Two security firms' disagreement over an unusual hack highlights the difficulty of attributing cyber attacks.
In November, security researchers revealed a hacking operation with so many layers of labyrinthine convolution they dubbed it “Inception,” after the 2010 science-fiction film. Initially preying on Russian business executives—including the chief executive of a large Russian bank—the attack expanded to include targets across the globe in government, the United Nations, militaries, and in industries such as oil and gas. The schemers created tailor-made malware for mobile operating systems—Google’s Android, Apple’s iOS, even BlackBerry—and plotted a phishing campaign that included more than 60 mobile providers such as China Mobile and T-Mobile.
Blue Coat, the Sunnyvale, Calif.-based network security firm that began investigating the attacks in late August, decided to release its findings in a detailed report in December rather than continue what it deemed a fruitless hunt to expose those responsible. “The damage is coming faster than the hints are coming to us,” says Hugh Thompson, chief security strategist and senior vice president at Blue Coat, on his team’s decision to publish the white paper at the time. “It’s time to bring this to an end.”
Waylon Grange, a senior malware researcher at Blue Coat and one of the authors of the report, analyzed the campaign and repeatedly turned up false leads. The pains the attackers took to preserve their anonymity stunned him. “They’ve been playing very calm, quiet, and stealthy—that really makes these guys different in my book,” Grange says, noting that the group covered its tracks with proxy servers, encrypted communications and a highly automated attack framework sheltered in cloud-based servers. “They’re using tools to hide their identity I’ve seen nobody else use.”
Among the clues contained in the hackers’ code, Grange says, were a document labeled in Spanish, strings of code in Arabic, Hindi words, a sprinkling of the Britishism “God Save The Queen,” social network accounts allegedly belonging to Iranians, compromised Korean home routers, and IP addresses originating from all different regions across the globe. An attempt to determine precisely when the campaign’s malware files were created—a means of zeroing in on the authors’ time zone from their working hours—seemed promising until Blue Coat analysts realized the attackers must have set their system clocks incorrectly. And an easily identifiable piece of Chinese malware appears to have been thrown into the mix as a decoy.
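The time-zone trick Blue Coat tried works by assuming authors compile during office hours: shift the recorded build times through every UTC offset and see which one packs the most builds into a working day. The example below, added here and not taken from the Blue Coat or Kaspersky reports, shows the inference on constructed build times and then shows how a constant clock error sends it confidently to the wrong continent. The working-hours window, the build times and the “now” used for the plausibility check are all assumptions.

```python
"""Working-hours inference from malware build timestamps, and why a skewed
clock defeats it.

Added example, not code from Blue Coat or Kaspersky. The build times below are
constructed for illustration and are not from any real Inception sample."""
from datetime import datetime, timedelta, timezone

# Assumed working window in the author's local time: 09:00 through 17:59.
WORKDAY_HOURS = range(9, 18)

# Constructed UTC build times: a team that compiles once an hour, 09:00-17:00
# in UTC+3, recorded (as a PE header would record them) in UTC.
BUILDS_UTC = [datetime(2014, 9, 1, h, 0, tzinfo=timezone.utc) for h in range(6, 15)]


def workday_hits(timestamps, offset_hours):
    """Count builds whose local hour (UTC + offset) lands inside WORKDAY_HOURS."""
    shift = timedelta(hours=offset_hours)
    return sum(1 for ts in timestamps if (ts + shift).hour in WORKDAY_HOURS)


def infer_offset(timestamps):
    """Return (offset_hours, fraction_explained) for the UTC offset that fits
    the most builds into a working day; ties go to the offset nearest UTC."""
    scores = {off: workday_hits(timestamps, off) for off in range(-12, 15)}
    best = max(scores, key=lambda off: (scores[off], -abs(off)))
    return best, scores[best] / len(timestamps)


def implausible(timestamps, now=None):
    """Timestamps that cannot be right: zeroed (Unix epoch) or in the future.
    A sample full of these is a sign the builder scrubbed or faked its clock."""
    now = now or datetime.now(timezone.utc)
    epoch = datetime(1970, 1, 1, tzinfo=timezone.utc)
    return [ts for ts in timestamps if ts == epoch or ts > now]


def skew_demo(hours):
    """Shift every build time by a constant, as a builder with a wrong clock
    would, and report the offset the inference then returns."""
    return infer_offset([ts + timedelta(hours=hours) for ts in BUILDS_UTC])[0]


if __name__ == "__main__":
    print("genuine clocks:", infer_offset(BUILDS_UTC))  # (3, 1.0)
    print("clock set +8h :", skew_demo(8))              # -5, i.e. the Americas
    print("clock set -3h :", skew_demo(-3))             # 6
    print("implausible   :", implausible(BUILDS_UTC))    # []
```

The failure mode is the point: a wrong clock does not make the histogram look noisy, it makes it look just as clean at a different offset, so the method cannot tell a careless author from a careful one. The only defence is corroboration from evidence the author does not control, such as the times at which command-and-control infrastructure actually answered.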
Grange considers most of these breadcrumbs, from which one might deduce a source, dubious. “Even when you do find a clue with these guys you can’t be so sure of trusting it,” he says. “All the hints we thought we had were red herrings.” Given how conflicted the evidence is, the operation cannot be pegged on any one particular group with certainty. But the big picture cannot be ignored: the level of sophistication, scale of the operation, targets involved, and apparent aim of espionage indicates that the cyber attack is probably the work of a nation-state or private entity with considerable financial backing.
“It’s one of the most sophisticated frameworks I’ve ever seen,” Thompson adds. “They knew somebody was going to put this puzzle apart on the other side, and they threw random jigsaw puzzle pieces to confuse the other side. It’s something I hadn’t seen to this level before.”
Not everyone considers the puzzle unsolvable. Researchers at Kaspersky Labs, the Moscow-based security firm, believe they have seen something like this before. The company revealed additional pointers in a blog post published on the heels of the Blue Coat report, peeling back the layers of the cyber attack, which it rebranded—equally cinematically—“CloudAtlas.” Like Blue Coat, Kaspersky Labs began investigating the campaign in August. The two firms compared notes along the way.
Costin Raiu, director of global research and analysis at Kaspersky Labs, is convinced that the attackers, so often successful at obfuscating their tracks, made a couple of mistakes. One of their phishing documents—“Car for Sale.doc”—echoed a filename used in another hacking campaign a couple of years ago. Lead in hand, Raiu and his team began to look for more correlations with artifacts from that previous operation. They were already on alert, expecting that an attack the firm unveiled the year prior would resurface. That campaign’s name, in honor of the month in 2012 during which researchers began investigating it: “RedOctober,” an allusion to Tom Clancy’s first novel and the 1990 film of the same name.
“Groups like RedOctober don’t just disappear overnight,” Raiu says, reasoning from the infrastructural requirements and hundreds of analysts that must have been involved. “We’ve been expecting such a massive group to go underground for a couple of months and to come back in one form or another.” In locating some relics—such as a matching marker for a piece of shell code, the payload that helps an attacker to take over a machine—Raiu suspects the attackers carefully combed through Kaspersky’s reports that outed RedOctober, then rebuilt their operation to the point of rewriting the majority of their code from scratch so as not to repeat what earlier had gotten them caught.
Tellingly, the two operations’ victim profiles paralleled each other, right down to the countries: the top nations affected by the attack include Russia and Kazakhstan. (Russian, it should be noted, was conspicuously absent as one of the diversionary languages used by the hackers, per Grange’s research.) If the “CloudAtlas” attackers are the same group as “RedOctober,” which Kaspersky Labs had previously determined as hailing from a Russian-speaking country, it makes sense that the attackers would avoid potentially self-identifying Russian words.
CloudMe, a Swedish cloud storage provider, was used as the main command-and-control infrastructure to conduct the attacks. As the attackers’ malware collected information from targets who had been phished—duped into compromising their personal information and devices—that malware would send the data back to CloudMe servers, where it would also check for new instructions or “tasks” uploaded through a network of compromised routers. (Neither Kaspersky Labs nor Blue Coat believes that the cloud company willingly abetted the attackers.) The cloud-based scheme recalls a similar abuse of Dropbox, a competitor of CloudMe, in an attack on a Taiwanese government agency in 2013.
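Because the implant talks to a legitimate storage service that real users also visit, blocking or alerting on the domain alone is too coarse. What distinguishes a machine polling a shared folder for tasks from a person using the same service is the rhythm: the implant checks in on a near-fixed period, people do not. The example below, added here and not code from the page, Blue Coat, Kaspersky or CloudMe, runs that periodicity check over a constructed proxy log. The log format, the client addresses and the host api.cloud-storage.example are assumptions standing in for any provider.

```python
"""Spot endpoints that poll a cloud-storage host on a fixed schedule, the
traffic shape of an implant checking a shared folder for new tasks.

Added example; not code from the page, Blue Coat or Kaspersky. The log format,
the client addresses and the host api.cloud-storage.example are constructed."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "<iso-timestamp> <client> <host> <method> <path>".
# 10.0.0.21 polls roughly every 10 minutes; 10.0.0.35 is a person browsing
# the same service during the same hours.
SAMPLE_LOG = """\
2014-09-02T08:00:00 10.0.0.21 api.cloud-storage.example GET /folder/tasks
2014-09-02T08:03:11 10.0.0.35 api.cloud-storage.example GET /
2014-09-02T08:03:40 10.0.0.35 api.cloud-storage.example GET /login
2014-09-02T08:10:02 10.0.0.21 api.cloud-storage.example GET /folder/tasks
2014-09-02T08:17:05 10.0.0.35 api.cloud-storage.example GET /files
2014-09-02T08:19:58 10.0.0.21 api.cloud-storage.example PUT /folder/upload
2014-09-02T08:30:01 10.0.0.21 api.cloud-storage.example GET /folder/tasks
2014-09-02T08:40:00 10.0.0.21 api.cloud-storage.example GET /folder/tasks
2014-09-02T08:45:22 10.0.0.35 api.cloud-storage.example PUT /files/report.pdf
2014-09-02T08:49:59 10.0.0.21 api.cloud-storage.example GET /folder/tasks
2014-09-02T09:00:03 10.0.0.21 api.cloud-storage.example GET /folder/tasks
2014-09-02T09:10:00 10.0.0.21 api.cloud-storage.example GET /folder/tasks
2014-09-02T09:30:10 10.0.0.35 api.cloud-storage.example GET /files
2014-09-02T09:31:02 10.0.0.35 api.cloud-storage.example GET /files/report.pdf
2014-09-02T09:58:45 10.0.0.35 api.cloud-storage.example GET /
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (GET|PUT|POST) (\S+)$")


def parse_log(text):
    """Yield (timestamp, client, host, method, path); malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, client, host, method, path = m.groups()
            yield datetime.fromisoformat(ts), client, host, method, path


def beacon_candidates(text, min_hits=6, max_cv=0.15):
    """Return (client, host, mean_gap_seconds, cv) for client/host pairs seen
    at least min_hits times whose inter-request gaps are nearly constant
    (coefficient of variation <= max_cv). Human browsing is bursty, so its
    gaps vary widely; a polling implant keeps a near-fixed period."""
    seen = defaultdict(list)
    for ts, client, host, _method, _path in parse_log(text):
        seen[(client, host)].append(ts)
    hits = []
    for (client, host), times in seen.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            hits.append((client, host, round(avg), round(cv, 3)))
    return hits


if __name__ == "__main__":
    for row in beacon_candidates(SAMPLE_LOG):
        print(row)  # ('10.0.0.21', 'api.cloud-storage.example', 600, 0.005)
```

This is a heuristic, not a signature: an operator who adds random jitter to the polling interval raises the coefficient of variation above the threshold, so in practice the check is one input among several (volume of uploads, accounts created in bulk, requests outside the user’s normal hours) rather than a verdict on its own.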
“Our company has been investigating this over several weeks to learn more about the attackers and to stop the network from distributing additional malware to end users,” said CloudMe CEO Daniel Arthursson at the time the report was released. “In some ways it’s flattering that they chose our system,” he added, touting the service as secure and safe in spite of its exploitation. “But that’s really not the intention of our system and it takes up resources from real users.”
Arthursson said that tens of thousands of his service’s accounts had been discovered to be participating in the attack, and that his team had been working to deactivate them. (The malicious accounts have no effect on regular customers’ CloudMe accounts, he said.)
Since the publication of Blue Coat’s report and Kaspersky Labs’ blog post, activity associated with the Inception attack has subsided. The number of so-called taskings per night, for instance, halved from 100 to 50 after the report appeared. (“It almost feels to me like they wanted to cut it short, but there were a few guys they really wanted to get some last information out of,” Grange says.) Within 48 hours, the operation ceased altogether.
Raiu and Grange believe the attackers will at some point return. They will learn what they did wrong and adapt their approach, each says. “This time they’ll probably include Russian words and American words and French just to be on the safe side,” Raiu says. “And they’ll target pretty much everyone—so no Russian bias anymore.”
Despite the theories held at Kaspersky Labs, Blue Coat’s Grange is still not entirely confident in attributing the attack to the group behind RedOctober. “The ties that Kaspersky used to tie it to them could all be forged [by the hackers],” Grange says. “Looking at the code, I don’t think it wasn’t the same artist behind the two samples.” He added: “I think the strongest indicator is the large number of target overlap.”
Attributing cyber attacks is difficult work, and it’s only getting tougher. Malware kits are bought and sold on black markets. Code can be copied and pasted from sites where programmers share work. Hackers read, learn, adjust. When determining whodunit, investigators have biases. Attribution often comes down to what and whom you’re willing to believe. (Exhibit A: The recent cyber attack on Sony Pictures and the heated debate over whether North Korea was behind it.)
To quote the Blue Coat report: “Due to the many levels of obfuscation and indirection, we named this the Inception framework; but there ends all similarity with the movie by the same name. Leonardo DiCaprio is not associated with this investigation.” Let’s hope the thieves don’t figure out how to invade our subconscious, too.