The White Company: Inside the Operation Shaheen Espionage Campaign
In a new collection of extensive research reports, the Cylance Threat Intelligence Team profiles a new, likely state-sponsored threat actor called The White Company - in acknowledgement of the many elaborate measures they take to whitewash all signs of their activity and evade attribution.
The report details one of the group’s recent campaigns, a year-long espionage effort directed at the Pakistani government and military – in particular, the Pakistani Air Force.
Cylance calls this campaign Operation Shaheen.
The White Company project consists of three chapters within a single report, applying a new, comprehensive approach to threat intelligence research to unlock insights into this threat actor and its operations, and which combines detailed technical research with accessible storytelling.
Two technical chapters delve deeply into the exploit kits and malware and infrastructure used – the keys that unlocked the doors and the tools used to steal what’s inside. The third chapter lays out how the campaign worked, situates the technical findings in geopolitical context, and explains why it all matters – all in language that is easy to read and understand.
What the Research Uncovered
Cylance research has enabled the identification and tracking of a new and likely state-sponsored threat actor whose profile does not match any of the established, so-called APT groups. The profile we have drawn does not resemble that of the U.S., Five Eyes, or India - nor any known Russian, Chinese, North Korean, Iranian, Israeli groups.
The White Company has considerable resources at its disposal indicative of a state-sponsored group. We uncovered evidence that establishes that the White Company possesses the following:
◦ access to zero-day exploit developers and, potentially, zero-day exploits
◦ a complex, automated exploit build system
◦ the ability to modify, refine and evolve exploits to meet mission-specific needs
◦ the capacity for advanced reconnaissance of targets
The White Company is the first threat actor Cylance has encountered that targets and effectively evades no less than eight different antivirus products – Sophos, ESET, Kaspersky, BitDefender, Avira, Avast!, AVG, and Quick Heal – before turning them against their owners by deliberately surrendering to them on specific dates in order to distract, delay, and divert the targets’ resources.
The antivirus evasions are just one of a number of measures employed by The White Company to escape attribution. Other methods we uncovered include:
- Within the exploit: four different ways to check whether the malware was on an analyst’s or investigator’s system; the capacity to clean up Word and launch a decoy document to reduce suspicion; and the ability to delete itself entirely from target system
- Within the malware: five different obfuscation (packing) techniques that placed the ultimate payload within a series of nesting-doll layers; additional ways to check whether the malware was on an analyst’s or investigator’s system; anonymous, open-source payloads and obfuscation techniques; the use of compromised or otherwise un-attributable network infrastructure for command and control
An all-encompassing breakdown of the malware and infrastructure used illuminates a disturbing trend in threat actor behavior, where publicly available tools and techniques are employed by a sophisticated, well-resourced actor, almost surely for the purpose of removing identifiable fingerprints and avoiding the detection of custom malware early on in the campaign.
Our comprehensive approach to examining The White Company and one of their campaigns has shown that this threat actor has a keen awareness of the typical methods, biases, and assumptions held by many in the security research and investigative communities - and they have demonstrated an ability to use that common approach against that community by deliberately undermining those assumptions and leaving contradictory bits of evidence that effectively distract, delay and degrade the ability to analyze their work.
That means the White Company isn’t just exploiting vulnerabilities in software and security solutions. They’re exploiting vulnerabilities in security researchers’ thinking and methodologies.
Innovative Research Methodologies Employed
The White Company project benefitted from an innovative, new approach to analyzing a large portion of a threat actor’s exploit kit, which in this case involved a painstaking examination of the machine-language shellcode instructions embedded within a sample of roughly 30 exploits.
Our genetic marking and mapping of more than 40 unique shellcode features allowed us to track the development, modification and evolution of the White Company’s tool kit over time. This has helped us to tie this threat actor to other, previously unidentified or misattributed campaigns and to understand a larger corpus of their activity more deeply.
Why This Report Matters
Pakistan, the nation at the center of Operation Shaheen, is a pivotal country not just in South Asia’s regional affairs, but in global affairs. It is a key player in the U.S. and NATO counterterrorism efforts in Afghanistan, and a key economic partner in China’s sprawling One Belt, One Road initiative. The country hosts a large number of nuclear weapons – and terrorists. It has been subject to ongoing pressure and occasional open violence as a result of border disputes, terrorist attacks, separatist movements and military coups.
In our judgement, the Pakistani Air Force was specifically targeted by Operation Shaheen. Pakistan’s military has historically demonstrated its outsized influence on both domestic and foreign policy – often eclipsing the country’s own elected, civilian leadership. A successful espionage operation targeting Pakistan’s military could yield significant tactical and strategic insight to a range of foreign powers, including those whose interests do not always align with those of the West.
The Pakistani Air Force is not just an integral part of the country’s national security establishment – including its nuclear weapons program – but it is also the newly announced home of the country’s National Centre for Cyber Security.
What’s Coming Up
In our Exploit report, we examined a set of files that included those used in Operation Shaheen, but also additional files that were used in other, unexplored campaigns.
Readers can expect future reports similar to those seen in Operation Shaheen, which will delve deeply into the malware and infrastructure associated with those campaigns, tell their story, and conduct sophisticated analysis of the underlying technical research.