Cyber threat activity has become an increasingly common topic of discussion in the media and in society in general. Why is this? Largely because public disclosures have helped shed light on an obscure part of the malware and hacking underworld on the Internet. But so far, little has been considered about the potential impact of these revelations on the attackers themselves.
About the Author
Saher Naumaan, threat intelligence analyst at BAE Systems Applied Intelligence.
That is why BAE Systems recently compiled a new report analyzing the motivations for public disclosure of threat activity and the responses of the attackers who appear to have been influenced by it.
Who publicly discloses and why?
The disclosures come from a variety of sources, from government agencies to threat intelligence teams in private security companies, investigators from human rights groups, or even people or groups who prefer to remain anonymous.
Why do they usually want to disclose?
There really is a variety of motivations among the different parties. Some researchers or companies may want to publicly attribute an attack to a particular country or entity, or at least disclose more information about the attackers, in order to build their organization's reputation and offer useful intelligence to the wider community to improve collective defenses.
Often, research such as this can help drive a more effective response across the industry to a particular threat, and may even disrupt adversary operations. Sometimes the goal of publicly disclosing details about a group is primarily to name and shame them, as when governments seek to indict specific individuals and announce that they are using certain TTPs and indicators ("burning"). Others may want to "dox" people involved in attacks and publicly disclose their personal data.
How do attackers respond?
It is important to remember that no two attackers are alike. Whether we are talking about state-sponsored operators, financially motivated criminal actors, hacktivists or even private investigators, they all have their own motivations and characteristics that inform their decisions. As such, it is impossible to know, without directly asking, what precipitated a certain course of action or response.
That said, there is considerable evidence that they act in response to public disclosure of their activities and, sometimes, hackers even monitor what is reported about them. The actors behind TRITON, for example, have been observed monitoring open-source coverage of their activities. The responses fall into three basic categories: they can "go quiet" and stop their current activity; "change" to alter aspects of their operations; or "get angry." Some actors may also continue their operations unchanged.
Why might an attacker go quiet?
Ceasing activity is a natural response to public disclosure. The attackers know that investigators and perhaps governments are onto them, and they do not want to keep being tracked or risk attribution to their country or agency. One of the first incidents of this kind was Mandiant's 2013 report on APT1 / Comment Crew, a state-sponsored group that had been constantly active but whose C&C servers went quiet immediately after the disclosure.
However, going quiet does not mean that this is the last we will hear of these hackers. Especially in the case of state-sponsored operators, it could mean that they will resurface under a different guise. This happened when the Middle Eastern APT behind Operation Cleaver was called out in 2014. It is believed that its members reappeared the following year in the form of the OilRig group.
What is the risk that hackers change their tactics?
Most threat groups that are burned by public disclosure go quiet first and change their approach and tools later. The danger in calling attention to the fact that we are onto them is that they will disappear completely or change tactics to avoid being found again. This happened most notably with an East Asian state-backed threat group that was burned in the landmark Cloud Hopper report, in which BAE Systems and PwC revealed large-scale attacks against managed service providers (MSPs).
After that report, the group moved to new techniques and tools, swapping PlugX for Quasar RAT and a new custom tool called RedLeaves. It became more careful and separated its campaigns by tooling, targets and infrastructure, making its operations harder to map. In some cases, there is a risk that the group in question decides to fight back.
Security vendor ClearSky's investigations into the Charming Kitten group led the attackers to launch a spoofed version of the ClearSky website designed to harvest credentials from the company's employees and customers. In a similarly vindictive vein, the 2018 Kaspersky report exposing MuddyWater's operations led the group to upload a YouTube video demonstrating how to "disable" the Russian security firm's antivirus product.
Are there any unintended consequences of disclosure?
You never know how attackers will react. But alongside the responses described above, there can also be some more serious consequences of public disclosure.
The first is replication. Once tools and techniques are made public, other threat groups could use them in their own attacks. This happened when a new SMB watering hole technique used by the Eastern European group Dragonfly was subsequently used by threat groups from the Middle East.
Attackers could also use copied tools and techniques to plant false flags in their own operations in order to mislead investigators. The destructive Olympic Destroyer malware that targeted the Pyeongchang Olympic Games in 2018 was found to contain elements linking it to numerous groups around the world; however, it was ultimately determined to be the work of a group from Eastern Europe.
Finally, it goes without saying that an attack group will probably factor the disclosing organization into future operations, whether that means retaliating or, more likely, adapting its TTPs to avoid detection in the next campaign.