Cyber espionage attribution is almost never easy, but it becomes even more complicated when threat actors hack other threat actors and they start using each other’s tools and infrastructure in their operations.
On Wednesday, at the Virus Bulletin conference in Madrid, Spain, Kaspersky researchers Juan Andrés Guerrero-Saade and Costin Raiu pointed out that cyberspies hacking other cyberspies, which they call “fourth-party data collection,” is the worst case scenario when trying to link an attack to a certain actor.
Fourth-party collection takes place when a competent entity (Agency-A) actively or passively harvests information related to a foreign intelligence service’s (Agency-B) computer network exploitation activity.
Passive collection involves harvesting data while it’s in transit between hop points in Agency-B’s infrastructure or between the victim’s systems and Agency-B’s command and control (C&C) servers. This assumes that Agency-A has what Kaspersky researchers refer to as “god on the wire” status, which means it has regular and legitimate access to national or international taps.
Active collection involves Agency-A breaking into the C&C servers or backend-collection nodes of Agency-B. This can be achieved either by using stolen credentials or by exploiting vulnerabilities to plant a backdoor on the server – the latter scenario can be more efficient as it provides persistent access without raising suspicion.
Once it gains access to Agency-B’s systems, Agency-A can adopt Agency-B’s tools and infrastructure to launch attacks in Agency-B’s name. According to Guerrero-Saade and Raiu, Kaspersky Lab has investigated several campaigns that could involve fourth-party collection.
One example involves Crouching Yeti, a Russia-linked threat actor also known as Energetic Bear and Dragonfly. The group, known for campaigns targeting industrial companies, is believed to be responsible for recent attacks on energy facilities in the U.S.
In March 2014, while analyzing one of the compromised websites used by Crouching Yeti, Kaspersky researchers noticed that the control panel web page had been modified to fingerprint the attackers as they logged in. The collected data was sent to an IP address in China, which experts believe may have been a false flag.
Another example provided by Guerrero-Saade and Raiu involves NetTraveler, a China-linked cyber espionage group that was recently observed targeting military and aerospace organizations in Russia and neighboring countries. While analyzing the group’s activities, Kaspersky researchers gained access to one of its main servers and noticed that, in addition to NetTraveler’s own scripts and software, it contained a basic backdoor that had apparently been planted by another entity.
Researchers have also found evidence that suggests the cyberspies tracked as ScarCruft may have hijacked a website used by the threat actor known as DarkHotel and leveraged it in their own operations. This made some researchers believe that ScarCruft and DarkHotel were the same threat actor, when in reality they are not, as shown by their targets, exploits and types of attacks launched.
Benefits of fourth-party collection
According to Guerrero-Saade and Raiu, the byproducts and benefits of fourth-party collection include tasking-by-proxy, code reuse, and learning from adversaries.
As an example of tasking-by-proxy, Agency-A uses its access to Agency-B to map the systems of a targeted organization that Agency-B already has access to. In this scenario, the greatest benefit is gained when Agency-B has a stakeholder role in the targeted region or organization.
“Not only is Agency-A able to lower its investment threshold for its own campaign in a foreign region thanks to fourth-party collection, it may also be able to leverage another threat actor’s access to further its own access,” said the Kaspersky researchers.
As for code reuse, the experts pointed out that there can be numerous benefits to obtaining a different group’s tools and implants. They noted that a piece of code found in two different malware families does not necessarily mean they were made by the same developers; it’s possible that the developers of one tool used code that they had stolen from another threat actor.
When it comes to learning from adversaries, Kaspersky believes the best example is ProjectSauron (Strider), an espionage group that has targeted China, Russia and Europe since at least 2011.
ProjectSauron has leveraged innovations from other top-tier threat actors such as Duqu, Flame, Regin and Equation, while avoiding some of the mistakes that these groups had made. Kaspersky has also determined that ProjectSauron could be a perfect example of Agency-A, as evidence suggests it may have the ability to obtain data as it travels from one country to another without needing access to either the source or destination servers.
“These covert dynamics in the space of cyberespionage further substantiate the difficulties underlying accurate security research and the need to track threat actors continually,” the researchers said.
The complete paper, titled “Walking in Your Enemy’s Shadow: When Fourth-Party Collection Becomes Attribution Hell,” is available in PDF format.