Insert code into a Python library to emulate a supply chain attack. Whenever someone calls the targeted library, a Schism agent will be downloaded from GitHub and loaded directly into memory. When finished, simply add the fact "clean.now" with any value to remove the inserted code from the targeted library.

TTP Tuesday: APT29 - US Think Tanks and Non-Governmental Organizations

Emulating Cozy Bear's (APT29) supply chain attack.

Theme Overview

Last week Octavia disarmed the SeaDuke malware so it could be included in the chain that emulated the 2016 DNC Hack.

This week has an increased scope, but we would be remiss if we didn’t draw some ideas from the notorious SolarWinds attack. Two key things made the SolarWinds attack special. The first was the massive scope of the attack, which would have gone on much longer if FireEye itself hadn’t been targeted. The second was that the attack used a supply chain as its initial access. An attack that targets a supply chain is extremely efficient, since the attacker’s return on investment is multiplied by the number of consumers of the product. Emulating this type of attack is quite difficult; it often requires access to the manufacturing facility, whether that be software (like in the SolarWinds attack) or hardware.

Supply Chain

Deciding what supply chain to target and how to accomplish the goal took some extra time. In the end, we decided to go with targeting Python libraries. Python is widely used and we already have a Python agent available called “Schism”. To replicate the supply chain attack, we can insert code directly into a Python library that is loaded on the machine. This allows the added code to be executed every time someone uses the targeted library.

Inserting code into a library is about as close as you can get to the supply chain without actually targeting it. To keep what we are doing a secret, we ensure that the targeted library continues to function as expected while spawning our agent in the background. We then orphan the agent process so it will continue running after the user is finished. Some small changes were made to Schism to help spawn it directly into memory and not write anything to disk. The final step in the chain is to clean up the changes we made to the library. The chain will wait for the fact “clean.now” to be inserted into Operator. This will reverse the changes made to the source code so that you don’t need to do it yourself.
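
A defender-side check for the library tampering described above, as an added example that is not part of the original post or of Prelude's chain: it compares installed files against the sha256 entries in the package's `.dist-info/RECORD`, which pip writes at install time. The package `demo_pkg`, its contents and the helper names are constructed for illustration.

```python
import base64
import csv
import hashlib
import tempfile
from pathlib import Path

def record_digest(data):
    """Digest in wheel RECORD form: sha256=<urlsafe base64, padding stripped>."""
    raw = hashlib.sha256(data).digest()
    return "sha256=" + base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def verify_record(dist_info):
    """Return (path, reason) for each installed file that no longer matches RECORD."""
    findings = []
    with open(dist_info / "RECORD", newline="") as fh:
        for row in csv.reader(fh):
            if len(row) < 2 or not row[1]:
                continue  # RECORD itself (and .pyc entries) carry no hash
            target = dist_info.parent / row[0]  # paths are relative to site-packages
            if not target.is_file():
                findings.append((row[0], "missing"))
            elif record_digest(target.read_bytes()) != row[1]:
                findings.append((row[0], "modified"))
    return findings

def build_sample(root):
    """Constructed stand-in for an installed library (hypothetical name demo_pkg)."""
    pkg, info = root / "demo_pkg", root / "demo_pkg-1.0.dist-info"
    pkg.mkdir()
    info.mkdir()
    src = b"def get(url):\n    return url\n"
    (pkg / "__init__.py").write_bytes(src)
    rows = [["demo_pkg/__init__.py", record_digest(src), len(src)],
            ["demo_pkg-1.0.dist-info/RECORD", "", ""]]
    with open(info / "RECORD", "w", newline="") as fh:
        csv.writer(fh).writerows(rows)
    return info

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        info = build_sample(Path(tmp))
        before = verify_record(info)
        with open(info.parent / "demo_pkg" / "__init__.py", "ab") as fh:
            fh.write(b"\n# constructed marker standing in for inserted code\n")
        after = verify_record(info)
    return before, after

if __name__ == "__main__":
    print(demo())
```

Point `verify_record` at the `.dist-info` directory of the library being checked. Anyone who can edit the library can also edit RECORD, so a clean result is stronger when RECORD is itself compared against a copy taken at install time.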

Watch a demonstration: APT29 PolarCalm

Staying up to date

Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!

There are several ways to follow us and learn more about Prelude and our team members:

Get our products

Download Prelude Operator: https://www.prelude.org/download/current
See the latest kill chain and TTP Releases: https://chains.prelude.org/
See our open-source repositories: https://github.com/preludeorg

Join our community

Discord: https://discord.gg/gzUv4XNquu
Reddit: https://www.reddit.com/r/preludeorg/
Twitter: https://twitter.com/preludeorg

Read, watch, and listen

Listen to our Podcast: https://anchor.fm/preludeorg
Read our blog: https://feed.prelude.org
Watch our live streams: https://www.twitch.tv/preludeorg
Watch our pre-recorded content: https://www.youtube.com/c/preludeorg

Follow our team

David: privateducky
Alex: khyberspache
Kris: Xanthonus
Octavia: VVX7
Sam: wasupwithuman

Source: https://feed.prelude.org

Execute this chain

Download Operator (1.7.1)
Learn about Operator


Insert Schism Loader
Remove Schism Loader

User-Set Custom Variables

  • target.lib: requests
  • clean.now: 1