Whose line of attack is it anyway? Cyber-assault whodunnits harder than ever to solve

Sophisticated groups not always so easy to pick out

Government-backed spies and hackers are increasingly using commercially available malware – thanks to a flourishing market of off-the-shelf software nasties – making it harder for researchers to identify who exactly is behind a cyber-attack.

Traditionally, infosec bods have sought to pinpoint and unmask hacking crews by studying the malicious code they use, the domain names and IP addresses of their backend control servers, and so on. However, when groups within intelligence agencies use common and widely available toolkits, or launch attacks from each other's networks, it's hard to figure out who exactly is behind an intrusion, according to FireEye eggheads. It could be a nation-state operation, it could be some criminals in a basement, or it could be a bored teenager, all using the same toolsets. As always, attribution is difficult.

"The adversary often gives us evidence: when they send a piece of malware, they are handing you a piece of forensic evidence to track them," explained FireEye's John Hultquist. "We would find indications or unique artifacts that we could connect because we knew no one else could have access to this information of infrastructure."

As underground malware markets become more prevalent, developers can write and sell software nasties to various groups. This is particularly the case in Russia, where crafting malware is a cottage industry and hackers who get caught face the choice of prison or cooperating with the government. The result is government hacking groups getting their pick of commercial malware to borrow or repurpose, muddying the waters in terms of identification. Anyone can buy and use these programs.

"The security services have the requirement to do this [hacking] work and do all the law enforcement as well," noted Hultquist. "We have seen them pull from the criminal space again and again."

Global events can also obscure the sources of cyber-assaults. One such example is China, where researchers Benjamin Read and Cris Kittner found that the 2016 reorganization of the People's Liberation Army caused a hiatus in, and then a relaunch of, China's state-backed political and economic hacking campaigns.

China crisis

Likewise, the Chinese hacking groups that were thought to have disbanded years ago have suddenly reappeared, and with them attacks that were long dormant. In the case of one 2018 attack on an unspecified US shipping company, network intruders sat quietly for more than a year and a half.

"They set up a backdoor, and all you see for the next 18 months is someone checking the back door a couple times a month, then suddenly they moved in and got data," said Read. "It is not just that we see these gaps, but we see on-network activity pausing too."

To make matters worse, financially motivated hacking groups are also becoming more sophisticated and harder to distinguish from state actors. Researchers Kimberly Goody and Nart Villeneuve said that financial attacks, such as heists on the SWIFT transaction system or ATM 'jackpotting' attacks, now involve the sort of complex operations previously undertaken only by government groups.

"Due to the profitability of these attacks where you can make millions of dollars in one operation," said Goody, "and due to the growing sophistication of criminals, this is a trend we expect to see continue."

Mea culpa: Some of the blame also falls on us hacks. Goody and Villeneuve note that when attacks occur, articles can conflate the attacks with the tools. In the case of this year's attacks on Ticketmaster, Feedify, and British Airways, for example, the MageCart malware was used each time, likely by different groups with different aims rather than by one party devoted entirely to MageCart.

Rather than looking to link infections with groups, the researchers suggest people separate the two, and understand that these days a piece of malware by itself isn't a giveaway of a specific group, but rather a single tool that might have come from elsewhere. ®
