In-brief: The folks at Trend Labs take apart the recent EyePyramid malware attacks on high-profile targets in Italy to talk about the risk of doing cyber attribution badly, and whether it's even worthwhile.
The folks over at Trend Labs have an interesting blog post that looks at the difficulty of doing cyber attribution through the lens of the recent EyePyramid malware attacks that targeted high-profile persons in the U.S., Japan and Europe. The incident, which was believed to be the work of sophisticated nation-state hackers, was eventually tracked down to a 40-something brother and sister pair. The operation, which had all the hallmarks of state-sponsored espionage, was anything but, Trend notes:
If there’s anything EyePyramid can valuably teach us, it’s that playing whodunit is hard. Attribution is one of the most complicated aspects in cybersecurity. It’s partly because of the Internet’s underlying architecture and the many ways perpetrators can cover their tracks.
While we can attribute cyberattacks to certain threat actors, most threat researchers and information security professionals are cautious and often avoid attributing them to a specific person, group, or country. Doing so is fraught with slippery slopes. For instance, artifacts found in malicious code are a common sample of forensic evidence available to the security community. Unfortunately, malicious code cannot give clues to its authors, as they can be commercially available underground. They also cannot give away its operators, as there are many anonymizing and spoofing toolkits and techniques at their disposal. Even victims, objectives, or the operation they were employed for are difficult to determine.
Even if we attribute incidents based on the nature of stolen information, these have political, economic, and sociological influences. As much as possible, we attribute certain threat actors based on what is technically provable, such as texts from source codes, usernames, domain registration, and other information recycled across various sites.
The warning echoes points made by Kaspersky Lab’s research group as well, which noted that the attackers were successful in spear phishing high-profile individuals, but that “in general, the operation had very poor OPSEC (operational security); the suspects used IP addresses associated with their company in the attacks, discussed the victims using regular phone calls and through WhatsApp and, when caught, attempted to delete all the evidence…This indicates they weren’t experts in the field but merely amateurs, who nevertheless succeeded in stealing considerably large amounts of data from their victims.”
The moral? “If there’s anything EyePyramid can valuably teach us, it’s that playing whodunit is hard,” Trend notes. Attribution is one of the most complicated aspects in cybersecurity. It’s partly because of the Internet’s underlying architecture and the many ways perpetrators can cover their tracks.
Indeed, the tools used by sophisticated state actors and amateurs often mirror each other. The differences in attacks boil down to factors such as preparation for the action, interest in a specific set of data and long term residence on target networks (versus indiscriminate ‘smash and grab’ operations) and an ability to remove the telltale signs of a compromise and frustrate forensic work.
In the end, ‘whodunit?’ isn’t even the most important or useful question to ask. It is more vital for companies to focus on what any attacker might be interested in, and then to direct resources to protecting that, Trend argues.
When you hear about high-profile attacks, put yourself in the victim’s shoes. What’s more important for my organization? Can my company manage an attack like that? For enterprises and many information security professionals, it’s more critical to know what has to be defended, and the kinds of attacks that can be used against it. Among them: how the intruders got in, what they did to the systems and their data, if they’re still in the network.