Which hacker group is attacking your corporate network? Don’t guess, check!

About four years ago, cybersecurity became a pawn in geopolitical games of chess. Politicians of all stripes and nationalities wag fingers at and blame each other for hostile cyberespionage operations, while at the same time — seemingly without irony — enlarging their own countries’ offensive cyberweaponstools. And caught in the crossfire of geopolitical shenanigans are independent cybersecurity companies, which have the ability, and the nerve, to uncover this very dangerous tomfoolery.

But, why? It’s all very simple.

First, “cyber” is and has been a cool/romantic/sci-fi/Hollywood/glamorous term since its inception. It also sells — not just products but press. It’s popular, including with politicians. And it’s a handy distraction, given its coolness and popularity, when distraction is something that’s needed, which is often.

Second, “cyber” is really techy. Most folks don’t understand it. As a result, the media, when covering anything to do with it, and always seeking more clicks on their stories, are able to print all manner of things that aren’t quite true (or are completely false), but few readers notice. So what you get are a lot of stories in the press stating that this or that country’s hacker group is responsible for this or that embarrassing or costly or damaging or outrageous cyberattack. But can any of it be believed?

We stick to technical attribution. It’s our duty and what we do as a business.

Generally, it’s hard to know what to believe. Given that, is it actually possible to accurately attribute a cyberattack?

The answer is in two parts:

From a technical standpoint, cyberattacks possess an array of particular characteristics, but impartial system analysis thereof can only go so far in determining how much an attack looks like it’s the work of this or that hacker group.

However, whether the hacker group might belong to Military Intelligence Sub-Unit 233, the National Advanced Defense Research Projects Group, or the Joint Strategic Capabilities and Threat Reduction Taskforce (none of which exists, to save you Googling them) … that is a political issue, and there, the likelihood of factual manipulation approaches 100%. Attribution goes from being technical, evidence-based, and accurate to … well, fortune-telling. So, we leave that to the press. We stay well away.

Meanwhile, curiously, the percentage of political flies dousing themselves in the fact-based ointment of pure cybersecurity grows several-fold with the approach of key political events. Oh, just like the one that’s scheduled to take place in five months’ time!

Knowing the identity of one’s attacker makes fighting it much easier: An incident response can be rolled out smoothly and with minimal risk to the business.

So yes, political attribution is something we avoid. We stick to the technical side; in fact, it’s our duty and what we do as a business. And we do it better than anyone, I might modestly add. We keep a close watch on all large hacker groups and their operations (600+ of them), and pay zero attention to what their affiliation might be. A thief is a thief and should be in jail. And now, finally, more than 30 years since I started out in this game, after collecting nonstop so much data about digital wrongdoing, we feel we’re ready to start sharing what we’ve got — in a good way.

Just the other day, we launched an awesome new service for cybersecurity experts. It’s called the Kaspersky Threat Attribution Engine. It analyzes suspicious files and determines from which hacker group a given cyberattack comes. Knowing the identity of one’s attacker makes fighting it much easier: It enables informed countermeasures. Decisions can be made, a plan of action can be drawn up, priorities can be set out, and on the whole an incident response can be rolled out smoothly and with minimal risk to the business.

Kaspersky Threat Attribution Engine interface

How do we do it?

As I mentioned above, cyberattacks have many purely technical characteristics, or “flags”: the time and date when files were compiled, IP addresses, metadata, exploits, code fragments, passwords, language, file-naming conventions, debug paths, obfuscation and encryption tools, and more. Individually, such characteristics are useful only to (a) politicians, to point their fingers at opponents in the international arena, to bolster a hidden agenda, or (b) bad journalists seeking sensational scoops. Only together can they indicate to which hacker group they belong.

Besides, it’s easy to fake or emulate a flag.

For example, hackers from the Lazarus group appear to have used Russian words transcribed into Latin letters in their implanted binary code. However, the sentence construction would be unnatural in Russian, and the grammatical/syntax mistakes make it looks like something Google Translate would produce, to perhaps send security experts in the wrong direction:

False flags in Lazarus code.

But, then again, any hacker group can use Google Translate – even for its native language, rendering ‘language used’ hardly a reliable pointer.

Here’s another case highlighting this in a slightly different way: The Hades group (authors of the infamous OlympicDestroyer worm that attacked infrastructure of the 2018 Olympic Games in South Korea) planted some flags as employed by the Lazarus group, leading many researchers up the garden path into believing the Hades hackers actually were Lazarus (other differences between the two groups’ ‘style’ led most to conclude it wasn’t Lazarus).

However, manual expert analysis of hundreds of characteristics and comparing them with the signature styles of other hacker groups… it’s practically impossible in short timeframes, with limited resources, and with acceptable quality of results. But such results are needed sooooo badly. Companies want to quickly catch the cyber…-octopus that’s attacking them, and nail down all its tentacles so that it doesn’t crawl somewhere where it shouldn’t again, and to be able to tell everyone about how to stay protected from this dangerous cyber-mollusk.

Malware ‘genotypes’ help finding malware code similarities with known APT threat actors with almost 100% accuracy

So, that’s what was needed sooooo badly? Well, that’s just what we’ve come up with…

A few years ago we developed for internal use a system for automated analysis of files. It works like this: we extract from a suspicious file something we’ve called genotypes – short fragments of code selected using our proprietary algorithm – and compare it with more than 60,000 objects of targeted attacks from our database on a whole spectrum of characteristics. This allows us to determine the most likely scenarios as to the origin of a cyberattack, and to provide descriptions of the likely responsible hacker groups and links to paid and free resources for more detailed information and the development of an incident response strategy.

So, how reliable is the search, you may ask. Well, let’s just say that in three years the system hasn’t made a single mistake in pointing an ongoing investigation in the right direction!

Some of the more well-known investigations that have used the system include: the LightSpy iOS implantTajMahalShadowhammerShadowPad, and Dtrack. In all of those cases, the result was in full agreement with the evaluation of our experts. And now our customers can use it, too!

Kaspersky Threat Attribution Engine.

The Kaspersky Threat Attribution Engine comes in the form of a Linux-based distribution kit to be installed on a customer’s air-gapped computer (for maximal confidentiality). Updates are supplied by USB.  Any malware samples the customer’s in-house analysts finds can be added to the solution’s database, and it also uses an API interface to connect the engine to other systems — even a third-party SOC (security operations center).

In closing, I offer one disclaimer: No tool for the automated analysis of malicious cyberactivity has a 100% attack attribution guarantee. Everything can be faked and tricked, including the most advanced solutions. Our main objectives are to point experts in the right direction and to test likely scenarios. Also, despite ubiquitous and resounding choruses about the effectiveness of AI (which doesn’t actually exist yet), existing “AI” systems — even the very smartest — are at present not able to do everything without the assistance of Homo sapiens. It is a synergy of machines, data, and experts — what we call humachine — that today helps effectively fight even the most complex of cyberthreats.

And finally, I’d like to invite you to join a webinar on June 17 to see a live demo of the product, hear directly from its developers, and ask questions in real time.

That’s about all for today for your intro to our new solution. You can find more info on the product page, in the product datasheet, and in this white paper.

PS: I highly recommend a read of this post by Costin Raiu, one of the parents of this product, in which he goes into detail about the story of how it was developed and also explains some of the finer points of Kaspersky Threat Attribution Engine on the whole.