Attribution Hell: Cyberspies Hacking Other Cyberspies

Fourth-party collection makes attribution hell

Cyber espionage attribution is almost never easy, but it becomes even more complicated when threat actors hack other threat actors and they start using each other’s tools and infrastructure in their operations.

On Wednesday, at the Virus Bulletin conference in Madrid, Spain, Kaspersky researchers Juan Andrés Guerrero-Saade and Costin Raiu pointed out that cyberspies hacking other cyberspies, which they call “fourth-party data collection,” is the worst-case scenario when trying to link an attack to a certain actor.

Fourth-party collection takes place when a competent entity (Agency-A) actively or passively harvests information related to a foreign intelligence service’s (Agency-B) computer network exploitation activity.

Passive collection involves harvesting data while it’s in transit between hop points in Agency-B’s infrastructure or between the victim’s systems and Agency-B’s command and control (C&C) servers. This assumes that Agency-A has what Kaspersky researchers refer to as “god on the wire” status, which means it has regular and legitimate access to national or international taps.

Active collection involves Agency-A breaking into the C&C servers or backend-collection nodes of Agency-B. This can be achieved either by using stolen credentials or by exploiting vulnerabilities to plant a backdoor on the server – the latter scenario can be more efficient as it provides persistent access without raising suspicion.

Once it gains access to Agency-B’s systems, Agency-A can adopt its tools and infrastructure to launch attacks in their name. According to Guerrero-Saade and Raiu, Kaspersky Lab has investigated several campaigns that could involve fourth-party collection.

One example involves Crouching Yeti, a Russia-linked threat actor also known as Energetic Bear and Dragonfly. The group, known for campaigns targeting industrial companies, is believed to be responsible for recent attacks on energy facilities in the U.S.

In March 2014, while analyzing one of the compromised websites used by Crouching Yeti, Kaspersky researchers noticed that the control panel web page had been modified to fingerprint the attackers as they logged in. The collected data was sent to an IP address in China, which experts believe may have been a false flag.

Another example provided by Guerrero-Saade and Raiu involves NetTraveler, a China-linked cyber espionage group that was recently observed targeting military and aerospace organizations in Russia and neighboring countries. While analyzing the group’s activities, Kaspersky researchers gained access to one of its main servers and noticed that, in addition to NetTraveler’s own scripts and software, it contained a basic backdoor that had apparently been planted by another entity.

Researchers have also found evidence that suggests the cyberspies tracked as ScarCruft may have hijacked a website used by the threat actor known as DarkHotel and leveraged it in their own operations. This made some researchers believe that ScarCruft and DarkHotel were the same threat actor, when in reality they are not, as shown by their targets, exploits and types of attacks launched.

Benefits of fourth-party collection

According to Guerrero-Saade and Raiu, the byproducts and benefits of fourth-party collection include tasking-by-proxy, code reuse, and learning from adversaries.

As an example of tasking-by-proxy, Agency-A uses its access to Agency-B to map the systems of a targeted organization that Agency-B already has access to. In this scenario, the greatest benefit is gained if Agency-B has a stakeholder role in the targeted region or organization.

“Not only is Agency-A able to lower its investment threshold for its own campaign in a foreign region thanks to fourth-party collection, it may also be able to leverage another threat actor’s access to further its own access,” said the Kaspersky researchers.

As for code reuse, the experts pointed out that there can be numerous benefits to obtaining a different group’s tools and implants. They noted that a piece of code found in two different malware families does not necessarily mean they were made by the same developers; it’s possible that the developers of one tool used code that they had stolen from another threat actor.

When it comes to learning from adversaries, Kaspersky believes the best example is ProjectSauron (Strider), an espionage group that has targeted China, Russia and Europe since at least 2011.

ProjectSauron has leveraged innovations from other top-tier threat actors such as Duqu, Flame, Regin and Equation, while avoiding some of the mistakes that these groups had made. Kaspersky has also determined that ProjectSauron could be a perfect example of Agency-A, as evidence suggests it may have the ability to obtain data as it travels from one country to another without needing access to either the source or destination servers.

“These covert dynamics in the space of cyberespionage further substantiate the difficulties underlying accurate security research and the need to track threat actors continually,” the researchers said.

The complete paper, titled “Walking in Your Enemy’s Shadow: When Fourth-Party Collection Becomes Attribution Hell,” is available in PDF format.

Related: False Flags and Misdirection in Hacker Attribution

Related: Attribution Concerns Raised Over Cyber Sanctions Program

Related: Long-Term Strategy Needed When Analyzing APTs

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
