Mixed-Use Zoning in Malicious Infrastructure
By Nancy Dickson on August 9, 2018
As nation-state hacking groups multiply and grow rapidly, the need to develop their infrastructure in more formal ways is likely to increase. To scale what were once small operations — what we recognized as advanced persistent threats (APTs) — groups will continue adopting more aggressive tactics as they pay financially motivated cybercriminals to provide them with unattributable infrastructure, or otherwise seek to develop the capabilities themselves.
Profiteering, for example, was a tactic mostly used by groups sponsored by the Democratic People’s Republic of Korea (the DPRK), but it is now becoming a more widespread and standard technique, both to increase noise and to run false flag operations. While some APT groups still employ custom tooling, many are now adopting open-source malware and using compromised infrastructure to increase the speed and scale of future operations.
The malware attack known as VPNFilter is an excellent recent example of the mixing of APT activity with broad and financially oriented compromise. The attack was publicly identified in May 2018 but has been ongoing since at least 2016, infecting over half a million routers with malware that allows attackers to intercept and modify traffic on a network’s gateway, collect sensitive information, launch attacks on other routers, and even instantly disable the infected router with a single command.
Attacks like this are typically financially motivated smash-and-grab operations, casting a wide net to harvest credentials from a broad user base rather than focusing on a limited number of targets, and at first, the VPNFilter attack looked no different. But as cybersecurity experts looked closer, the evidence revealed an operation displaying great technical proficiency and a capacity to attack a high number of targets, indicating that the team behind the attack was professional and well funded. The attack was ultimately attributed to an operation with Russian origins.
But financial motivation, or the appearance of it, adds another dimension to false flag operations run by nation-state hacking groups, creating a spectrum of possible targets and incentives. We’ve seen the widest range of profit orientation from DPRK groups that use everything from destructive malware pretending to turn a profit (WannaCry) all the way to purely for-profit compromises of cryptocurrency exchanges. This variety of motivations further frustrates attribution attempts that seek to map shared infrastructure or tactics, techniques, and procedures (TTPs) to threat actor groups.
Rising Cybercrime Trends
As the use of purchased and compromised infrastructure by APT groups continues, we are likely to come across instances where multiple APT groups begin to overlap in both their infrastructure and indicators of compromise. For groups that are not yet known to perform financially motivated attacks, this may encourage them to do so, as it has the additional benefit of pointing attribution toward other groups or nations that will more readily chase profits.
It is publicly reported, for example, that Russia has already tried to attribute its Olympic operations to DPRK activity, using compromised routers to do so. Turning consumer equipment and infrastructure into cyber weapons is a widespread TTP already commonly used by distributed denial-of-service (DDoS) perpetrators who undertake attacks motivated both by profit and activism — expect this tactic to be an increasing trend for both cybercrime and APT operations, as they share and enrich each other’s toolsets.
The Role of Threat Intelligence
The clear contrast between state-sponsored actors and cybercriminals is likely to soon fade, putting an additional burden on threat intelligence teams that separate the two types of operations or focus too heavily on attribution. The growing likelihood that commodity malware could be the front line of an advanced attack increases the need for organizations to have full-stack security with an effective threat intelligence strategy in place in order to investigate a high percentage of incidents and proactively stay ahead of these threats.