VB2017 Intel agencies and top-tier hackers are actively hacking other hackers in order to steal victim data, borrow tools and techniques, and reuse each other’s infrastructure, attendees at Virus Bulletin Con, Madrid, were told yesterday.
The increasing amount of spy-vs-spy type activity is making accurate threat intel increasingly difficult for security researchers, according to Kaspersky Lab.
Threat intelligence depends on spotting patterns and tools that point towards a particular threat actor. Related work allows researchers to infer a hacking group’s targets and objectives before advising clients about the risk they face. This process falls down now that threat actors are hacking each other and taking over tools, infrastructure and even victims.
A presentation, headlined Walking in your enemy’s shadow: when fourth-party collection becomes attribution hell, explored these challenges.
Juan Andres Guerrero-Saade and Costin Raiu, both from Kaspersky Lab, explained the attribution problems that can arise when one hacking group exploits another’s seemingly closed-source toolkit or infrastructure. Quizzed on this point by El Reg, the pair said to date there was no example of an intel agency backdating another foreign hacking group’s malware.
Cyber-expionage groups are busy instead stealing each other’s tools, repurposing exploits, and compromising the same infrastructure, they said. Reuse of fragments of other’s tools is more common than wholesale theft and repurposing of third-party APTs.
What are they up to?
There are two main attack vectors. First, passive attacks that involve intercepting other groups’ data in transit, for example as it moves between victims and command and control servers. The second (active) approach involves hacking into another threat actor’s malicious infrastructure, an approach much more likely to risk detection but which also brings potential rewards.
An active attack would allow a hacker to extract information on a regular basis, monitor its target and its target’s victims or even insert its own implants or mount attacks while throwing the finger of blame towards the initial attacker. The success of active attacks depends largely on the target (e.g. another intel agency) making operational security mistakes.
今日微话题|快递包装泄信息 你还随手丢吗?
Kaspersky researchers have come across two examples of backdoors installed in another hacking group’s command-and-control infrastructure.
非法闯入是指黑客利用企业网络的安全漏洞,不经允许非法访问企业内部网络或数据资源,删除、复制甚至毁坏数据。
One of these was found in 2013, while analysing a server used by NetTraveler, a Chinese-language campaign targeting activists and organisations in Asia. The second one was found in 2014, while probing a hacked website used by Crouching Yeti, a Russian-language hacking crew.

Last year a website put together by the Korean-language DarkHotel also hosted exploit scripts for another targeted attacker, which the team called ScarCruft, a group targeting mainly Russian, Chinese and South Korean-organisations, it said.
In November 2014, Kaspersky Lab reported that a server belonging to a research institution in the Middle East, known as the Magnet of Threats, simultaneously hosted implants for Regin and Equation Group (English-language), Turla and ItaDuke (Russian-language), as well as Animal Farm (French-language) and Careto (Spanish). This server was the starting point for the discovery of the Equation Group, linked by the leaks of former NSA sysadmin Edward Snowden to an elite NSA hacking crew. ®
Sponsored:
The Joy and Pain of Buying IT – Have Your Say
企业内部员工,是众多信息安全事故的焦点。实际上,信息安全保障的第一道防线就是企业员工的信息安全意识。

猜您喜欢

中国网络安全年会召开 360详解无线通信安全
如何识别和防范假冒WiFi热点
网络安全法学习课堂
高速太堵车!司机路边水沟钓小龙虾打发时间
MINDVALLEY MIDWESTELITESOCCER
移动设备安全快速指南