
Woburn, MA – October 6, 2016 – Targeted attackers are using an increasingly wide range of deception techniques to muddy the waters of attribution, planting 'false flag' timestamps, language strings and malware, among other things, and operating under the cover of non-existent groups, according to a paper presented today at Virus Bulletin by Kaspersky Lab security researchers Brian Bartholomew and Juan-Andres Guerrero-Saade.

The identity of the group behind a targeted cyberattack is the one question everybody wants answered, even though it is difficult, if not impossible, to establish accurately who the perpetrators really are. That is why the two Kaspersky Lab experts researched and published their paper, which reveals how more advanced threat actors use false flag operations to mislead victims and security researchers.

"The attribution of targeted attacks is complicated, unreliable and subjective – and threat actors increasingly try to manipulate the indicators researchers rely on, further muddying the waters," said Brian Bartholomew, senior security researcher, Kaspersky Lab. "We believe that accurate attribution is often almost impossible. Moreover, threat intelligence has deep and measurable value far beyond the question 'who did it'. There is a global need to understand the top predators in the malware ecosystem and to provide robust and actionable intelligence to the organizations that want it – that should be our focus."

The researchers discussed the manipulation of several indicators that analysts rely on to suggest where an attack may originate, including timestamps, language markers, backend connections and toolkits.

Compile timestamps, which record when a malware file was built, are trivially altered. Language markers, which often hint at the authors behind the code, can likewise be manipulated to confuse researchers: malware used by the threat actor Wild Neutron, for example, included language strings in both Romanian and Russian.
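For a sense of how little the compile timestamp proves on its own, the following Python is an added example (it is not code from the paper or from Kaspersky Lab). It parses the 32-bit TimeDateStamp field of the PE/COFF file header, overwrites it in place without touching anything else, and applies the only sanity checks a defender can run against the field alone. The image it operates on is a constructed minimal header skeleton rather than a real sample, and the first-seen time is an assumed value.

```python
import struct
from datetime import datetime, timezone

# Offsets from the PE/COFF specification: e_lfanew lives at 0x3C in the DOS header;
# TimeDateStamp follows the 4-byte "PE\0\0" signature, Machine (2) and NumberOfSections (2).
E_LFANEW_OFFSET = 0x3C
TIMESTAMP_OFFSET_FROM_SIG = 8


def _pe_signature_offset(data: bytes) -> int:
    """Locate the PE signature via e_lfanew; raise on anything that is not a PE image."""
    if len(data) < E_LFANEW_OFFSET + 4 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    return e_lfanew


def read_compile_timestamp(data: bytes) -> int:
    """Return IMAGE_FILE_HEADER.TimeDateStamp: Unix seconds, exactly as the linker (or a later editor) wrote it."""
    off = _pe_signature_offset(data) + TIMESTAMP_OFFSET_FROM_SIG
    (ts,) = struct.unpack_from("<I", data, off)
    return ts


def set_compile_timestamp(data: bytes, ts: int) -> bytes:
    """Return a copy of the image with only TimeDateStamp rewritten.

    No checksum, signature or section data depends on this field in an unsigned binary,
    which is why the value alone says nothing reliable about when the file was built.
    """
    off = _pe_signature_offset(data) + TIMESTAMP_OFFSET_FROM_SIG
    patched = bytearray(data)
    struct.pack_into("<I", patched, off, ts & 0xFFFFFFFF)
    return bytes(patched)


def assess_compile_timestamp(ts: int, observed_at: int) -> list:
    """Flag values that are impossible or conventionally meaningless, given the Unix time
    the file was first observed. A forged but plausible value passes every check here."""
    problems = []
    if ts == 0:
        problems.append("zero: stripped or reproducible build")
    if ts > observed_at:
        problems.append("later than first observation: forged or clock skew")
    if 0 < ts < 631152000:  # 1990-01-01T00:00:00Z
        problems.append("before 1990: predates the PE format in practice")
    return problems


def build_minimal_pe(ts: int, machine: int = 0x8664) -> bytes:
    """Constructed sample: 0x40-byte DOS header + PE signature + 20-byte COFF header, nothing else.
    Enough for header parsing; deliberately not a loadable executable."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, 0x40)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics (EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE)
    coff = struct.pack("<HHIIIHH", machine, 0, ts, 0, 0, 0, 0x0022)
    return bytes(dos) + b"PE\0\0" + coff


def fmt(ts: int) -> str:
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%SZ")


if __name__ == "__main__":
    observed = 1475712000                      # assumed first-seen time: 2016-10-06T00:00:00Z
    original = build_minimal_pe(1473800000)    # assumed linker-written value, September 2016
    print("linker wrote  :", fmt(read_compile_timestamp(original)))
    forged = set_compile_timestamp(original, 1262304000)   # back-dated to 2010-01-01
    print("after patching:", fmt(read_compile_timestamp(forged)))
    for label, image in (("original", original), ("forged", forged)):
        verdict = assess_compile_timestamp(read_compile_timestamp(image), observed)
        print(label, verdict or ["no obvious anomaly"])
```

The back-dated copy passes every check, which is the practical lesson: a compile timestamp is evidence only when it is corroborated by something the attacker did not control, such as first-seen dates from telemetry, build timestamps in a signed debug directory, or timing of the command-and-control infrastructure.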

In addition, backend connections can give a glimpse of the attackers if they fail to adequately anonymize their internet connections when retrieving data from an exfiltration or email server, preparing a staging or phishing server, or checking in on a hacked server. Such 'failures' are sometimes intentional, however: Cloud Atlas tried to confuse researchers by using IP addresses originating in South Korea.

The paper also discusses the alteration of toolkits. Many threat actors prefer to build their own custom backdoors, lateral-movement tools and exploits, and guard them jealously, so the appearance of a specific malware family can help researchers home in on a threat actor. The threat actor Turla took advantage of this assumption when it found itself cornered inside an infected system. Instead of withdrawing its malware, it installed a rare piece of Chinese malware that communicated with infrastructure located in Beijing, entirely unrelated to Turla. While the victim's incident response team chased down the decoy malware, Turla quietly uninstalled its own malware and erased its tracks from the victim's systems.

Furthermore, some threat actors abuse the public desire for a clear link between an attacker and its targets by operating under the cover of an (often non-existent) hacktivist group. This is what the Lazarus group attempted by presenting itself as the 'Guardians of Peace' when attacking Sony Pictures Entertainment in 2014. Threat actors will also attempt to blame another threat actor: this is the approach adopted by the so far unattributed TigerMilk* actor, which signed its backdoors with the same stolen certificate previously used by Stuxnet.

To learn more about how False Flags are used to confuse attribution in targeted attacks, read the blog on Securelist.com.

To learn more about Kaspersky Lab's APT Intelligence reporting service, please visit http://www.kaspersky.com/enterprise-security/apt-intelligence-reporting.

* The report on TigerMilk is available to subscribers of Kaspersky Lab's APT threat intelligence services.

About Kaspersky Lab

Kaspersky Lab is a global cybersecurity company founded in 1997. Kaspersky Lab’s deep threat intelligence and security expertise is constantly transforming into security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky Lab technologies and we help 270,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.

Securelist | Information about Viruses, Hackers and Spam
Follow @Securelist on Twitter

Threatpost | The First Stop for Security News
Follow @Threatpost on Twitter

Media Contact:
Sarah Kitsos
781.503.2615
sarah.kitsos@kaspersky.com

Threat Actors Master ‘False Flags’ Tactics to Deceive Victims and Security Teams

Targeted attackers are using an increasingly wide range of deception techniques to muddy the waters of attribution