Spy vs spy vs hacker vs... who is THAT? Everyone's hacking each other

And it's making threat intel much, much harder, say researchers


VB2017 Intel agencies and top-tier hackers are actively hacking other hackers in order to steal victim data, borrow tools and techniques, and reuse each other's infrastructure, attendees at Virus Bulletin Con, Madrid, were told yesterday.

The increasing amount of spy-vs-spy type activity is making accurate threat intel increasingly difficult for security researchers, according to Kaspersky Lab.

Threat intelligence depends on spotting patterns and tools that point towards a particular threat actor. Related work allows researchers to infer a hacking group's targets and objectives before advising clients about the risk they face. This process falls down now that threat actors are hacking each other and taking over tools, infrastructure and even victims.

A presentation, headlined Walking in your enemy's shadow: when fourth-party collection becomes attribution hell, explored these challenges.

Juan Andres Guerrero-Saade and Costin Raiu, both from Kaspersky Lab, explained the attribution problems that can arise when one hacking group exploits another's seemingly closed-source toolkit or infrastructure. Quizzed on this point by El Reg, the pair said to date there was no example of an intel agency backdating another foreign hacking group's malware.

Cyber-expionage groups are busy instead stealing each other's tools, repurposing exploits, and compromising the same infrastructure, they said. Reuse of fragments of other's tools is more common than wholesale theft and repurposing of third-party APTs.

What are they up to?

There are two main attack vectors. First, passive attacks that involve intercepting other groups' data in transit, for example as it moves between victims and command and control servers. The second (active) approach involves hacking into another threat actor's malicious infrastructure, an approach much more likely to risk detection but which also brings potential rewards.

An active attack would allow a hacker to extract information on a regular basis, monitor its target and its target's victims or even insert its own implants or mount attacks while throwing the finger of blame towards the initial attacker. The success of active attacks depends largely on the target (e.g. another intel agency) making operational security mistakes.

Kaspersky researchers have come across two examples of backdoors installed in another hacking group's command-and-control infrastructure.

One of these was found in 2013, while analysing a server used by NetTraveler, a Chinese-language campaign targeting activists and organisations in Asia. The second one was found in 2014, while probing a hacked website used by Crouching Yeti, a Russian-language hacking crew.

Last year a website put together by the Korean-language DarkHotel also hosted exploit scripts for another targeted attacker, which the team called ScarCruft, a group targeting mainly Russian, Chinese and South Korean-organisations, it said.

In November 2014, Kaspersky Lab reported that a server belonging to a research institution in the Middle East, known as the Magnet of Threats, simultaneously hosted implants for Regin and Equation Group (English-language), Turla and ItaDuke (Russian-language), as well as Animal Farm (French-language) and Careto (Spanish). This server was the starting point for the discovery of the Equation Group, linked by the leaks of former NSA sysadmin Edward Snowden to an elite NSA hacking crew. ®


Other stories you might like

  • HPE unveils Arm-based ProLiant server for cloud-native workloads
    Looks like it went with Ampere – which means a certain Reg writer lost a bet

    Arm has a champion in the shape of HPE, which has added a server powered by the British chip designer's CPU cores to its ProLiant portfolio, aimed at cloud-native workloads for service providers and enterprise customers alike.

    Announced at the IT titan's Discover 2022 conference in Las Vegas, the HPE ProLiant RL300 Gen11 server is the first in a series of such systems powered by Ampere's Altra and Altra Max processors, which feature up to 80 and 128 Arm-designed Neoverse cores, respectively.

    The system is set to be available during Q3 2022, so sometime in the next three months, and is basically an enterprise-grade ProLiant server – but with an Arm CPU at its core instead of the more usual Intel Xeon or AMD Epyc X86 chips.

    Continue reading
  • US weather forecasters power up latest supercomputers to keep you out of the rain
    NOAA makes it rain for HPE, AMD

    Predicting the weather is a notoriously tricky enterprise, but that’s never held back America's National Oceanic and Atmospheric Administration (NOAA). After more than two years of development, the agency brought a pair of supercomputers online this week that it says will enable more accurate forecast models.

    Developed and maintained by General Dynamics Information Technology (GDIT) under an eight-year contract, the Cactus and Dogwood supers — named after the fauna native to the machines' homes in Phoenix, Arizona, and Manassas, Virginia, respectively — will support larger, higher-resolution models than previously possible. The cost to build, house, and support and operate these machines, now operational, will cost $150 million over the next five years, we understand.

    “People are looking for the best possible weather forecast information that they can get,” Brian Gross, director of the Environmental Modeling Center for the National Weather Service, told The Register.

    Continue reading
  • Google said to be taking steps to keep political campaign emails out of Gmail spam bin
    Just after Big Tech comes under fire for left and right-leaning message filters

    Google has reportedly asked the US Federal Election Commission for its blessing to exempt political campaign solicitations from spam filtering.

    The elections watchdog declined to confirm receiving the supposed Google filing, obtained by Axios, though a spokesperson said the FEC can be expected to publish an advisory opinion upon review if Google made such a submission.

    Google did not immediately respond to a request for comment. If the web giant's alleged plan gets approved, political campaign emails that aren't deemed malicious or illegal will arrive in Gmail users' inboxes with a notice asking recipients to approve continued delivery.

    Continue reading
  • China is trolling rare-earth miners online and the Pentagon isn't happy
    Beijing-linked Dragonbridge flames biz building Texas plant for Uncle Sam

    The US Department of Defense said it's investigating Chinese disinformation campaigns against rare earth mining and processing companies — including one targeting Lynas Rare Earths, which has a $30 million contract with the Pentagon to build a plant in Texas.

    Earlier today, Mandiant published research that analyzed a Beijing-linked influence operation, dubbed Dragonbridge, that used thousands of fake accounts across dozens of social media platforms, including Facebook, TikTok and Twitter, to spread misinformation about rare earth companies seeking to expand production in the US to the detriment of China, which wants to maintain its global dominance in that industry. 

    "The Department of Defense is aware of the recent disinformation campaign, first reported by Mandiant, against Lynas Rare Earth Ltd., a rare earth element firm seeking to establish production capacity in the United States and partner nations, as well as other rare earth mining companies," according to a statement by Uncle Sam. "The department has engaged the relevant interagency stakeholders and partner nations to assist in reviewing the matter.

    Continue reading
  • California's attempt to protect kids online could end adults' internet anonymity
    Websites may be forced to verify ages of visitors unless changes made

    California lawmakers met in Sacramento today to discuss, among other things, proposed legislation to protect children online. The bill, AB2273, known as The California Age-Appropriate Design Code Act, would require websites to verify the ages of visitors.

    Critics of the legislation contend this requirement threatens the privacy of adults and the ability to use the internet anonymously, in California and likely elsewhere, because of the role the Golden State's tech companies play on the internet.

    "First, the bill pretextually claims to protect children, but it will change the Internet for everyone," said Eric Goldman, Santa Clara University School of Law professor, in a blog post. "In order to determine who is a child, websites and apps will have to authenticate the age of ALL consumers before they can use the service. No one wants this."

    Continue reading
  • Is computer vision the cure for school shootings? Likely not
    Gun-detecting AI outfits want to help while root causes need tackling

    Comment More than 250 mass shootings have occurred in the US so far this year, and AI advocates think they have the solution. Not gun control, but better tech, unsurprisingly.

    Machine-learning biz Kogniz announced on Tuesday it was adding a ready-to-deploy gun detection model to its computer-vision platform. The system, we're told, can detect guns seen by security cameras and send notifications to those at risk, notifying police, locking down buildings, and performing other security tasks. 

    In addition to spotting firearms, Kogniz uses its other computer-vision modules to notice unusual behavior, such as children sprinting down hallways or someone climbing in through a window, which could indicate an active shooter.

    Continue reading

Biting the hand that feeds IT © 1998–2022