
Hakan Tanriverdi works as a reporter for Bayerischer Rundfunk. He is part of a team doing longform technical investigations. His main beat is writing about hacking groups that – allegedly – are supported by nation-states.
In 2019, we became aware that the German carmaker BMW had been hacked. While investigating the attack for our story that broke the news in December 2019, we found out that a group called APT32 and/or "OceanLotus" was said to be behind the intrusion, and that BMW had caught the intruders early on and monitored what they were doing inside its networks before eventually kicking them out. While doing research on the group – which, according to researchers and people from the intelligence community, is operating out of Vietnam and most likely in the interest of the government – I was told that there might be an interesting way to track the group's infrastructure. I didn't have enough time back then to do so because we had a story to finish. But once we were done, I went back to find out more about the approach. It turned out that ESET had published a paper in 2018 describing how OceanLotus uses a backdoor that makes particular DNS queries.
By early January 2020, we heard that OceanLotus was pretty active and not only targeting companies, but also human rights organizations, journalists and dissidents. We wanted to find out more about the infrastructure and see where it would take us. My hypothesis was that we might be able to find out about more targeted intrusions. It turned out that we were able to see infrastructure being set up for future intrusions. (We had no way to verify in real time whether the domains were used for an ongoing campaign, though.)
As we began to work on our updated story, which, to be fair, took a total of about six to seven months, we reached out to the Vietnamese embassy in Berlin and asked whether the group was working on behalf of the Vietnamese state. They told us that the accusations were unfounded and that Vietnam would condemn any form of cyberattack.
We used a mix of the following tools: passive DNS (Farsight DNSDB), SSL certificates and sites like VirusTotal for malware analysis. For the latter, I went through public reports from other companies. While information security companies will often focus on new techniques in their threat reports, my goal, as an investigative journalist, is to tie together as much information as possible to deliver a broader view of the group, starting with the technical bits but also including geopolitical aspects. So how I define newsworthiness is different from the way other people would describe that word, I guess.
I'm not sure that I have something to add that the security community is not already aware of. However, I will say that reaching out to people whose computers might have been infected with malware is a good way to get more background on why some people are targeted. A phishing e-mail alone has no context, but knowing who was targeted and asking them that question may be very interesting for understanding the motives of a hacking group.
Our research started with passive DNS. We used the method ESET described in their paper and queried the DNSDB API. From there, we had a good overview of the attacker infrastructure and the domains they had been using and, in some cases, still were using. Once we had a closer look at the domains and noticed that the group was using a specific SSL certificate when setting up new infrastructure, we wrote a script to query sites like Shodan to alert us whenever their scans came across that certificate. From there, we went back to DNSDB again to see what other domains were hosted on the matching IP addresses.
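The loop described above (seed domains, then the IPs they resolved to, then a scan feed checked for the reused certificate, then passive DNS again to list the other names on those IPs) can be scripted. The following is an added example written for this page, not the author's script and not Farsight code. All domains, IP addresses, timestamps and the certificate fingerprint are constructed for the example and do not describe real OceanLotus infrastructure; the record field names (rrname, rrtype, rdata, time_first, time_last) are assumed to follow DNSDB's JSON-lines output, and the scan feed is a stand-in for whatever Shodan-style source reports per-host certificate hashes. The time filter is the check a practitioner wants here: a name that has pointed at the same IP since long before the campaign started is usually shared hosting, not attacker infrastructure.

```python
"""Passive-DNS plus certificate pivot over constructed data (added example)."""
import json

# Constructed passive-DNS records in DNSDB-style JSON lines (assumed field names).
PDNS_JSONL = """\
{"rrname": "update.example-seed.test.", "rrtype": "A", "rdata": "198.51.100.10", "time_first": 1577836800, "time_last": 1578441600}
{"rrname": "cdn.example-seed.test.", "rrtype": "A", "rdata": "198.51.100.11", "time_first": 1578000000, "time_last": 1578600000}
{"rrname": "mail.example-seed.test.", "rrtype": "A", "rdata": "203.0.113.5", "time_first": 1578000000, "time_last": 1578600000}
{"rrname": "news.example-new.test.", "rrtype": "A", "rdata": "198.51.100.10", "time_first": 1578500000, "time_last": 1578700000}
{"rrname": "login.example-new.test.", "rrtype": "A", "rdata": "198.51.100.11", "time_first": 1578550000, "time_last": 1578700000}
{"rrname": "old.example-hosting.test.", "rrtype": "A", "rdata": "198.51.100.10", "time_first": 1400000000, "time_last": 1578700000}
{"rrname": "shared.example-hosting.test.", "rrtype": "A", "rdata": "203.0.113.5", "time_first": 1500000000, "time_last": 1578700000}
{"rrname": "www.example-seed.test.", "rrtype": "CNAME", "rdata": "cdn.example-seed.test.", "time_first": 1578000000, "time_last": 1578600000}
"""

# Constructed scan feed: one row per host, as a Shodan-style scanner would report it.
SCAN_RESULTS = [
    {"ip": "198.51.100.10", "port": 443, "cert_sha256": "aa" * 32},
    {"ip": "198.51.100.11", "port": 443, "cert_sha256": "aa" * 32},
    {"ip": "203.0.113.5", "port": 443, "cert_sha256": "bb" * 32},
]

# Constructed: the certificate fingerprint the analyst believes is reused on new hosts.
TRACKED_CERT_SHA256 = "aa" * 32

# Constructed: domains already attributed to the group from the first DNSDB round.
SEED_NAMES = {"update.example-seed.test.", "cdn.example-seed.test.", "mail.example-seed.test."}


def load_pdns(jsonl):
    """Parse JSON-lines passive-DNS output into a list of record dicts."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def rrset_lookup(records, name):
    """Name -> set of IPv4 addresses it resolved to (A records only; CNAMEs are skipped)."""
    return {r["rdata"] for r in records if r["rrname"] == name and r["rrtype"] == "A"}


def rdata_lookup(records, ip):
    """IP -> list of A records that pointed at it (the reverse pivot)."""
    return [r for r in records if r["rrtype"] == "A" and r["rdata"] == ip]


def ips_with_cert(scans, fingerprint):
    """Hosts on which the scan feed observed the tracked certificate."""
    return {s["ip"] for s in scans if s["cert_sha256"] == fingerprint}


def pivot(records, scans, seed_names, fingerprint):
    """Run the full loop: seeds -> IPs -> cert check -> co-hosted names.

    Returns {"confirmed": {ip: [new names]}, "unconfirmed": [seed IPs lacking the cert]}.
    Names whose time_first predates the earliest seed observation are dropped as
    probable shared hosting rather than freshly set-up attacker infrastructure.
    """
    seed_ips = set()
    seed_first_seen = []
    for name in seed_names:
        for ip in rrset_lookup(records, name):
            seed_ips.add(ip)
        seed_first_seen += [r["time_first"] for r in records
                            if r["rrname"] == name and r["rrtype"] == "A"]
    campaign_start = min(seed_first_seen) if seed_first_seen else 0

    cert_ips = ips_with_cert(scans, fingerprint)
    confirmed = {}
    for ip in sorted(cert_ips):
        confirmed[ip] = sorted(
            r["rrname"] for r in rdata_lookup(records, ip)
            if r["rrname"] not in seed_names and r["time_first"] >= campaign_start
        )
    return {"confirmed": confirmed, "unconfirmed": sorted(seed_ips - cert_ips)}


if __name__ == "__main__":
    result = pivot(load_pdns(PDNS_JSONL), SCAN_RESULTS, SEED_NAMES, TRACKED_CERT_SHA256)
    for ip, names in result["confirmed"].items():
        print(f"{ip}: cert match, new names {names}")
    print("seed IPs without the tracked cert:", result["unconfirmed"])
```

Against the constructed data the script flags news.example-new.test. and login.example-new.test. as new names on the two cert-bearing hosts, drops old.example-hosting.test. because it predates the seeds, and lists 203.0.113.5 as a seed host that could not be confirmed by certificate. Against live data, the two lookups would be replaced by calls to DNSDB's rrset and rdata endpoints and the scan feed by a periodic Shodan query, but the pivot and the age check stay the same.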
The biggest surprise was that, at some point, whoever we reached out to in the Vietnamese community in Germany had either heard of the group or had been targeted by it. The attack was widespread. When writing about allegedly state-sponsored campaigns, it usually is hard to speak with affected parties, because you only have the malware and not the people being targeted with it. This research was different. We had lots of people we could talk with.
The overall takeaway, in my view, is that we were able to show how huge nation-state infrastructures are set up to target a vast group of people who are allegedly deemed problematic and dangerous by governments. In our case, the alleged nation state is Vietnam (just to restate: they have gone on record to deny doing anything like this).
Volexity has published a blog post detailing "multiple new attack campaigns being launched by OceanLotus via multiple fake websites and Facebook pages". In Germany, there has been a discussion about the best way to protect Vietnamese people who leave their country to live here. It is concerning to the authorities that these people want to live in freedom but are still being targeted.
© 2020 Farsight Security. All Rights Reserved.