In November AI cybersecurity provider Cylance announced the discovery of an advanced persistent threat (APT) actor quite unlike any other.

Targeting and successfully evading a host of leading antivirus products, the organisation turns them against their users, before deploying a host of methods to eliminate evidence of their existence.

While Cylance has evidence of a number of the White Company’s campaigns, it has published details of one it is confident is being targeted at a government organisation: the Pakistani Air Force. Not only is the air force responsible for Pakistan’s nuclear weapons programme, but is host to the recently announced National Centre for Cybersecurity.

Dubbed Operation Shaheen, the campaign focused on espionage, and ran for a year. Such attacks have the potential to provide significant intel for foreign powers. As a result, it is thought that the White Company may be a state-sponsored organisation, and it seems the group may have targeted other countries.

“The set of more than two dozen exploits we analysed included those used in Operation Shaheen as well as those used in other campaigns,” explains Kevin Livelli, director of threat intelligence at Cylance.

“Some of those other exploits launched decoy documents with file names that invoked Chinese, Turkish, US, and Pakistani themes. However, we are still in the very early stages of investigating that evidence, so we cannot with confidence draw any conclusions or assert that any of those countries are targets of The White Company at this stage.”

How the White Company differs from other APT groups

While the White Company is suspected to be a state-sponsored organisation, its approach differs from any other group that is publicly known about.

“The White Company’s approach and style of attack does not resemble any of the publicly known state or state-sponsored threat actors, though it is possible that the group is aligned with one of the known actors but engaged in activity that has not been written about publicly yet,” explains Livelli.

The level of obfuscation the organisation deployed is particularly unusual – although there are some signs that makes the involvement of a government less than certain.

“The White Company goes to many and varied lengths to evade attribution and maintain stealth both within the context of their exploits as well as their malware, which is distinct from several known APT groups,” he says.

“That said, the easy-to-track nature of the first phase of attack in Operation Shaheen, where a series of external websites were compromised and used to deliver malware, is out of character for state or state-sponsored groups that prize stealth. So is the deliberate surrendering of both the exploit and the malware to the target.”

“The White Company goes to many and varied lengths to evade attribution and maintain stealth both within the context of their exploits as well as their malware.”

The levels of care the organisation takes in hiding its existence is unusual – but so too are the tools the group utilises.

“Many APT groups do not appear to care when their tools are caught; none that we know of deliberately ask to be caught. The malware payloads The White Company deploys are off-the-shelf and publicly available, which is out of character with APTs known for using custom malware,” he adds.

“The White Company is the only threat actor we’ve seen that has the ability to evade eight different antivirus as a feature of its exploits (as opposed to its malware), and is the only advanced threat actor we’re aware of that deliberately surrenders to its victims after certain, specific dates.”

Extraordinarily different: The White Company’s attack methods

As with all exploits, the White Company made use of machine-language instructions, or shellcode, however, these too were very different from other publicly known methods.

“The exploit used by the White Company in the second phase of its campaign in Operation Shaheen differed in extraordinary ways from the more commonly seen, publicly available exploits,” said Livelli.

“The White Company’s exploit shellcode included instructions to evade eight different antivirus products before surrendering to them on eight, different dates. It included instructions regarding four different ways to check whether the exploit was on an analyst or investigator’s system.

“It demonstrated the capacity to clean up Word and launch a decoy document. And it had the ability to delete itself entirely from the target system. These features, in combination, are very rarely seen in exploit shellcode.”

Stealth beyond the norm

Stealth is a relatively normal part of APT actors’ playbooks, but the White Company takes this to a new level.

“The White Company goes to numerous elaborate measures to evade attribution, deploying obfuscation techniques both within its malware as well as within its exploits. This is not commonly seen,” says Livelli.

“However, it’s not entirely unheard of, as stealth is a value common to a small number of elite state actors. If there are concerning trends evoked in Operation Shaheen, they would include the increasing use of off-the-shelf, public malware by an advanced threat actor despite the capability and the resources to use custom malware.”

“The White Company goes to numerous elaborate measures to evade attribution, deploying obfuscation techniques both within its malware as well as within its exploits.”

Notably, the organisation also leaves breadcrumbs to misdirect those attempting to track it down.

“I’d also highlight this threat actor’s ability to hack the thinking of forensic investigators and to attack the mindset of researchers by deliberately leaving contradictory bits of evidence behind in an attempt to fluster and confuse those who rely on a traditional approach to incident response and security research,” he says.

“Using those legacy methods would, in this case, have resulted in missing the attack entirely.”

Getting a sense of the people behind the organisation

While it is not clear if the White Company is definitely a state-sponsored organisation – and Cylance does not speculate on what state that might be – there is some insight the cybersecurity company can glean about its size and operation.

“The evidence we uncovered points to the notion that the White Company has several teams working together, with resources devoted to the following tasks: the acquisition of the Stage 1 exploit, reconnaissance of target systems, the development of the Stage 2 (mission-specific) exploit, the improvement and evolution of the exploit over time, the obfuscation of the malware, the management of the Command and Control infrastructure, the development and deployment of the phishing lures, et al.”

With such sophisticated methods of hiding its path it may be challenging to uncover more about the organisation. But with knowledge about the White Company now public, more is likely to be uncovered over time.

Share this article