New Threat Actor “Grayling” Blamed For Espionage Campaign

Cyber Security Threat Summary:
Security researchers have revealed evidence of a newly discovered APT group that primarily targeted Taiwanese organizations during a cyber-espionage campaign spanning at least four months. Known as "Grayling" according to Symantec, this group initiated their operations in February 2023 and persisted until at least May 2023. Their focus was on pilfering sensitive data from various sectors, including manufacturing, IT, and biomedical companies in Taiwan, as well as victims in the United States, Vietnam, and the Pacific Islands. The group employed DLL sideloading by utilizing the exported API "SbieDll_Hook" to load tools like the Cobalt Strike Stager, which subsequently led to the widely-used post-exploitation tool known as Cobalt Strike Beacon. Additionally, they installed "Havoc," an open-source post-exploitation command-and-control (C2) framework, similar in function to Cobalt Strike. Grayling's tactics involved the use of the publicly available spyware tool NetSpy, the exploitation of a legacy Windows elevation of privileges vulnerability known as CVE-2019-0803, and the downloading and execution of shellcode, as detailed in the report.

Security Officer Comments:
The absence of data exfiltration from victim machines doesn't rule out the likelihood of intelligence gathering, according to the security vendor. Grayling, like many APT groups today, blends custom and publicly available tools to operate stealthily. Havoc and Cobalt Strike are favored for their extensive post-exploitation capabilities, often chosen over developing custom tools. This use of public tools complicates attribution for investigators. Grayling's actions, such as process termination, emphasize their commitment to staying hidden. While the vendor didn't explicitly attribute Grayling to a nation-state, their targets align with China's geopolitical interests.

Suggested Correction(s):

  • Organizations can make APT groups’ lives more difficult. Here’s how:
  • Defense-in-depth strategy: A comprehensive defense-in-depth strategy is crucial to combat APTs. This includes implementing multiple layers of security controls, such as strong perimeter defenses, network segmentation, endpoint protection, intrusion detection systems, data encryption, access controls, and continuous monitoring for anomalies.
  • Threat intelligence and sharing: Ideally, organizations should actively participate in threat intelligence sharing communities and collaborate with industry peers, government agencies, and security vendors. Sharing information about APTs and their techniques can help detect and mitigate attacks more effectively.
  • Employee education and awareness: Regular security awareness programs, phishing simulations, and training sessions can educate employees about the latest threats, social engineering techniques, and safe computing practices.
  • Incident response and recovery: Despite preventive measures, organizations should have a well-defined incident response plan. This includes incident detection, containment, eradication, and recovery procedures to minimize the impact of APT attacks and restore normal operations.