With every APT report there comes the gnawing question of whodunit. Just this week, a Reuters report linked a spree of ransomware attacks against U.S. companies to state-sponsored hacker groups in China.
Most reports, however, offer no tangible evidence other than technological footprints that can easily be faked, or are intentionally deceptive.
On Wednesday at CanSecWest 2016 in Vancouver, Kaspersky Lab researchers Brian Bartholomew and Juan Andres Guerrero-Saade identified a growing trend among APT gangs of flying false flags to throw cybercrime investigators and malware researchers off the scent.
“People use a lot of things for attribution: timestamps or language strings, for example,”Guerrero-Saade said. “What we want to say is that there are ways to manipulate and mess with all these things. That’s one of the key reasons not to get hung up on attribution because advanced attackers have begun to manipulate these things on purpose.”
Many APT campaigns have been linked to China, Russia, North Korea, the U.S., and Middle Eastern interests, with targets as varied as the tactics and malware used by the respective groups. Most of the attribution comes from clues in the code. Things such as consistent compile times, for example, could indicate a routine workday for a part of the world. But there’s nothing stopping an attacker from intentionally setting their clocks to the wrong time, or including numerous language strings in their malware code, all as a means of frustrating analysis.
The CloudAtlas APT group, for example, emerged in late 2014 and used the same spear phishing lure as did the Red October group discovered by Kaspersky Lab a year earlier. It relied on some of the same exploits and even hit some of the same targets as Red October.
“A lot of things they did caused researchers to scratch their heads,” Bartholomew said, pointing out that the group sent Spanish-language documents to Russian targets, Arabic strings were found in their malware targeting BlackBerry mobile devices and Hindi strings in their Android malware. “Their command and control infrastructure used routers in South Korea, and they were deploying Chinese malware at some point.”
Other groups such as the Lazarus Group, which has been linked to the Sony attacks and other intrusions using destructive wiper malware, have also tried to falsely connect themselves with other hacktivist groups in order to move analysts in the wrong direction.
“The reasoning is plausible deniability,” Bartholomew said, pointing to, among others, the Sofacy APT group, which has been linked to attacks against NATO allies, Ukraine and other Eastern European nations, each with its own signature and attributes. “All of this helps these groups buy some time to cover their tracks.”
While attribution makes for sexy headlines, it has much more value to governments and military investigators than necessarily to an enterprise, which may be much more interested in getting attackers off their networks and retrieving lost data or intellectual property.
“The government needs the most fidelity if it’s doing attribution,”Guerrero-Saade said. “If it’s pursuing sanctions or indictments, it needs to go as deep as possible.
“In the private sector, a lot try to do that, but the reality is that level of attribution is not needed. It’s sexy to talk about, but the reality is they need country-level attribution, especially in countries where they do business. Focus on countries and motivations.”
The government, also, has better visibility and resources into attacks than most of the private sector, but is usually reticent to share intelligence. That leaves a sizable number of APT reports from vendors, academics and research organizations that too often rely on things such as timestamps, infrastructure, malware families and passwords to concoct attribution—all of which can be faked or tweaked, Bartholomew said.
“If you’re off track, you could have wasted weeks researching nothing. You lose all that time,” Bartholomew said of the chase for attribution. “You end up going down rabbit holes that have no bottom.”