Were they actually "caught", or was it simply determined that the level of sophistication was something that could only have come from state-sponsored malware (a claim I find dubious at best, but whatever)?
This was ultra sophisticated, they used several layers of multi-encrypted malware to tunnel out and create reverse control channels. Not to mention used a 0day IE bug to install the malware in various targeted companies. This was gov sponsored...
Hah, this reminds me of a security researcher a few years ago that was reporting malware that he couldn't research without infecting his other machines. I'm fuzzy on the details, but everyone wrote him off as a paranoid delusional and the incident was quickly swept under the rug. Makes me wonder if he found some sophisticated state sponsored stuff and got smeared to hush it up.
I mean realistically, we'd be naive to not expect that state-sponsored hackers have rooted machines somewhere in the supply chain (hardware, firmware and of course software). Is everyone being monitored all the time? No, but I'd stay away from electronics if I expected an intelligence agency was interested in me.
On a semi-related note, what's with all the articles claiming the attack represents an extreme level of sophistication?
It sounds like the execution was skilled, but I haven't heard anything yet that seems technically novel or extraordinary.
Maybe I haven't read the right articles, but it sounds like SolarWinds got pwned, and all these big targets loaded the malware onto their own networks...
Again, skillful execution, but it's not like they cracked an encryption algorithm or even did known-but-still-awesome exploits like Rowhammer/Spectre
As a lazy person and Devil's advocate, why does anyone not think that the various intelligence agencies copied the malware? Surely they would have access to some of the best in all their various honeypots, given that they are attacked by everyone and everything.
"Good artists copy, great artists steal."-PP
I think it's also possible that some of those safeguard provisions were left out of the software so that in case the malware was detected, it could have been attributed to standard hacker groups as opposed to German government organizations who play within a specific set of rules and regulations. Obviously, this plan failed and it has been identified as government-sponsored malware.
From the contents of the "attachment A" it seems like the FBI (or whatever other US agency) "sat" on the code they indirectly purchased for 2-3 years (the UPAS) and for several months (the KRONOS), observing the behaviour of Hutchins and "Vinny" and collecting evidence against them.
Shouldn't they have somehow acted to prevent the spreading of the malware?
Attribution is one. In your own words leaked techniques are so primitive they simply can't be the stuff CIA is using, ergo _you_ personally wouldn't attribute this primitive piece of malware DLL injecting itself into a random text editor as state actor attack = success.
Law enforcement agencies including the U.S. FBI, Romanian Police (Poliția Română), the Australian Federal Police (AFP), the Norwegian National Criminal Investigation Service (Kripos), and Europol were involved in the operation.
The malware "protectors" and testing services helped malware authors make their samples fully undetectable (FUD) to leading antivirus products.
The only thing interesting about this story is that whoever did it got caught. Sort of.
Is there anyone here who really believes that every major campaign organization since, say, 2004 hasn't been completely owned up? What, you think the people that build the software and IT environments for campaigns --- sites that by design have millions of users with persistent accounts, and thousands of staff members at varying levels of privilege --- are the creme de la creme of software security talent?
Because, sure, I mean, everyone I know in software security and pentesting tells me "my first career choice is to go work in IT for the DNC and the GOP", but somehow along the way Google manages after a mighty struggle to outbid the 70k/year cost-center IT organizations offer for security talent.
If there was any interesting "oppo research" on McCain in the DNC servers during the '08 election, I will bet all the money in my pocket versus all the money in yours that the Chinese read all of it long before everyone on the official CC list did.
Yeah! I was hoping that this was a discovery of NSA malware, something that only a nation-state could put together. I mean, we've all heard of Stuxnet and Flame and Duqu and the Equation Group, but there's still some nagging doubt that those were really NSA malware.
These are fascinating. It would be very interesting to know what the character and subject matter of the infecting sites were.
Outside of the great tech writeup, what is particularly interesting about this, to me, from a geopolitical perspective is the level of restraint.
The malicious actors in this case leveraged zero-days for iOS for years and yet do not seem to have overextended themselves or risked exposure by overly widening their intended targets. What I mean by this is: they clearly could have chosen to gain a massive infection rate by combining this with hacking a well-known popular site, or even pulling more visits from (say) social media, but instead the malicious actor chose to limit their intended recipients, running the exploits against a smaller set of targets for much longer while remaining undetected.
This, to me, hints at a state-actor with specific intent.
Nah, most of the time it's just a fancy infosec way of saying "it was likely ordinary criminals, or even some script kiddies, but it would be quite embarrassing to admit that".
My assumption is that this was a state-sponsored mass surveillance campaign of some kind, but God knows what exactly they were looking for.
I think if the backdoor had been discovered 2 or 3 months later, we could maybe understand better what they wanted to do. My speculation is that they wanted to build a massive botnet and then snoop on machines' processes and traffic looking for something. It's hard to speculate because luckily they were caught soon enough.
It doesn't look like any of these even tried opsec - which isn't surprising because such crimes committed against individuals or small companies effectively became decriminalized in the UK so opsec would just be a waste of time.
Their mistake was to think that embarrassing the establishment by breaching high-profile (Nvidia, etc), culturally-relevant companies (BT/EE) would be met with similar inaction.
Also, with regards to skill, keep in mind that the establishment has a huge interest in making the hacks sound much more advanced than they really were to minimize the embarrassment of the affected companies. It would look really bad if it was widely known that these companies were pwned with nothing more than basic phishing, bribery and social engineering, something anyone can do.
They were not. (Though IIRC it was unclear from the leak that the IC were successful in targeting their servers; it just indicated that they had a good idea of how they might do that.)