WALKING IN YOUR ENEMY’S SHADOW: WHEN FOURTH-PARTY COLLECTION BECOMES ATTRIBUTION HELL
Juan Andres Guerrero-Saade & Costin Raiu
Kaspersky Lab, USA & Romania
Email: [email protected]; [email protected]
ABSTRACT
Attribution is complicated under the best of circumstances. Sparse attributory indicators and the possibility of overt manipulation have proven enough for many researchers to shy away from the attribution space. And yet, we haven’t even discussed the worst-case scenarios. What happens to our research methods when threat actors start hacking each other? What happens when one threat actor leverages another’s seemingly closed-source toolkit? Or better yet, what if they open-source an entire suite to generate so much noise that they’ll never be heard?

Leaked documents have described how the standard practice of one espionage outfit infiltrating another has transcended into the realm of cyber in the form of fourth-party collection. While this represents an immediate failure for the victim intelligence service, the tragedy doesn’t end there. Attackers can then go on to adopt the victim threat actor’s toolkit and infrastructure, leveraging their …
IoC