The growing market for commercial malware, the intermingling of state-sponsored agencies' code, and the blurring of the line between political and economic attacks are making it harder for researchers to connect attacks with specific groups.
That is according to researchers with FireEye, who say that as both government hacking groups and malware marketplaces have become more successful, commercial tools are being adopted more widely and centralized intelligence agencies are letting the groups they oversee share tools and operations.
Traditionally, researchers have identified APT groups by looking across multiple attacks for 'artifacts' such as re-used code or references to the same command-and-control domains.
“The adversary often gives us evidence, when they send a piece of malware they are handing you a piece of forensic evidence to track them,” explained FireEye’s John Holtquist.
“We would find indications or unique artifacts that we could connect, because we knew no one else could have access to this information or infrastructure.”
As groups become more sophisticated, however, they also learn to cover their tracks. Likewise, with underground malware markets more prevalent, developers can write and sell a piece of malware to various groups.
This is particularly the case with Russia, where crafting malware is a cottage industry and hackers who get caught face the choice of prison or cooperation with the government. The result is government hacking groups getting their pick of commercial malware to borrow or repurpose.
“The security services have the requirement to do this [hacking] work and do all the law enforcement as well,” noted Holtquist. “We have seen them pull from the criminal space again and again.”
Global events can also muddy the waters. One such example is China, where researchers Benjamin Read and Cris Kittner found that the 2016 reorganization of the People's Liberation Army caused a hiatus, followed by a relaunch, of China's state-backed political and economic hacking campaigns.
Likewise, Chinese hacking groups thought to have disbanded years ago have suddenly reappeared, and with them attacks that had long lain dormant. In the case of one 2018 intrusion at an unspecified US shipping company, the network intruders sat quietly for more than a year and a half.
“They set up a backdoor, and all you see for the next 18 months is someone checking the back door a couple times a month, then suddenly they moved in and got data,” said Read. “It is not just that we see these gaps, but we see on-network activity pausing too.”
To make matters worse, financial hacking groups are also becoming more sophisticated and harder to distinguish from state actors. Researchers Kimberly Goody and Nart Villaneuve said that financial attacks, such as heists against the SWIFT interbank messaging system or ATM 'jackpotting' attacks, use the sort of complex, multi-stage operations previously undertaken only by government groups.
“Due to the profitability of these attacks where you can make millions of dollars in one operation,” said Goody, “and due to the growing sophistication of criminals, this is a trend we expect to see continue.”
Mea culpa: some of the blame also falls on us hacks. Goody and Villaneuve note that when attacks occur, articles can conflate the attack with the tool. In this year's attacks on Ticketmaster, Feedify and British Airways, for example, the MageCart card-skimming malware was used each time, likely by different groups with different aims rather than by one party devoted entirely to MageCart.
Rather than trying to link infections to groups, the researchers suggest separating the two, and understanding that these days a piece of malware is not by itself a giveaway of a specific group, but rather a single tool that might have come from elsewhere. ®
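To make the point concrete, here is an added illustration (it is not FireEye's code and does not appear in the original article) of how artifact-overlap attribution behaves once commodity tooling enters the picture. The three intrusions, their artifact values, the evidence weights and the "known commodity" list are all constructed for the example; none of them describe a real incident.

```python
"""Link intrusions by shared forensic artifacts, with and without discounting
artifacts known to be commodity tooling that several groups can buy or copy."""
from itertools import combinations

# Constructed example intrusions (not from the article). Each maps an artifact
# type to the set of values recovered during incident response.
INTRUSIONS = {
    "retailer-A": {
        "code_hash": {"skimmer-aa11"},
        "c2_domain": {"update-cdn.example"},
        "infra_ip": {"203.0.113.10"},
    },
    "airline-B": {
        "code_hash": {"skimmer-aa11"},
        "c2_domain": {"static-js.example"},
        "infra_ip": {"198.51.100.7"},
    },
    "retailer-C": {
        "code_hash": {"skimmer-aa11"},
        "c2_domain": {"update-cdn.example"},
        "infra_ip": {"203.0.113.10"},
    },
}

# Evidence weights (assumed, for illustration): infrastructure an operator
# controls says more about the operator than code, which can be bought or copied.
WEIGHTS = {"code_hash": 1.0, "c2_domain": 3.0, "infra_ip": 2.0}

# Artifacts known to be sold or shared between groups. They point at the tool's
# author or vendor, not at the operator, so they carry no attribution weight.
COMMODITY = {("code_hash", "skimmer-aa11")}


def shared_artifacts(a, b):
    """Return the (type, value) pairs present in both intrusions."""
    return {(t, v) for t in a.keys() & b.keys() for v in a[t] & b[t]}


def link_score(a, b, commodity=frozenset()):
    """Weighted count of shared artifacts, skipping any listed as commodity."""
    return sum(WEIGHTS[t] for t, v in shared_artifacts(a, b)
               if (t, v) not in commodity)


def cluster(intrusions, threshold, commodity=frozenset()):
    """Group intrusions whose pairwise link score reaches the threshold,
    taking the transitive closure with union-find. Returns sorted frozensets."""
    parent = {name: name for name in intrusions}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for x, y in combinations(intrusions, 2):
        if link_score(intrusions[x], intrusions[y], commodity) >= threshold:
            parent[find(x)] = find(y)

    groups = {}
    for name in intrusions:
        groups.setdefault(find(name), set()).add(name)
    return sorted((frozenset(g) for g in groups.values()), key=sorted)


if __name__ == "__main__":
    # Treating the shared skimmer as proof of a common operator lumps all three
    # incidents together; discounting it leaves only the infrastructure match.
    print(cluster(INTRUSIONS, threshold=1.0))
    print(cluster(INTRUSIONS, threshold=1.0, commodity=COMMODITY))
```

With the naive scoring every pair clears the threshold on the strength of the shared skimmer hash alone, so all three incidents land in one cluster; once that hash is marked as commodity, only the two incidents that also share a C2 domain and hosting IP stay linked, which is the separation of tool from operator the researchers are arguing for.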