Operation Arachnophobia: The Spy-der Who Loved Me

The story of Operation Arachnophobia is not unlike a good spy novel: the characters aren’t who they appear to be, motives must always be questioned, and the twists in the plot keep you guessing until the end. Our story begins in early August 2013 with the research blog “Where There is Smoke, There is Fire: South Asian Cyber Espionage Heats Up”. Published in the shadow of ThreatConnect’s public debut, that blog was followed just days later by newly discovered events that revealed notable data points, casting suspicion that there was more to this story than originally observed. For nearly a year, we researched different angles of these events and uncovered substantial evidence of Pakistani involvement and relationships previously unreported.

In the next chapter of our tale, we find FireEye Labs and the ThreatConnect Research Team collaborating on the production of Operation Arachnophobia. Their efforts began at a Memorial Day wedding weekend, topside on the crystal blue waters of the Virgin Islands. A group of former colleagues and their wives would trade old cyber war stories and investigative tradecraft during an afternoon of island hopping, snorkeling and frozen drinks. These industry conversations usually end with the well-intended but rarely executed sentiment of, “we should work on something together,” and this was no exception. Little did they know, only a month later they would indeed find themselves making good on their Caribbean agreement.

You see, analysts and researchers often come across activity they feel would benefit from the perspective of an additional set of eyes. Taking a pragmatic look at today’s threat landscape, we must humbly acknowledge that no one organization can be in all places at once; no one organization can observe everything and then deliver ground truth of the events that transpired in a timely manner. This is why teamwork and collaboration within the community are vitally important. We must be willing to come together and share knowledge if we expect to be effective in making sense of modern cyber threats.

Although our story doesn’t include a chase scene, exploding cufflinks or an underwater swordfight, Operation Arachnophobia serves as an example of how two organizations can come together to make sense of technical and non-technical observations. Building off of last year’s research, the ThreatConnect Research and FireEye Labs team expanded on the initial analysis of a custom backdoor, later dubbed BITTERBUG by FireEye Labs. Analysts detail BITTERBUG functionality and highlight notable changes across BITTERBUG samples before and after the original August 2013 ThreatConnect Research blog. In addition to focusing on the malware capability, the ThreatConnect Research/FireEye Labs team also looked at the infrastructure used in the BITTERBUG activity to uncover additional commercial Pakistani connections. The team also identified Pakistani-based personas affiliated with these commercial entities that also appear within each other’s social networks.

To download the Operation Arachnophobia report – register here. All of the indicators associated with BITTERBUG activity have been shared within the ThreatConnect Common Community Incidents 20130731A: South Asia Cyber Espionage Heats Up and BITTERBUG Threat.

Join us for a webinar in September featuring me and Mike Oppenheim, FireEye Principal Threat Intelligence Analyst. The webinar will be held Tuesday, September 24, 2014 at 11:00 AM ET, and we will present and discuss the findings in Operation Arachnophobia.

Our team here at Cyber Squared already knows the value of community collaboration, and how that is just one part of an organization’s success in fighting our adversaries. Your organization can get started right away, whether you are a team of one or twenty. ThreatConnect is the most comprehensive Threat Intelligence Platform on the market today and can help your organization see immediate benefits and value in fighting the good fight. We no longer have to work in the dark, isolated from one another; together we can work to unravel all of the threats out there working against us.

Rich Barger
About the Author

Rich is a pioneer in threat intelligence analysis and is the Chief Intelligence Officer and Director of Threat Intelligence at ThreatConnect. In 2011, Rich sought out like-minded security experts, and together they founded ThreatConnect. Rich has more than 15 years supporting DC’s most elite cyber defense and intelligence organizations from within both the public and private sectors as a former U.S. Army Intelligence Analyst and security consultant. Rich is an analyst at heart, and his technical and operational vision is truly what makes ThreatConnect a disruptive new technology for organizations worldwide. Rich leads the ThreatConnect Intelligence Research Team, a globally recognized threat research team. Rich maintains a variety of professional industry certifications and holds a BS in Information System Security. Rich is married and is a proud father.