Recently on the Decipher podcast, Dennis Fisher talked with Juan Andres Guerrero-Saade, senior director at SentinelLabs, about the investigation into the new Metador APT group. This is a condensed and edited version of the conversation.
Dennis Fisher: Juan gave a killer presentation at to LABScon, which was two weeks ago now. So this was on the Metator APT, which you and some of your colleagues discovered, I don't know, I'll let you go through the timeline, but it's one of those really interesting research projects where I was reading through the 30-page PDF that you guys produced and I got to the end, I was looking for the attribution part. And the attribution part is usually pretty long and it says like, ‘we kind of think this, we kind of think that.’ This could have just been a shrug emoji. You guys were like we don't really know, honest to God, we don't know, we're not being coy. We don't know if this is an intelligence agency, if it's Russia, if it's China, if it's Iran. We just don't know. I mean you've been doing this a long time. Is this the first time you've really come up against an actual brick wall like that? I know you ran this by your colleagues at other places and stuff and nobody really pointed a finger in any one direction.
Juan Andres Guerrero-Saade: I wouldn't say it's the first time we hit a brick wall. They are rare though, right, and there's some that stick with you so when we published Metador, when it went live, Costin Raiu, a friend of both of ours and very much a mentor to me, he actually led off with a list of top 10 unattributed APTs, and I don't doubt Costin, when I say that we think about these at least once a month. Where you're just like what the hell was that thing? So Wild Neutron/ Morpho/Butterfly; whatever you want to call them, that was sort of one of the big question marks along the way and there's been several. So Costin and I tend to go backwards every once in a while, and play a little bit of cyber paleontology, and sometimes you do get answers after the fact, but cases like Metador, I don't know. I don't know that we'll get an answer but I hope that we do. But there's all kinds of issues tied into this one including collection capabilities, telemetry and a lot of complications that I think are more worrisome than the attribution itself.
Dennis Fisher: Okay, so let's start from the beginning. How did you and your colleagues get onto this case in the first place?
Juan Andres Guerrero-Saade: So it's been an interesting one, right? It's been a ride for quite some time, I want to say since end of 2021, beginning of 2022, but essentially there's this fantastic analyst in our team - Amitai Ben Shushan Ehrlich - over in Israel and he does a lot of hunting for Iranian APTs among other things. And so we get a new customer rolled on, they are quickly identified as what you might call a “magnet of threats,” which is a euphemistic way of saying like this is a really desirable target, to the point where you see a half dozen APTs sort of sitting on a box. That was popularized when Equation Group was discovered, it was discovered this way - You have this amazing target and everybody wants to be on there and they start to fail at what we tend to refer to as deconfliction, which is to say normally a high-end APT doesn't want to be on the same target as others because they might get rolled up inadvertently, if there's a really careless Chinese APT that kind of lets the victim know that they're hacked, then everyone else on that box gets caught at the same time. So normally you don't want that. With this particular customer, a telco, I think Amitai found something like 10 APTs, and so you had four Iranian ones and five Chinese ones, and then one sort of mystery one sitting in between. And that's really how once again, the failure of deconfliction, it's how you end up tripping over the first sighting of Metador, of this entirely different threat. So we should address attribution at some point because it isn't completely a question mark. But it was very much kind of a stumping moment. We were like well this clearly doesn't look like the Chinese or Iranian ones, so what are we dealing with?
Dennis Fisher: So in those cases where you've got multiple actors on one target, whether it's a machine or network or whatever, how do you go about – yourself as an analyst - separating them and saying okay, we know who this is, who this is, we don’t know who this is.
Juan Andres Guerrero-Saade: There's a couple of complications there and it's really going to come down to the telemetry that you're playing with, so we have the benefit of having our product on there. So the way that - I really hate sales pitching and I'm really not trying to go into it - But at least the way that our XDR works, it is actually creating these little storylines about what process started what, and communicated with what, and start what other things. So it takes some of the difficulty out of it in the sense that we can at least look at it and go, okay this component started that other component that connected to that other infrastructure that downloaded that component. So in a sense you have some segmentation where you can say okay, these components are from this one APT. What is that one APT? And then these other components are from this other APT. But usually a lot of the mystery is, it's like a plate of noodles and you're trying to figure out whose stuff is what, and what starts what component, and who owns this piece. And you spend a lot of time just sort of sifting through stuff and making sure that you can at least put a stake of ownership - Even if you don't know whose it is - you can at least say all of these belong to that one group. So that's a lot of the time. That's what we spend the most time on. And then let's be honest, it's not all rocket surgery. The Chinese ones are fairly easy, Chinese APTs are hard to tell apart from each other but they're not hard to to notice as Chinese APTs right? Like they're all using very similar tooling. With the Iranians what you tend to get is a fairly defined signature of what each of those Iranian APTs are. So after a little bit you go okay, well this is MuddyWater for sure. It gets harder when you get to Metador.
“I like to think of them as sort of like very pragmatic, which is interesting because normally when you deal with a well-resourced APT they tend to suffer from a rich kid syndrome.”
Dennis Fisher: Okay, so you start seeing this weirdness and you're like okay, anybody have any ideas what this is? Have you seen this tool before, have you seen this behavior before, at what point do you decide, well I guess this is a wholly new thing that we've never seen.
Juan Andres Guerrero-Saade: So I think we got there I won't say relatively quickly but every component of what makes up the Metador attack chain is very distinctive. So they're very very clever. I like to think of them as sort of like very pragmatic, which is interesting because normally when you deal with a well-resourced APT they tend to suffer from a rich kid syndrome. You know that daddy's going to buy you a new exploit, you're going to get a new framework, so you use all the shiny tools and and you don't care if you lose access to it, if you crash the new car daddy's gonna buy you a new one. Metador is very interesting in that they're very pragmatic. I think they realize that rather than burning a ton of 0-days or trying to find some ways to start off their attack in a way that won't get noticed because it's so novel, instead they went for what we normally refer to as a LOLBin - which is to say a living off the land binary - which is pretty funny. But a very unusual one, so I'd never seen this one before, it was documented in 2016 but essentially there's a Microsoft debugger that lets you essentially load some arbitrary shell code into a process that you're debugging, and that's not to lose the general audience but it's just to say, look these guys they really dug deep and they found something that not only let them kick off their attack chain, but it's a Microsoft binary, that I think right there and then you're kneecapping Microsoft Defender, you're kneecapping a lot of native security solutions that you kind of consider it unthinkable to just arbitrarily block a Microsoft signed binary. So I'm pretty sure that I would personally stake in this sort of world of totally arbitrary percentages that 75 percent of their success comes from just being that inventive with that very first stage that lets them load right into memory. So with that, instead of having some super expensive trampoline into Kernel Memory exploit blah blah, instead this one little nifty trick just kind of catapults them right out for where most products wouldn't see them.
Dennis Fisher: That living off the land technique, it's not new, but lots of groups use it. What’s the defensive strategy for detecting that? Like you said, your product, other products, Microsoft Defender are not going to block a binary that's signed by Microsoft and is a legitimate part of Windows or some other component.
Juan Andres Guerrero-Saade: I think that there's always a complicated calculus there, and let me put this on the most selfish terms. I've worked in different AV companies for some time. I think the only truly fireable offense is to DDoS or essentially cripple your customers. So if you think that somebody, some cowboy is going to go all gung ho and decide to arbitrarily block a Microsoft certificate or a common binary, you're very much mistaken. Like that's one of the few things that will get you packed up and walked out of the office. So it's not to belittle anyone, including the Defender folks, but it's a very complicated question: How many folks are actually using something that you consider esoteric. Hey, maybe Chrome is finding some way to use this or maybe there's a really important part of the operating system that relies on this one binary that you haven't thought of, there is extensive testing and there's still a lot of fear that goes into blocking something like a LOLBin or some very native whitelisted process. And these guys, they're not the ones who invented this, I think LOLBins are very well documented, and they're very well used. But I think they found a crucially valuable one that nobody else was exploiting, like we haven't found anybody else using this thing.
Dennis Fisher: That's interesting because a lot of these - and obviously I think you guys were the first ones to expose them, at least as far as any of us know - and a lot of these teams tend to be copycats, if they see something that works, that other teams might adopt it, so I don't know, maybe maybe we'll see that soon.
Juan Andres Guerrero-Saade: I'm afraid so, like that's one of those things that you, as an analyst, you bang your head against the table. You're like okay well we found this thing, it was very hard to deal with, now we're going to talk about it and you can bet that someone else is going to start trying to use it. So in a sense it is also a pressure moment to say, okay, how well are we handling this? Are we ready for others to kind of do the same abuse? And at least on our end I think we feel a little more confident having dealt with this, but… you always go, hey let me be honest, right, how about everybody else that doesn't use our product? And that's part of why you have those discussions, I think there's this idea that we're all in this tooth and nail like barbaric competition with each other for market share. It doesn't really work that way. We hit up Kaspersky because we thought Metador was abusing their product. It turns out they weren't. We also thought they were abusing our product. That was kind of a complicated discussion there. But ultimately they weren't in the way we thought. You talked to Microsoft, you talked to everybody and you go, hey guys look; this is our finding, we trust all of you, nobody's going to sort of run for the hills with it - at least most people won't - look, go protect your customers and hey, if you can share some telemetry with us that would be great. And you get some fantastic collaborators along the way, some of them are cool being named, some of them are not. But for example, Kaspersky, after figuring out that their product wasn't being injected into it - because, I don't want to kind of spiral into the technical details but - one of the one of the alternate ways that the backdoor could load itself is called “kl injected” and because it's so obfuscated at first we were like, is this Kaspersky Labs product being injected into? It turns out that it's not, it was an old reference to a keylogger being injected, but that led us right off the bat to be like hey industry partner, look at this thing, figure out if it's messing with your product, also, if you happen to see any more of this, like please let us know, and it's what reinforced this notion of Metador as a mystery, it wasn't a mystery to us, it was a mystery to the larger industry. After knocking on enough doors, both in private sector, industry partners and also friendly governments. We just kept coming out with this sort of bigger and bigger question mark, until now. I mean it remains very much a mystery to us.
“After knocking on enough doors, both in private sector, industry partners and also friendly governments. We just kept coming out with this sort of bigger and bigger question mark.”
Dennis Fisher: So when you guys go and you have those private discussions with other threat intel teams or government agencies or whatever, did any of them come back and say oh now that we've gone back and looked at our telemetry or looked at our logs, we found them here, we found some indicators of activity eighteen months ago.
Juan Andres Guerrero-Saade: Normally they would, and that's part of the rewarding part of sharing with friends and partners. In this case I think there were two entities - two private sector entities that will remain unnamed at their own discretion - who were very kind enough to say look, here's some network telemetry and here's a few other infections. But it was very very limited. I mean we're talking about all kinds of organizations that have - between all of us you can really blanket a great deal of the network and endpoints of the planet - and to have them all come back and say here's a couple of puffs of smoke in this particular part, in that particular part, makes it all the more unusual. To us, that either signifies A, an incredibly careful selective targeted attacker that is going after very, very, very, very few targets, which is a possibility, and very likely a factor; but B, also an actor that has figured out how to dance around defenses so well that they're really not tripping any sort of tripwires or mines anywhere… because what we saw on our end was a careful actor but it wasn't one that was so easily spooked that they would run away at the first sight of of a defensive measure. So if you were there, for us, we have enough indications that this particular victim that we were working with had been infected likely since 2020. So overall you're talking almost two years and there were attempts to modify the infection chain when they saw SentinelOne get deployed, so they didn't run away right away. So when you look at that, yes, it's likely that they're very targeted, but I think that they're just getting to live quite comfortably in their targets and they're not getting caught and that's what makes it scarier. That’s what makes this, sort of the shark fin breaking out of the water analogy we were talking about, where it's like, it's not just that you saw that shark fin, it's that if you're in the water, it's a very terrifying sight and you go I'm clearly unprotected and very concerned.
Dennis Fisher: So I have two follow up questions on that, one is, could it be, since there's not that much knowledge on them yet - you haven't seen that many indications across - could it be that they're just relatively new? I mean you mentioned 2020, that doesn't make them brand new, but some of the APTs you've been following are 15 years old.
Juan Andres Guerrero-Saade: I doubt that these guys are 15 years old, and I really doubt that they're only two years old. One thing that I'll point you at is one of the two major frameworks they were using- which they call Mafalda - Mafalda was on build 144 on the earliest one we'd seen. So I don't know how rapid their development process is, but it's just to say, there's kind of an established history there. MetaMain, which we called it that, but it's sort of the main loading platform that they were using, the thing that ended up loading Mafalda, was built in such a way that to me suggests a great deal of experience. I think there's also a great deal of experience going into the handling of the command-and-control servers, which is what made it so hard for us to figure out the breadth of their operations. So let me put it this way, I don't know how old Metador in particular is as a group, but I think that there's a great deal of wisdom and experience going into the folks involved. Whether it's some of the operators or some of the developers. And it's why I allowed myself a completely unrigorous comment in that report, but I basically said, look, on a complete hunch it’s very likely these are contractors. And from an intel perspective that is a complete no no, but I don't work for any particular intelligence agency, so I'll allow myself to be unrigorous every once in a while and just say, look, to me between the folks we've talked to, and the things we're seeing, I wouldn't be completely surprised if we ended up - in a world of perfect information - if we found out that it's a Project Raven style, DarkMatter style situation where you get a few very smart, very capable developers and operators who decided they wanted to make more money and they're working for someone else at this point, and there’s a lot that falls on that line of thinking, but I won't get ahead of myself on that.
“So let me put it this way, I don't know how old Metador in particular is as a group, but I think that there's a great deal of wisdom and experience going into the folks involved.”
Dennis Fisher: Okay, so that was my second follow-up question; that line jumped out at me when I read the report, and I think you guys mentioned it in your presentation but you didn't really dwell on it, in the way that you just described their activities and the way that they didn't get scared off when your product was deployed, they didn't run for the hills kind of led me as a complete amateur to think well, maybe it sounds like this is a group of people that may have had some defensive experience too. They may have been on the other side of the ball at some point, and know how defenders think. Or they’ve just learned by watching over the years, I'm not sure. That's what jumped out to me reading it and listening to you guys talk about it the other day.
Juan Andres Guerrero-Saade: Yeah, there's definitely experience there. There's a few different things that - I hate publicizing the techniques that make life hard for us, but I also kind of have to point at them for the sake of being appraised of the actor and sort of understanding how they operate - but there's things in the way that they handled their infrastructure, the way they segmented the victims, even some of the tooling that goes into the way that MetaMain works. For example, you as an operator on a target that's been infected with MetaMain, you have the option to deploy Cobalt Strike and Metasploit selectively onto other targets within the same network and other components that you're trying to infect. That, to some folks, might appear amateurish. To me, it’s like look at how careful you're being that you would - even though you already have a well-established foothold with an advanced platform on a victim - you're still willing to avail yourself of totally burnable, commodity off-the-shelf stuff in order to keep expanding your foothold. That kind of thing is very careful, very pragmatic, no hubris kind of thinking, that I think defines this actor… that you go, okay, you're not just out here showing off, you are very carefully taking each step with great care. Even the measures they took when they saw our product get deployed were fascinating; I mean first of all, they expanded how Mafalda worked, so that to us shows that it's a platform that's still in active development. It's not just something that they bought and have been using the way that it is. They added something like I want to say 14 additional commands and then wrapped the whole thing in some of the most complicated custom obfuscation we'd ever seen. So God bless Alex from our team, who beat his head against this awful obfuscation and I think his brain was about to melt. But, you have a series of opaque predicates and control flow obfuscation and string encryption and a bunch of other measures that just make it very very very hard to reverse engineer, dynamically, statically, however you want, just very hard to reverse engineer. And then once you get under that wrapping what we realize is they've added a bunch of commands and capabilities for the backdoor in order to do things like, what they call non-naive execution which is ways to do the things that they were going to do without involving the normal APIs and aspects of the operating system that are what generic EDR solutions would hook. It's what the AV normally hooks. So to them it was like look hey, okay, there's a new contender here. We're just going to reengineer the platform in a way that avoids what we expect them to be using. It also tells us that they don't have our product to test against, because even though they've done all that, it lit up like a Christmas tree on our console, so we were like okay well nice try. Thanks for the new platform. It also lets us know that you're not sitting on the product trying test against.
Dennis Fisher: Okay, so if they had a given product to test against they would understand how it's going to react once it's deployed, what it's going to be looking for, what it's going to hook and then what kind of behaviors they could use to get around that, right?
Juan Andres Guerrero-Saade: I mean that's very common. VT, VirusTotal is something we all know and love and it's definitely a defensive measure. There are not just sort of black market versions but also custom in-house versions of those AV farms, what you might call them, where what you're doing is that. Let's run it against 60 engines and let's see what antivirus detects our stuff and from the ones that did, well what exactly set them off? So you go back even to the days of of Flame back in 2012 and Flame had a list of AVs and what it would do as well, if we see McAfee then we're going to change our file extension to be this other file extension and they don't check that stuff, and if we see Symantec or Kaspersky or whomever; like they had studied what these different AVs did, what their weaknesses were, and they would modify the platform in situ in order to abuse that. It's a lot harder these days, in the age of cloud-enabled detection, to do that… you have no idea what the machine learning and sort of cloud side of it and correlating between different endpoints and stuff like that, all that stuff happens on the cloud. And that's more of a hold your breath and hope area.
Dennis Fisher: Yeah, so in the initial victim, where you guys found this, were you eventually able to eject them from the environment at some point as far as you know?
Juan Andres Guerrero-Saade: Yeah, as far as we know, yes. That's where you pit the threat intel researcher versus the defender in me, because yes, we evicted them to the extent of our abilities, in collaboration with the customer and that's where it gets you right, it's in collaboration with the customer. I'm not going to malign anybody but there are some customers who'll tell you, hey thank you, we're busy, goodbye. They don't care. I hate to say it. But there are some customers who are like that. In this case, I'm conflicted because we definitely evicted them from the Windows side and then we know that there were components in the Linux side of the house in what represents the core network of a telco and that's where the cool stuff happens. And it took some folks a little too long to get the product onto the Linux servers and we missed all of those Linux… So we saw them communicating. We saw that there were parts of the Windows components in Mafalda that are clearly stealing stuff from Linux implants. But we have no idea what the Linux implants were doing, what they look like, we didn't get our hands on samples. And it kind of sucks because with telcos and ISPs that's where the cool stuff is happening. When, I want to say Mandiant did this great research into MessageTap, I think it was called, it was a Linux implant for telcos, I believe used by the Chinese, and because they got their hands on the sample, you could see hey they really care about text messages from this list of phone numbers or from people in this particular region and we'd of course love to know that. But on our side, we see a similar set of components, we have no clue what they were after at that point.
Dennis Fisher: Yeah, and now that this stuff is public I'm sure the teams like this pay attention to - I mean obviously they knew they got got in some way or another, because they adapted to when your product was deployed - so they knew they were at least found in that environment. So you would expect them to adapt their tools and techniques in other and or upcoming intrusions as well, right?
Juan Andres Guerrero-Saade: Absolutely, again a moment where me as a defender versus me as a researcher is kind of caught in a bind, because I want to be able to keep track of these guys. And in some cases, I mean there's some threat actors who will get very clever and pour a lot of resources into trying to engineer against your defensive product. There's others that will say hey if S1 is there, don't deploy and I mean in a sense that's a qualified victory for customers. But for me, it's like well there goes a whole white whale that I'm not going to deal with for a significant amount of time. And from wanting to understand the threat landscape, wanting to have real situational awareness, that doesn't necessarily feel like a victory to me.
Dennis Fisher: Yeah I completely understand that because you had this window into the behavior of an animal that you'd never seen before, you got to observe it, you got to see how it behaved for a certain amount of time and then the window closes, and you’re just like, what's it doing behind that window? Now what, what are we missing? What else could we have learned?
Juan Andres Guerrero-Saade: That was a big point, I mean honestly, that was a big point in how we structured our release. You mentioned the 30-something-page PDF, there's another 30 some pages of living technical analysis on a GDoc. We tried this different approach of saying look, here's all of our reversing notes, and whatever we find, if people share more stuff, if they're cool with it, we’ll add it to this living document. But part of that was to say, A, LABScon was meant to be something to enable collaboration and the talks we put out from our team, Tom Hegel, from me, Amitai, and Alex and so on, they really were meant to foster collaboration and we tried to do our best to be like look here's the kimono open, like Tom did his talk was off-the-record even though he published a report but it was an off-the-record version where he could be like look, these are some of the guys we found, this is one of the companies we found, this is one of the tracking methods we're using, and instead of being coy or just kind of like patting ourselves on the back with a big release, it was more to say look, we don't want to burn this method, but all of you that are working on this stuff, you should know how we're doing this thing. With Metador there's this reminder that even though for the past 10 or so years, there've been a lot of amazing discoveries and unbelievable findings from seeing the NSA/CIA, seeing Five Eyes, seeing the Russians and a variety of their teams, the Chinese and a variety of their teams, not just the low-end but some very high-end organizations, Singapore, all these other really amazing countries doing really cool things; Most of those findings are snapshots in time. They give us a really amazing sense of look at how they do things right at that sliver, maybe look at how they did things for the past however many years. But they seldom turn into consistent situational awareness of what these actors are doing. And I think that's an important reminder and a humbling reminder that we really haven't bested any of these folks. You can go like gotcha for five seconds, but from a defensive standpoint that doesn't suddenly turn into we know everything that this Russian team is going to do indefinitely. And it's a reminder of the grappling and tussling that comes not just with threat intel teams, but also the software and hardware that's generating our telemetry, and I think that a lot of times we lose the battle on the software development end. Like there is a race to the bottom when it comes to costs, when it comes to being pragmatic, when it comes to not wanting to consume too much CPU resources, as if Chrome and Slack weren't already doing that on their own. You know there's all these arguments for why you need to have as little a footprint as possible and the counter-argument as well is look at what these people are doing in firmware and memory and well beyond the pale of what some light logging is going to provide you and how comfortable are you with that.
“Even though there's a greater and greater set of eyes and more and more talent in the threat intel space, I think we are less and less aware of what's out there.”
Dennis Fisher: You mentioned the Russian teams, Chinese teams, a lot of times when people talk about the the apex predators in this arena. That's who you're talking about, Russia, China, North Korea, perhaps, Iran, the U.S. obviously, if we're on the other side of the fence. Are there other teams out there that you just don't think that we've discovered yet that are in that same ballpark?
Juan Andres Guerrero-Saade: I think there's tons. Like we used to have these arguments. Ryan Naraine would - we'd all sit down back in the great days - and Ryan would question Costin, and he'd say how many teams do you think we're aware of, like what percentage of the activity out there, and I think Costin always had this very optimistic view of how aware we were of things, and with years, I don't know that I doubt him at that time. But I will say that I think our visibility has decreased, perhaps drastically, so in that sense, I think we may, even though there's a greater and greater set of eyes and more and more talent in the threat intel space, I think we are less and less aware of what's out there. And in that vein, I don't think we are aware of a great deal of high end operations that are out there. Like I think we are getting very very good at catching the lower tranche, like that's almost a given right? You should be easily grabbing the lower tranche of APTs. The mid tranche of APTs, we're still tussling with but you can still find them, but they're going to get a little better and then you're going to catch them again, it's like cat and mouse. But I think the high end tranche is completely invisible to most of us. We cannot genuinely characterize how many actors are in there, how much we know, which of them have split, which of them are now contractor capabilities. There's a lot happening in firmware in-memory and rather than getting better at it we seem to be getting worse, particularly on the memory side. This is not an indictment of security products alone, I think it's also an indictment of the operating system maintainers themselves. Like I don't think Google, Apple or Microsoft are making life easier for anybody to inspect memory. And that might sound trivial but nobody wants to put in the investment to deal with memory, like you look at a company like Volexity and the guys that develop volatility and it's admirable that they’re so good at what they do, precisely because it's a moving target. Windows redevelops every six months, every major update overhauls how a lot of these undocumented features work, how a lot of the memory works and what you're asking is for a company to be willing to maintain a high R&D capability that's continually adapting to a moving target. Microsoft, Apple, they're not calling you up to say hey this is how we retooled memory in the OS. I'm wondering if the market is even in a position to support these things. I think it should be. But I don't think the incentives are necessarily there and so what you get are very few companies that are willing to really put the effort in and and APTs are thriving in that space. If you don't have a behavioral engine, if you don't have memory inspection and almost none of us have firmware inspection, what is happening in that space?
Dennis Fisher: Yeah I often wonder too about I mean we're mostly talking about laptops, desktops, servers in some cases, I often wonder about the mobile space too, because the implants that get discovered for iOS and Android are still relatively rare. You might see one or two a year depending on the year and what what gets coughed up, but that's obviously high-value targets for a lot of these, especially in oppressive regimes that really want to surveil their populations, and mobile is the default platform in a lot of developing nations and in other places too. So it seems like there's still a lot of work to be done there.
Juan Andres Guerrero-Saade: Oh massive. And frankly I don't know how we're going to handle that.
Dennis Fisher: Because those are opaque, especially iOS, obviously.
Juan Andres Guerrero-Saade: I mean in the case of iOS I think it's opaque on purpose. It’s why I think we've ragged on Apple in giving them such a hard time. Like I'm a huge Apple fanboy, I love the products, I understand the walled garden mentality, I don't necessarily disagree with it, I think it has raised security for most users of Apple devices or at least iOS devices. Let's focus on iOS. But there is a certain point at which if you are going to build the seemingly impenetrable walled garden, you are also taking on the responsibility of protecting and monitoring the inside of that garden. It's basically a gated community, you're telling the cops to go away. Well, you better have some pretty decent rent a cops inside, right? Like there's got to be somebody sort of paying attention and I think despite some improvements on the Apple side I think what we're seeing in this battle with NSO and sort of the more public aspects of this riff, the way they handle Corellium, the way you know just they've handled the bug bounty for researchers, all that stuff. What we're seeing is more of an unwillingness to really know what's there, and a lack of desire to know what's there, and a minimization of the problem. We saw it with, probably I think the lowest point in Apple's history as far as I'm concerned on the security side was that blog where they responded to the use of iOS zero-days to target Uyghur populations. I think it was an incredibly callous moment, and one that it's left a really bad taste in my mouth ever since. But it goes to show that it's more of a priority to say look, it's not that big a problem. It's not that big a problem for most of you. You really don't need to worry about this. It's a very specific subset of people, and for that specific subset of people: Good luck, take care guys.
And you get into a very polarizing discussion. Whenever we're like, well, what we want is monitoring what we want is like some kind of logging, what we want is some kind of accessible way of verifying. What you get are very angry responses from very intelligent engineers who go, well but we don't want to reduce the integrity of the operating system. I'm not asking you to do that, I want you to build something into the operating system that lets me verify things, that lets you verify things. And we kind of went off on a very big tangent but this is something that drives me insane right? Even with Lockdown Mode, like Lockdown Mode is an amazing new feature. But what it says is, these guys keep coming up with new exploits, they're going to keep coming up with new exploits all the time. So we're just going to reduce the attack surface of those exploits.
“There’s capability there, these guys have skills from before, but I'm not about to start calling them by name at this point.”
Dennis Fisher: So, let me back you into a corner and ask about the attribution for Metador. What's your best, educated guess on this?
Juan Andres Guerrero-Saade: I have no concrete sense. Let me put out the spread of tiny tiny things we found along the way, with the awareness that everything is fungible - Brian and I wrote the paper on false flags, I'm well aware of what that potential is and the more that we publicize things about groups the more false flagging potential grows - I don't necessarily think that a false flag is the issue here, I think instead, it’s just sort of a general sparseness. But what we're seeing is multiple developers, some of them speak English decently, some of that English doesn't look perfect, but some of them speak very good English, there's at least two different English speakers, one of them more of like a highfalutin academic type, one more of like an informal lol, smiley face, don't do anything stupid type, then there's some Spanish-speaking folks involved. Even the the Mafalda name to me - again, everything fungible, everything subject to interpretation - but Mafalda is a very well-known political comic strip in the Hispanic world, I grew up with it, my parents grew up with it, It's been around since the 1960s, it's an Argentinian political cartoon. The idea was like you would talk about fairly complicated geopolitical issues through the eyes of like a 6-year-old girl and that naivete would kind of let you express some sentiments that are otherwise kind of difficult to express and we all grew up with that. Between that, like sort of the thing is named Mafalda, the C2s are expected to answer in Spanish in some cases. There's a few different sort of small traits there that I think there's definitely Spanish speaking devs, I wondered if there's an Argentinian dev or two involved, I mean Argentina is this poorly kept secret in that it's an amazing source of talent. I know that Latin America is easy to dismiss as maybe not the best talent pipeline for the rest of the world but, boy are you mistaken if you lump Argentina into that right, there's a ton of exploit devs, OpSec folks, Core Security came out of there, Immunity used to have some a great deal of folks out there. So it's not beyond the pale that there may be some Argentinian folks lending their services or their development capabilities there. And we have at least one indication of UTC+1 as a time zone for at least one of these folks or whatever organization is involved. Which puts you in the UK and Spain side of things, not to say that I would rush to point the finger at either of those, but look, I'm giving you this very garbled picture precisely because that's what we're seeing. We're seeing a bunch of indicators of different things that aren't necessarily moving in the same direction. Normally we'd get more of a sense of things from victims. But… a telco and an ISP, they are espionage enablers for further downstream customers, so it doesn't necessarily give you a good sense of who you're dealing with, so what we can say at this time is, I think this is a diverse group. It's more diverse than you would expect from normal nation state capabilities. I'm not entirely certain what their particular remit is, I wouldn't be surprised if it was a contractor of some sort, I wouldn't be surprised if it's a contractor that's particularly servicing one or multiple nation states. I have no clue beyond that. There’s capability there, these guys have skills from before, but I'm not about to start calling them by name at this point.
Dennis Fisher: And I mean the picture that you just painted to me as a non-expert in this space does tend towards the contractor side of things, just given that the targets weren't a cohesive thing. We didn't really mention the geographic targeting. But I think it was Africa and the Middle East, for the most part.That doesn't lead me into one country or another, it doesn't really give me any strong indicators.
Juan Andres Guerrero-Saade: It's also so few of their targets that, I tried to emphasize this in the paper as well, don't take that as a definitive spread neither of regions nor of verticals. When you have you know five or less victims, that's so statistically skewed that it's not letting you know that - I wouldn't be surprised if they had targets in North America, Latin America, wherever, like Western Europe almost certainly but like, who knows, right? And that's where I worry about the vertical and region getting blown out of proportion because I think that's how a lot of organizations do their prioritizing. Oh yes, we are a telco but we're not in Africa or the Middle East so it’s not our problem or vice versa; we're in the Middle East but we're not a telco, not a big deal. I think in this particular case it’s like we know so little about what these guys are after that I wouldn't get much of a sense of comfort out of not being in either of those.
Dennis Fisher: No, honestly, that would give me a sense of discomfort not just because the sample size was so small, as you mentioned, you know a handful, literally a handful, of known victims. You have no concept of how big the actual victim space is.
Juan Andres Guerrero-Saade: I doubt it’s huge, but it’s definitely bigger than what we saw, and not knowing what they're doing with those ISPs or telcos, like hey man look, we weren't going to go hyper hype train. But there's nothing keeping you from having that as a supply-chain attack as an enabler of downstream infections. Maybe that's how they deliver some other type of component. They obviously have multiple frameworks, there's so many ways that this could be something way way bigger. Or it could be a glimpse of this comet in the sky just sort of like running particular ops, at which point I would say well these people are very skilled. Do you really think this is the only op they've ever run or they're ever going to run? So there's no comforting side of this, like we're selling discomfort in this one.
Dennis Fisher: It was awesome to talk to you, you guys obviously put in tons and tons of time on this and it was a cool presentation.
Juan Andres Guerrero-Saade:Thank you Dennis! Thanks for coming to LABScon, and hopefully we'll we'll keep this momentum going.