The already difficult task of tracing a cybersecurity attack to a specific threat actor is made more difficult by the changing nature of threat groups. Despite the best efforts of the researchers, some attackers may never be identified.
At last week’s VB2021 conference, cybersecurity analysts and researchers went through the breadcrumbs they followed to identify the malicious actors behind the attacks on the Colonial Pipeline, Sony Pictures, and the Iranian rail system. These examples show why attribution is complicated and sometimes impossible.
From Carbanak to BlackMatter
CrowdStrike researchers quickly traced the Colonial Pipeline attack last May to a group called Carbon Spider, likely an Eastern European or Russia-based threat group. But as Josh Reynolds, a senior security researcher at CrowdStrike, and Eric Lou, a senior intelligence analyst at CrowdStrike, explained at VB2021, the group hasn’t always been a big-game ransomware threat.
Carbon Spider began using Carbanak malware to target financial institutions in 2013, before moving on to restaurants and the hospitality industry in 2015 to collect payment card data using point-of-sale (POS) malware. In 2016, Cobalt Spider split off from Carbon Spider to focus on card data theft, while Carbon Spider continued to target financial companies.
In April 2020, the COVID-19 pandemic forced the group to “dramatically turn” away from card data theft as the crisis reduced in-person transactions. The malicious actors instead moved to more ambitious campaigns, including ransomware attacks using REvil’s ransomware-as-a-service (RaaS). Then, in August 2020, Carbon Spider shifted its ransomware efforts to its own malware, DarkSide, which the group opened up to affiliates as a RaaS offering in November 2020.
CrowdStrike’s assignment of the attack on the Colonial Pipeline to Carbon Spider was not made by a single data point, but by comparing numerous DarkSide incidents with Carbon Spider. Researchers examined the tactics, techniques, and procedures, as well as the characteristic use of tools, shared infrastructure, and other forensic evidence to identify Carbon Spider as the culprit of the pipeline attack.
One week after the May 8 attack, DarkSide RaaS operations ceased. Three weeks later, the US Department of Justice announced that it had seized the affiliate’s cut of the Colonial Pipeline ransom payment.
However, Carbon Spider has not ceased operations even after these developments, which were strongly condemned by the US government and the international community. There is evidence that the group resumed activity in other malware deployment incidents. On July 21, a new group called BlackMatter emerged, seeking access to major ransomware targets with annual revenue exceeding $100 million in the US, Canada, Australia and the UK.
CrowdStrike reverse engineered the Windows variants of DarkSide and BlackMatter and saw enough overlap to believe that BlackMatter is simply DarkSide in a new guise. The real danger posed by ransomware groups, the CrowdStrike researchers said, is that they can adapt to new trends and reinvent themselves. There’s no going back to POS data theft because ransomware is too lucrative.
“The big thing that you can expect from Carbon Spider is that they keep getting better,” said Lou. “They will always introduce new initial access vectors, new PowerShell intermediates, attackers and loaders. So it can really be expected that they will continue to innovate. In a year’s time, I wouldn’t be surprised if they’ve improved significantly from their current standpoint.”
Lazarus is made up of many clusters
Security researchers have complained that all North Korean malware is attributed to a single threat actor called the Lazarus Group, also known as Hidden Cobra. Lazarus is best known for the 2014 attack on Sony Pictures and was later linked to the 2017 WannaCry 2.0 attacks. Researchers also confuse the Lazarus group with the alleged Chinese threat group Winnti, said Seongsu Park, senior security researcher at Kaspersky’s Global Research and Analysis Team.
The truth is that Lazarus evolved to be made up of several different “clusters” including:
- ThreatNeedle, which targets cryptocurrency exchanges, mobile game companies, the defense industry, and security researchers
- AppleJeus, which targeted a cryptocurrency exchange, a fintech company, and a blockchain company
- Bookcode, which targeted a software provider, an armaments company, and a pharmaceutical company
- DeathNote (also known as DreamJob), which targeted an automotive company, colleges, a defense organization, a think tank, and a software company
- CookieTime (also known as LCPDot), which targeted defense, energy, and pharmaceutical companies
- MATA (also known as Dacls), which has only a loose connection with Lazarus and focuses on cybercrime and espionage
Park said that there may be more Lazarus clusters with varying similarities and differences. The bottom line, however, is that all clusters are constantly evolving. “All threat actors are changing,” said Park. “Their internal structures are also changing and their leadership is changing. These constant changes make it difficult to attribute them.”
The Indra threat group could be a nation state
Finally, some high-profile threat actors may evade attribution even after being scrutinized by the best threat intelligence analysts. For example, Itay Cohen, Senior Malware Researcher at Check Point Software Technologies, and Alexander Gofman, Malware Analyst in Check Point’s Threat Intelligence Analysis Team, summarized their team’s investigation into the hack of the Iranian rail system in early July 2021.
This attack, which crippled the country’s entire rail system, first became apparent when messages appeared on the electronic signs at the stations stating that delays were due to a cyberattack and instructing passengers to call 64411, a number that at the time belonged to the office of the country’s supreme leader, Ayatollah Khamenei. The primary payload delivered during the incident was a wiper called Meteor.
Meteor was linked to two other wipers, named Comet and Stardust, which were used in similar attacks on the Syrian airline Cham Wings, the Syrian money and currency transfer company Al-Fadel, and oil trading and refining organizations. All three variants of the wiper contained background images that began with “I am Indra”, a reference to the Hindu god of war and destroyer of evil, which earned the group behind the attacks the nickname Indra. The attackers in all incidents claim to be “hacktivists” waging digital campaigns for their political causes against Iran.
Iran is no stranger to hacktivist attackers. In 2018, the Tapandegan hacktivist group attacked two airports in Iran. The Iranian authorities say the attackers have been identified and arrested. A few months later, the Iranian radio system and the email of the Iranian consulate in Berlin were hacked by the same group.
More recently, in late August 2021, a hacktivist group called Edalat-e Ali (Ali’s Justice) launched an attack on Iran’s Evin prison. This attack made headlines due to the horrific images displayed in hacked footage from the prison’s security cameras.
Despite having detailed knowledge of all of these attacks and precise knowledge of the execution sequence of the wiper malware used in the rail attack, Check Point cannot attribute the incident to a specific threat actor. “We have had unquoted hacktivist attacks before and after the Indra attacks,” Cohen said.
“Who says these groups are hacktivists and not sponsored by the nation state? They might as well be. That is not unlikely. We have seen several attacks in recent years in which countries disguise themselves as hacktivists,” such as Russian intelligence agents posing as Guccifer 2.0 in the run-up to the 2016 US presidential election.
“So who is behind Indra? The answer is, we don’t know.”
Copyright © 2021 IDG Communications, Inc.