CANCUN – Sophistication, resourcefulness and ingenuity are characteristics usually associated with state-sponsored espionage hacker groups. But they’re certainly not infallible.
Like most detective work, security analysts generally are able to toss back the covers on APT campaigns and major financial hacks because the bad guy makes a bad mistake – or two. Or three.
Today during a talk at the Security Analyst Summit, Kris McConkey of PricewaterhouseCoopers explained how researchers and analysts are able to exploit hackers’ operational failures to learn who adversaries are, understand how they share code and ultimately shut them down before damage is irreversible.
McConkey’s dive into these opsec shortcomings covered a range of eye-opening gaffes, including the attackers’ insistence on staying true to their online handles and embedding those in malware and commands. Some used personal email addresses to register command and control domains; others shared passwords. The same operational security no-no’s that enterprises have spent years steering users away from plague attackers as well.
One of the most well-documented APT gangs, the Comment Crew (aka APT1), was tied to the 2nd bureau of the PLA General Staff Department’s (GSD) 3rd Department, also known as Unit 61398, a group whose work is considered a state secret. The unit is staffed by specialists who are skilled in English linguistics, as well as covert communications, network security, operating system internals and digital signing processes. Recruits primarily are plucked from a pair of universities, the Harbin Institute of Technology and Zhejiang University School of Computer Science and Technology.
Researchers at Mandiant were able to identify the location of its operational headquarters, malware resources and the victims it was targeting.
“They took terabytes of data, but they were incredibly sloppy in some areas,” McConkey said.
One major pitfall was the use of victims’ infrastructure to access their personal social media platforms, he said.
“This was a big giveaway, and it’s likely a result of their government policy,” he said. “Their restricted Internet made access to the unfettered Internet even more tempting.”
APT1 operators, one in particular called UglyGorilla, were married to their handles.
“It was difficult for them to move away from that in their day job,” McConkey said. “UglyGorilla had that moniker stamped all over malware, injection commands in websites, all sorts of things. It’s difficult to leave that stuff behind. Old habits really do die hard.”
It’s this human frailty that kicks open the door to exposing these attack groups and helps defenders learn exactly what systems and vulnerabilities they’re targeting, and how.
That doesn’t mean, however, that some APT groups don’t learn from their mistakes. McConkey said the PutterPanda gang, exposed by a 2014 CrowdStrike report, used personal email addresses to register early command and control domains, and one handle in particular, cpyy, was used throughout the campaign. Researchers were eventually able to link that handle to a Picasa account that was loaded with photos of the hacker behind the handle, photos of the Unit 61 office and other data pertinent to the investigation.
“They were learning from their mistakes,” McConkey said, adding that by 2014 whois registration information had been cleaned up, as well as other public giveaways.
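An added example, not from McConkey’s talk or this article, of the analyst-side pivot the talk describes: a small Python script that clusters command and control domains by a shared whois registrant email and by a handle string embedded in the malware samples that beacon to them. Every domain, email address, handle and sample name below is constructed; the privacy-service placeholder stands in for the cleaned-up registrations that stop yielding links.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample data (not real indicators): registrant email per C2
# domain, with one registration already "cleaned up" behind a privacy service.
WHOIS = {
    "c2-alpha.example": "ops.person@mail.example",
    "c2-beta.example": "ops.person@mail.example",
    "c2-gamma.example": "REDACTED FOR PRIVACY",
    "c2-delta.example": "other.person@mail.example",
}
# Constructed: handle string recovered from each sample binary and the
# domain the sample beacons to (None = no handle embedded).
SAMPLES = {
    "sample-1": ("c2-alpha.example", "uglygorilla"),
    "sample-2": ("c2-gamma.example", "uglygorilla"),
    "sample-3": ("c2-delta.example", None),
}
# Registrant values that carry no attribution signal.
PRIVACY_MARKERS = {"REDACTED FOR PRIVACY", "", None}


def _find(parent, x):
    # Path-compressing find for a simple union-find keyed by domain name.
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x


def cluster_infrastructure(whois, samples):
    """Group domains that share a registrant email or an embedded handle.
    Returns a sorted list of sorted domain lists, one list per cluster."""
    parent = {domain: domain for domain in whois}
    # Index domains by each pivot value, skipping privacy placeholders.
    by_pivot = defaultdict(set)
    for domain, email in whois.items():
        if email not in PRIVACY_MARKERS:
            by_pivot[("email", email.lower())].add(domain)
    for domain, handle in samples.values():
        if handle and domain in parent:
            by_pivot[("handle", handle.lower())].add(domain)
    # Union every pair of domains that shares a pivot value.
    for domains in by_pivot.values():
        for a, b in combinations(sorted(domains), 2):
            parent[_find(parent, a)] = _find(parent, b)
    clusters = defaultdict(list)
    for domain in parent:
        clusters[_find(parent, domain)].append(domain)
    return sorted(sorted(group) for group in clusters.values())


if __name__ == "__main__":
    for group in cluster_infrastructure(WHOIS, SAMPLES):
        print(group)
```

With the constructed data, alpha and beta link through the shared email and gamma joins them through the handle in its sample, while delta stays separate; remove the handle and put beta behind the privacy service and every domain becomes its own cluster.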