SharpTongue pwning your foreign policy, one interview request at a time - Tom Lancaster (Volexity)

Virus Bulletin
9 Nov 2023 (29:16)

Summary

TL;DR: In this talk Tom Lancaster, threat intelligence lead at Volexity, examines how the North Korean threat actor SharpTongue (the slides use Volexity's newer name for the same group, SharpPine) compromises experts, particularly in foreign policy, through patient, well-crafted phishing. The focus is on social engineering and phishing rather than on how the malware works. By analysing the attackers' targets, methods and infrastructure and walking through real cases, the talk shows how SharpTongue obtains and reuses email data, and what that means for the people being targeted.

Takeaways

  • 🔍 Threat intelligence lead Tom Lancaster introduces SharpTongue, a North Korean threat actor that breaks into foreign-policy experts' systems through carefully crafted phishing.
  • 🎯 SharpTongue has been active since 2012 and uses many malware families; its main goal is the target's email, because that is where the sensitive information lives.
  • 💡 The group uses social engineering and phishing that mimic the target's everyday correspondence to build trust before delivering the attack.
  • 📧 SharpTongue prefers to attack victims' personal email accounts, because many of these professionals handle work-related email in their personal mailbox.
  • 🔗 Attackers pose as journalists, researchers or government officials, build a conversation and trust, and only then send an email carrying a malicious link or file.
  • 🛠️ Attackers host malicious files on sites they register themselves or on services such as OneDrive or Google Drive, and password-protect them to avoid detection.
  • 🚀 Long-running exchanges let the attackers learn the target and tailor the lure; sometimes the malicious link arrives only after a month of conversation.
  • 🔒 Once a device is infected the attackers install several malware families, which are hard to remove completely with automated tooling and usually need manual cleanup.
  • 🤝 Building a good relationship with targeted users and teaching them to recognise this kind of phishing is one of the key mitigations.
  • 🌐 Targets are not limited to the United States; they include EU member states and South Korea, whose policies and positions on North Korea are of particular interest.
  • 📚 By monitoring and analysing the attackers' C2 servers, researchers learned about their operational practices, including how they handle logs and help text files.

Q & A

  • Which company is Tom Lancaster the threat intelligence lead at?

    -Tom Lancaster is the threat intelligence lead at Volexity.

  • Which country is SharpTongue a threat actor from?

    -SharpTongue is a North Korean threat actor.

  • How does SharpTongue mainly obtain access to targets' mailboxes?

    -In two main ways: credential theft, for example a phishing link that leads the user to enter their login credentials; and malware, such as a keylogger or SHARPEXT, malware that runs inside Chrome-based browsers.

  • Who are SharpTongue's main targets?

    -Experts in foreign policy, especially on North Korea: think-tank staff, university professors, journalists and government personnel.

  • Why is SharpTongue especially interested in targets' personal email?

    -Because personal email is where people share the most interesting information, especially in the political and NGO space.

  • How does SharpTongue use already-stolen mail data for further phishing?

    -By analysing stolen mail to learn what the user discusses and with whom, then using that knowledge to craft more convincing phishing emails against other users.

  • What is distinctive about the 'baby shark' malware Tom Lancaster mentions?

    -'baby shark' uses a particular VBScript function to perform letter-substitution encoding, and it has several capabilities such as reconnaissance and downloading and executing remote files.

  • How does SharpTongue avoid triggering anomaly detection at large webmail providers?

    -It uses SHARPEXT, a browser extension, to access and steal mail from inside the browser, so from the provider's point of view the activity looks like the user normally reading their own webmail.

  • What does Tom Lancaster think should be done once a user's device is infected by SharpTongue?

    -He thinks automated solutions struggle to fully remove the malware, so manual intervention is needed. He recommends working closely with users, building a relationship, and teaching them to recognise and report these attacks.

  • Why is SharpTongue's activity hard to track and hard to notify users about?

    -Because the attacks often go after users' personal email, so the activity happens outside the corporate network and may only be seen when the user brings the device onto the workplace's public Wi-Fi. In addition, the attackers run several malware families at once on an infected device, which complicates cleanup.

  • What is the purpose of the 'help.txt' file Tom Lancaster mentions?

    -A 'help.txt' found in SharpTongue's activity instructs the operator how to use the different attack files and how they link together. This suggests that the malware author and the operator are different people.
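A triage check a defender might run for this class of tradecraft, added here as an example and not part of the talk or of Volexity's tooling: audit the manifests of installed Chromium extensions for host access to webmail origins. It assumes the standard Chromium profile layout (`.../User Data/<profile>/Extensions/<extension id>/<version>/manifest.json`) and the documented manifest fields (`permissions` for Manifest V2 host patterns, `host_permissions` for V3, `matches` on content scripts). The webmail host list and the three sample manifests are constructed for the demo. It reports reach, not intent: a legitimate mail add-in will be flagged too.

```python
"""Audit Chromium extension manifests for webmail host access.

Added example, not from the talk. Typical Extensions directories:
  Windows: %LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\Extensions
  Linux:   ~/.config/google-chrome/Default/Extensions
  macOS:   ~/Library/Application Support/Google/Chrome/Default/Extensions
Each extension lives at <id>/<version>/manifest.json under that root.
"""
import json
import re
import tempfile
from pathlib import Path

# Webmail hosts an email-stealing extension would need to reach.
# Assumed list for this example; extend it for your own estate.
WEBMAIL_HOSTS = ("mail.google.com", "outlook.live.com", "outlook.office.com",
                 "mail.yahoo.com", "mail.proton.me")

# Match patterns that cover every origin.
BROAD_PATTERNS = re.compile(r"^(<all_urls>|\*://\*/\*|https?://\*/\*)$")
# <scheme>://<host>/<path>, where scheme is *, http or https.
MATCH_PATTERN = re.compile(r"^(\*|https?)://([^/]+)(/.*)?$")


def pattern_reaches_webmail(pattern: str) -> bool:
    """True if a Chrome match pattern covers at least one webmail host."""
    if BROAD_PATTERNS.match(pattern):
        return True
    m = MATCH_PATTERN.match(pattern)
    if not m:
        return False
    host = m.group(2)
    if host == "*":
        return True
    if host.startswith("*."):  # wildcard subdomain, e.g. *.google.com
        suffix = host[1:]      # ".google.com"
        return any(h.endswith(suffix) or h == host[2:] for h in WEBMAIL_HOSTS)
    return host in WEBMAIL_HOSTS


def webmail_reach(manifest: dict) -> list:
    """Return every match pattern in a manifest that reaches webmail.

    Manifest V2 mixes host patterns into "permissions"; V3 moves them to
    "host_permissions". Content scripts declare their own "matches".
    """
    patterns = [p for p in manifest.get("permissions", [])
                if "://" in p or p == "<all_urls>"]
    patterns += manifest.get("host_permissions", [])
    for script in manifest.get("content_scripts", []):
        patterns += script.get("matches", [])
    return [p for p in patterns if pattern_reaches_webmail(p)]


def audit_extensions_dir(ext_root: Path) -> list:
    """Walk an Extensions directory and report extensions reaching webmail."""
    findings = []
    for manifest_path in ext_root.glob("*/*/manifest.json"):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, do not crash
        hits = webmail_reach(manifest)
        if hits:
            findings.append({
                "id": manifest_path.parent.parent.name,
                "version": manifest_path.parent.name,
                "name": manifest.get("name", "?"),
                "patterns": hits,
            })
    return sorted(findings, key=lambda f: f["id"])


# Constructed sample manifests (not real extensions). Chrome IDs are 32 letters.
SAMPLE_MANIFESTS = {
    "a" * 32: {"manifest_version": 3, "name": "Constructed: reads webmail",
               "host_permissions": ["*://mail.google.com/*"],
               "content_scripts": [{"matches": ["https://*.google.com/*"],
                                    "js": ["content.js"]}]},
    "b" * 32: {"manifest_version": 2, "name": "Constructed: broad MV2",
               "permissions": ["tabs", "<all_urls>"]},
    "c" * 32: {"manifest_version": 3, "name": "Constructed: benign",
               "permissions": ["storage"],
               "host_permissions": ["https://example.com/*"]},
}


def demo() -> list:
    """Lay the samples out in the Chromium directory shape and audit them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "Extensions"
        for ext_id, manifest in SAMPLE_MANIFESTS.items():
            path = root / ext_id / "1.0_0" / "manifest.json"
            path.parent.mkdir(parents=True)
            path.write_text(json.dumps(manifest), encoding="utf-8")
        return audit_extensions_dir(root)


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding['id']} {finding['version']} {finding['name']}: "
              f"{', '.join(finding['patterns'])}")
```

Run it against a real profile with `audit_extensions_dir(Path(...))`, then review each hit by hand: the check shows which extensions could read webmail from inside the session the talk describes, not whether they do.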

Outlines

00:00

🔍 Introduction and background

The first part introduces the speaker, Tom Lancaster, threat intelligence lead at Volexity, and the topic: how the North Korean threat actor SharpTongue compromises experts, particularly in foreign policy, through carefully crafted phishing. He notes that while much of the conference is highly technical, his talk focuses on the social engineering and phishing the attackers use to get malware installed. He also briefly introduces Volexity and explains that the examples come from monitoring customer networks.

05:01

🎯 SharpTongue's goals and tactics

The second part looks at SharpTongue's targets, tactics and infrastructure. Active since 2012, the group uses many malware families; its main goal is access to users' email, because that is where the most interesting information is shared. They gain mailbox access through credential theft and malware, and they are skilled at reusing stolen mail to phish other users.

10:02

📧 Real-world phishing cases

The third part walks through real phishing cases that show how SharpTongue does social engineering. The attackers mimic the target's normal correspondence, build trust and eventually send an email with malicious content. Lures include requests to submit a paper, organise a meeting or fix an account security problem, and they end with the target downloading or opening a malicious file.

15:02

🛠️ Malware analysis and C2 management

The fourth part covers the malware SharpTongue uses, in particular variants of BabyShark, and how the group manages attacks through C2 (command and control) servers. The speaker describes working with the owner of a server the attackers were using as C2 to learn about their operating practices, including their logging habits and how a help text file instructs the operator to use the different attack files.

20:06

🚨 Defence and outlook

The last part sums up how to defend against SharpTongue and looks ahead. Once a user is infected the malware is hard to remove completely and manual intervention is needed. Users are unlikely to stop handling work email on personal devices, so the defensive strategy has to change instead: build relationships with targeted users and teach them to recognise phishing.

Keywords

💡Threat intelligence

Threat intelligence is the collection, analysis and processing of information about potential threats to help an organisation anticipate, identify, defend against and respond to attacks. In the video, Tom, as threat intelligence lead, discusses phishing against foreign-policy experts as part of that work.

💡Social engineering

Social engineering is the use of interpersonal and psychological manipulation to obtain sensitive information or access. In the video, the attackers use it to get targets to click a malicious link or open a file carrying malware.

💡Phishing

Phishing is a common fraud technique that uses forged emails, websites or other communications to trick users into handing over sensitive information such as usernames and passwords. The video notes that the attackers also use phishing to get malware installed.

💡Malware

Malware is software designed to harm computer systems, networks or users. In the video the attackers install malware by various means to steal the target's email and other sensitive information.

💡SHARPEXT

SHARPEXT is a malicious browser extension for Chrome-based browsers built to steal email data. Because it reads mail from inside the user's already authenticated browser session, the activity looks like the user's own normal webmail use and evades the email provider's anomaly detection.

💡APT attack

APT (Advanced Persistent Threat) refers to long-term, stealthy intrusions, typically by state-sponsored groups, aimed at stealing information or disrupting critical infrastructure. The SharpTongue group discussed in the video is an example.

💡C2 server

A C2 (Command and Control) server is used by attackers to remotely control infected machines. In the video, the attackers use C2 servers to manage and distribute malware and to receive data sent back from infected devices.

💡Baby Shark

Baby Shark is a malware family that hides its intent through letter substitution performed in VBScript. Its capabilities include host reconnaissance and downloading and executing remote files.

💡Threat actor

A threat actor is an individual or group that carries out attacks, with varying motives and goals. In the video, SharpTongue is a specific threat actor focused on foreign-policy experts.

💡Information security

Information security is the practice of protecting information assets from unauthorised access, use, disclosure, disruption, modification or destruction. The video discusses strengthening it through threat intelligence and defences against social engineering.

Highlights

North Korean threat actor SharpTongue targets foreign-policy experts through carefully crafted phishing.

SharpTongue has been active since 2012, uses many malware families and has countless aliases.

The attackers' main goal is access to the user's mailbox, because that is where the most interesting information is shared.

SharpTongue achieves its goals by installing malware through social engineering and phishing.

The attackers build a conversation over a long period so that the victim clicks a malicious link or opens a malware-laden file without suspecting anything.

SharpTongue mimics correspondence patterns the victim is familiar with, sending normal-looking emails to build trust.

The attackers use a victim's email data to phish other users.

SharpTongue's targets include think tanks, educational institutions, journalists and government entities.

The attackers prefer victims' personal email, because that is where the most valuable data is.

SharpTongue uses a distinctive piece of malware, SHARPEXT, that steals mail from within the Chrome browser.

Once a device is infected, it is hard to remove all the malware without manual intervention.

SharpTongue registers websites under its own control for phishing, making the phishing links look more legitimate.

The attackers implemented logging and IP blacklisting on their C2 servers to avoid monitoring and interference.

SharpTongue's payload is typically a variant of the BabyShark malware, encoded by letter substitution.

By building a long-running conversation, the attackers make the eventual phishing harder to guard against than a one-off email.

SharpTongue's goal is inside information on US, EU and South Korean policy toward North Korea, especially during negotiations and when red lines are drawn.

The attackers are willing to invest time in building a conversation, a patience that is uncommon among threat actors.

SharpTongue's social engineering subverts the target's typical workflow, making the attack harder to recognise.

The attackers start with innocuous emails and introduce the phishing content gradually, ultimately infecting the user with malware.

Transcripts

00:04

Hi everyone, my name is Tom Lancaster, I'm the threat intelligence lead at Volexity, and today I'm here to talk to you about a North Korean threat actor that we call SharpPine, and it's about how they basically compromise experts, particularly in the field of foreign policy, through clever phishing techniques. So a lot of the talks at this conference are highly technical and they're about the ins and outs of how malware works, or like particular exploits. This talk does not touch on those things. Ironic for a talk at a conference called Virus Bulletin, there is very little discussion of viruses. Instead we're going to focus on the social engineering and the phishing that these hackers do to install the malware, that ultimately is what they want to do.

00:42

So a little bit of quick background about the company I work for, Volexity. You might be like, hey, how does Tom have access to so much cool stuff? And so to know that you've got to understand a little bit about Volexity. The main reason you may know about the company is from a memory forensics perspective, so the people who wrote the Volatility framework primarily work for Volexity now. We sell commercial solutions around that, Surge and Volcano. We also do network security monitoring and threat intelligence, and the network security monitoring part of the business in particular has a reasonably good customer base in the United States, particularly in the NGO sector, so think tanks, places like that. And the stories I'm going to share with you, the examples I'm going to share with you today, come from our kind of monitoring of customer networks, engaging with customers in that space.

01:31

But before we can get to the kind of interesting phishing techniques the attacker is using, we've got to do some kind of leg work together. So we're going to talk a little bit about who the attackers are, what they want and why they want it. Then we're going to talk about the social engineering and phishing techniques that the attackers use, and then there's a little bit about the infrastructure, some unique insights we have had in the past, in particular into how the attackers managed that infrastructure, some quick overview of the malware, and some outlook and thoughts about what this kind of means for people who are targeted by this threat group.

02:03

So who is SharpPine? So, SharpPine, SharpTongue: you may have realized that the agenda is not the same as what I'm going to use in the slides today, and that's because in the summer of 2023 my organization decided to change all of these threat actor names. And so you can basically ignore the difference between the two, they are the same, do not worry, and we can now move on satisfied that that issue is resolved. So they're a North Korean threat actor active since around 2012. They use a swath of different malware; if you read the APT43 report there's like 100 malware families listed. The most common ones that we see are listed there, and they've got a numerous, an innumerable number of aliases, just like every other threat actor that people talk about. Yeah, if you've read about any of these malware families or these threat actor names before, you'll have a rough idea of what I'm talking about.

02:54

And for the particular stuff we're looking at today, I think it's interesting for any threat actor to think about what success looks like for them, and for this threat actor success ultimately looks like access to a user's mailbox. Sometimes they'll go after other data on the user's machine, but predominantly what they want is the email, because the email is where people are sharing the most interesting information with their peers, particularly in kind of politics and the NGO space. And the way that they get access to users' mailboxes is through two kind of key things. One is credential theft, so that's I send you an email, and eventually maybe there's a phishing link, and that phishing link takes you to a login page for some service, whether it's like your actual work email, Gmail, whatever it might be, and then you enter your credentials and hey ho, the attacker has access. And that's becoming less common for this attacker as a way of doing things, maybe because of adoption of 2FA, maybe for other reasons. And the second kind of key way they could do this is through use of malware, so they can deploy any number of malware families, and they could use like a keylogger to steal all of the user's passwords, and they also have a very clever piece of malware that works within Google Chrome or any Chrome-based browser, called SHARPEXT, which steals the mail from the context of the user's browser.

04:08

And the key outcomes for the attacker are basically they want insights into what the United States, some European Union countries and South Korea are going to do regarding North Korea. So the types of people they're targeting and the information that those individuals hold is likely to be key in times of like negotiations and red lines. So the United States might say one thing in public about their particular stance on what North Korea might do in one scenario, but behind the scenes the United States might actually have like a different red line. Like they say, if you cross this line we'll punish you, but actually the red line might be much, much deeper, and the attackers are interested in knowing what the actual red line is, not the one you say.

04:51

And the second unique outcome, or kind of thing that I don't think I really hear a lot of other people talk about, is that having stolen one user's mail data, they are very good at repurposing that mail data to phish other users. So by phishing one user they gain great insight into what would make good phishing material or compensation material to attack a different user. And to really kind of hammer home the like publications you might have read about the same type of thing, there are a number of those in the public domain, so from Google Mandiant, I think the huness article on the left hand side there is a really good example of what you'll find if you find a user who's been compromised by this group. So yeah, I think there's a lot of previous reporting you can get your hands on.

05:40

Sometimes we're able to gain insights into the types of target the group have, not just within our own customer base but outside of our customer base, and the data in this slide and the next one comes from just one wave of emails, but we think it's relatively representative of the types of targets that this group is attacking. So you can see predominantly it's kind of think tanks, NGOs on the left hand side, the next bar is education, so there are professors at universities who are essentially experts in North Korea, and there are various kind of journalists and government entities as well. And in terms of where those people live, a lot of them are in the United States; they're probably considered one of the key kind of influences in global politics regarding North Korea. And then there's obviously South Korea, which is probably also a very key issue for the North Koreans, and then a smattering of kind of countries around the world as well.

06:38

One thing that's going to come up a couple times in this talk is the differential between targeting a user's personal webmail and their corporate accounts. So many of you in the room might think it's ludicrous that you would use your personal email to talk about work stuff. However, for a lot of the targets of these attacks that is not the case; that is actually the status quo. So particularly if you're a person who is a professor at one university, you also hold a board position at another place, you end up having like five or six emails related to your work, and what you don't want is to log into five or six places. So what these professors and these other kind of professionals and experts do is they try to manage all of their email in one place, which is their personal email, and log into their work email as little as possible. And SharpPine are very good at taking advantage of this. So once they figure out, like, someone's... my work email might be tlancaster at volexity.com, but if they figure out that my personal email is like, I don't know, tlancaster at h.com, they'll target that preferentially, because ultimately that's where the best data is.

07:48

So I said at the start of this talk that this talk is primarily about social engineering and phishing, and so that's what we're going to come on to now. And I think this is a topic worthy of discussion because Volexity tracks a number of different threat actors distributing like different malware, and some of those threat actors are very high sophistication, some of them very low, and when it comes to social engineering SharpPine are relatively good; they're at the top end of the spectrum, I would say. Whereas other threat actors might have the best malware in the world, but if they can't convince the user to install it, or if they don't have an exploit, they're out of luck. And basically what it boils down to is that SharpPine subvert a typical user workflow. So they have a real understanding of how the people they're targeting work on a day-to-day basis. So a typical scenario for somebody who might be targeted is they might receive an email out of the blue; this is something that would happen to them every day. They'll receive an email out of the blue from a webmail account and they'll say, hey, I'm a journalist working at this newspaper, I'd like to interview you on the subject of North Korea-China relations. And that is a normal thing to happen to them, and so the target might reply and say, oh yeah, sure, I would love to do the interview. And then they might say, oh, I'm going to ask you these questions, and they send them the questions document, which is going to contain the questions that I'll ask you during the interview. And all of this is normal, and so the target is quite happy to open the email, and the attackers understand this.

09:18

And the reason they understand this is because they have been doing this for a long time. They've read a lot of email between these people and so they understand what the conversations look like, and they're able to take those conversations and basically replay them back to a different user and get success. And unlike a lot of attackers, the final point is that they're willing to spend time building a conversation. So if you ever talk to a user about what phishing looks like, you might often say, oh, you'll receive an email and it'll contain a suspicious link. But what you won't say is, you'll talk to this person for a month and then at the end of that month they will send you a suspicious link. Nobody is taught to identify phishing that way.

10:01

So in the top left of my diagram here I've got the attacker and in the top right I've got the target, and this is just one example of how it might look. This isn't how it looks every time, and in some of the examples later we'll have cases where the attackers didn't wait for so long, but this is something that can genuinely happen. So the attacker can send an email on day one and it contains no malicious content whatsoever; it just says hello, I'm looking to make a contact, and so on and so forth. The target replies, the attacker replies; this can go back and forth for a while, we can talk about different things, and then eventually the hook is that they're going to send some phishing content, and the result is that the user either has to log into a service, which is a phishing page, or they have to open a file which contains malware. Those are the two kind of end games, but that might take a long time to get to.

10:52

And what they've done very well is they've got these two kind of phishing principles that I think are kind of key to their operations, and I think a lot of attackers are very good at the second one. So I think in the previous slides there was an example of like, you've got to respond to this RFQ, it's like a, you have to do this now. And so a lot of like commodity spam is very good at making people feel time-pressured into responding to a phishing message, but what commodity phishers are less good at doing is making people feel comfortable about responding to that. And by engaging in that conversation first, the attackers are able to make people feel not only comfortable but feel like they have to do it now.

11:30

And so now I've got a series of real-world phishing examples from this group that hopefully illustrate the points I've been trying to make. So we'll start with the simplest possible case, which is sharing a document. So the font's a little small, so I'll just kind of explain what's happening in the emails. On the left hand side the attacker sends an email to the target and it says, hello, did you receive my email from three days ago? And the gotcha is that there was no email three days ago; this is just to see if the person is willing to reply. And then in the second screenshot the target has replied and said, no, I didn't receive your email, what was it about? And then they say, oh sorry, here it is again, and they create an email that looks like it's being forwarded again, and it contains a link to OneDrive which is hosting the malware file. And this is the kind of simplest ruse that the attackers will use.

12:27

Stepping things up to be a little bit more... maybe you think it's kind of lame, that's not what he described. I think this is more along the lines of the type of thing you might have been expecting. So in this case the attacker poses as a researcher at KINU, which is the Korean Institute for National Unification, a Korean think tank that's focused on making sure, or trying to make, unification happen in Korea. And they say, hello, I would like you to submit to an upcoming conference; this is a real event that's happening. Please could you give me an idea of the paper you'd like to submit and your abstract. And the target replies and says, hey, yeah, I'd like to submit, and so on, and they have a little bit of a conversation, and eventually the target says, oh, what would you like me to submit about, what topics do you need covered? And the attacker says, thank you so much for accepting our invitation, we'd like you to choose your paper's topic, but please review our guidelines and code of ethics, and they are once again hosted on OneDrive, with a password this time. And generally password-protecting the content on the OneDrive or whatever it is has become much more prevalent for the threat actor, and I figure that's because they were being kind of thwarted by attempts by Microsoft to detect their malware on OneDrive and other platforms. So now they simply password protect it, meaning the cloud providers are unable to easily detect their malware being hosted there.

13:52

Possibly the best example I have is an example where the attacker proposes an in-real-life meetup between the attacker, the target and a third party. So in this example the attacker says, hello, I am a government official at the embassy of South Korea in Washington DC, and our target also lives in Washington DC but does not know this person. And they say, I'd like you to organize a meeting. They're asking for an introduction because they know that our target knows another person who is visiting Washington DC from South Korea. This is a relatively informed attacker