The White Company: Inside the Operation Shaheen Espionage Campaign

In a new collection of extensive research reports, the Cylance Threat Intelligence Team profiles a new, likely state-sponsored threat actor called The White Company – in acknowledgement of the many elaborate measures they take to whitewash all signs of their activity and evade attribution.

The report details one of the group’s recent campaigns, a year-long espionage effort directed at the Pakistani government and military – in particular, the Pakistani Air Force.

Cylance calls this campaign Operation Shaheen.

The White Company project consists of three chapters within a single report. It applies a new, comprehensive approach to threat intelligence research that combines detailed technical research with accessible storytelling to unlock insights into this threat actor and its operations.

Two technical chapters delve deeply into the exploit kits, malware, and infrastructure used – the keys that unlocked the doors and the tools used to steal what’s inside. The third chapter lays out how the campaign worked, situates the technical findings in geopolitical context, and explains why it all matters – all in language that is easy to read and understand.

What the Research Uncovered

Cylance research has enabled the identification and tracking of a new and likely state-sponsored threat actor whose profile does not match any of the established, so-called APT groups. The profile we have drawn does not resemble that of the U.S., Five Eyes, or India – nor any known Russian, Chinese, North Korean, Iranian, or Israeli groups.

The White Company has considerable resources at its disposal, indicative of a state-sponsored group. We uncovered evidence establishing that the White Company possesses the following:

◦ access to zero-day exploit developers and, potentially, zero-day exploits

◦ a complex, automated exploit build system

◦ the ability to modify, refine and evolve exploits to meet mission-specific needs

◦ the (Read more...)

This is a Security Bloggers Network syndicated blog from Cylance Blog, authored by Cylance Blog. Read the original post at: