A Little Modern-Day Story
Eric: This is going to be a great part two with JAGS. The stories from last week continue. We're going to move to the Middle East, and talk about a little modern-day story that just happened in July of 2021. It's going to be fabulous.
Rachael: I've so many questions, too. It's been so hard to wait a week for this episode. I've been so excited for this one to come out. I often don't wait for things anymore because when you do though, it's horrible and painful.
Eric: With that, let's kick off part two with JAGS from SentinelOne.
Rachael: What we're talking about are attackers finding their rhythm or finding their way. You recently wrote about this Iranian train attack, and I love that you guys called it the MeteorExpress.
Juan: It's the last bastion of creativity in threat intel, to sneak in a nice name.
Eric: I love the naming. The creative naming just gets me going.
Rachael: I love everything about this. I don't want to steal your thunder but there’s this epic trolling by the attacker in who they were directing to call with plates and the signage. Please tell our listeners more about what you learned about this.
Juan: It's a complicated story and a really interesting one. I don't know when this is going to go out, but it continues to develop. There's some things in there that I want to touch on that are not in the report. It'll probably keep evolving by the time that folks listen to this.
Eric: How much time do you need? We'll record it, we'll sign the NDAs, we’ll release it when you let us know.
This Thing About MeteorExpress
Juan: I'll be as forthright as I can be, but I think this is going to keep evolving beyond today. We got into this thing about MeteorExpress. There's a wiper attack in Iran in the railway system. It's particularly funny in a sense because you mentioned this epic troll. They wipe all these systems, they take down the ability to coordinate these trains. All of the displays have a picture that says, "Trains delayed due to cyber attack. For more information, call this number." I think it's 64411. It turns out that it's the Supreme Leader's office in Iran. So epic troll, absolutely hilarious.
Now, that being said, I try to keep the glibness in check because the other element of this is somebody just deployed a wiper on critical infrastructure somewhere. That's the part where we're laughing and it's Iran, so everybody finds everything acceptable. When it's Iran, North Korea, certain places you're like, "Oh, fair game." But I feel like, in a sense, if someone was willing to do something, that had it happened here, we would have been very upset about it.
Eric: We'll be pretty pissed off.
Rachael: I guess that's a question, too. Why there? Is this like a test kitchen activity?
Juan: I don't think so. Let's cover the basic ground and then we're going to go into what's going on with this. There was a report out of an Iranian AV company of some of the components that they saw. Just based on some of that, I was able to rebuild the entire attack chain. Thankfully, we were able to find all the files and figure out what happened.
A Disadvantageous Position
Eric: Wait a minute, there's an Iranian AV company?
Juan: There is. I believe it's called Amnpardaz or something like that. If you have to think about it, most companies can't do business with Iran.
Eric: They got to create their own.
Juan: It puts them in a particularly disadvantageous position, to be honest with you. This is AV inside ball, but most countries want to develop their own AV because nobody trusts foreigners. Then they try to do it and they realize it's a monumental task.
Eric: It's really hard.
Juan: Yes, they clawback.
Eric: Who's buying Iranian AV software? There's probably not a huge market either.
Juan: Probably only around a few other Middle Eastern partners.
Eric: Who thought their trains would run on time if run at all.
Juan: They've gotten their teeth kicked in enough for the past few days. Again, there's the glib side of this. There's the funny end of it, and then there's a really serious one. They're being ravaged by COVID. They have this horrible political system that's showing all kinds of terrible abuse of folks and so on. This story actually transcends into that. So again, getting to the basics, we rebuild this toolkit. It's an interesting wiper.
I sort of got to detail everything and the wiper is called Meteor. That's why we called it MeteorExpress. It's particularly important, if you discover something, to put your stake in the ground and name it artistically. So we called it MeteorExpress, and it's a really interesting set of activities. First of all, it doesn't relate to any known threat actor we had seen at the time. Also, it's oddly clunky and poorly deployed, and yet there are elements of it that are very well done.
Advanced, Sophisticated Threat Actor
Juan: So to me, it's not clear-cut to say this is a very advanced, sophisticated threat actor. It is not. But it's definitely not somebody that just came out of the woodwork and figured out how to use a computer yesterday. There's something happening here.
Eric: Probably an Israeli college class's final project or something.
Juan: This is where we get into some of the complicated parts of threat intel. It's very easy for this to get politicized. It is very easy to misstep. I've written a couple of papers about this because it causes a lot of anxiety for folks.
I don't know how many people had seen this activity before I wrote on it, but I do know of some folks that looked at it. They said, "This is probably Israel," and they backed off. I personally don't like that. I've worked on American stuff. I have worked on European stuff. I've worked on Israeli stuff in the past. I really don't like the idea of just backing away from something because you think that it's a friendly country.
In this case, I'll be honest with you, if you asked me for my gut instinct, I don't think it's them. It's underestimating the diversity of threat actors in the Middle East to think that every semi-sophisticated attack is Israel. And to be honest with you, the quality of stuff coming out of Israel is drastically higher.
Eric: Maybe it was like a middle school class's project. I saw it in the press, and as far as I'm involved, I only know what's in the press. Probably not even half of what's in the press because I'm not spending a lot of time on this.
Who Decides the Attacks
Eric: The first thought that comes to mind is, who decides to attack the Iranian train system? Who even thinks about Iran and the trains?
Rachael: That's why I wonder, was it a test kitchen kind of scenario? Kind of low-hanging fruit to go after just to see how it goes.
Eric: It seems like an oddball target.
Juan: It absolutely is an oddball target. I put out my research, and then, I believe, Itay Cohen and a couple of other folks over at Check Point picked up on it. They wrote their own follow-up, and they found something interesting. Based on this MeteorExpress stuff, they are able to find earlier versions of that wiper that are called Stardust and Comet by the attacker. Let's try to follow along here because it gets complicated.
Eric: I'm doing my best because I'm a podcaster. We'll do okay.
Juan: I just wish we had a whiteboard. The timeline is really important. Check Point finds these, and they realize that, in the code, there's a reference to a group called Indra. Indra is a "hacktivism" group that's interested in attacking Syria, and they claim a couple of Syrian hacks. They're really interesting targets.
It's like a company that does money exchange services that they accused of laundering money for the Quds Force. And a private airway company that's doing private jets for Soleimani and other folks in Iran. Very interesting, very well chosen targets. Then I like to point this out because if you ask me, and this is where CheckPoint and I stand in direct opposition, they think it's hacktivism. I do not.
Nation-State Groups Pretending To Be Hacktivists
Juan: We have seen a lot of examples of nation-state groups pretending to be hacktivists. The North Koreans did it. They've done it several times with Guardians of Peace for Sony. They used to do the team, the New Romanian Cyber Army. They've created a bunch of fake fronts for their activities.
And so have the Russians. The Russians did 2.0, and Poland, Cyber Califate, Yemeni Cyber Army. They've created a bunch of these things where they make it look like it's organic hacktivism. In reality, it's the same old threat actors that you can think of. They're using fake fronts to justify their hack and leak operations. Rather than saying, "Look, we're the GRU providing you with stolen info," it's "We're patriotic hackers out of Ukraine" or whatever.
Maybe I'm overly primed to look at it this way, but to me this has all the markings of a fake hacktivism front. The reason I said this is a story that continues to develop. It will probably develop further beyond when this podcast is revealed or released. Because what CheckPoint finds to me is a specific time-delimited campaign. You see a couple of attacks in Syria with this toolkit under the banner of Indra.
In November 2020, Indra goes dark. They stopped posting on Twitter, on Facebook, and they stopped using Stardust and Comet the way that they were coded. Instead, we see Meteor being coded with no reference to Indra in January of 2021. Deployed in July of 2021, along with a couple of other mysterious hacks in Iran that we haven't been able to investigate. The latest of which is Evin prison.
One of the Darkest Places on Earth
Juan: I don't know if you guys got to see the news out of this. It’s really interesting and kind of terrifying. A "hacktivist group" hacks Evin prison, which is believed to be one of the darkest places on earth. It's basically where the Iranians take political prisoners and what-not.
They steal tons of footage from the security cameras inside of this prison, publicly release it, then lock up and wipe the machines. In that footage, you can see the machines being locked up and wiped. You can watch the operators in that prison see this happening. Frankly,
I can't make a solid assessment because I'm not doing IR on those systems. I don't have any samples. It looks like the same functionality as MeteorExpress.
That’s not enough for anybody to make a solid assessment. I'm not going to put my hands in the fire about it, but it looks very similar. The day this attack is announced, we get a new account called Adalat Ali. A new hacktivism front that claims the Evin prison hack and does the same mega dot NC massive dump of stolen stuff. It continues to have a social media presence and promises more attacks.
My speculation is we're seeing a group adopting fake hacktivism fronts, first for a campaign in Syria, now for a campaign in Iran. To me, that's foreign influence. That's an established group of some sort that is white washing their exfil through seemingly organic hacktivism.
People have had enough. They've decided to do this hack. We would all love to believe that hacktivism is alive and well, and maybe it is in places like Belarus. But I don't think that that's the situation here. That's my honest take on it.
Who Attacks an Iranian Train System
Eric: Who attacks an Iranian train system, an Iranian prison? I'm trying to put that together. What's the motivation? Disruption?
Juan: Let's put it this way. Folks tend to immediately think about, for example, Israel in this context. But not only is Israel there, but the United Arab Emirates is there, Bahrain, Jordan. Lebanon has been shown to have their own cyber espionage capabilities. There are quite a few well-resourced groups. In particular, we've been seeing a lot come out about the Emirati cyber program. Between stuff with dark matter and everything that happened post-CyberPoint contract.
The amazing stories that Chris Bing put out on Reuters about Karma. How former NSA contractors have basically been helping them build capabilities in the Emirates. I'm not pointing at them in particular. But I'm saying we're oversimplifying the Middle East if we think that
it's really one attacker and a one victim in either direction. The Iranians have been pissing plenty of people off with their own wiper attacks for years now, including the Southeast.
Eric: Who do you hurt if you hack the prison and the train system? Why would you do it?
Juan: In a sense what you are doing is chipping away at the legitimacy of that government. It's not that you are really going to disable them. You're essentially showing this general uncoordinated weakness that comes along with being unable to stand up to some ephemeral force. Worse yet when you can claim that it's locals. The idea that your own people are against what you're doing is part of the propaganda force that comes along with a hacktivist group.
The Powerlessness of Leadership
Eric: Then if you take the train system, which a lot of people use, I'm assuming the administration, the people running the company of private cars and planes and helicopters and things. But the people are on the train system, they use 64411, the phone number for the Supreme Leader's office, I understand that. The prison showing what's going on in this very dark place, maybe you start to pull it together. I guess you're right. It does make him look bad.
Juan: You're putting into question the legitimacy of it. It's important in a sense because it's a lot easier to deny obscure hacks that happen inside of the ministry. Apparently they also have the Ministry of Urban Development and Roads. Who knows? They can just say nothing happened, and the Iranians often do. That government will either come out and say, "Oh, my god. We are being pummeled by cyberattacks, and it turns out to be nothing."
Or they'll say, "Nothing happened here," and it turns out that a whole ministry got taken down. In a way, targeting something that normal everyday people rely on is a fantastic way of just showing egg on their face. This is not an administration.
Eric: The powerlessness of leadership.
Juan: It's something that began with Stuxnet then. I hate to invoke the ghost of Stuxnet because it's brought up in every conversation, but part of the power of Stuxnet was psychological. Kim Zetter wrote such a fantastic book on this. If folks haven't read it, Countdown to Zero Days, probably the best threat intel story out there. Kim Zetter is just a fantastic journalist for this. Part of the effect of Stuxnet was they were doubting their own competence.
A Psychological Effect
Juan: They were firing scientists, they were chasing their own tails, replacing equipment. It's a psychological effect to say, "Oh, god. We just can't get our act together to get this done." Now we've got something similar. We're experiencing it in the U.S. too. The ransomware epidemic for enterprises is definitely making us look like this horrible, "roided-out sitting duck." We're the most powerful cybernation on earth, but we're also just getting slammed all day. And we can't do anything about it.
Eric: They're incredibly vulnerable, easy targets, and we can't do a lot about them.
Juan: It's a sad situation to have what is arguably the most power in cyberspace and to have your hands the most tied out of anybody else.
Eric: We're probably the most vulnerable, too.
Juan: It comes down to dependence on technology. It is such an enabler. It's such a source of our power. We have the largest corporations. Economically, the largest corporations on the planet, they're all technology companies. That shows that the great promise of
America is largely built on the tech sector right now. So if you can chip away at our ability to depend on that, that's part of the ridiculousness of the arguments that we have about cyber war, in particular cyber on cyber. It's like, "If we get hit, then we're going to retaliate with cyber. If you take down some systems in Russia, or in Iran or in China, the trains aren't working, we'll walk." They're fine. If you do that in the U.S., look at what happened with Colonial, they didn't even hit the OT system. They just took down the billing. I have to pay $75 to fill up my tank here in Miami even though that pipeline doesn't even reach here.
Eric: What was it like putting gasoline into plastic bags? It goes to show some problems.
Juan: Our collective wisdom is not what we'd like it to be.
Rachael: There was someone in Texas that had filled a trash can in the back of a pickup truck. There wasn't even a top on it. I'm like, "How do you drive it now?"
Juan: You're just getting high on the way out, aren't on you? High on fumes.
Eric: Just one spark though, you're firework.
Juan: I don't know what to tell you.
Eric: We're not going to fix that one today. So, Jags, I think we're going to turn this into a two-parter. These stories are awesome. How'd you get into this career path? How did you say, "This is where I want to go?"
Juan: My career path is super unlikely. I'm incredibly fortunate to have ended up where I did, I was a philosophy major, and that was my whole thing. I was just going to stick to really obscure German philosophy that nobody ever wants to read. Somehow that turned into a lot of intelligence analysis work, which I really enjoyed.
Eventually being on the receiving end of a lot of cyber attacks and having no local expertise develops into a fascination for something that was not immediate to my skill set. But that was interesting enough to be worth the dedication and devotion to try to learn and learn .
I credit my time at Kaspersky a great deal. I’ve had the pleasure of working in the global research and analysis team for some years with amazing researchers like Costin Raiu, Kurt Baumgartner, and Brian Bartholomew.
Some Really Interesting Roads
Juan: All of these fantastic folks who took the time to teach a lowly analyst how to do things. It's just been getting into trouble ever since. Like I mentioned, I lack the common sense or at least the survival instinct to not look at certain things. It has led me down some really interesting roads.
Eric: But you're not getting a job as an obscure German philosopher at Kaspersky on that. Where you're working, you determined that path. We have a tremendous amount of need for people like you. How do you get started? A lot of people want to know, how do I get into the business? What's that journey?
Juan: My journey isn't necessarily the one that I would immediately prescribe for others. I’d say I am definitely not an outlier in the threat intel research space. I know a lot of folks that never graduated high school. They got their GED and they just went into this because it's what they love. I know people that are PhDs in physics. People that are just all over the spectrum would just love puzzles and love doing this kind of research.
That should be encouraging particularly to folks who have a mind for critical thinking. Who has a mind for everything that would make you a good intelligence analyst, or somebody who's into international relations and geopolitics. To say, "Look, just because you don't have the technical formation right now doesn't mean you are barred from the space." I did this at a Carnegie Mellon lecture, which was probably not the nicest thing to do for a purely technical department.
The Talent War
Juan: But I've gone on the record to say that I would rather hire a really smart international relations or intel analyst. Teach them the technical stuff the way it was taught to me rather than take a CS grad and try to get them to think more broadly. And try to understand motivations, cui bono, international relations, and what happens between Iran and the Emirates and so on. It's so much harder to broaden a technical person's thinking than it is to take a broad-minded individual and teach them technical things.
Eric: It reminds me, we had George Randle a year and a half, two years ago probably. He's from the HR talent acquisition perspective. He wrote a book on the talent war. One of the major themes is hire for characteristics, train for skill. Don't hire for skill. One of the stories they use in the book is a Navy Seal story. Every Navy Seal who's a Navy Seal already went through BUD/S, the Navy Seal training program. You can't get non-Navy seals with BUD/S qualifications, so you've got to look for the characteristics. You can't say looking for a
Navy Seal to be a Navy Seal because they already are.
You've got to look for the people like you out there that have those characteristics. When you say you're an obscure German philosopher, that was your interest. To me having actually worked with and overseeing an advanced malware lab capability, they were all over the place. We provided Xboxes, Nerf guns, crazy wacky lunches, but the spread of a variety of the people in the lab. You're working with Marco Figueroa right now. Marco is not normal, let's be honest. But he's amazingly capable and brilliant.
A Good Talent Pipeline
Eric: You got to look for people who have characteristics. We're not going to put a job ad out looking for obscure German philosopher. It doesn't work. That's why I ask about your journey because it's something that there are a lot of people across the globe who would be really good at this business.
Juan: There's a couple of things here. One of them is it's a shame that we don't have a good talent pipeline. A lot of universities are failing to put this together. It's a shame that we don't have a way to really churn out talent because we need it. I am not worried about job security. Nobody in this space should be worried about job security. We have enough work for 10 times the amount of people that we have here. So please bring them along.
The issue is right now we're living in the apprenticeship model. If you're lucky enough to go somewhere with great folks, then you learn from them how to do things. Then someday, you pay it forward and you teach somebody else how to do things. That's tough.
The corollary for me is look at something like Bellingcat. Bellingcat is fantastic. It's brilliant. Bellingcat is a UK collective of citizen journalists. Basically people who really are passionate about some obscure subject. They decide to use open source intelligence to figure out what is going on. They've done a really notable work investigating the downing of MH 17, the poisoning of the Skripals in the UK. They've done a lot of very significant work. They're also helping to track human trafficking victims.
Open Source Intelligence
Juan: Anything that they can basically take some leads of information. Use open-source intelligence to just figure out what's really going on. Identifying videos of victims in Africa. What country is this? Who did this? It's fantastic because honestly, there really isn't any gatekeeping about who can be a part of this effort. It's very easy for folks to come in and say, "You know what, I just really care about this. I'm going to learn the OSINT tools and techniques, and I'm going to contribute. Other folks are going to check my work, and if it's
worthwhile, we're going to publish it.”
There should be a similar mentality when it comes to threat intel and InfoSec, which is to say, "Look, start your blog. Start your journey. Tell us what you're working on. Show us what you're learning." Yes, you're not going to put out a job requirement for someone who's into obscure German philosophy. But I think it's much easier to extend the hand to somebody who has a blog.
You're like, "Wow. They don't know everything, but this person, they're a student or whatever, or they're just a random individual who really cares about this. They are onto something. Let's help them." That's an easier way to get a foot in the door, to show your curiosity and show what you can do on your own. Good hiring managers should be able to say, "If they can do this on their own, imagine what they'll do with our tools and our mentoring."
Eric: Right, when we're mentoring them and working with them. So one of the pieces of advice then is get creative, get out there. But also when you look for that first or second job, find a good mentor. Find somebody who can teach you because it is an apprenticeship model. I would argue with that. The only difference is, you can look at things like DHS, but definitely NSA, Cyber Command, CIA in the States, GCHQ in the UK. I'm sure the Iranians have a good training program too over there.
The offensive work, in my experience anyway, it does make good defensive people. That's probably the most structured training program. You're not going to go to a college necessarily and figure this stuff out overnight. But if you're doing the offensive stuff, you get to think like the adversary and then can defend somewhat against them.
Juan: That's an interesting argument for folks to consider going the government route. Obviously, great to be able to serve your country. To be honest, even though you're going to be underpaid, you are going to get opportunities to do things you're never going to be able to do anywhere else. I can't hire you and say, "Hey, go pop those command and control servers and let me know what you find."
There's definitely something to be said for that. From the industry, we have to admit that, for example, Unit 8200 has figured out how to turn out amazing talent. They’re on to something that the rest of us aren’t. They just churn out a massive amount of great people. We should probably ask them how to set up a talent pipeline.
Flourishing Cybersecurity Industry
Eric: Look at the flourishing cybersecurity industry in Israel. I believe much due in part to the work that's done over there.
Juan: There's something to be said for there is a way to do this. Maybe we're being failed by the rigidity of the academic space not to set up better programs for it. But in any case, this is also a space where knowledge isn't obscure. You can find most of the great tutorials for learning how to reverse and debug are freely available online. Back from the late '90s, early 2000s, when people were just trying to crack software because they lived in Eastern Europe. They couldn't buy it.
Most of the stuff you need is freely available. No Starch Press does sales on their books basically every month. If you are a starving artist and you really can't pick that up, even probably steal them online, forgive me, Bill Pollock. But I'm saying you can get your start. You can do it. It's more about dedication. That's something that we really shouldn't underestimate, even for people that already have their foot in the door.
If you are purely an intel analyst, find the time to learn the technical side of the house. The more that you need to depend on other people for your technical end, the more you're missing parts of the picture. Not to preach against work-life balance or whatever. But if this is your passion, there's a lot of room to grow.
Eric: Great advice. Reach out to famous published researchers. I'm betting nine times out of 10, if somebody reaches out and says, "I have a question about the industry," people answer.
Diversity of Skills
Juan: There's a reason why DMs are open to a lot of folks. Twitter has given everyone a voice for better or worse. You can reach out to amazing individuals, and half the time they'll answer, so might as well try.
Eric: What a way to end the week. Bet you didn't have this on the set with All My Children.
Rachael: No, it was quite different.
Juan: We've given her such a hard time about her. It's like a diversity of skills. It has a wide range of skills represented.
Rachael: Exactly, and cyber takes all comers.
Eric: Rachael is amazing at what she does. A couple of years ago, we were at RSA, and we did a show. Rachael was going to listen in one of the podcasts and we surprised her. I was with our CTO at the time. We’re doing a show about RSA, and Rachael was the featured guest. She’s supposed to listen in, she had no prep or anything. We're huddled around a little Blue Yeti mic in a room right off of Moscone Center. We put Rachael on the spot, and she was freaking amazing. I don't know the podcast episode.
If you're in marketing, if you're in PR, and you're running shows and things, go listen to it. She talks about what it takes to put the show on. Anyway, she was a pro day 1. She came in live about 30 seconds into the show. We announced you as the feature guest, and she just rolled with it. That's her acting experience. She's a pro.
Rachael: It helps when you have good people to talk to. It's fascinating to people with all these amazing stories. It makes it really easy to have a really good conversation.
So Many Great Stories
Juan: Thank you for the opportunity. Honestly, I don't get to nerd out about these things often enough. You're running, looking at the next case, but there are so many great stories in this space.
Eric: There are great stories that we can't wait to hear. Are you working on anything next?
Juan: There is a bit of a competitive streak and we all try to impress each other and come up with new things.
Eric: Throw the challenge out there now. Lay the gauntlet down for everybody in the business.
Juan: I'm working on some special techniques to analyze go malware. I like to do something that we've nicknamed cyber paleontology, I like to look back at stuff. The industry tends to be very now-focused, monster of the week. Oh, my god, SolarWinds. Every week is a different thing. The truth is that we don't have the resources to ever fully analyze any of these incidents. Me, Costin Raui, a few other folks really like to take old incidents and say, "What can we understand now?"
In the vein of the Moonlight Maze, what do we understand now? I'm working on a really old school operation now. Honestly, I'm just waiting for the in-person conferences to really come back so that I can have a good venue. To be like, "All right, this is the thing I'm going to work on."
Eric: Now, you're hitting my area of expertise. Guess what? They're shutting down. We just had another government conference shut down today. I don't think you're going to be back in person until probably second half of '22 at this point.
Rachael: Put January.
Selling Myself a Dream
Eric: Maybe April. I'd put a dollar down, not January. But anyway, JAGS, I don't want to bust your bubble. I just want to be honest with you. We're seeing them cancel.
Juan: I'm selling myself the dream just because my inner attention whore can't take it. I need to get on stage and show off a little bit.
Eric: Come back on the podcast.
Juan: I’d love to. We have a lot more stories to cover.
Rachael: Well, everyone, thanks again for joining us for this week's podcast with Juan Andres Guerrero-Saade. Better known as JAGS, but what an amazing conversation. Thank you so much for joining us today. We can't thank you enough.
Juan: Thank you both. That was fantastic. I appreciate it.
Rachael: I don't even want to ruin it, but you have to put the plug-in smash the subscription button, get a fresh episode every single week in your email. It's like Eric and I are just showing up at your doorstep and having a nice conversation.
About Our Guest
Juan Andrés is a Principal Threat Researcher at SentinelOne and an Adjunct Professor of Strategic Studies at Johns Hopkins School of Advanced International Studies (SAIS). He was Chronicle Security’s Research Tsar, founding researcher of the Uppercase team.
Prior to joining Chronicle, he was Principal Security Researcher at Kaspersky’s GReAT team focusing on targeted attacks and worked as Senior Cybersecurity and National Security Advisor to the Government of Ecuador. His joint work on Moonlight Maze is now featured in the International Spy Museum’s permanent exhibit in Washington, DC.