VB2017 Intel agencies and top-tier hackers are actively hacking other hackers in order to steal victim data, borrow tools and techniques, and reuse each other's infrastructure, attendees at Virus Bulletin Con, Madrid, were told yesterday.
The increasing amount of spy-vs-spy type activity is making accurate threat intel increasingly difficult for security researchers, according to Kaspersky Lab.
Threat intelligence depends on spotting patterns and tools that point towards a particular threat actor. Related work allows researchers to infer a hacking group's targets and objectives before advising clients about the risk they face. This process falls down now that threat actors are hacking each other and taking over tools, infrastructure and even victims.
A presentation, headlined Walking in your enemy's shadow: when fourth-party collection becomes attribution hell, explored these challenges.
Juan Andres Guerrero-Saade and Costin Raiu, both from Kaspersky Lab, explained the attribution problems that can arise when one hacking group exploits another's seemingly closed-source toolkit or infrastructure. Quizzed on this point by El Reg, the pair said to date there was no example of an intel agency backdating another foreign hacking group's malware.
Cyber-expionage groups are busy instead stealing each other's tools, repurposing exploits, and compromising the same infrastructure, they said. Reuse of fragments of other's tools is more common than wholesale theft and repurposing of third-party APTs.
What are they up to?
There are two main attack vectors. First, passive attacks that involve intercepting other groups' data in transit, for example as it moves between victims and command and control servers. The second (active) approach involves hacking into another threat actor's malicious infrastructure, an approach much more likely to risk detection but which also brings potential rewards.
An active attack would allow a hacker to extract information on a regular basis, monitor its target and its target's victims or even insert its own implants or mount attacks while throwing the finger of blame towards the initial attacker. The success of active attacks depends largely on the target (e.g. another intel agency) making operational security mistakes.
Kaspersky researchers have come across two examples of backdoors installed in another hacking group's command-and-control infrastructure.
One of these was found in 2013, while analysing a server used by NetTraveler, a Chinese-language campaign targeting activists and organisations in Asia. The second one was found in 2014, while probing a hacked website used by Crouching Yeti, a Russian-language hacking crew.
Last year a website put together by the Korean-language DarkHotel also hosted exploit scripts for another targeted attacker, which the team called ScarCruft, a group targeting mainly Russian, Chinese and South Korean-organisations, it said.
In November 2014, Kaspersky Lab reported that a server belonging to a research institution in the Middle East, known as the Magnet of Threats, simultaneously hosted implants for Regin and Equation Group (English-language), Turla and ItaDuke (Russian-language), as well as Animal Farm (French-language) and Careto (Spanish). This server was the starting point for the discovery of the Equation Group, linked by the leaks of former NSA sysadmin Edward Snowden to an elite NSA hacking crew. ®