Government-backed spies and hackers are increasingly using commercially available malware – thanks to a flourishing market of off-the-shelf software nasties – making it harder for researchers to identify who exactly is behind a cyber-attack.
Traditionally, infosec bods have sought to pinpoint and unmask hacking crews by studying the malicious code they use, or domain names and IP addresses for the backend control servers, and so on. However, when groups within intelligence agencies use common and widely available toolkits, or launch attacks from each others' networks, it's hard to figure out who exactly is behind an intrusion, according to FireEye eggheads. It could be a nation state operation, it could be some criminals in a basement, or it could be a bored teenager, all using the same toolsets. As always, attribution is difficult.
"The adversary often gives us evidence, when they send a piece of malware they are handing you a piece of forensic evidence to track them," explained FireEye's John Holtquist. "We would find indications or unique artifacts that we could connect because we knew no one else could have access to this information of infrastructure."
As underground malware markets become more prevalent, developers can write and sell software nasties to various groups. This is particularly the case with Russia, where crafting malware is a cottage industry and hackers that get caught face the choice of prison or cooperating with the government. The result is government hacking groups getting their pick of commercial malware to borrow or repurpose, muddying the waters in terms of identification. Anyone can buy and use these programs.
"The security services have the requirement to do this [hacking] work and do all the law enforcement as well," noted Holtquist. "We have seen them pull from the criminal space again and again."
Global events can also obscure sources of cyber-assaults. One such example is China, where researchers Benjamin Read and Cris Kittner found that the 2016 reorganization of the People's Liberation Army caused a hiatus, then re-launching, of China's state-backed political and economic hacking campaigns.
Likewise, the Chinese hacking groups that were thought to have disbanded years ago have suddenly reappeared, and with them attacks that were long dormant. In the case of one 2018 attack on an unspecified US shipping company, network intruders sat quietly for more than a year and a half.
Trump's axing of cyber czar role has left gaping holes in US defenceREAD MORE
"They set up a backdoor, and all you see for the next 18 months is someone checking the back door a couple times a month, then suddenly they moved in and got data," said Read. "It is not just that we see these gaps, but we see on-network activity pausing too."
To make matters worse, financial hacking groups are also becoming more sophisticated and difficult to distinguish. Researchers Kimberly Goody and Nart Villaneuve said that financial attacks, like heists on the SWIFT transaction system or ATM 'jackpotting' attacks, use the sort of complex operations previously only undertaken by government groups.
"Due to the profitability of these attacks where you can make millions of dollars in one operation," said Goody, "and due to the growing sophistication of criminals, this is a trend we expect to see continue."
Mea culpa: Some of the blame also falls on us hacks. Goody and Villaneuve note that when attacks occur, articles can also confuse the attacks from the tools. In the case of the this year's attacks on Ticketmaster, Feedify, and British Airways, for example, the MageCart malware was used each time, likely by different groups with different aims rather than one party devoted entirely to MageCart.
Rather than look to link infections with groups, the researchers suggest people separate the two, and understand that these days a piece of malware itself isn't a giveaway of a specific group, but rather a single tool that might have come from elsewhere. ®