Shadow brokers: Observations on the EastNets operation notes

Steve Molloy, Incident Response Investigator
May, 2017
14 mins read

Much analysis of the Shadow Brokers dump focused on the tools and target information it contained . However, some of the most interesting insights into the tactics, methods and day-to-day operations of this threat group can be gleaned from the operational notes contained within the dumps. This article explains what was found within them.

When investigated, the files appeared to contain notes describing the operations that enabled the exfiltration of SWIFT data during the alleged breach of the SWIFT Service Bureau “EastNets”. By leveraging previously compromised machines and through deploying advanced persistence mechanisms, the attackers were able to compromise their target network for over a year, harvesting credentials and performing extensive reconnaissance. Subsequently, attackers were able to use simple, automated and standardized procedures to enter those compromised systems, laterally move to their target machine and exfiltrate data while obscuring their activities and minimizing the time spent on the target computers.


The organized and process-driven activity is a key take away from these operational notes. Now these powerful tools are in the hands of hackers around the world, teams of organized cybercriminals can use the tools and operating methods detailed within to perpetrate significant and sophisticated attacks with relative ease, potentially on a scale never seen before.


While many of the more potent exploits and security holes have been neutered by vendors and security products, networks vulnerable to these attacks will still exist for some time. Furthermore, the dump contains tools enabling cyber criminals to obscure their activities once inside a network.


These tools and numerous others do not rely on specific, and therefore patchable, exploits, but instead utilize anti-forensic techniques to ensure persistent infections remain undetected.


Another crucial implication from the data released in this dump is that the group obtained a large amount of SWIFT message data without compromising the SWIFT protocol or the organization itself. It is therefore imperative that organizations handling sensitive data, and at all points in the supply chain, take steps to protect themselves. Here we dissect the “Operation Notes” files, contained in the dump, to extract information about the tools, processes and tactics used in order to find ways for organizations to protect themselves.


Advanced and persistent: a timeline of the EastNets breach

The attackers used several mechanisms and broad-based compromise to maintain persistence within the network. While the notes contained within the Shadow Brokers dump may only provide a partial picture, we are able to determine that the network was compromised at least one year before the exfiltration of bulk SWIFT data. 



Shadow Brokers dump timeline of activities


Fig. 1 — Timeline of the activities described in the six ‘Operation Notes’ files in the Shadow Brokers Dump


In the “VPNFW_Plan.txt” file, which appears to detail an operation taking place in July 2012, we see evidence of exploits being loaded onto a Firewall in the EastNets network. The attacker pivots from this firewall to a machine within the network, and loads an exploit to that machine. Nearly a year later in June 2013, “DSL1OpNotes.txt” shows evidence of 40MB of SWIFT messages being extracted and exfiltrated from that same host, compromised a year prior.


In the intervening notes files, we see internal reconnaissance of the network, credential harvesting, additional machine compromise and privilege elevation using scripts and tools present in the dump, such as ‘Simple’ and ‘ScanSweep’. Several areas of the operation notes detail the attackers dealing with upgraded security software on compromised machines, breaching them again and circumventing the software. This level of active engagement in maintaining persistence is a sign of an advanced and resourceful group.


Overview of an “operation” – How SWIFT data were stolen

In the terminology of the notes found within the dump, an “operation” is a discrete set of activities undertaken to achieve a particular objective or objectives. It appears as though, after the initial compromise of the network, numerous and regular “operations” were launched – either to exfiltrate data or simply as maintenance tasks to ensure the attackers persisted in their access to the network. Here we focus on the operations detailed in “DSL1opnotes.txt” which appears to detail the exfiltration of approximately 40MB of SWIFT message data.


Shadow Brokers attack path to steal SWIFT data


Fig. 2  — An illustration of the attack path used by an attacker, leveraging existing compromised machines


To start the operation, an attacker connects to a previously compromised machine on a third party network. Analysis of both the current and previous dumps indicate a long list of compromised machines around the world in various institutions, in addition to specific implants deployed and exploits leveraged against EastNets’ infrastructure. It can be inferred that the majority of these are used as staging platforms from which to launch attacks on target networks.


Once access has been obtained via the third party machine, the attacker moves to the first target machine within the target network, and again onward to other target machines as needed. At each ‘hop’ during an operation, similar processes (i.e., running scripts to extract data from databases and credential harvesting) are used to gather information and escalate the privileges of the attacker on each machine.


Once access has been successfully obtained to the compromised target, the objectives are executed. For example, data are extracted from the databases on the target machine in batches using pre-written scripts. This data are exfiltrated from the machine using the console connection opened by the attackers to that machine. The attackers then delete the temporary copies of their data, and exit the network, retracing their steps back through each machine and erasing evidence of their presence.


The cyber kill chain of the EastNets breach

Cyber kill chain of the EastNets breach

Fig. 3  — Stages of the EastNets breach mapped across Lockheed Martin's cyber kill chain


Though the Shadow Brokers dump contains scant direct evidence of explicit and specific reconnaissance against the EastNets network prior to the breach, there are many indicators of the work put into the tools, preparation and selection of specific targets within the network. 


For example, in the earliest notes file, we see what may be an initial ingress into the network—the compromise of a firewall and a host within the EastNets network using several exploits and tools contained with the dump. This compromised host is the one from which the SWIFT message data is eventually extracted and exfiltrated, nearly a year later.


Additionally, the following comment is found in another notes file from 2012:


 “** Want [Employee Name] if possible, otherwise just an additional UR in the 10.10.10.X subnet” – from “Important NOTES.txt”


This indicates the targeting of known privileged users within the organization as well as knowledge of the structure of the network. While there is no direct evidence, this type of information could have been procured from publicly available sources such as LinkedIn or Facebook, or alternatively through other previous compromises, social engineering or phishing. 


The sheer length of time the attackers were in the network allowed multiple phases of reconnaissance, feeding back intelligence into multiple future operations. This allowed the honing of tools, the harvesting of credentials and the embedding of sophisticated and robust persistence mechanisms. In our experience, this is a common behavior of more advanced attackers.



Many of the tools released as part of this dump are built into a framework allowing attackers to use exploits across various operating systems and protocols with relative transparency and ease. There is much work in progress across the cyber security world in dissecting and reverse engineering the tools and exploits revealed in this dump in order to understand the security implications of each one. 


However, the organization and automation of the operations detailed here goes beyond the headline exploits and exotic 0-days.


Even the techniques and tools used to remove logs and alter system timestamps are automated, allowing different attackers to ensure they follow the same procedure in multiple breaches over a long period of time. Furthermore, the scripts which are eventually used to extract SWIFT data from the database have been heavily researched, honed and targeted to allow maximum efficiency and success for the attacker during the operation itself. Seemingly every aspect of the operations detailed here has been designed to be as efficient and effective as possible. Techniques have been honed and standardized, allowing attackers to spend less time on the target machines and increasing their success rates.


Delivery, exploit and installation

The attackers took steps to ensure their actions could not be traced, accessing compromised third party machines before accessing their eventual targets. Delivery of the exploits was achieved through a myriad of different tools and techniques. 


A key take-away from the delivery of the malware and exploitation of the machines is the number of different tools and scripts available to the attackers, along with the number of machines compromised and the persistence of their access. These tools will have evolved in the intervening years to operate in even more sophisticated and stealthy ways.


Actions on target

There were many actions undertaken by the attackers on the compromised hosts, from credential harvesting, persistence assurance and data exfiltration. 


Evidence from within the operational notes gives us specific details of the exfiltration of the SWIFT data in 2013. As with much of the operation activity outlined in the notes, this process is semi-automated. The attacker uses a command built into their shell to deploy a SQL (structured query language) file to the target machine, saving it with a pseudo-random filename such as “MSIef7bc.LOG”. In some operations, this file is deliberately named to mimic a deleted file and placed into the Recycle Bin.


Shadow Brokers command to extract SWIFT messages


This file is a pre-made and targeted SQL script designed to query the database containing SWIFT messages, using credentials obtained from previous operations.


This script is then executed, in some cases using an executable named SQLPlus, and allows the attacker to enter the date range for which to extract SWIFT messages, and the output file into which the dump should be saved.


Shadow Brokers SWIFT data extraction command


This level of targeted data extraction from the database is notable for a number of reasons. Firstly, it allows attackers to extract the data with ease. Secondly, extensive research that must have been conducted in order to facilitate its construction. Thirdly, the data are extracted without an exploit, instead using captured credentials from previous operations.


A file matching the behavior of the script seen in the operation notes was included as part of the dump. As expected, it demonstrates intimate knowledge of the structure of the SWIFT message database in order to extract data from SWIFT message tables to a file.


After the extraction of each file from the database, it is copied out of the attacker's shell to their own machine.


Data copied from attacker shell to own machine


This process is repeated by the attacker using different date ranges to exfiltrate several months’ worth of SWIFT data.


Once the data have been removed from the host, clean-up again is automated, using a script entitled “Scrubhands”. Analysis of this script shows that it removes traces of the attacker’s activities such as wiping logs, copying logs to the attacker’s machine and erasing them from the target.


The systematic infiltration is mirrored during clean-up, with the attacker exiting from each “hop” and cleaning their tracks before retreating to the previous machine.


Conclusions: how to defend yourself

Understand you don’t need to be a target to be breached

Threat actors have long been known to use third party networks to obscure their activities and muddle the task of attribution of data breaches. With direct evidence shown in these operation notes of those tactics in action, it is even more crucial than ever that all organizations understand the threats against them. Just because you’re not guarding the Crown Jewels, doesn’t mean someone doesn’t want to break in.


Update your detection and response capabilities

Three years is a long time in the world of cyber security, yet the tools and techniques used here seem advanced now. (n.b. This article was originally written in 2017.) Despite the efforts of security vendors, these tools provide potent and effective techniques for the breach of your network, and are now in the public domain. Hardening your network against these specific tools is absolutely imperative.


F-Secure Consulting’s managed detection and response service Countercept has developed a detailed analysis and automated script to enable organizations to scan their networks for the DoublePulsar implant.


Beyond this, understanding the threats that have developed since 2013 is even more important. Given the advanced nature of threat groups such as the one behind this breach, traditional detection methods such as searching the estate for basic Indicators of Compromise will not provide adequate protection against the advancement in the tools, techniques and sophistication of threat actors.


Target detection of persistence mechanisms

One of the most telling aspects of the EastNets breach is the sheer scale of the timeline involved. The level of persistence of access enacted by the attacker was extensive, and would absolutely have left behind distinct evidence of the mechanisms used to enable this persistence.


By analyzing the general characteristics of the malware or tools used, such as how persistence is achieved across the network, patterns can be identified to assist in the endeavor of detecting this kind of advanced activity.


It is essential that uncommon persistence mechanisms are taken in to account and monitored, as it is becoming more commonplace to move away from conventional methods like Run keys and services in favor of more stealthy techniques, especially in more advanced types of attack.


Monitor your endpoints and analyze memory

Some of the exploits used in the EastNets breach utilized advanced techniques to operate and persist mostly as in-memory malware. F-Secure Countercept’s analysis of the PeddleCheap implant shows how it exists and runs in memory, along with how it can be detected.


In-memory and “file-less” malware is one of the most common techniques seen in the most advanced and effective attacks. Sophisticated toolsets such as these are becoming increasingly common, including within organized crime groups, and render traditional endpoint protection and detection ineffective. Advanced memory analysis and full aggregation of host activity across the network must be undertaken to attempt to detect today’s emerging threats.


Countercept has released a whitepaper outlining the importance of memory analysis at scale across the enterprise in modern attack detection: Countercept’s research driven threat hunting and monitoring services can assist organizations to detect persistent threats across their estates.


Conduct periodic compromise assessments or hunting sprints

Attackers using these tools and techniques will aim to exploit systems with unknown vulnerabilities. With motived and creative attackers, preventing the initial breach may be impossible. However, in order to accomplish their objectives, attackers must move around the network and even the stealthiest attacker makes some noise.


At a minimum, performing detailed compromise assessments or hunting sprints periodically can check for exploited vulnerabilities which were unknown during the previous assessments, as well as detect the footprint of an attacker moving through your network. Only with constant scanning, research and deployment of cutting-edge attack detection techniques can organizations hope to uncover today’s sophisticated and advanced attacks.


Specific Recommendations:

  1. Analyze suspicious kernel Drivers. Across the suite of tools used by the attackers, one of the more common persistence mechanisms used for exploit modules are kernel drivers. Modules such as FlewAvenue, KillSuite and SentryTribe all operate in this way.
  2. Understand how WinSock Helper can be used. This is achieved by replacing the Data entry 'wshtcpip.dll' to one of the malicious DLL. This can be found in the registry key/value: 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameter\Winsock\HelperDllName'. This can be seen in the module PeddleCheap.
  3. Understand PeddleCheap’s possible persistence mechanisms, such as the inclusion of the DLL within the ‘HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WindowsAppInit_DLLs’ registry value.ise
  4. Monitor suspicious outbound network activity. Implants deployed will call back to Command & Control (C2) infrastructure, so any persistent connections to unknown or uncategorized IP addresses or domains should be followed up.     
  5. Monitor internal network communications. Tools such as ScanSweep were used to scan subnets as part of an internal reconnaissance effort, monitoring for surges in network traffic over a specific port originating from a single endpoint would have acted as an early warning sign in this case.
  6. Use host-based firewalls to reduce attack surface. Whilst protocols such as SMB need to remain open on servers, there is no need for many of these protocols to be open on normal workstations. Reducing this attack surface reduces the opportunity for lateral movement and helps focus attack detection most effectively. 
  7. Regularly conduct thorough compromise assessments using research-driven threat intelligence.
Accreditations & Certificates

F-Secure Consulting (F-Secure Cyber Security (Pty) Ltd) is a level 4 contributor to B-BBEE with a procurement recognition level of 100%. Learn more and download our B-BBEE certificate. Click here to read the press release.

Follow us
@fsecure_consult F-Secure-Consulting f-secure-foundry fsecurelabs