InSecurity Podcast: Inside the White Company’s Operation Shaheen Espionage Campaign

Applying a new, comprehensive approach to threat intelligence, Cylance researchers profiled a new and likely state-sponsored threat actor dubbed The White Company in a set of recently published reports. The report details Operation Shaheen, a year-long espionage effort directed at the Pakistani government and military – in particular, the Pakistani Air Force.

The “genetic mapping” of more than 40 unique shellcode features allowed the researchers to track the development, modification, and evolution of the White Company’s tool kit over time. This worked to tie this threat actor to other previously unidentified or misattributed campaigns, and to understand a larger corpus of their activity more deeply.

Two technical chapters of the Operation Shaheen report delve deeply into the exploit kits, malware, and infrastructure employed – the keys that unlocked the doors and the tools used to steal what’s inside. The third chapter lays out how the campaign worked, situating the technical findings in geopolitical context, and explains why it all matters.

The White Company is the first threat actor our researchers encountered that had the ability to evade eight different antivirus products before deliberately surrendering to them on specific dates in order to distract, delay, and divert the targets’ resources.

In today’s episode of InSecurity, Matt Stephenson talks with Operation Shaheen researchers Ryan Smith, Jon Gross, and Kevin Livelli. Their report unravels the mystery of a campaign in which traditional approaches to analysis, focused primarily on the malware and infrastructure, yielded few clues yet many misleading attributes.


About Ryan Smith

Ryan Smith is a member of the Cylance Advisory Board. Prior to that, he was the Vice President of Research at Cylance, where he led teams performing both internal and external research.

He has spent the last decade leading such teams for consulting, product, and Fortune 50 organizations. As an individual contributor, Ryan has discovered and exploited highly impactful vulnerabilities in widely deployed client and server software.

His interests include reverse engineering, exploitation, vulnerability discovery, analysis algorithms, and magnets. He has spoken at international conferences and is a two-time Pwnie Award winner for best server and client bugs.

About Jon Gross

Jon Gross is a Director of Threat Intelligence at Cylance.
Other than that, he doesn’t tell us much…

 

About Kevin Livelli

Kevin Livelli is a Director of Threat Intelligence at Cylance, where he conducts long-term, complex investigations with the Research and Intelligence team.

His work there follows ten years as a producer at 60 Minutes, where his team’s investigative reporting and analysis was recognized with several Emmy and Peabody awards.

Before that, Livelli supervised investigations at the nation’s largest independent police oversight agency. A graduate of Dartmouth, he earned Master's degrees from Trinity College Dublin and Columbia University. 

About Matt Stephenson

Insecurity Podcast host Matt Stephenson (@packmatt73) leads the Security Technology team at Cylance, which puts him in front of crowds, cameras, and microphones all over the world. He is the regular host of the InSecurity podcast and host of CylanceTV.

Twenty years of work with the world’s largest security, storage, and recovery companies has introduced Stephenson to some of the most fascinating people in the industry. He wants to get those stories told so that others can learn from what has come before.