Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

10/4/2017
06:36 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Nation-State Attackers Steal, Copy Each Other's Tools

When advanced actors steal and re-use tools and infrastructure from other attack groups, it makes it harder to attribute cybercrime.

New research indicates cybercriminals are making attacker attribution increasingly complex by re-using tools and tactics from other hacker groups.

Researchers on the Kaspersky Lab Global Research and Analysis Team (GReAT) found evidence that sophisticated threat actors are hacking other attack groups to steal victim data, borrow tools and techniques, repurpose exploits, and compromise the same infrastructure.

The result is a major attribution challenge. Reliable threat intelligence is based on identifying patterns and tools associated with a specific threat actor. These signs help security researchers map the targets and behaviors of different attackers. When hackers start hacking one another, using the same tools, and targeting the same victims, the model breaks down.

Kaspersky believes these types of attacks are most likely to be used among nation-state backed groups targeting foreign or less competent actors. IT security researchers should know how to detect and interpret these attacks so they can present their intelligence in context.

The idea behind this research was to better understand the practice of fourth-party collection through signal intelligence (SIGINT), which involves the interception of a foreign intelligence service's computer network exploitation (CNE) activity. Researchers observed attackers' actions and in doing so, found evidence showing they actively steal from one another.

"In less technical terms, fourth-party collection is the practice of spying on a spy spying on someone else," explain GReAT researchers Juan Andrés Guerrero-Saade and Costin Raiu in a post on Kaspersky's SecureList blog.

There are two main approaches to these attacks: passive and active. Passive involves intercepting other groups' data while it's in transit between victims and command-and-control (C&C) servers. It's almost impossible to detect. Active collection, however, leaves footprints.

Active attacks involve breaking into another threat actor's malicious infrastructure. It's dangerous for attackers because it heightens the risk of detection, but it's also beneficial. The success of active collection depends on the target making operational security errors.

During their investigation of specific threat actors, the GReAT team found several pieces of evidence suggesting these active attacks are already happening in the wild. These include:

Backdoors installed in another actors' C&C infrastructure

Researchers found two examples of backdoors in hacked networks, which let attackers persistently infiltrate another group's operations. One of these instances was discovered in 2013 during an investigation of the NetTraveler attacks. Researchers obtained a server and, during their analysis, discovered a backdoor seemingly placed by another actor. It's believed the goal was to maintain prolonged access to the NetTraveler infrastructure or the stolen data.

Another was found in 2014 while investigating a hacked website used by Crouching Yeti, also known as "Energetic Bear," an APT actor active since 2010. Researchers noticed the panel managing the C&C network was modified with a tag pointing to a remote IP in China, which is believed to be a false flag. They think this was also a backdoor belonging to another group.

Sharing compromised websites

In 2016, Kaspersky found a website hacked by DarkHotel also hosted exploit scripts for another attacker. The second, which was codenamed "ScarCruft," primarily targeted Russian, Chinese, and South Korean organizations. The actor relied on watering hole and spearphishing attacks.

Targeting attackers' focus areas

By infiltrating a group with stake in a specific region or industry, attackers can benefit from another group's work and specifically target certain groups of people. It's risky for attackers to share victims in the case one group gets caught; if they do, analysis will reveal who the other threat actors were.

In November 2014, Kaspersky researchers located a server in a Middle East research institution hosted implants for advanced actors Regin, Equation Group, Turla, ItaDuke, Animal Farm, and Careto. The discovery of this server marked the beginning of the eventual discovery of the Equation Group.

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
US Turning Up the Heat on North Korea's Cyber Threat Operations
Jai Vijayan, Contributing Writer,  9/16/2019
NetCAT Vulnerability Is Out of the Bag
Dark Reading Staff 9/12/2019
Preventing PTSD and Burnout for Cybersecurity Professionals
Craig Hinkley, CEO, WhiteHat Security,  9/16/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-15943
PUBLISHED: 2019-09-19
vphysics.dll in Counter-Strike: Global Offensive before 1.37.1.1 allows remote attackers to achieve code execution or denial of service by creating a gaming server and inviting a victim to this server, because a crafted map is mishandled during a memset call.
CVE-2019-16413
PUBLISHED: 2019-09-19
An issue was discovered in the Linux kernel before 5.0.4. The 9p filesystem did not protect i_size_write() properly, which causes an i_size_read() infinite loop and denial of service on SMP systems.
CVE-2019-3738
PUBLISHED: 2019-09-18
RSA BSAFE Crypto-J versions prior to 6.2.5 are vulnerable to an Improper Verification of Cryptographic Signature vulnerability. A malicious remote attacker could potentially exploit this vulnerability to coerce two parties into computing the same predictable shared key.
CVE-2019-3739
PUBLISHED: 2019-09-18
RSA BSAFE Crypto-J versions prior to 6.2.5 are vulnerable to Information Exposure Through Timing Discrepancy vulnerabilities during ECDSA key generation. A malicious remote attacker could potentially exploit those vulnerabilities to recover ECDSA keys.
CVE-2019-3740
PUBLISHED: 2019-09-18
RSA BSAFE Crypto-J versions prior to 6.2.5 are vulnerable to an Information Exposure Through Timing Discrepancy vulnerabilities during DSA key generation. A malicious remote attacker could potentially exploit those vulnerabilities to recover DSA keys.