Threat Actors
Uncovering the White Company
A previously unknown advanced persistent threat actor hidden in plain sight
An unprecedented and previously unknown advanced persistent threat group has been uncovered by AI-driven security provider Cylance. Lucy Ingham hears from Kevin Livelli, director of threat intelligence, about how the likely state-sponsored group uses tactics to hide its very existence from detection.
In November AI cybersecurity provider Cylance announced the discovery of an advanced persistent threat (APT) actor quite unlike any other.
Targeting and successfully evading a host of leading antivirus products, the organisation turns them against their users, before deploying a host of methods to eliminate evidence of their existence.
While Cylance has evidence of a number of the White Company’s campaigns, it has published details of one it is confident is being targeted at a government organisation: the Pakistani Air Force. Not only is the air force responsible for Pakistan’s nuclear weapons programme, but it also hosts the recently announced National Centre for Cybersecurity.
Dubbed Operation Shaheen, the campaign focused on espionage, and ran for a year. Such attacks have the potential to provide significant intel for foreign powers. As a result, it is thought that the White Company may be a state-sponsored organisation, and it seems the group may have targeted other countries.
“The set of more than two dozen exploits we analysed included those used in Operation Shaheen as well as those used in other campaigns,” explains Kevin Livelli, director of threat intelligence at Cylance.
“Some of those other exploits launched decoy documents with file names that invoked Chinese, Turkish, US, and Pakistani themes. However, we are still in the very early stages of investigating that evidence, so we cannot with confidence draw any conclusions or assert that any of those countries are targets of The White Company at this stage.”
How the White Company differs from other APT groups
While the White Company is suspected to be a state-sponsored organisation, its approach differs from that of any other publicly known group.
“The White Company’s approach and style of attack does not resemble any of the publicly known state or state-sponsored threat actors, though it is possible that the group is aligned with one of the known actors but engaged in activity that has not been written about publicly yet,” explains Livelli.
The level of obfuscation the organisation deployed is particularly unusual – although there are some signs that make the involvement of a government less than certain.
“The White Company goes to many and varied lengths to evade attribution and maintain stealth both within the context of their exploits as well as their malware, which is distinct from several known APT groups,” he says.
“That said, the easy-to-track nature of the first phase of attack in Operation Shaheen, where a series of external websites were compromised and used to deliver malware, is out of character for state or state-sponsored groups that prize stealth. So is the deliberate surrendering of both the exploit and the malware to the target.”
The level of care the organisation takes in hiding its existence is unusual – but so too are the tools the group utilises.
“Many APT groups do not appear to care when their tools are caught; none that we know of deliberately ask to be caught. The malware payloads The White Company deploys are off-the-shelf and publicly available, which is out of character with APTs known for using custom malware,” he adds.
“The White Company is the only threat actor we’ve seen that has the ability to evade eight different antivirus as a feature of its exploits (as opposed to its malware), and is the only advanced threat actor we’re aware of that deliberately surrenders to its victims after certain, specific dates.”
Extraordinarily different: The White Company’s attack methods
As with all exploits, the White Company’s made use of machine-language instructions, or shellcode; however, these too were very different from other publicly known methods.
“The exploit used by the White Company in the second phase of its campaign in Operation Shaheen differed in extraordinary ways from the more commonly seen, publicly available exploits,” said Livelli.
“The White Company’s exploit shellcode included instructions to evade eight different antivirus products before surrendering to them on eight different dates. It included instructions regarding four different ways to check whether the exploit was on an analyst or investigator’s system.
“It demonstrated the capacity to clean up Word and launch a decoy document. And it had the ability to delete itself entirely from the target system. These features, in combination, are very rarely seen in exploit shellcode.”
Stealth beyond the norm
Stealth is a relatively normal part of APT actors’ playbooks, but the White Company takes this to a new level.
“The White Company goes to numerous elaborate measures to evade attribution, deploying obfuscation techniques both within its malware as well as within its exploits. This is not commonly seen,” says Livelli.
“However, it’s not entirely unheard of, as stealth is a value common to a small number of elite state actors. If there are concerning trends evoked in Operation Shaheen, they would include the increasing use of off-the-shelf, public malware by an advanced threat actor despite the capability and the resources to use custom malware.”
Notably, the organisation also leaves breadcrumbs to misdirect those attempting to track it down.
“I’d also highlight this threat actor’s ability to hack the thinking of forensic investigators and to attack the mindset of researchers by deliberately leaving contradictory bits of evidence behind in an attempt to fluster and confuse those who rely on a traditional approach to incident response and security research,” he says.
“Using those legacy methods would, in this case, have resulted in missing the attack entirely.”
Getting a sense of the people behind the organisation
While it is not clear if the White Company is definitely a state-sponsored organisation – and Cylance does not speculate on what state that might be – there is some insight the cybersecurity company can glean about its size and operation.
“The evidence we uncovered points to the notion that the White Company has several teams working together, with resources devoted to the following tasks: the acquisition of the Stage 1 exploit, reconnaissance of target systems, the development of the Stage 2 (mission-specific) exploit, the improvement and evolution of the exploit over time, the obfuscation of the malware, the management of the Command and Control infrastructure, the development and deployment of the phishing lures, et al.”
With such sophisticated methods of hiding its path it may be challenging to uncover more about the organisation. But with knowledge about the White Company now public, more is likely to be uncovered over time.
PR nightmares: Ten of the worst corporate data breaches
LinkedIn, 2012
Hackers sold name and password info for more than 117 million accounts
Target, 2013
The personal and financial information of 110 million customers was exposed
JP Morgan, 2014
One of JP Morgan Chase’s servers was compromised, resulting in fraud schemes yielding up to $100m
Home Depot, 2014
Hackers stole email and credit card data from more than 50 million customers
Sony, 2014
Emails and sensitive documents were leaked, thought to be by North Korea in retaliation for Sony’s production of a film mocking the country’s leader Kim Jong Un
Hilton Hotels, 2015
Dozens of Hilton and Starwood hotels had their payment systems compromised and hackers managed to steal customer credit card data
TalkTalk, 2015
The personal data of 156,959 customers, including names, addresses, dates of birth and phone numbers, were stolen
Tesco, 2016
Hackers made off with around $3.2m from more than 9,000 Tesco Bank accounts
Swift, 2016
Weaknesses in the Swift payment system resulted in $81m being stolen from the Bangladesh Central Bank’s account at the New York Federal Reserve
Chipotle, 2017
Phishing was used to steal the credit card information of millions of Chipotle customers, thought to be part of a wider restaurant customer scam orchestrated by an Eastern European criminal gang