InSecurity Podcast: Inside the White Company’s Operation Shaheen Espionage Campaign

Applying a new, comprehensive approach to threat intelligence, Cylance researchers profiled a new and likely state-sponsored threat actor, dubbed The White Company, in a set of recently published reports. The reports detail Operation Shaheen, a year-long espionage campaign directed at the Pakistani government and military, and in particular the Pakistani Air Force.

The “genetic mapping” of more than 40 unique shellcode features allowed the researchers to track the development, modification, and evolution of the White Company’s toolkit over time. That mapping tied the threat actor to campaigns that had previously gone unidentified or been misattributed, and gave the researchers a deeper understanding of a larger corpus of the group’s activity.

Two technical chapters of the Operation Shaheen report delve deeply into the exploit kits, malware, and infrastructure employed: the keys that unlocked the doors and the tools used to steal what was inside. The third chapter lays out how the campaign worked, situates the technical findings in their geopolitical context, and explains why it all matters.

The White Company is the first threat actor our researchers encountered that had the ability to evade eight different antivirus products before deliberately surrendering to them on specific dates in order to distract, delay, and divert the targets’ resources.

In today’s episode of InSecurity, Matt Stephenson talks with Operation Shaheen researchers Ryan Smith, Jon Gross, and Kevin Livelli. Their report unravels the mystery of a campaign in which traditional approaches to analysis, focused primarily on the malware and infrastructure, yielded few clues yet many misleading attributes.

About Ryan Smith

Ryan Smith is a member of the Cylance Advisory Board. Prior to that, he was the Vice President of Research at Cylance, where he led teams performing both internal and external research.

He has spent the last decade leading such teams for consulting, product, and Fortune 50 organizations. As an (Read more...)

*** This is a Security Bloggers Network syndicated blog from Cylance Blog authored by Cylance Podcasts. Read the original post at: