Who are you, Mr. Hacker?
Tuesday, April 10, 2018
Judging by everything one reads and hears in the news these days, "Russian hackers" reign supreme. Somehow every attack that gets publicised is easily traced back to Fancy Bear and similar groups.
The hackers who were monitoring the contents of the Democratic National Committee's computers weren't ordinary cybercriminals. They are suspected of mounting a series of high-profile attacks on the USA and other Western countries over the last decade, and security researchers now claim that they are directly connected to Russian intelligence.
According to Marco Rubio, the Florida senator and one of Donald Trump's rivals during the presidential election, staffers “who had access to internal information” relevant to Rubio's White House campaign “were targeted by [internet protocol] addresses” from an unknown location inside Russia in July 2016, shortly after he announced his Senate re-election bid.
Many information security companies, including those offering ISOC services to their customers, have research divisions of their own (at least that's what they claim). In theory, then, they have at least minimal experience in cyber-threat intelligence and attribution. Yet they too remain silent. Why?
Here we won't question the credibility of the phrase "an unknown location inside Russia". Anti-virus Times readers know that an attack can be mounted from a rented server or a compromised computer, and that either can be located in a country other than the attacker's. Furthermore, publicised but unsubstantiated claims are often followed by discreet refutations or by a professional analysis of the actual facts.
The April 2015 attack on the French TV channel TV5Monde was likewise presented as another evil deed of "those horrifying Russian hackers". According to some experts, the attack, which kept the channel off air for two days and cost it $17 million, was also orchestrated by the mysterious hack team APT28, even though a group calling itself the Cyber Caliphate was the first to claim responsibility for it.
So why are Americans so confident that "Russians" are behind the attacks on the Democratic Party's computers and on other federal IT infrastructure? The evidence usually cited:
- The PAS Tool PHP Web Kit web shell was written in Ukraine and is actively promoted on Russian-speaking hacker forums. At the same time, according to Robert Graham of Errata Security, the web shell "is used by hundreds if not thousands of hackers, mostly associated with Russia, but also throughout the rest of the world".
- The malware Xagent is usually associated with Russian hackers. However, any competent specialist can obtain a sample if they want to; ESET, for example, managed to procure and analyse it.
- Many of the IP addresses belong to the Russian broadband provider Yota, which in turn was once owned by a former deputy minister of telecommunications, in other words someone with definite connections to the Russian authorities. Yota tops the list of providers whose IP addresses appear on the DHS list: 44 of the 866 addresses belong to Yota (and another five are used by Rostelecom). On the other hand, if we look at where the addresses are actually hosted rather than at who owns them, most of the "Russian" IP addresses involved in the attacks reside in the USA. And 15% of the addresses are Tor nodes, which anyone can use to stay anonymous.
- The hackers were most active during business hours, Moscow time. The DHS report doesn't mention this, but it appears in CrowdStrike's and Mandiant's investigation accounts. As I have already pointed out, Iraq, which may have a grudge against the US, is in the same time zone, Iran is only half an hour off it, and Turkey, Syria and Libya are within an hour of it and aren't exactly known for their friendly relations with Americans.
- Comments in Russian, the use of sites with a Russian-language UI, and files created with software and operating systems that support Russian. The DHS report doesn't mention this either, but it appears in other investigation accounts. About 300 million people worldwide speak Russian, which puts the language in fifth place among the world's most common languages and in second place among the most used languages on the Internet. About 160 million people, in Russia and abroad, regard it as their mother tongue, so a "Russian Windows" can just as well be used outside Russia. I do understand, though, that Americans tend to call all former USSR citizens Russians, even when they aren't citizens of the Russian Federation.
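Working-hours analysis of the kind the CrowdStrike and Mandiant accounts rely on, as an added example that is not code from this article or from either company: given UTC timestamps of attacker activity, it scores every candidate UTC offset by the share of events that land on a weekday between 09:00 and 18:00 local time, then returns every offset tied for first place. The timestamps are constructed so that all of them fall inside Moscow business hours, and the offsets are the ones assumed to have been in force in July 2016 (fixed offsets, so no time-zone database is needed).

```python
from datetime import datetime, timedelta, timezone

# Assumed UTC offsets in force in July 2016, with summer time folded in.
# Fixed offsets keep the example independent of a time-zone database.
CANDIDATE_OFFSETS = {
    "Europe/Moscow": 3.0,
    "Asia/Baghdad": 3.0,
    "Asia/Riyadh": 3.0,
    "Europe/Istanbul": 3.0,
    "Asia/Tehran": 4.5,
    "Asia/Shanghai": 8.0,
    "America/New_York": -4.0,
}

WORK_START, WORK_END = 9, 18  # local working hours, [09:00, 18:00)


def constructed_activity():
    """Constructed sample: five events per weekday over two weeks, timed at
    06:30-14:30 UTC so that every one falls inside Moscow business hours."""
    events = []
    first_day = datetime(2016, 7, 4, tzinfo=timezone.utc)  # a Monday
    for day_offset in range(14):
        day = first_day + timedelta(days=day_offset)
        if day.weekday() >= 5:  # skip Saturday and Sunday
            continue
        for hour, minute in ((6, 30), (8, 0), (10, 15), (12, 45), (14, 30)):
            events.append(day.replace(hour=hour, minute=minute))
    return events


def working_hours_fraction(events, utc_offset_hours):
    """Share of events that land on a weekday inside working hours at this offset."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    hits = 0
    for event in events:
        local = event.astimezone(tz)
        if local.weekday() < 5 and WORK_START <= local.hour < WORK_END:
            hits += 1
    return hits / len(events)


def rank_offsets(events, candidates=CANDIDATE_OFFSETS):
    """Candidates sorted best fit first; ties are ordered by name only."""
    scores = {name: working_hours_fraction(events, off) for name, off in candidates.items()}
    return sorted(scores.items(), key=lambda item: (-item[1], item[0]))


def indistinguishable_zones(events, candidates=CANDIDATE_OFFSETS):
    """Every candidate tied for the top score: the timestamps cannot separate them."""
    ranked = rank_offsets(events, candidates)
    best = ranked[0][1]
    return [name for name, score in ranked if score == best]


if __name__ == "__main__":
    activity = constructed_activity()
    for name, score in rank_offsets(activity):
        print(f"{name:18s} {score:.2f}")
    print("tied for best fit:", indistinguishable_zones(activity))
```

With the constructed data Moscow, Baghdad, Riyadh and Istanbul all score a perfect 1.0 and Tehran 0.8, so the method excludes New York and Shanghai but says nothing about which UTC+3 capital the operators sat in. The timestamps themselves (PE compile times, file metadata, server logs) are also under the attacker's control, which is a second reason to treat this indicator as weak.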
And even more interesting information appears every now and then:
On March 31, 2017, WikiLeaks published the third batch of secret CIA documents. It contained 676 source code files of the Marble Framework, a tool used to hamper forensic investigation: the CIA used it to obfuscate strings in its code so that the malware could not easily be traced back to its origin.
The Marble Framework incorporates a number of routines with foreign-language text intentionally inserted into their code. The text was meant to put security analysts off track: with its help, the CIA could disguise its attacks so that they would be wrongly attributed to Russians, to hackers from North Korea, and so on.
The leaked source code contains words in the Russian, Chinese, Korean, Arabic, Farsi and English languages. "...for example, by pretending that the spoken language of the malware creator was not American English, but Chinese, but then showing attempts to conceal the use of Chinese, drawing forensic investigators even more strongly to the wrong conclusion," WikiLeaks explains.
And that's only one leak. Other secret services are likely to have similar tools at their disposal, too.
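The language indicator from the list above and the Marble-style decoy described by WikiLeaks, as an added example that is not code from this article, from WikiLeaks or from the leaked framework: a small string scanner pulls UTF-8 and UTF-16LE strings out of a byte blob and counts letters per non-Latin script, which is roughly what an analyst does before writing "Cyrillic strings found" into a report. The scanner also handles the classic false positive in this kind of analysis, ASCII text re-read as UTF-16LE decoding into the CJK block, by dropping UTF-16 candidates that merely re-read bytes of a UTF-8 string. The sample blob, the script ranges and the decoy strings are all constructed for this example; the planted text says nothing about who wrote the file.

```python
import re
import unicodedata
from collections import Counter

# Crude script labels from Unicode block ranges (an assumption adequate for the demo).
SCRIPT_RANGES = (
    ("Cyrillic", 0x0400, 0x04FF),
    ("Arabic", 0x0600, 0x06FF),
    ("Hangul", 0xAC00, 0xD7A3),
    ("CJK", 0x4E00, 0x9FFF),
)

# Runs of four or more printable ASCII bytes or well-formed 2- and 3-byte UTF-8 sequences.
UTF8_RUN = re.compile(rb"(?:[\x20-\x7e]|[\xc2-\xdf][\x80-\xbf]|[\xe0-\xef][\x80-\xbf]{2}){4,}")


def script_of(ch):
    """Script label of one character, or None if it is not a letter."""
    if ord(ch) < 0x80:
        return "Latin" if ch.isalpha() else None
    for name, low, high in SCRIPT_RANGES:
        if low <= ord(ch) <= high:
            return name
    return "Other" if ch.isalpha() else None


def utf8_strings(blob):
    """(start, end, text) for every UTF-8/ASCII run."""
    return [(m.start(), m.end(), m.group().decode("utf-8", "replace"))
            for m in UTF8_RUN.finditer(blob)]


def utf16le_strings(blob, min_len=4):
    """(start, end, text) for printable UTF-16LE runs at both byte alignments.

    A run ends at a non-printable code unit or where the script of its letters
    changes: bytes re-read at the wrong alignment decode to a jumble of scripts,
    so splitting on script change keeps most such junk below min_len.
    """
    found = []
    for align in (0, 1):
        start, run, run_script = None, [], None
        for i in range(align, len(blob) - 1, 2):
            ch = chr(blob[i] | blob[i + 1] << 8)
            printable = ch == " " or unicodedata.category(ch)[0] not in "CZ"
            script = script_of(ch) if printable else None
            if not printable or (script and run_script and script != run_script):
                if len(run) >= min_len:
                    found.append((start, i, "".join(run)))
                run, run_script = [], None
            if printable:
                if not run:
                    start = i
                run.append(ch)
                run_script = run_script or script
        if len(run) >= min_len:
            found.append((start, start + 2 * len(run), "".join(run)))
    return found


def extract_strings(blob):
    """UTF-8 runs, plus UTF-16LE runs that are not merely a re-reading of a UTF-8 run.

    Caveat handled here: ASCII read as UTF-16LE lands in the CJK block
    ("He" -> U+6548), which a naive scanner reports as Chinese text.
    """
    utf8 = utf8_strings(blob)
    strings = [text for _, _, text in utf8]
    for start, end, text in utf16le_strings(blob):
        shared = sum(max(0, min(end, u_end) - max(start, u_start)) for u_start, u_end, _ in utf8)
        if shared * 2 <= end - start:  # keep unless most of its bytes belong to a UTF-8 run
            strings.append(text)
    return strings


def language_artifacts(blob):
    """Letters per non-Latin script across all extracted strings."""
    counts = Counter()
    for text in extract_strings(blob):
        for ch in text:
            script = script_of(ch)
            if script not in (None, "Latin", "Other"):
                counts[script] += 1
    return dict(counts)


# Constructed sample: PE-like header bytes, a few ASCII strings and some non-text bytes.
CLEAN_SAMPLE = (
    b"MZ\x90\x00" + bytes(8)
    + b"Hello, world" + bytes(4)
    + b"GetProcAddress\x00kernel32.dll\x00"
    + b"\xd8\xdc\xdc\xd8" * 4
)


def plant_decoys(blob):
    """Marble-style decoy: append a Russian 'comment' as UTF-8 and a Chinese string
    as UTF-16LE. Adding the bytes is trivial and reveals nothing about the author."""
    return (blob
            + "// проверка ключа".encode("utf-8") + b"\x00\x00"
            + "密码成功".encode("utf-16-le") + b"\x00\x00")


if __name__ == "__main__":
    print("clean:  ", language_artifacts(CLEAN_SAMPLE))
    print("decoyed:", language_artifacts(plant_decoys(CLEAN_SAMPLE)))
```

The clean blob yields only "Hello, world", "GetProcAddress" and "kernel32.dll" and no non-Latin artifacts; after plant_decoys() the same scanner reports 13 Cyrillic and 4 CJK letters. Nothing in that output distinguishes a Russian-speaking author from a decoy added in a minute, which is the point the Marble leak makes.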
The Anti-virus Times recommends
It's difficult to draw any definitive conclusions, since there is not enough information, but we can offer one piece of advice: when drawing conclusions of your own, assess the data sources critically. And make use of the knowledge you acquire by reading the Anti-virus Times.