Threat actor attribution in the cyber world – when done properly – is a damned difficult task, complicated by missing and inaccessible traffic logs, international jurisdictions, and routing through anonymizing proxies and compromised hosts scattered around the globe. Unlike professional forensic investigations of physical-world crime scenes, the virtual world spawns an endless supply of amateur cyber investigators (with no certified credentials), many seeking notoriety or promoting conspiracy stories based on any data they can lay their hands upon – no matter the relevance.
The muddied waters of cyber attack attribution are a torrid story that repeats itself with every major hack or disclosure. As we kick off 2017, the current headlines are of the DNC hacks and their attribution to Russian hackers operating under State-level direction. Back in August 2016 the attribution frenzy over the Shadow Brokers auction of the Equation Group’s exploits and attack tools reached fever pitch – and still hasn’t died down.
This Wednesday (at 4:15pm) during the Suits and Spooks 2017 conference I’ll be joining a panel titled “Shadowbrokers Attribution, and Responsible Disclosure” with Anup Ghosh (CEO @ Invincea), Paul Kurtz (CEO @ TruSTAR), and Andrey Nikishin (Special Projects Director @ Kaspersky Lab).
“Who are the ShadowBrokers? Their disclosure of stolen NSA documents on Pastebin assisted in assigning responsibility of the Equation Group threat actors to the NSA. This panel, moderated by Anup Ghosh, will explore the complexities of attribution and responsible disclosure as well as the problem of proliferation of malicious code including Zero days.”
The incident is interesting because of attribution attempts to identify both the Shadow Brokers and Equation Group entities, and the subsequent release of malicious code (exploits and attack tools).
The Shadow Brokers group had claimed to have hacked the Equation Group, stolen a cache of their tools, and then sought to sell them off to the highest bidder after announcing an auction on Pastebin (the page was later removed, but is still accessible via the Internet Wayback Machine). Two encrypted files were made available – an auction file, and a free sampler file. The winner of the auction would receive the password to the auction file content.
The Equation Group was a name originally assigned by Kaspersky Labs back in 2015 to an unknown hacking group responsible for highly targeted attacks and the use of strong encryption – with most of their targets in Iran, Russia, Pakistan, Afghanistan, India, Syria, and Mali. Many threat investigators and reverse engineers (of the malware and tools captured from the attacks and from studying the Shadow Brokers “free” release zip file) believe that the group is the NSA’s highly sensitive Tailored Access Operations (TAO) group.
Analysis of the malicious code contained within the “free” file that Shadow Brokers released revealed that the samples were already quite dated (June 2013) – resulting in speculation of a relationship between Edward Snowden’s theft and the subsequent lockdown of the NSA and DoD. Technical analysis of the attack tools revealed numerous exploits against popular firewall technologies – including zero-day vulnerabilities in Cisco’s ASA software.
With that as the history of the Shadow Brokers release, the attribution of the Equation Group, and the release of zero-day exploits that had been in circulation for at least three and a half years, the panel discussion at Suits and Spooks should be rather interesting. I hope you’ll be able to join the fun.
-- Gunter Ollmann, Founder/Principal @ Ablative Security LLC