operator
ChainsTTPsBlogLogin
menu
Prelude chain browser

PolarCalm

Insert code into a Python library to emulate a supply chain attack. Whenever someone calls the targeted library a Schism agent will be downloaded from Github and loaded directly into memory. When finished, simply add the fact "clean.now" with any value to remove the inserted code from the targeted library.

2022-03-08

/static/assets/apple-logo.svg/static/assets/linux-logo.svg/static/assets/windows-logo.svg
Professional
This is a professional attack chain. A professional subscription automatically gives you access to this chain + 50 more, with direct integration inside of Operator.info
Authors:bartimus

TTP Tuesday: APT29 - US Think Tanks and Non-Governmental Organizations

Emulating Cozy Bear's (APT29) supply chain attack.

Theme Overview

Last week Octavia disarmed the SeaDuke malware so it could be included in the chain that emulated the 2016 DNC Hack.

This week has an increased scope, but we would be remiss if we didn’t draw some ideas from the notorious SolarWinds attack. There were two key things that made the SolarWinds attack special. The first was just the massive scope of the attack, which would have gone on much longer if FireEye itself wasn’t targeted by the attack. The second was that the attack used a supply chain as its initial access. An attack that target’s a supply chain is extremely efficient since the attacker’s return on investment is multiplied by the number of consumers of the product. Emulating this type of attack is quite difficult; it often requires access to the manufacturing facility, whether that be software (like in the SolarWinds attack) or hardware.

Supply Chain

Deciding what supply chain to target and how to accomplish the goal took some extra time. In the end, we decided to go with targeting Python libraries. Python is widely used and we have already have a Python agent available called “Schism”. To replicate the supply chain attack, we can insert code directly into a Python library that is loaded on the machine. This allows the added code to be executed every time someone uses the targeted library.

Inserting code into a library is about as close as you can get to the supply chain without actually targeting it. To keep what we are doing a secret, we ensure that the targeted library continues to function as expected while spawning our agent in the background. We then orphan the agent process so it will continue running after the user is finished. Some small changes were made to Schism to help spawn it directly into memory and not write anything to disk. The final step in the chain is to clean up the changes we made to the library. The chain will wait for the fact “clean.now” to be inserted into Operator. This will reverse the changes made to the source code so that you don’t need to do it yourself.

Watch a demonstration: APT29 PolarCalm

Staying up to date

Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!

There are several ways to follow us and learn more about Prelude and our team members:

Get our products

Download Prelude Operator: https://www.prelude.org/download/current
See the latest kill chain and TTP Releases: https://chains.prelude.org/
See our open-source repositories: https://github.com/preludeorg

Join our community

Discord: https://discord.gg/gzUv4XNquu
Reddit: https://www.reddit.com/r/preludeorg/
Twitter: https://twitter.com/preludeorg

Read, watch, and listen

Listen to our Podcast: https://anchor.fm/preludeorg
Read our blog: https://feed.prelude.org
Watch our live streams: https://www.twitch.tv/preludeorg
Watch our pre-recorded content: https://www.youtube.com/c/preludeorg

Follow our team

David: privateducky
Alex: khyberspache
Kris: Xanthonus
Octavia: VVX7
Sam: wasupwithuman

Source: https://feed.prelude.org
Read more

Execute this chain

Download Operator (1.7.1)
Learn about Operator

TTPs

Insert Schism Loader
Remove Schism Loader

Tactics

User-Set Custom Variables

  • target.lib: requests
  • clean.now: 1
Other chains in this theme
ExBox

2022-03-29

/static/assets/windows-logo.svg
Emulating RNC hack in 2021
APT29 COVID-19 Vaccine Data

2022-03-22

/static/assets/linux-logo.svg
Emulating APT29's WellMess malware targeting vaccine research.
Operation Ghost

2022-03-15

/static/assets/linux-logo.svg
Emulating APT 29 malware loader via steganography.
APT29 Democratic National Committee

2022-03-01

/static/assets/windows-logo.svg
Emulating Cozy Bear's 2016 Democratic National Committee hack.
About PreludePrelude hardens an organization's defenses by continuously “asking” it questions through the form of safe cyberattacks. These attacks respond immediately to the latest vulnerabilities and cyber events, turning complex technical descriptions into deployable “questions”.Our mission is to increase the reach, frequency and usage of advanced security for all organizations.
twitterFollow @preludeorg on Twitter for new chains and more.
discordJoin the Prelude Discord to discuss chains and more.
githubKeep up to date with code changes and community activity on Github
operator
preludesecurity.comCareersTactics & TechniquesAttack themes
Privacy Policysupport@preludesecurity.com© 2023 Prelude Research, Inc.All rights reserved. Prelude, its logo and other trademarks are trademarks of Prelude Research, Inc. and may not be used without permission.