Advertisement

A Department of Defense bulletin on a ‘leaking’ sinkhole has baffled cybersecurity experts

Sinkholes don't leak. So why does a small DOD agency say a Chinese hacking group is using one to steal data?
DCSA cybersecurity
A DCSA bulletin described a 'leaking' sinkhole. Experts told CyberScoop they aren't sure what that term means. (Getty Images)

In mid-April, an obscure agency housed under the Department of Defense issued a bulletin that a little-known, Chinese-linked hacking group is likely responsible for some suspicious activity aimed at defense contractors in the U.S. But how the Defense Counterintelligence and Security Agency (DCSA) came to that conclusion is complicated.

The alert, sent to 38 contractors, says DCSA detected the group was making “inbound and outbound connections” with contractors’ facilities as of Feb. 1. The targeting, which appeared to have stopped by March 25, was directed at several critical infrastructure sectors, including aerospace, health care and maritime, according to a copy of the bulletin obtained by CyberScoop.

A DCSA official tells CyberScoop the document was meant to raise awareness among the contractors, but numerous sources tell CyberScoop that it is more confusing than clarifying. The bulletin, which was first reported by Politico, has raised questions about the attributed hacking group and if the actions described in the document are even technically possible.

Chinese hackers have long been known to collect information on government contracting work in the U.S. But the group singled out in this alert, known as Electric Panda, is not as well-known in the cybersecurity community as its peers. Prior to the DCSA alert, the only reference to this group is from a 2013 presentation from CrowdStrike. The security company declined to comment on the bulletin.

Advertisement

It is also unclear from the bulletin what the attackers are doing; the DCSA doesn’t elaborate on what it means by “inbound and outbound connections.” Security experts who have examined the bulletin tell CyberScoop they can’t explain what’s technically detailed, and it provides no solutions to remedy the problem.

A leaking sinkhole?

In particular, the bulletin notes concerning activity coming from a “sinkhole.” Sinkholes are used by researchers to capture bad internet traffic, mostly coming from botnets, and block infected machines from carrying out their orders. According to the bulletin, the sinkhole in question, owned by the Portuguese company Anubis, appears to be “leaking” data belonging to the cleared contractors.

“While the sinkhole’s stated purpose is to conduct security research, the actual traffic going through the sinkhole and emanating from it is likely malicious in nature,” the bulletin reads, adding “data may be leaking, not only outside the company, but outside the country.”

However, sinkhole experts, including those working for the company that owns Anubis, told CyberScoop they don’t know what a “leaking sinkhole” is, even theoretically.

Advertisement

Boston-based BitSight, which owns Anubis, told CyberScoop it hasn’t noticed the behavior described in the bulletin.

“As far as my best indication, there’s nothing from where our infrastructure is concerned that is any behavior that we could identify as being associated with ‘leaking,’” BitSight Director of Security Research Dan Dahlberg told CyberScoop. “There is nothing that is indicative at all. In terms of even conceptually, I can’t even imagine what ‘leaking’ in regards to [this] infrastructure might be referring to.”

GreyNoise founder Andrew Morris said the bulletin seems to defy what he knows about internet traffic and sinkholes. His company sells a product that allows security teams to scan and analyze internet traffic data.

“I mean, a leaking sinkhole?” Morris said in disbelief. “[The bulletin’s authors are] using some kind of buzzwords without using any technical clarity.”

Dahlberg said the idea that a sinkhole would “leak,” and allow traffic to move through it without being stopped, isn’t the way the technology works.

Advertisement

“There’s little opportunity for a sinkhole to reveal anything,” he told CyberScoop. “Really, the only thing a sinkhole can effectively reveal is the information it’s receiving about infected clients. There’s not a situation where the sinkhole would provide that back to anybody.”

Travis Green, a threat intelligence principal at Verizon who has written about the Anubis sinkhole, said one possible explanation is that the contractors were hacked by state-backed hackers, known as advanced persistent threat (APT) actors, but when the contractors’ machines tried communicating back with the hacker group’s servers, the sinkhole captured and blocked the traffic.

“That sinkhole doesn’t leak data, that sinkhole just does what it does,” Green, a certified ethical hacker and former government contractor, told CyberScoop. “I would not be at all surprised to hear that Anubis has sinkholed some APT domains.”

Different explanations

Dahlberg also suggested that the hacking group could have somehow become aware of the sinkhole in question and managed to bypass it.

Advertisement

If the attackers somehow identified the IP address of the sinkhole, for instance, they could block its IP address so that their victimized computers could communicate back with the attackers, Dahlberg said. However, he says that issue has an easy fix.

“This is actually a relatively easy thing for us to get around,” Dahlberg said. “We can change our IPs to get around that.”

Morris told CyberScoop it’s also possible the suspicious traffic could be tied to recycled IP addresses. For instance, a hacking group has a designated set of IP addresses to communicate with victims’ computers. If the group abandons those IP addresses — something that happens all the time — and Anubis now uses those same IP addresses, that could result in that traffic “delivering” data to the sinkhole.

Morris said GreyNoise has experienced a similar scenario after his company encountered traffic that appeared to be coming from infected devices after they obtained a set of recycled IP addresses.

“We at GreyNoise have had cases where we just inherited an IP address that belonged to a former command and control server, and we’ll see weird traffic hitting some of our collector nodes,” Morris told CyberScoop. “That could be something like a leaking sinkhole.”

Advertisement

There’s also a scenario in which the inbound and outbound “connections” aren’t necessarily related to infections at all, Morris said. If cybersecurity researchers at the contracting facilities are studying the attackers, they would likely be communicating with the hacking group’s server, giving off the impression they’re infected, when in reality, they are just conducting research.

“If you see a bunch of security researchers … researching [the command and control server], scanning it, communicating with it, they’re going to look like infected hosts to the observer,” Morris said, noting this kind of research can create “potentially false positives for who’s infected and where.”

Contractors that specialize in cybersecurity had the most inbound and outbound connections made with the suspected actors, according to the bulletin.

Old malware

The hackers suspected to be responsible for this activity appear to be somewhat elusive. For its part, the DCSA acknowledges it’s not certain that Electric Panda is behind the bad traffic. The bulletin suggests the activity is “highly likely” to be carried out by Electric Panda.

Advertisement

But there are clues about the group’s origin in the bulletin, according to Karim Hijazi, CEO of Maryland-based security company Prevailion.

Hijazi told CyberScoop that one of the indicators of compromise detailed in the bulletin is a command and control server linked with Fireball, malware that Chinese actors have been known to use in years past. Fireball has two capabilities: allowing for the download of additional malware or tampering with web traffic in schemes related to ad fraud.

“One of the IOCs in the bulletin (giqepofa[.]com) is a known [command and control server] of Fireball,” Hijazi told CyberScoop.

According to previous research from Check Point Technologies, Fireball has infected 250 million computers worldwide. There is no mention of Fireball in the DCSA bulletin.

The remaining puzzle

Advertisement

The DCSA, the newly re-organized office that’s responsible for federal background checks, has been silent about the bulletin’s details since its release. The DCSA would only say it was meant to help contractors with mitigation efforts.

Additionally, other government agencies that play a role in cybersecurity — the Department of Homeland Security, FBI and U.S. Cyber Command — declined to comment or deferred to the DCSA.

When asked about the bulletin, a National Security Agency official said that users should be patching and and running two-factor authentication.

“Actors continue to steal and abuse credentials, so users should also leverage two-factor authentication whenever possible,” the official told CyberScoop.

Hackers frequently abuse old or unpatched systems to run exploits against a wide variety of targets, including in the government sector. For instance, a Chinese hacking group known as APT41 recently ran an espionage campaign that abused unpatched Citrix vulnerabilities.

Advertisement

It was not clear if bad hygiene or unpatched systems were related to the DCSA bulletin. The NSA declined to comment on whether it had contributed any information to the DCSA bulletin.

BitSight also told CyberScoop that it remains unable to explain what’s described in the bulletin. The company would not say if DCSA reached out to the company since the bulletin was issued, and it remained steadfast that it’s unaware of any cleared contractor data that may have come into contact with its sinkhole.

“Without the full context it’s hard to comment exactly what [DCSA] might be specifically referring to,” Dahlberg told CyberScoop.

Latest Podcasts