DeepSec 2021 Talk: Do you have a PlugX? Artem Artemov, Rustam Mirkasymov
Deep overview of a tool used by the Chinese nation-state APTs based on a real-life Incident Response case with a big industrial company. Investigation yielded the presence of PlugX in the infrastructure. This presentation gives a full overview of the tools functionality, its past versions, and nowadays usage (Thor is a new version of plugX). We show why it is hard to find and why it’s important for big industrial companies. And also we talk about our assumption that all recent big attacks – first Sunburst and then Exchange exploits (proxylogon related to Hafnium) are links of one chain.
We asked Artem and Rustam a few more questions about their talk.
Please tell us the top 5 facts about your talk.
- It’s about pro-government APT
- The described threat is silent
- The threat target is unusual – industrial companies
- Story based on a real-life case
- We’ll give you direct recommendations how to hunt it
How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?
One day in April or May, we sat with colleagues and talked about the ransomware pandemic. Suddenly we realized that all attention is riveted on this topic. Ransomware is featured in the news and it’s everything that we see in the Incident Responses. But where are the big guys?
Then we came to understand that the big boys are still working. Year after year. And the ransomware pandemic could be a smokescreen for their operations. So we decided to make that talk, to share our knowledge and to warn everyone about deep silent threats that could be already inside your company.
Why do you think this is an important topic?
I think this is important now, because there is no time left! You can buy a lot of security solutions, do a penetration test, but there is a 90% chance that you will miss this threat. And so this summer we see that PlugX has been improved! A huge “update” has come out. That means that APTs are working. They have time, money and patience. What is more important for a company? More than money and user data? Their inventions, new developments and patents. Drawings and technical data. Information about a merger or an imminent release of a new product. This is the main target of cybercriminals using the described tool.
Is there something you want everybody to know – some good advice for our readers maybe?
Our talk can cause paranoia. But it is better to know about the threat than to remain in the dark. And even better – know exactly how to find a threat, and what methods will help you with this. Please don’t rely on old remedies.
A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?
We are already seeing that the methods and tools of pro-government APTs are becoming more and more sophisticated. At the same time, we see more and more countries using cyber armies for espionage. The number of such silent threats will continue to grow. If you want to be safe, remember that you are the target. Not only for ransomware groups but also for big brothers.
Artem Artemov: Head of DFIR Lab Group-IB Europe. More than 14 years in DF, last 10 years in Group-IB. Incident responses all over the world, I take part in investigations and arrest of cybercrime groups like Carberp, Buhtrap, Corcow, Cobalt, Cron, Moneytaker and others. Also I provide tailored DF courses at several universities.
Rustam Mirkasymov: Head of Cyber Threat Research, Group-IB Europe. 8 years in cyber threat research and threat intelligence. Strong skills in reverse engineering, knowledge in exploit development and understanding software vulnerabilities mechanisms. Author / co-author of numerous APT threat reports (including Lazarus, Silence, Cobalt, MoneyTaker, RedCurl). Experienced speaker at key cyber security media & events.