Needles and haystacks – the art of threat attribution

Over the past few weeks we have seen a lot of attention paid by the media to the targeted attack campaign reported on by ESET and Norman researchers, with articles appearing not just on security-focused news sites such as DaniWeb, DarkReading, Hacker News, SC Magazine and Virus Bulletin, but also in the general computing trade press at eWeek, InformationWeek, PCWorld,  The Register, Tech2, TechNewsDaily, and TechWeek Europe. However, when articles start appearing in mainstream global news sources such as Forbes, Pakistan Today, The Indian Times, International Business Times, and The Times of India, you realize that it’s major news.

One of the most interesting aspects of this range of coverage is the way in which the story has been treated at each level. The reports by ESET and Norman focused on the mechanics of the attack campaign as well as the functionality and capabilities of the malware created to implement that campaign. However, as one moves from the security press to the trade press to the mainstream media, the focus changes from attack mechanisms to commentary about threat attribution, or identifying the attackers, even though the public commentary  by the researchers analyzing the attack has only been speculative. To quote from Norman’s excellent write-up, Operation Hangover: Unveiling an Indian Cyberattack Infrastructure [PDF, 2768KB]:

None of the information contained in the following report is intended to implicate any individual or entity, or suggest inappropriate activity by any individual or entity mentioned.

This statement seems to have been largely ignored by those reporting on events.

This is not the first time we have seen what some believe to be a nation-state motivated, if not targeted, attack. Stuxnet and its siblings Duqu, Flamer and Gauss are sophisticated pieces of malware, yet positive confirmation of their ownership and origin remains unproven. The same is true for the Medre Worm, which sent documents from Peruvian government contractors’ computers to mailboxes in China, and also the Georbot worm (which the Georgian government identified as being the work of a Russian hacker in the employ of his own government, although the government of Georgia has changed since that claim was made). We have also seen numerous targeted attacks against Tibetan NGOs traced back to Chinese computers.

All of these different cases around the world have one thing in common: We don’t really know who the masterminds behind the attacks were or where they are actually located. All we know is where the trail ended for our researchers. In the case of Stuxnet, et al, trying to trace the origins of the malware came up with dead-end after dead-end. At one point the Georgian CERT (Computer Emergency Response Team) seems have had the best luck in identifying their attacker, but however strong the evidence was against him, the evidence they provided of his ties to nation-state action were still circumstantial.

The fact is, it can take months, if not years, of careful detective work to follow the digital trail of malware back to its point of origin, and plenty of additional research to overlay data about the attackers behind it (identity, location, affiliations, accomplices and so forth). And in many cases that intelligence is never located.

In the case of the current round of targeted attacks, while we do see some careful targeting of victims, that’s not particularly unusual these days. See ESET’s A Pretty Kettle of Phish white paper written by David Harley and Andrew Lee in 2007 for a description of spear phishing. As Jean-Ian Boutin noted in his blog post, the malicious software created by the attackers for this campaign was childishly simple, exploiting vulnerabilities long since patched, lacking any of the mechanisms normally used in malware to prevent analysis, with the exception of using a Caesar cipher to encrypt some of the text strings in the binary files; a technique I learned about in the third grade of elementary school. Likewise, the network of C&C (command and control) servers, drop zones and domain registrations shows a similar lack of security, with data about them generating evidence to link specific organizations to this campaign.

All of this “evidence,” a series of near-continuous poor choices building upon each other from the design of the malware to the building of its exfiltration networks, seem more like the work of skiddies than the work of a competent, if criminal, hacker. In fact, the information gathered about the attackers so far seems so strong and incontrovertible—especially when compared to other targeted attacks—that we cannot help but wonder if it was specifically planted in plain sight in order to divert attention or otherwise mask the identity of the true attacker.

The one remaining puzzle is how this targeted campaign was successful for so long. While bits and pieces of it have now been detected for several years, the campaign as a whole went unexamined until last year: One does not expect amateurish malware to be hallmark of a targeted attack, let alone one that is nation-state sanctioned. The defenders must also take some of the blame, for failing to follow basic information security guidelines such as keeping systems up-to-date, examining logs and network traffic for suspicious behavior, using security software and so forth. While none of these measures guarantee protection against a determined adversary, practicing them does allow an organization to greatly reduce the attack surface of its computers.

Aryeh Goretsky, MVP, ZCSE
Distinguished Researcher

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s