
Spy Wars: How nation-state backed threat actors steal from and copy each other

Sophisticated threat actors are actively hacking other attack groups in order to steal victim data, borrow tools and techniques

DQC Bureau

Sophisticated threat actors are actively hacking other attack groups in order to steal victim data, borrow tools and techniques and re-use each other’s infrastructure – making accurate threat intelligence ever harder for security researchers, according to Kaspersky Lab’s Global Research and Analysis Team (GReAT).


Accurate threat intelligence relies on identifying the patterns and tools that signpost a particular threat actor. Such knowledge allows researchers to better map different attackers’ goals, targets and behaviors, and to help organizations determine their level of risk. When threat actors start hacking each other and taking over tools, infrastructure and even victims, this model quickly starts to break down.

Kaspersky Lab believes that such attacks are likely to be implemented mainly by nation-state backed groups, targeting foreign or less competent actors. It is important that IT security researchers learn how to spot and interpret the signs of these attacks, so that they can present their intelligence in context.

In a detailed review of the opportunities for such attacks, GReAT researchers identified two main approaches: passive and active. Passive attacks involve intercepting other groups’ data in transit, for example as it moves between victims and command and control servers – and are almost impossible to detect. The active approach involves infiltrating another threat actor’s malicious infrastructure.


There is a greater risk of detection in the active approach, but it also offers more benefits as it allows the attacker to extract information on a regular basis, monitor its target and their victims, and potentially even insert its own implants or mount attacks in the name of its victim. The success of active attacks relies heavily on the target making mistakes in operational security.

GReAT has encountered a number of strange and unexpected artefacts while investigating specific threat actors that suggest such active attacks are already happening in the wild.

Examples include:

  1. Backdoors installed in another entity’s command-and-control (C&C) infrastructure

Installing a backdoor in a hacked network allows attackers to establish persistence inside the operations of another group. Kaspersky Lab researchers have found what appear to be two in-the-wild examples of such backdoors.

One of these was found in 2013, while analyzing a server used by NetTraveler, a Chinese-language campaign targeting activists and organizations in Asia. The second one was found in 2014, while investigating a hacked website used by Crouching Yeti (also known as Energetic Bear), a Russian-language threat actor targeting the industrial sector since 2010. The researchers noticed that, for a brief period of time, the panel managing the C&C network was modified with a tag that pointed to a remote IP in China (likely a false flag). The researchers believe this was also a backdoor belonging to another group, although there are no indicators as to who this might be.

  2. Sharing hacked websites

In 2016, Kaspersky Lab researchers found that a website compromised by the Korean-language DarkHotel also hosted exploit scripts for another targeted attacker, which the team called ScarCruft, a group targeting mainly Russian, Chinese and South Korean organizations. The DarkHotel operation dates from April 2016, while the ScarCruft attacks were implemented a month later, suggesting that ScarCruft may have observed the DarkHotel attacks before launching its own.

  3. Targeting-by-proxy

Infiltrating a group with an established stake in a certain region or industry sector enables an attacker to reduce costs and improve targeting, benefiting from the specialist expertise of its victim.

Some threat actors share rather than steal victims. This is a risky approach if one of the groups is less advanced and gets caught, as the inevitable forensic analysis that follows will also reveal the other intruders. In November 2014, Kaspersky Lab reported that a server belonging to a research institution in the Middle East, known as the Magnet of Threats, simultaneously hosted implants for the highly sophisticated threat actors Regin and Equation Group (English-language), Turla and ItaDuke (Russian-language), as well as Animal Farm (French-language) and Careto (Spanish-language). In fact, this server was the starting point for the discovery of the Equation Group.

“Attribution is hard at the best of times as clues are rare and easily manipulated, and now we also have to factor in the impact of threat actors hacking each other. As more groups leverage each other’s toolkits, victims and infrastructure, insert their own implants or adopt the identity of their victim to mount further attacks, where will that leave threat hunters trying to build a clear, accurate picture? Our examples hint that some of this is already happening in-the-wild and threat intelligence researchers will need to take pause and adapt their thinking when it comes to analysing the work of advanced threat actors,” said Juan Andres Guerrero-Saade, Principal Security Researcher, Global Research and Analysis Team, Kaspersky Lab.


In order to keep pace with the rapidly evolving threat landscape, Kaspersky Lab advises enterprises to implement a full-scale security platform combined with cutting-edge threat intelligence. Kaspersky Lab’s enterprise security portfolio provides businesses with threat prevention through its next-generation endpoint security suite, detection based on the Kaspersky Anti Targeted Attack platform, and prediction and incident response through its threat intelligence services.

Further details on ways in which threat actors acquire and reuse elements of other groups, including tool repurposing and malware clustering, and their ramifications for threat intelligence can be found in the blogpost on Securelist.

For more information about Kaspersky Lab’s Private Intelligence Reports, please contact: intelreports@kaspersky.com
