Whose line of attack is it anyway? Cyber-assault whodunnits harder than ever to solve

Sophisticated groups not always so easy to pick out


Government-backed spies and hackers are increasingly using commercially available malware – thanks to a flourishing market of off-the-shelf software nasties – making it harder for researchers to identify who exactly is behind a cyber-attack.

Traditionally, infosec bods have sought to pinpoint and unmask hacking crews by studying the malicious code they use, the domain names and IP addresses of their backend control servers, and so on. However, when groups within intelligence agencies use common and widely available toolkits, or launch attacks from each other's networks, it's hard to figure out who exactly is behind an intrusion, according to FireEye eggheads. It could be a nation-state operation, it could be some criminals in a basement, or it could be a bored teenager, all using the same toolsets. As always, attribution is difficult.

"The adversary often gives us evidence, when they send a piece of malware they are handing you a piece of forensic evidence to track them," explained FireEye's John Hultquist. "We would find indications or unique artifacts that we could connect because we knew no one else could have access to this information of infrastructure."

As underground malware markets become more prevalent, developers can write and sell software nasties to various groups. This is particularly the case in Russia, where crafting malware is a cottage industry and hackers who get caught face the choice of prison or cooperating with the government. The result is government hacking groups getting their pick of commercial malware to borrow or repurpose, muddying the waters in terms of identification. Anyone can buy and use these programs.

"The security services have the requirement to do this [hacking] work and do all the law enforcement as well," noted Hultquist. "We have seen them pull from the criminal space again and again."

Global events can also obscure the sources of cyber-assaults. One such example is China, where researchers Benjamin Read and Cris Kittner found that the 2016 reorganization of the People's Liberation Army caused a pause in, and then a relaunch of, China's state-backed political and economic hacking campaigns.

China crisis

Likewise, the Chinese hacking groups that were thought to have disbanded years ago have suddenly reappeared, and with them attacks that were long dormant. In the case of one 2018 attack on an unspecified US shipping company, network intruders sat quietly for more than a year and a half.

"They set up a backdoor, and all you see for the next 18 months is someone checking the back door a couple times a month, then suddenly they moved in and got data," said Read. "It is not just that we see these gaps, but we see on-network activity pausing too."

To make matters worse, financially motivated hacking groups are also becoming more sophisticated and harder to distinguish. Researchers Kimberly Goody and Nart Villeneuve said that financial attacks, like heists on the SWIFT transaction system or ATM 'jackpotting' attacks, use the sort of complex operations previously only undertaken by government groups.

"Due to the profitability of these attacks where you can make millions of dollars in one operation," said Goody, "and due to the growing sophistication of criminals, this is a trend we expect to see continue."

Mea culpa: Some of the blame also falls on us hacks. Goody and Villeneuve note that when attacks occur, news articles can conflate the attacks with the tools. In the case of this year's attacks on Ticketmaster, Feedify, and British Airways, for example, MageCart malware was used each time, likely by different groups with different aims rather than one party devoted entirely to MageCart.

Rather than look to link infections with groups, the researchers suggest people separate the two, and understand that these days a piece of malware itself isn't a giveaway of a specific group, but rather a single tool that might have come from elsewhere. ®
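One way to put that advice into practice is to weight each piece of evidence by how many distinct groups have been seen using it, so that a commodity tool contributes little to attribution while infrastructure or tradecraft unique to one crew contributes fully. The sightings, group names and indicator values below are constructed placeholders for illustration; this is an added example, not FireEye's method or tooling.

```python
from collections import defaultdict

# Constructed threat-intel "sightings": (indicator type, indicator value, group
# previously seen using it). All values are illustrative placeholders, not real IoCs.
SIGHTINGS = [
    ("malware", "commodity-rat-family-A", "GROUP-1"),
    ("malware", "commodity-rat-family-A", "GROUP-2"),
    ("malware", "commodity-rat-family-A", "CRIMEWARE-X"),
    ("infrastructure", "c2-host-placeholder-1", "GROUP-2"),
    ("infrastructure", "c2-host-placeholder-2", "GROUP-1"),
    ("ttp", "dormant-backdoor-checked-monthly", "GROUP-2"),
]


def indicator_groups(sightings):
    """Map each (type, value) indicator to the set of groups seen using it."""
    groups = defaultdict(set)
    for itype, value, group in sightings:
        groups[(itype, value)].add(group)
    return groups


def score_candidates(sightings, incident):
    """Score candidate groups for an incident (a list of observed indicators).

    Each matching indicator contributes 1/(number of groups that have used it):
    a tool shared by three crews adds 1/3 to each, an indicator unique to one
    crew adds a full point. Indicators never seen before contribute nothing.
    """
    groups = indicator_groups(sightings)
    scores = defaultdict(float)
    for key in incident:
        users = groups.get(key, set())
        for group in users:
            scores[group] += 1.0 / len(users)
    return dict(scores)


def is_ambiguous(scores, margin=0.5):
    """True when the top two candidates are within `margin` of each other,
    i.e. the evidence does not single out one group."""
    ranked = sorted(scores.values(), reverse=True)
    if len(ranked) < 2:
        return not ranked
    return (ranked[0] - ranked[1]) < margin
```

With only the shared malware family observed, all three groups tie and the incident stays ambiguous; adding a control server seen only with one group breaks the tie.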
