bartholomew-guerrerosaade-vb2016 – See Kaspersky Lab paper at this link.
How Hackers Plant False Digital Flags To Hide/Disguise Their Real identities; And, Make Their Hacks Appear To Have Come From Someone/Somewhere Else
With the U.S. Government reportedly leaning towards initiating some kind of cyber retaliatory action against Russia — for Moscow’s alleged hacking of the Democratic National Committee, and other U.S. political entities — an article on the publication Motherboard, is a reminder of the difficulty of cyber forensic attribution. Lorenz Franceschi-Biccherai has an article on the Motherboard website, dated October 12, 2016, about how digital cyber thieves, sleuths, privacy advocate and others, use false digital flags to disguise and/or, hide their true identities. He begins by noting that “during the first half of 2015, a mysterious hacking group allegedly started attacking military and government organizations in Peru, in what looked like a routine — even run-of-the-mill — espionage campaign.”
“The group used an old exploit and “clunky” malware, nothing particularly notable,” he wrote. “What was unusual,about this operation was that the malware was signed with a stolen digital certificate, that had already been used by the hackers responsible for disrupting an Iranian nuclear power plant with the Stuxnet cyber worm,” according to the Moscow-based Kaspersky Lab.
“All this made very little sense,” Lorenz Franceschi-Biccherai notes.
“The use of a stolen [digital] certificate made it look like the hacking group was the same as [those who conducted] the Stuxnet attack, or was it just a trick?,’ a ruse to throw digital detectives off their trail? Cyber, forensic attribution can be very, very difficult, especially if those who carried out the hack are network savvy. A clever digital thief, hacker, nation-state, etc.. can lead those who are attempting to uncover their real identity down a digital rabbit hole that never ends.
Kaspersky Labs published a paper last week, “Wave Your False Flags! Deception Tactics Muddying Attribution In Targeted [Cyber] Attacks,” [see link above] analyzing the Peruvian attack; and, explained that “the digital certificate the hackers used, had already been long revoked, meaning it didn’t make the malware any more stealthy,” Mr. Franceschi-Biccherai wrote. “The hackers, whoever they were, had apparently planted this clue — this “false flag” — to make it look like they were the same group behind the Stuxnet attack. The hackers, whom Kaspersky Lab dubbed, “Tiger Milk,” were trying to fool investigators, and security researchers alike.” The Kaspersky Lab paper is attached below.
“This is a good example of throwing a shinny object in another direction, and being very good at — at least masking where they’re coming from,” said Juan Andres Guerrero-Saade, one of the authors of the Kaspersky Lab report, in a phone interview with Motherboard.
Kaspersky Lab considers the “Tiger Milk case, as one of the most impressive examples of a false [digital] flag hacking operation,” Motherboard noted. And, it should serve as an example to all cyber sleuths and investigators about just how difficult a task it can be to determine who actually was responsible for carrying out the attack, the publication warned.
Clever and savvy hackers, cyber sleuths, malcontents, cyber mafia’s/militia’s, nation-states and off-the-grid types all are using a variety of tools and techniques that leave false digital trails, lead to cyber dead ends, or worse — a cyber wilderness of mirrors leaving the pursuer confused, uncertain, and somewhat paralyzed.
Attribution in the cyber realm is incredibly difficult, if the adversary is sophisticated and clever. You can eventually trace the origin of the cyber attack to a certain server, at certain location; but, that still does not provide you with who actually did the hack — nation-state, individual, group, or someone attempting to bring blame on the government where the server and IP address are hosted — and, the government may not have had anything to do with the original hack. On the other hand, a government could employ someone outside the government to carry out a hack/hacks, in order to provide plausible deniability that they had anything to do with the hack.
Thus, one can understand the metaphor, wilderness of mirrors — when attempting to unmask the true identity of a clever hacker. With a clever/sophisticated adversary — the attribution process can take too much time, resources, expense, and so on. And, while the intelligence agencies may have the necessary means to determine culpability, providing the definitive proof — publicly — could well be impossible, because the disclosure of how the proof was obtained could betray precious intelligence sources and methods that are unique enough that their disclosure would endanger the ability to use these techniques in the future.
Tactical attribution against a clever adversary in the digital universe is practically impossible; and, often too dangerous because of the likelihood that who you think conducted the attack; and, who actually did the attack are not the same. Strategic attribution may be possible, when the entire national security apparatus puts their best cyber talent on the problem. But, even in these cases, definitive attribution could still take days, weeks, or longer — when circumstances demand a quicker answer. Unless and until we have the equivalent of digital nano-dust that tags the offender, cyber forensic attribution will remain a difficult task, and beyond the capabilities of most corporate entities to successfully undertake — if the perpetrator is a clever and sophisticated adversary. . And, even if we are able to come up with something akin to digital nano-dust — one has to assume the adversary will figure out a way to deceive or somehow evade it.
Welcome to the digital wilderness of mirrors. V/R, RCP