Breaking Badness

162. Animal Bot Farm

Coming up this week on Breaking Badness: Ride out the Storm-0558, Nothing Bot Net, and Gold, Guidance, and Grievances.


Here are a few highlights from each article we discussed:

Ride Out the Storm-0558

  • Earlier in July, Microsoft shared two blogs regarding the threat actor tracked as Storm-0558. The activity has since been mitigated, but the investigation continues. Today we’re talking about the observed techniques the group used to obtain unauthorized access to email data, its tools, and its unique infrastructure characteristics.
  • This is a China-based threat group, based on the timestamps of when they’re working
    • The targeting is also a giveaway – their activity looks more like espionage than that of a group deploying ransomware
  • Over the last few days, groups looking at the report Microsoft shared have been thinking there’s more to the story
    • This group used an acquired MSA key to forge tokens 
    • It’s curious how someone could get that key and use it to look at dozens of government-related accounts
    • Not a ton of other detail, but there is detail on how they discovered it rather than how the threat group gained access 
  • One of the malware families this group uses is Cigril
    • There’s not a lot of data on this actually
    • Lots of PowerShell and Python scripts
  • This has been mitigated, but are there next steps?
    • According to Microsoft, there are no next steps for customers to take 
    • They did say there will be additional steps they’re taking, but we don’t know what those are at this point in time

Nothing Bot Net

  • The Cyber Police Department of the National Police of Ukraine dismantled another massive bot farm linked to more than 100 individuals after searches at almost two dozen locations.
  • This is at least the fourth time since the invasion
    • Unsurprisingly, Russia seems not to just give up and do the right thing when these bots get taken down
    • Other occasions were in August and September of last year, and there was another takedown before then as well
    • In one of those takedowns last year there were at least a million bots. Bots are EVERYWHERE
  • Bot farms have been around for years
    • We did talk about them on a fairly recent episode—they are how DDoS attacks are carried out
    • Bot farms are like real farms in that there are various objectives—like various crops—that they are intended for
    • There was a benevolent bot farm that Tim participated in one time
      • That one was SETI—the networked computing resources that were consensually obtained in order to pore through vast amounts of data from radio telescopes, trying to identify anomalies that could represent an intelligent civilization
  • As far as we can tell, these bot farms are run by Russians
    • There certainly may be some Ukrainians who are sympathetic to Russia involved here, but overwhelmingly that seems not to be the case
  • Is dismantling a bot farm always a physical act?
    • In this instance, several cities in Ukraine were searched and they seized computer equipment, mobile phones, SIM cards, etc.
    • It’s not always a physical takedown, but it’s not surprising that it often is—because there aren’t always effective ways to mimic either individual entities like SIMs (so that each bot appears to be a genuinely unique account) or users
  • While we should celebrate this win for Ukraine, we also realize this will likely not be the last bot farm they need to dismantle

This Week’s Hoodie/Goodie Scale

Ride Out the Storm-0558

[Taylor]: 4.3/10 Hoodies
[Tim]: 3/10 Hoodies

Nothing Bot Net

[Taylor]: 4.5/10 Goodies
[Tim]: 5/10 Goodies


That’s about all we have for this week. You can find us on Twitter @domaintools, and all of the articles mentioned in our podcast will always be included on our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.

*A special thanks to John Roderick for our incredible podcast music!