In this in-depth Threatpost podcast Christoph Hebeisen, who leads the Security Intelligence Research Division at Lookout, shares a behind-the-scenes look at how his team discovered and tracked three never-before-seen surveillanceware tools, dubbed SilkBean, GoldenEagle and CarbonSteal.

Hebeisen walks listeners through what these new tools are and how they were used in a seven-year-long surveillanceware campaign against the Uyghur ethnic minority group. Also discussed are the threat actor’s methods and procedures and why the mobile landscape is becoming a popular target for advanced persistent threat actors.

Below find a lightly edited transcript of this podcast.

Lindsey O’Donnell-Welch: Hi all, this is Lindsey O’Donnell-Welch with Threatpost, and I’m here today talking with Christoph Hebeisen with Lookout about a new surveillance campaign that Lookout researchers recently uncovered earlier in July. So just for some background, Christoph leads the Security Intelligence Research Division at Lookout. And in this role, he oversees the company’s suite of research activities like covering malware, device compromises, network threats, phishing and threat intelligence services. So, Christoph, thanks so much for joining us today. How are you doing?

Christoph Hebeisen: I’m doing fine. Thank you.

LO: Good. Well, we really appreciate you coming onto the show today and talking about this new surveillanceware campaign. So Lookout discovered it uses kind of a slew of Android surveillance software tools to spy on an ethnic minority group called the Uyghurs. And this campaign was only disclosed last week, but it goes all the way back to 2013. So tell us a little bit about the story behind the scenes here from the perspective of Lookout’s research team, what was kind of the process of uncovering this campaign and really getting into it and analyzing it. And you know, when did it really first appear on your radar?

CH: Yeah, this is actually a very fascinating story, because we found various pieces of surveillanceware over time, but we didn’t initially realize that they were all connected, and were all coming from the same actor. We have certainly been tracking this since 2015. We have samples in our database that, as you said, go back to 2013 and actually all the way back to 2012. But we think that those are probably test samples. So we pegged the start of the actual campaign to 2013. There’s a little bit of fuzziness in that.

The campaign really started to take shape in our view of all of this in late 2019, when we were looking into the SilkBean family in particular. When we started looking deep into the infrastructure involved in SilkBean, we found many connections to the other malware families involved in this, and this whole web of interconnections started to unravel. And that is when the campaign took shape for us. That said, the malware families individually we had known about for a long time; we hadn’t talked about them publicly, because it wasn’t such an interesting story while they were all standing in isolation.

LO: No, that’s really interesting too. And I know that there have been a couple of different spyware Android tools that were wrapped up in this as well. So how did the campaign really evolve over time?

CH: So as I already mentioned, the earliest samples started showing up in 2012, and we believe that the production samples that were actually used in the campaign are from 2013. The same year, in 2013, Citizen Lab actually reported on a single malware family sample being used against the Tibetan government in exile. And we later connected that sample to the DoubleAgent family, so we know there was activity there. At that time, we saw a great spike in activity actually in 2015, 2016, which kind of aligned with a new national security law that China issued at the time, and also what they called an anti-terrorism campaign that got started in 2014. So that’s an interesting correlation to see there.
