The blog has been silent for about a month now and I have struggled with how to release some of my work without burning TTPs in the process. It’s funny, the closer you get to the targets and victims, the less public analysis you end up doing. I am currently working on a couple projects that will eventually make their way to the public, but in the meantime I wanted to write about the attribution game I see a lot of researchers and companies playing.
When I was in Asia, or more specifically China, I got the chance to sit down with a bunch of native hackers. One in particular made some interesting claims, but those details are better left for in-person discussions. During my time there (10 days or so), I shared beer, food and jokes with the group, eventually building enough trust to be invited up to their company headquarters for demonstrations of their code. What was shown was a mixture of public and private RATs, some I had analyzed the week prior and others I had never heard of, though their code was amusingly familiar. As I walked from laptop to laptop, I made mental notes of what I saw and had my co-worker, Tom Creedon, translate the Chinese buried within the source.
That night I shared drinks and food with the group. We talked about hacking and security and dared each other to see who would eat the most bugs. It occurred to me while sitting at the table that the code these hackers had might have been used in attacks against other countries, including the USA. Was it likely? Maybe, but even if you knew who the operator was and where he/she lived, what difference would that make, assuming you were not one of the select few individuals capable of leveraging that knowledge? Truth be told, unless you were to activate a web cam on the machine of the operator conducting the collections, you would never see hands-on-keyboard (assuming you haven’t implanted one of their toasters or appliance of your choosing).
With all that said, tracking the “who” and the “what” is still important, but not necessarily from an identification perspective. Instead these items and attributes should be used to cluster and classify activity, thereby associating previous attacks with their evolving or non-evolving current ones. At the end of the day, however, indicators can be gamed. I see more overlap in infrastructure, domains, registrants and attack profiles as the days go on.
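To make the clustering idea concrete, here is a small added example (mine, not code from the original post) that links intrusion records which share an attribute such as a C2 domain, registrant or malware family, and then shows the caveat: a value that turns up across too many records (a privacy-protected registrant, shared hosting, or overlap planted on purpose) will chain unrelated activity together unless it is discounted. All records, domains, addresses and family names below are constructed placeholders.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample intrusion records (not real indicators). Each record carries the
# observables an analyst might extract from one campaign; "privacy@example" stands in
# for a registrant value shared by many unrelated domains.
RECORDS = [
    {"id": "A1", "c2_domain": "update-check.example", "registrant": "reg1@example", "family": "rat-x", "ip": "198.51.100.10"},
    {"id": "A2", "c2_domain": "news-feed.example", "registrant": "reg1@example", "family": "rat-x", "ip": "198.51.100.11"},
    {"id": "B1", "c2_domain": "cdn-static.example", "registrant": "reg2@example", "family": "rat-y", "ip": "203.0.113.5"},
    {"id": "B2", "c2_domain": "cdn-static.example", "registrant": "privacy@example", "family": "rat-z", "ip": "203.0.113.6"},
    {"id": "C1", "c2_domain": "mail-sync.example", "registrant": "privacy@example", "family": "rat-w", "ip": "192.0.2.9"},
    {"id": "D1", "c2_domain": "img-host.example", "registrant": "privacy@example", "family": "rat-v", "ip": "192.0.2.20"},
]


def shared_attributes(a, b, ignore=frozenset()):
    """Attribute names (other than id) whose values match between two records,
    skipping any value listed in `ignore`."""
    return {k for k in a if k != "id" and k in b and a[k] == b[k] and a[k] not in ignore}


def cluster_activity(records, min_shared=1, ignore=frozenset()):
    """Union-find over records: two records are joined when they share at least
    `min_shared` attribute values. Returns a list of id sets, one per cluster."""
    parent = {r["id"]: r["id"] for r in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for a, b in combinations(records, 2):
        if len(shared_attributes(a, b, ignore)) >= min_shared:
            parent[find(a["id"])] = find(b["id"])

    groups = defaultdict(set)
    for r in records:
        groups[find(r["id"])].add(r["id"])
    return sorted(groups.values(), key=lambda s: sorted(s))


def overused_values(records, max_records=2):
    """Values seen in more than `max_records` records. These are weak linking
    evidence (shared hosting, privacy registrants, deliberately reused artifacts)
    and are the ones most easily gamed by an adversary."""
    counts = defaultdict(int)
    for r in records:
        for k, v in r.items():
            if k != "id":
                counts[v] += 1
    return {v for v, n in counts.items() if n > max_records}


if __name__ == "__main__":
    print("naive:", cluster_activity(RECORDS))
    noisy = overused_values(RECORDS)
    print("overused values:", noisy)
    print("discounted:", cluster_activity(RECORDS, ignore=noisy))
    print("two shared attributes required:", cluster_activity(RECORDS, min_shared=2))
```

Run naively, the single shared registrant drags B1, B2, C1 and D1 into one cluster; once the overused value is ignored, or two independent overlaps are required, only the pairs with genuine shared infrastructure or tooling stay linked. That is the practical form of “indicators can be gamed”: the weight given to an overlap should fall as the overlap becomes common.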
And yet more often than not, and I do this too, we are quick to blame an entire area for an attack based on the circumstantial evidence within the malware. Watching the hackers in China SQL inject a few public-facing banks from the hotel network using the old school XP_CMDSHELL technique was enough for me to realize that infrastructure in Asia was lacking in security. Talking to professionals in the surrounding countries only confirmed that fact when I was told servers were never restarted, no matter what. So in other words, anyone could own those machines.
Cyber-based targeted attacks favor the attackers not only from a technical perspective, but also from a legal perspective. Efforts must be put forth to protect assets deemed critical to the organization because it is unlikely any one person will be held responsible for successful thefts of intellectual property, trade secrets and other valuable data.
In closing, the next time you want to blame a single entity for attacking someone, consider that we too do operations. While they are directed at different countries and follow a different cause, they are still done by us. When I asked the main Chinese hacker why he did what he did, I was told, “just you do some research for USA,I DO for China”. You can argue with that answer, but cultures differ and so do operations.