Publicly Available Tools Seen in Cyber Incidents Worldwide

According to the US-CERT, tools and techniques for exploiting networks and the data they hold are by no means the preserve of nation states or criminals on the dark web. Today, malicious tools with a variety of functions are widely and freely available for use by everyone from skilled penetration testers, hostile state actors and organised criminals, to amateur cyber criminals.

Commenting on this, Ross Rustici, senior director, threat intelligence at Cybereason, said

This report is like a greatest hits album for a struggling record company. Everything is old, well known, and generally elicits a sense of nostalgia mixed with loathing. Mimikatz, the the elder statesman of the group, has an original release date of 2007 – 11 years ago. The most “current” tool being highlighted in Powershell Empire which is a sprightly 3 years old. The three tools associated with China HTran, China Chopper, and Adwind (JBiFrost) all were in active use between 2011 and 2013. 

This report highlights the collective failure of the security community to adequately address known threats. The hacking community evolves based on necessity, and if tools from 2007 are still fundamentally successful, we will continue to see the use of these old favourites because there is no sense in fixing what isn’t broken. The fact that this release is essentially a veiled attempt to call out Chinese tools and activity without naming China directly likely serves a larger political purpose of trying to ramp up the narrative of China as an adversary that the Trump Administration is currently hyping. 

These tools are all so old and so widely available that the use of them is no more indicative of a nation state than the use of metasploit is indicative of a script kiddie. Everyone has these tools in their tool kit. Mimikatz is still the most widely used credential dumping tool in hacking. These tools/frameworks are highly effective and widely used. This allows advanced actors to hide in the noise while also enabling lower level folks to outperform their skills. The macabre silver lining of this report is that by failing to stop these tools, the security community has arrested the development of other such frameworks. No one wants to waste development time on a new capability when the one they already use works. So until we, as an industry, get better at stopping these tools, we are unlikely to see a large new development cycle to completely replace these tools. 

The real answer to reducing the development of these tools however lays not in tool disruption but technique disruption. New tools can be coded and crafted, but ultimately they must perform the same functions. If we get better about locking down the capacity of scripts and software from doing the needed activity, then it will become much harder for people to craft new capabilities. The harder it is to do this, the less likely the tool will become an open commodity because there is more value for the author in keeping it exclusive. This approach would reduce the number of people capable of crafting good malware and also reduce the number of hackers who had access to it. Ultimately, it wont stop hacking, but it would erode the overwhelming superiority hackers currently enjoy over defenders.”