of stuff out and hope I get something. This was highly targeted. The fact is that it’s easy to see that. I mean, even down to not just the websites that we explained there, but even the EULAs that they used in the mobile apps say exactly what’s going to happen and people still accepted it.

      It’s really interesting that, like I said, they really know what they’re doing. There definitely were some missteps along the way. I don’t want to give all of them away, but the back-end, the applications talking to the same command and control. Once we were able to identify a command and control server, something that we knew was associated with this threat actor, we could start tying that together to say, “Okay, these are all talking to this. This is all talking to this back-end command and control.”

      We know even if we look at this and say on the face, it doesn’t look like it, the back-end communications were very clear. Plus, the encryption algorithm that they used and all those types of things in communication.

      [00:08:20] JK: Eric, I don’t know if you can talk to this specifically or more generally, but what counter-intel, counter-investigation practices did Bahamut take while your team was investigating them over this time? I mean, were there any real surprising things there that let you say, “Wow, this is quite a sophisticated adversary we’re working against?” Or anything specific you can share there?

      [00:08:50] EM: What I would say is they were really adept at changing. I think once they realized that they are being viewed, and I’m not going to say there was anything that necessarily stood out, but they are really good at standing up and tearing down their back-end infrastructure and making changes. Again, it’s clear that they have this, they have a contingency plan, or a disaster recovery plan, or whatever you want to call it, like any other corporation would have.

      I mean, they’re really set up to be successful on their end. Those types of things are really interesting, because the way in which they mimic how we also in the corporate world and government go about protecting ourselves, they had all that in place as if they had clear knowledge, or training in those areas as well.

      [00:09:42] CS: Right. They built like a business statement, or like a statement of purpose or whatever.

      [00:09:47] JK: I think that’s a pretty interesting point there. I guess, do you have any concept of how many Bahamut employees there are, or what the estimates of the revenue base are? I mean, is there anything you can publicly share about that?

      [00:10:07] EM: I mean, there’s definitely breadcrumbs that we’ve left. I think it’s easy to get to where people need to get to if they review the report and other researchers dig into it. You know how it is. With researchers, we publish what we’re comfortable with. We publish what we can ascertain 100%. That’s what we’re comfortable with. Then we hope that this research furthers other research. We weren’t the first ones to obviously look into them and this is the second time as a company we looked into them.

      I think that it might – other researchers in the future, we might be able to uncover that. Right now, we don’t have a full breadth of that. Like I said, I can tell you a lot of stuff we’re finding, especially in that region. Southeast Asia is looking like it’s tying back to that specific group. They’re a pretty big player, would be my guess.

      [00:11:09] CS: When I think of you saying they’ve created this huge empire of content, do you have a sense of whether everyone who’s creating materials for Bahamut strikes is actually in the group, or are they using third-party vendors? Because I also manage Infosec resources here. We do a daily blog of cyber security content. Do you have a sense of whether there are people who are unaware that the material that they’re working on is actually being used in these Bahamut things, or do you think everyone – everything that’s used in these fake websites and so forth is coming from people who are down for the cause, or whatever?

      [00:11:46] EM: Yeah. I mean, so that obviously, that’s an interesting question. Do they have third-party contractors working on their back-end infrastructure and things like that?

      [00:11:55] CS: Yeah, because it’s so realistic.

      [00:11:57] EM: Honestly, my opinion would be no. I think that they have the right people. They know what their tradecraft is. Operational security is something that they take very, very seriously. I doubt that they would want to have more people in the mix.

      Maybe it happens. I can’t tell you with a 100% accuracy that someone else might be tied to it. I would think, knowing this group and knowing how pedantic they are, that they wouldn’t want to bring too many people in that might spoil that.

      [00:12:35] CS: Got you. How would – oh, go ahead.

      [00:12:38] JK: Yeah. There was a Reuters reporter who was doing a little bit of follow-on research, like you mentioned, after BlackBerry published the research.

      [00:12:49] EM: Was it Raf? Rafael?

      [00:12:53] JK: Yeah. He published some links to – He went back and dug out some of the fake news websites that they created and dug out a really interesting video that they created that specifically was targeted towards an incident about the Golden Temple. I mean, it was shocking at the – I had assumed that this stuff would be – you could very much identify it as fake just looking at it. I mean, if I didn’t know that this was made by Bahamut, I would have just thought it was someone else on the Internet out there. I guess, I don’t know, just from your perspective, maybe more personally, how much can you really trust anything that you see or read on the Internet when you can see that a group like this can produce such high-quality, I don’t even want to call it fake news. I mean, call it fake informational resources out there.

      [00:13:54] EM: Yeah. I mean, so I did an interview a couple months ago on deepfakes and the technology behind that. It’s mind-blowing. My favorite one so far is where they put in I think, Tom Holland and – I can’t believe I’m missing his name. Who’s the guy who plays Iron Man?

      [00:14:16] CS: Oh, Robert Downey, Jr.?

      [00:14:17] EM: Robert Downey, Jr., into Back to the Future as Marty McFly and Doc Brown. I don’t know if you guys have seen that. It looks legit, like you’re saying. The technology and the power to do this is now in the hands of everybody. When you look at something like Bahamut, who’s a motivated actor, who’s probably making, being paid a lot of money to do this and has the resources to do it, like you said, I mean, what is to separate reality from fantasy? Because perception is reality. Everybody’s perception is their own reality. If you can convince them with that, it’s frightening.

      [00:14:59] JK: Yeah, totally. I guess, on a little bit of a tangent here, but talking about deepfakes and content that’s being released, what’s your opinion on the recent Biden laptop release and all the content on there? I mean, do you have an opinion of – I mean, I don’t want to get political or anything, but just more from a technical, from someone who knows more about this than probably almost every human on the planet. What’s your perspective on that?

      [00:15:31] EM: I mean, my question is non-repudiation of the chain of custody. I don’t think we have that. How can you say where it came from, or who did it, or whatever? Signatures can be faked, laptops can be dropped off with accounts created on them. You can go out to the dark web and probably find a bunch of accounts for me and you could set those up on a laptop, right?

      In fact, one interesting thing that I’ll bring up is after this report was released, a couple weeks later, someone got into my Wayfair account and ordered 30 sink faucets, like $10,000, tried to order $10,000 worth of stuff. That’s bad on me for having an old account with a crazy password. Those things do happen. They happen to even security professionals like us.

      Yeah, my main thing in that whole thing is non-repudiation of the chain of custody. We don’t have that. You can’t say that it came from a certain person. Now if they do have that and then it comes out, I haven’t seen that in the news. If they have that, then sure. That’s a big deal. Somebody handing somebody a laptop and saying it came from somebody, that’s not chain of custody.

      [00:16:48] JK: I think the world’s going to change, as people that are very involved in the cyber industry are aware of deepfakes and all the things that can be happening. The vast majority of people don’t understand, or don’t have any concept of this. It’s just got to wait for society to catch up, I guess.

      [00:17:06] EM: When Anderson Cooper’s talking about it and my grandma understands it, then I know that we’ll be there. That’s what WannaCry was, for ransomware.

      [00:17:18] CS: Jumping back to the research project here, I want to get a sense of the scope of your staff of researchers compiling this report. What type of tasks did they need to do to get all this information into the research document? Did any of them have to go into fairly dangerous places on the Internet to do their fact finding?

      [00:17:36] EM: Yeah. I mean, so interestingly enough, you would think that there’d be an army of folks working on this. For what we call our threat hunting and intelligence team, or SPEAR team, there’s really only 10 people and two people worked on this project. Yeah. You have a threat hunter researcher digging in and doing all the research. Then you have a threat intelligence person coordinating, amalgamating all this data into a more robust story; the geopolitical aspects, location type stuff.

      Normally when we do work on these, we normally have two people and then maybe a tech writer working on it together, or a threat intel writer to try to follow stuff together. As far as going into dangerous places, not in this case. I mean, most of the stuff is hiding in plain sight. The CT are publicly available. That’s mostly how it goes. You find a lot of stuff just in places like VT or other repositories, or Shodan even, and you go and you start pulling the strings on those and see where it takes you. Most of it is publicly available. It’s actually pretty interesting how much is just right there, if you look.

      [00:19:03] CS: Yeah, just waiting for someone to actually read the fine print.

      [00:19:06] EM: Yeah. I mean, it’s amazing how much stuff actually does show up on VT that people put up there and then three or four months later, you might have a hit in your threat intel platform from some other hunting you did that connects the dots and then you’re off to the races.

      [00:19:26] JK: That sounds like the coolest job in all of cyber security is these two people that get to do all this work. Can you tell us a little bit more about their backgrounds and just a career journey of – I mean, I imagine most listeners on this podcast, like this is a career aspiration to get – to be working on your team, or something like that. Can you tell us just about their journeys and just basically, how they got to the point of working on some of the coolest stuff you could imagine?

      [00:19:57] EM: Yeah. I mean, so I actually come from the attack side of things. I did attack and pen forever back when Accuvant Labs was still around. They merged with FishNet and became Optiv. I have a lot of grandpa stories that I’m going to be sitting around in my rocking chair telling. A lot of fun stuff. My team has those same stories. A lot of them just fell into security. I got my degree in psychology and philosophy. I just got sick of being a poor college student and I couldn’t eat any more Top Ramen and Pop-Tarts.

      This is back in the early 90s. If you were in IT, you were just a computer guy. I think you guys remember, you just did whatever. It was building a webpage, it was fixing a printer, it was whatever. You were the computer guy. Now it’s very easy and compartmentalized to be like, okay, I want to major in security and you go through your CS classes and you do that.

      These folks all came up through the trade. They have 10 to 15 years of experience, coming up through different either anti-virus companies, or different consulting firms. It’s really just like – I’m going to date myself here. It’s the Bad News Bears all coming together and actually winning the championship.

      [00:21:19] CS: I’m always here for a Bad News Bears reference, please.

      [00:21:23] EM: Right. They came here and it’s like family, and they get to do all these cool things. We separate the teams largely. It doesn’t have to be broken down this way. There’s people who like to hunt and just find stuff and just put it in the TIP and just keep digging in and finding these. There’s other people who like to take that and then massage that and find a larger meaning to that. We’ve got five or six on each side and they just go through and they just do that.

      Yeah, their background is mostly in the industry. They’ve been researchers, either at other antivirus companies, or consultants, but they’ve been doing this for a long, long time. Their skills are off the chart.

      [00:22:10] CS: I mean, I’d like to bring this up – we bring this up often on the show. You mentioned tech writers and also, your background in psychology and so forth. I like to hammer that home all the time, because I think a lot of people want to get into cyber security. As you said, think of it as only being code jockeys, or script readers, or whatever. There’s just so many different places where you can apply your talents.

      We had a computer forensics person who said the best person on her team was a former psychologist, because if you’re sitting here going through 100,000 text messages, you have to understand the mental game of that. In this case, if you’re sitting here finding interconnections between this data point and that data point, or that piece of fine print, you need really solid writing skills to explain to other people what you found.

      [00:23:01] EM: Yeah. I mean, I love doing pen testing, but I hated writing the reports, but the report is actually the most important piece. I mean, I would tell you. It’s funny, because I know that a lot of people are like, “Ah. Well, what skills do you need and this and that?” I’ll be honest with you, my motto is humble, hungry and smart. I stole that from Patrick Lencioni. He’s a writer that I really enjoy.

      As you guys know, some people have intangibles that you can’t coach; drive, determination, motivation. I can’t make somebody more motivated to do this. A lot of the people who work on this team, they fit in that. You don’t need to tell them anything. They’re excited to do this every single day. Yes, we can teach you how to use tools and time will teach you to be better. If you don’t have those base criteria at the beginning, it doesn’t matter how well you know a tool, or you’re going to do what you feel you “need to do,” and then that might not be enough in a situation like this.

      [00:24:07] CS: Yeah. That dog-on-a-skateboard ferocity to be answering questions every single day like that is going to get you a lot.

      [00:24:16] EM: I’ll be honest, I look at – sorry, I didn’t mean to cut you off, Jack. I look at a lot of the work and I’m like, “Okay, this seems monotonous to me.” That’s my personality. To them, they love it. They don’t care. Every day is a puzzle, it’s a new thing. They really don’t care.

      [00:24:30] CS: Some sense of accomplishment.

      [00:24:32] EM: Yeah. I’m like, all right. Cool. More power to you. I’m going to keep feeding you guys whatever you need.

      [00:24:39] CS: Before you assembled your team here, were you working together on other projects, or did you take these two particular threat hunters based on things they had done in the past, or their reputation, or whatever?

      [00:24:53] EM: Normally, it’s whoever finds something, they run with it.

      [00:24:59] CS: They brought it to you and said, “Hey, these things are happening.” You’re like, “All right. We’re putting this commission together now.”

      [00:25:04] EM: They usually just tell me, “Hey, this is what I’m working on. This is what I found. This is cool.” I don’t guide them on that. It’s usually, hey, take two or three weeks. Just find something, pull on some strings, take two or three weeks. If you think it’s got legs, just give me a briefing and then go handle what you need to handle. If you find out very quickly after that that this is wasted time, stop and move on to the next one. I mean, that’s the one thing, is there’s plenty out there in the world to be researched.

      [00:25:36] JK: Back to what you were talking about, those intangible skills, hungry. I forget exactly –

      [00:25:43] EM: Humble, hungry and smart.

      [00:25:44] JK: Humble, hungry and smart. We hear this a lot from leaders in the cyber industry that they’re looking for those qualities. A question I always like to ask and find out is just, if you were to advise another hiring manager, or someone like that, how do you test for those skills in the interview process? I mean, obviously, your first 90 days you’re going to know, but I mean, how do you –

      [00:26:06] EM: Before you hire them.

      [00:26:09] JK: Yeah. Do you have any secrets you can share with the audience here on that?

      [00:26:14] EM: I mean, the one thing I like to do is I can’t do it so much now in the COVID world, but go somewhere that’s uncomfortable, or just go for a walk somewhere that’s crowded and things like that. I grew up in the Bay Area. Taking someone on a walk around Fisherman’s Wharf in the middle of the day to do an interview, you’re going to see how they react in a crowd. There’s things that you will see that will be red flagged. I know, it might seem weird.

      When you see people out of their ordinary, you see the person. Because by the time it gets to me, we already know they’re technically qualified and there’s plenty of people we’ve turned down that are way better technically qualified, but we just don’t think they’re a cultural fit. If they’re not a cultural fit, I cannot stress enough, do not hire them. Just don’t. Give them that good feedback to adjust, but don’t hire them if they’re not a cultural fit. Like you said, 90 days later, you’re going to be regretting it.

      [00:27:27] CS: Go ahead. You got something? Okay, cool. I want to talk about the scope of Bahamut. Does this suggest anything for other threat groups in the future? I mean, this seems like a fairly large and unprecedented threat actor. Does this level of ambition give future cyber espionage groups a working template to create from? Have you seen any other groups that are taking hints from this group and upping their game in that way?

      [00:27:56] EM: I mean, yeah. They’ve definitely, if I was a bad guy and I was looking for a measuring stick, they would definitely be that, or they could be that. Again, wanting and understanding how execution is done, it’s really the level. I can watch how well you do a podcast, that doesn’t mean I could go do it.

      [00:28:24] CS: I’m just going to say, just because you like Jordan, it doesn’t mean you can dunk like Jordan.

      [00:28:27] EM: Right, right. They’ve definitely laid out. You can look at them and see – I hate to use the term role model. That’s not a good term based on what we’re talking about, but you can definitely see a path, or a blueprint as you stated to follow. Again, I know I keep saying this, but the big thing is just their patience and their operational security is above what we normally see. I mean, it’s state actor level.

      Again, I think they’ve been trained in this. They could be ex-military. They could be something associated with that, but they really know what they’re doing more than most threat actors out there. I think we’re going to continue to uncover things from them. I do think, yes. I think people will look at that, or people will leave that company and go start their own and it will be cut from the same cloth for sure.

      [00:29:30] CS: Go ahead. Go ahead.

      [00:29:31] JK: Sorry, just on specific attack. Just on specific tradecraft, the report mentions that malware is a last resort. It’s really account takeovers and it’s pivoting. In your opinion, is this the future, or is this what all these threat actor groups are – is this the state of the art? I mean, I guess if you can comment on that methodology, like malware as a last resort, and compare it to other things you see in the industry and how you feel that’s going to go out and change the future?

      [00:30:10] EM: They use, for the ones that we analyzed – there could be other projects out there that we don’t know about where malware is key. The ones that we looked at, and what this group is really good at, and I think you can see it in the report, it’s espionage and it’s psychological operations. Psyops stuff. You don’t necessarily need malware in all those cases. Maybe to gain a foothold.

      One of my specialties when I was a pentester was spear-phishing, just because it’s easy. You send out a thousand e-mails, you’re going to get some stuff. Now, they didn’t do that obviously. They were highly targeted and against individuals they knew would get them in. Again, which shows another level of awareness of what their targets were and how to manipulate them, or get access.

      In The White Company paper that we did, they used malware after they had already done what they needed to do in a certain area and if they wanted to pivot to a different area of the organization. They set one side of the organization on fire as a diversion, while they went and took over the other part and did what they needed to do over there. That was pretty interesting.

      I think there’s an evolution of those types of things, even outside of that. If you look at even the TrickBot, Emotet, Ryuk combination, it’s okay, get in, get information that someone’s willing to pay for and then ransom that box too. I think that is going to continue to rise, because in the old days, it was just they would ransom it. Now it’s a whole campaign to get data, to have it and then use that as a true ransom leverage point.

      I mean, I do think that most campaigns of this nature, they want to be stealthy, extremely stealthy. They don’t want to use malware. Those are the things; the longer you can stay in an environment undetected, obviously, the more you’re going to find. That is their goal in these campaigns. It’s like I said earlier, mostly espionage information gathering.

      [00:32:31] JK: I mean, you and your team are publishing a report against a very sophisticated psyops espionage company. What are your dinner conversations like at home? It’s like, “What did you do today, honey?” Tell me about the personal aspect of working against Bahamut?

      [00:32:59] EM: I mean, it’s definitely a lot more interesting for my co-workers than my family. I’ve been in this field for a while, so it’s like, “Oh, hey. I took over XYZ casino today. Look, I’ve got access.” They’re like, “Yeah. Whatever, dad.” They just go whatever, play their video games, or shoot basketball, or whatever. They’ve heard all the stories for a decade, so to them it’s like, “Eh.”

      The one thing I can tell you is I’ve made sure that every child that I’ve had has had a computer, or an iPad, or something from the age of two on. I know a lot of probably psychologists would say that’s really bad and maybe it is, but guess what? They’re going to be the next generation and they’re going to be trained from the age of two. They think it’s really interesting. They think it’s exciting. They take coding classes and stuff now. They get it. They get what dad does, and I don’t want to compare myself again, but you brought up Jordan earlier.

      I’m sure like, hey. Jordan would sit there and be like, “I’ve done 60 points today,” and the kids would be like, “Thanks, dad. That’s awesome.” Just walk away from the dinner table. It’s the same situation. I mean, I’m not Jordan, obviously.

      [00:34:10] CS: I mean, are you a target now though? I mean, they obviously know about the report. Do you feel you’re in the crosshairs at all? Or is there anything that we’re talking about – I mean, I’m sure they’re going to hear this episode as well. Do you have any safeguards in mind of how not to enable them by giving things away?

      [00:34:31] EM: I mean, you guys are like, “Hey, you’re poking the hornet’s nest. Aren’t you afraid of getting stung?” I think that’s what we do as researchers and I think that these groups feel the same way as well. I mean, that’s why they have contingency plans. Do I feel like a target? I mean, yeah. I mean, I guess. We’re out there. It’s not hard to find out who I am. Do I think they care about me specifically? No, I don’t think so. I really don’t.

      I think they have way bigger fish to fry. They probably have a lot of work on their plate. They want to go execute that. That’s why they do this. Now, I don’t want to downplay the relevance of the report. Obviously, the report is awesome. It’s incredible what we’re able to uncover. The good thing is that we’re giving back to the community as all researchers should do. Hopefully, this opens up more opportunities to further potentially taking them down if possible. That’s our job. That’s what we do. We love doing it and we’re going to continue to do that no matter what.

      [00:35:41] JK: How much does this disrupt their operations? I mean, everything you’ve published is you’ve already taken all the actions against it. I mean, a summary report like this is like, the CEO of Bahamut, does he have a dartboard with your face? You’re saying that’s probably not the situation. I mean, if someone disrupts Blackberry’s operations, executives are going to pay attention. They’re going to try to take contingency plans, or maybe strike back. I mean, how much do you think this hurts them?

      [00:36:14] EM: I mean, obviously whenever you disrupt any campaign, it hurts. I think we did a good job of identifying several campaigns and bringing those to light. We definitely have those conversations at the office before we publish research like this. We tend to understand, or try to understand the risks associated. We make sure that our operation security is a little bit more heightened and obviously, put those checks and balances in place.

      Yeah, it’s definitely a real thing. I do think we absolutely disrupted some of their activities. I’m sure they’re not happy about that. That absolutely could make the company a potential target. Again, these are things that we try to cover to the best of our abilities before we do anything like this.

      [00:37:10] CS: The question from here, I guess, you said a little bit about, but what’s to be done on a macro, or global counter-terrorism level? How do we begin to neutralize groups like Bahamut?

      [00:37:20] EM: Yeah. I mean, it’s really hard, especially if the group isn’t under any type of US law, at least for us, but we definitely as you know, lots of agencies do work together. We work with different agencies to try to help provide guidance and help take things down. If we’re in a situation where we can provide that level of assistance, we’re going to do it.

      I think that these things take time. I think, what was it? Somebody sent me a link about NotPetya. We’re finally raising charges against them. It’s been three years, all right. That was a single attack. We’re talking about a really sophisticated threat actor with multiple attacks, probably tons ongoing right now. Like I said, we’re about to do some research that we believe is them as well.

      [00:38:14] CS: Imagine, that’s like any other big trial case or whatever. If you’re going to go after someone big, like the head of a mafia or whatever, you need to have your case in order for a long time, right?

      [00:38:25] EM: Yeah, it’s years. It’s years of digging in. Because again, we as researchers have some liberties, but law enforcement doesn’t. They have to be absolutely sure with 100% certainty. That takes different levels of folks depending on what they’re actually going after. I mean, do we participate in any of that with a country where these folks might actually live and operate out of? That’s also a concern.

      [00:38:57] CS: Okay. I mean, so to move from a macro level to the micro level, do you have any lessons learned about what Bahamut does, teaching us how we teach security awareness, or create security strategies? Since a lot of it is so targeted against government officials and C-suites and things like that, do you have any takeaways from such a precise campaign like this?

      [00:39:21] EM: Yeah, and it’s going to be weird, because it’s going to be a very general response, which is cyber hygiene is real. All those things that I think companies in the past have been lax about patching and doing things like that, or hey, it’s too difficult. Obviously, over the past few years, that’s changed and it’s changed a lot with ransomware. Yeah, and not the sophistication of the attack, but the ease of the attack.

      It doesn’t matter how well your house is built, if the foundation’s crumbling. If you’re a CISO, you really have to understand, because as an attacker, they need one way in. You’ve got to defend against every single possibility. That’s why it’s always so easy. Then when you add people into that equation, you’re talking about thousands of entry points, potentially.

      Now in this case, they went after certain individuals. I do think education is extremely important. I also think that there should be technologies in place that even if somebody did, it was on your corporate network, clicked an e-mail link, there’s five steps between the time someone clicks that link until a shell actually goes back to the command and control. If you’re not doing everything you can to protect against that, then you’re making it easy. I know that’s highly general, but I mean, that is really the –

      [00:40:44] CS: Still true.

      [00:40:45] EM: That’s what you can do. Yeah, and when we did attacks, like I said, I love to do spear-phishing. Yeah, that’s what I would always explain is there’s all these layers of security that you already have between here and there. Tighten those up. Let’s take a look and see what we can do there.

      [00:41:03] JK: How do you feel about just in general, frameworks like MITRE ATT&CK, or Shield, or things like that as a framework for companies to help them stop these types of attacks, or put the right defenses in place? What role do you think those frameworks play in an active defense?

      [00:41:22] EM: I mean, I think they’re important. I think they’re important from taking something that’s ethereal and making it tangible and helping guide people, but I think more importantly is, and I experienced this a lot on the attack side, was most companies don’t understand their gaps. You have to understand your gaps before you can look at those frameworks and start applying what you need. I guess, you can look at some – I mean, if we took everything in MITRE and then went and looked at our company, we would probably find a lot of holes. Then you also have to prioritize what is the real risk to the company? What are we doing?

      I think that understanding those concepts is probably still a little distant for a lot of organizations. What it actually means and what that actual risk is. I’m thinking of places where maybe the security personnel are more junior and learning. They might not be able to – the old days, if you ran Nessus. You can take a Nessus report and to be SSL V2 critical. It’s like, “What is it?” What’s the possibility of that? I think there’s still a lot of that in our industry. A lot of learning that’s going on.

      I think that companies need to understand what they believe is at your risk, or listen to those personnel that will help them understand at your risk, and then start applying those methodologies and frameworks to tighten things up.

      [00:42:57] JK: Do you think framework-based cybersecurity programs, do you think it’s helping, or hurting? I mean, you’ve been in the industry for a long time.

      [00:43:06] EM: I mean, anything that brings awareness is helpful. It’s having the individuals that understand again, what – Okay, this came up. Is this a true risk? How does this attack really work? Is this something that would really work against us? I mean, things like patching is easy. As far as understanding, “Okay. I need to patch this. This is a vulnerability. I need to patch this.”

      When you look at something like automated pen-testing, which is getting really big, where we can remove a person from that. I think that those things are important. If your automation, or if your framework or whatever it is requires you to start as admin on a laptop with passwords, that’s already – I’m not going to say a completely unreal situation, but it’s a lot different than going in and dropping a device and having nothing and then pivoting around, which is also plausible.

      I do think, anything that brings awareness is helpful. Again, it takes a person to understand this is a priority and this is what we need to work on from a top-down perspective. I don’t know that that’s always – I don’t know that that expertise is always there.

      [00:44:25] JK: Yeah, it’s good. Good perspective. Thanks.

      [00:44:28] CS: You said that a lot of what you learned and did was not particularly cloak and dagger-oriented or surprising, but were there any unusual, or out-of-the-box strategies or tactics that your team used to put together the facts for this report? Are there any surprises, where someone took a big chance and found something really unusual?

      [00:44:50] EM: Not really, but I think that’s a good thing. That means that other researchers can repeat these steps, and look and find more. We’re in no way saying that we found everything.

      [00:45:02] CS: Of course.

      [00:45:04] EM: The victim lists and all those things that we found. Obviously, there’s more out there. The good thing is anybody who’s already looking into them, hopefully can take the breadcrumbs that we left, can pull on additional strings and can say, “Hey, it doesn’t look like they tried this, or I’m going to go do these different things,” and build upon it. As you guys know, that’s what research is. It’s just like research in any other industry. We do our best. We present everything we have and we hope that somebody can take that and carry it farther. Then maybe we’ll come back around for round three when we find more.

      [00:45:42] CS: Do you feel changed or leveled up at all as a researcher of doing this? Was this an especially massive project for you that turned a corner for you in any way?

      [00:45:52] EM: For the team, I think so. Any time you go look at these types of things, you’re going to level up. I think the way I would say it is we – and you touched on it earlier, like the boss level has taken them down. We’re another step closer to that boss level. Definitely, anything that’s going to expand what you know and take you further is helpful. It’s really interesting. We talked earlier about just the psychology of these groups and how they work. Not always just their tool kit, but just how they go about executing is pretty fascinating, at least to me.

      [00:46:37] JK: That’s cool. I guess, one thing we haven’t really touched on that I want to make sure we cover is the leveraging the app store and apps. There were nine iOS apps that you were able to attribute to that. I guess, what do you make of this strategy around apps? It seems like a broad stroke. It seems like the very opposite of spear-phishing to me. What does that tell you about their capabilities, or maybe their end-customer?

      [00:47:09] EM: Yeah. Well, I mean, I think the apps were developed after they had some type of understanding of who they were going after and what they were looking to get. They were also limited to certain regions, so they knew who they were going after. The most interesting thing about the apps, at least that I found the most interesting, was their successful use of EULAs and they had pristine websites explaining. Like I mentioned earlier, they explained everything that they were going to do in those apps, but the people who installed them didn’t understand that by giving away a certain level of privileges that it opened them up to potentially access to different things.

      Like the password saver is one that we call out, where it’s like, “Hey, we’ll be your password saver. We’re the ones that are encrypting all of your data, put your passwords in here, and so now we have access to all the data.” Obviously, that’s super smart. That’s something that’s pretty interesting.

      Yeah, just the way that they were able to leverage, properly leverage the app stores to get their apps, there wasn’t in – at least the iOS ones, there wasn’t anything malicious necessarily in the app. It was more of, how did I put this when I was explaining it before? It’s social engineering, so it was more of like, I would say, phone privilege abuse, more than anything else, but the person’s giving away that level of privilege.

      Again, that goes back to the whole education thing. We live on our phones all day. As they say, it’s the first thing we see in the morning and the last thing we see before we close our eyes for bed. I think mobile apps is – that’s the way to get people. Like I said, I’ve got four kids, five kids total. Four at home and they’re all on apps all the time. I have to constantly say, “Nope. You can’t download this. You can’t do that.” I put them on the guest network too, just in case.

      [00:49:17] JK: You segment yourself from that. That’s pretty smart.

      [00:49:22] EM: No, IoT devices. A whole separate thing for IoT, because those will probably also be the first thing owned once the apps get owned. Yeah. It’s interesting. I think we’re going to see, just continue to see more of that. I mean, that’s where we live nowadays.

      [00:49:39] JK: What advice would you give to companies to prevent their employees from falling for these fake apps? I mean, Chris’s phone’s not owned by Infosec. My phone is not owned by Infosec, but how do you protect the personal side of it, where you can see that’s the leverage point now? On the dark web, you can buy Facebook accounts for a dollar and Netflix accounts for a dollar, to get onto a server, or something at a major Fortune 500 company, because you have millions of dollars in research in zero day. That’s where that’s going. What do you think companies should be doing today?

      [00:50:23] EM: I mean, if I was taking a hard line, I would basically say that you can’t use your personal phone for work. I know that might not be the straightforward thing, but at Blackberry, we do have that. We can get a company phone to do company stuff. We can do BYOD, but we also have apps that we’ve created that containerize everything. I think those types of security products will continue to come out, because necessity is the mother of invention.

      I think, the whole looking at opportunities to containerize a work environment from a personal environment is probably going to continue to grow and do that. I guess, what I’m saying is you can’t necessarily trust the people and I wouldn’t say it’s the people’s fault. Again, if you look at what we put in the report, it’s hard to understand that those apps aren’t real. It’s hard to understand based on not just the app being in the Play Store, but the story that they put behind it. I mean, you guys mentioned the fake empire and I didn’t really touch on it, but the fact that they had accounts consistently messaging and adding content and all those types of things, when you’re up against a sophisticated threat actor, the people are going to be the weakest link, but it might not always be their fault.

      We just explained also, when we do pen testing and maybe when we did social engineering, it was if I send a PDF to HR and they open it, it’s not HR’s fault, because that’s their job. Their job is to go do these things. It’s your job to protect them in case something comes in. I think that like I said earlier, those types of technologies continue to grow. I think containerization is something that’s going to be big. Zero trust. Zero trust across the board. That’s the buzzword.

      [00:52:36] CS: We’re bumping up on an hour here and we want to let you go. I wanted to wrap it up. We always want to tie things back to the work of cyber security, Cyber Work. I just wanted to wrap up by asking again, we talked a little bit about the fact that you can teach tools, you can teach processes, but you can’t teach obsession, you can’t teach problem solving. Still to that area, for people who are just starting now and want to move on a track towards this type of threat hunting and this type of threat intelligence, what types of skills, or projects, or areas of study, or what should they be working on now that moves them on that path, even if they’re not necessarily doing that as a job at the moment?

      [00:53:17] EM: Yeah. I mean, so the one thing that at least stands out for me, because I didn’t have a CS background is I couldn’t code. I still can’t. I’ve written a lot of things in bash, but learning Python, learning Ruby, understanding how to do that is going to help you out in a million different situations. That’s like a Swiss Army knife.

      Data science is also getting to be pretty big. Obviously, we’re a data science company. I’m in the research intelligence and we do a lot of ML model creation. I think, having some understanding of that might help a bit. Yeah, I think the coding. I guess, I would also say, if you know how to fix a network, so if you’re a network admin, or a sysadmin of some kind and you know how to bring back systems from the dead that have been attacked, or networks, those are the types of skills that will greatly benefit you here.

      IR is another great skill. It’s really being able to analyze, understand what’s going on and reverse those things that have been done. I think those are probably, they might not seem like a direct tie-in, but you’re solving a problem. When you do these types of research things, you’re also solving a problem and trying to find out everything that’s going on. Like I said earlier, pull on all those strings. I think those types of general criteria, I think, would be extremely beneficial for anybody who wants to get in the field.

      [00:54:59] CS: Cool. Jack, you have any wrap-up questions you want to ask?

      [00:55:02] JK: No. Eric, I just really want to thank you for taking some time speaking with us and I know you’re super busy thwarting all sorts of evil out there in the world, so really appreciate you coming on the podcast and really look forward to future things that you’re going to be publishing. You mentioned you got something else coming out in the future. I guess, last question is any other things we should look forward to from Blackberry that we should point our audience to to stay up to date, or to learn more about things that are going to be coming out?

      [00:55:35] EM: Yeah. I mean, so we have obviously a blog site, ThreatVector. Yeah, in the next couple weeks, we have another hack-for-hire coming up, a report coming up we believe is tied to Bahamut. Also, we have a lot of great webinars that come out of the research intelligence team.

      [00:55:56] CS: Okay. Where can people find those? Do you have a website, or a link, or something you want to suggest?

      [00:56:00] EM: You know what? Just if you do a search for ThreatVector and Blackberry, that’ll take you to a lot of stuff. We do a lot of different things there. Obviously, whatever’s in the news and what’s affecting our customers, we try to do more consistently. Obviously, this type of research takes months to put together, so we’ll do that. Yeah, we try to be out there with all those non-stop, so everybody knows the coolness that we’re working on.

      [00:56:27] CS: You have any social media links you want to share? Do you LinkedIn? Do you tweet?

      [00:56:32] EM: LinkedIn, I’m just Eric Milam. I think Eric.Milam on LinkedIn. Obviously, there’s a Blackberry LinkedIn. I got to admit, I gave up all social media back when I was a pen tester.

      [00:56:46] CS: Makes sense.

      [00:56:47] EM: I was like, “Okay. I think it’s time to move on from this.” Every once in a while I’ll tweet and that’s @BravoHacks, my old moniker out there.

      [00:56:58] CS: Cool. Jack, anything you want to share about things you got coming up?

      [00:57:01] JK: No, no. Yeah, great episode.

      [00:57:05] CS: Yeah, that was a lot of fun.

      [00:57:05] EM: Thank you so much for having me guys. I really appreciate it. This is a good time.

      [00:57:09] CS: Thank you so much Eric and thank you Jack as well for joining us.

      [00:57:12] EM: Thank you. Sounds good.

      [00:57:13] CS: Cyber Work with Infosec is produced weekly by Infosec and is aimed at cyber security professionals and those who wish to enter the cyber security field. New episodes of Cyber Work are released every Monday on our YouTube channel and on all podcast platforms. Just type in Cyber Work with Infosec on YouTube and you’ll find it. If you do the same on whatever you get podcasts on, you will find us. If you want to claim one free month of our Infosec skills platform, please visit infosecinstitute.com/skills and enter the promo code cyberwork, all one word, all small letters. You’ll get a free month of security courses, hands-on cyber ranges, skills assessments and certification practice exams for you to try.

      Thanks once again to Eric Milam and Jack Koziol and thank you all for watching and listening. We will speak to you next week.

About Cyber Work

Knowledge is your best defense against cybercrime. Each week on Cyber Work, host Chris Sienko sits down with an industry thought leader to discuss the latest cybersecurity trends — and how those trends are affecting the work of infosec professionals. Together we’ll empower everyone with the knowledge to outsmart cybercrime.