The already difficult task of attributing a cyber security attack to a particular threat actor is made harder by the shape-shifting nature of threat groups. Despite the best efforts of researchers, some attackers may never be identified.
At the recent VB2021 conference, cyber security analysts and researchers walked through the breadcrumbs they followed to identify the malicious actors behind the Colonial Pipeline, Sony Pictures, and Iran railway system attacks.
These examples show why attribution is complicated and sometimes impossible.
From Carbanak to BlackMatter
CrowdStrike researchers quickly attributed the Colonial Pipeline attack this past May to a group known as Carbon Spider, likely an Eastern European or Russia-based threat group. But as Josh Reynolds, a senior security researcher at CrowdStrike, and Eric Lou, a senior intelligence analyst at CrowdStrike, spelled out at VB2021, the group wasn't always a "big game" ransomware threat.
Carbon Spider started in 2013 using Carbanak malware to target financial institutions before moving on in 2015 to target restaurants and the hospitality industry with point-of-sale (POS) malware to collect payment card data. In 2016, Cobalt Spider broke off from Carbon Spider to handle the card data thefts while Carbon Spider continued to target financial entities.
In April 2020, the COVID-19 pandemic forced the group to perform a "dramatic pivot" away from card data theft as the crisis reduced in-person transactions. The malicious actors moved instead toward more ambitious campaigns, including ransomware attacks using REvil's ransomware as a service (RaaS).
Then, in August 2020, Carbon Spider shifted its ransomware efforts to its own malware, DarkSide, which the group opened up to affiliates as an RaaS provider in November 2020.
CrowdStrike's attribution of the Colonial Pipeline attack to Carbon Spider came through no single data point but by comparing numerous DarkSide incidents to Carbon Spider. The researchers examined the tactics, techniques, and procedures and the distinctive use of tooling, shared infrastructure, and other forensic evidence to name Carbon Spider as the culprit in the pipeline attack.
A week after the May 8 attack, the DarkSide RaaS operation was shut down. Three weeks later, the US Justice Department announced it had seized the affiliate cut from the Colonial Pipeline ransom payment.
However, Carbon Spider did not halt operations even after these developments, which drew harsh condemnation from the US government and the international community.
Evidence suggested that it was renewing activity in other malware delivery incidents. On July 21, a new group called BlackMatter emerged seeking access to big game ransomware targets with annual revenues above $100 million in the US, Canada, Australia, and the UK.
CrowdStrike reverse-engineered the DarkSide and BlackMatter Windows variants and saw sufficient overlaps to believe that BlackMatter is simply DarkSide in a new guise. The real danger from ransomware groups, then, is that they can adapt to new trends and reinvent themselves, the CrowdStrike researchers said. There's no going back to POS data thefts because ransomware is too lucrative.
"The big thing to expect from Carbon Spider is that they will always keep improving," Lou said. "They are always going to keep introducing new initial access vectors, new intermediary PowerShell stagers, attackers, and loaders. So, the real thing to expect is that they are going to keep innovating. In a year, I wouldn't be surprised if they were significantly more improved from where they are now."
Lazarus composed of many clusters
Security researchers have complained that all North Korean malware is attributed to a single threat actor known as the Lazarus Group, also known as Hidden Cobra. Lazarus is best known for launching the 2014 attack on Sony Pictures and later was connected to the 2017 WannaCry 2.0 attacks.
Researchers also confuse the Lazarus Group with the alleged Chinese threat group known as Winnti, said Seongsu Park, senior security researcher at Kaspersky's Global Research and Analysis Team.
The truth is that Lazarus has evolved to consist of several different "clusters," including:
- ThreatNeedle, which targets cryptocurrency exchanges, mobile game companies, the defence industry, and security researchers
- AppleJeus, which has targeted a cryptocurrency exchange, a fintech company, and a blockchain company
- Bookcode, which has targeted a software vendor, a defense contractor, and a pharmaceutical company
- DeathNote (also known as DreamJob), which has targeted an automobile entity, academia, a defense organisation, a think tank, and a software company
- CookieTime (also known as LCPDot), whose targets have included defense, energy, and pharmaceutical organisations
- MATA (also known as Dacls), which has a fragile connection to Lazarus and focuses on cybercrime and espionage
Park said there are possibly even more Lazarus clusters with varying degrees of similarities and differences. The bottom line, though, is that all the clusters are constantly evolving. "All threat actors are changing," Park said. "Even their internal structures change and their leadership changes. These continual changes make attribution difficult."
Indra threat group could be a nation-state
Finally, some high-profile threat actors can elude attribution even after scrutiny by the best threat intelligence analysts. For example, Itay Cohen, senior malware researcher at Check Point Software Technologies, and Alexander Gofman, malware analyst on Check Point's Threat Intelligence Analysis Team, recapped their team's investigation into the hack of Iran's railway system that occurred in early July 2021.
That attack, which shut down the country's entire rail system, first became evident when messages appeared on railway stations' electronic signs saying that delays were due to a cyber attack, instructing passengers to call 64411, the number that then belonged to the country's supreme leader Ayatollah Khamenei. The primary payload delivered during the incident was a wiper called Meteor.
Meteor was connected to two other wipers called Comet and Stardust, used in similar attacks on Syria-based airline Cham Wings, Syrian money and exchange transfer company Al-Fadel, and oil trading and oil refinery organisations.
All three variants of the wiper contained background images that started with "I am Indra," the Hindu god of war and destroyer of evil, giving the group behind the attacks the moniker Indra. The attackers in all the incidents claim to be "hacktivists" engaged in digital battles for their anti-Iran political causes.
Iran is no stranger to hacktivist attackers. In 2018, the hacktivist group called Tapandegan attacked two airports in Iran. Iranian authorities say the attackers were identified and arrested. A few months later, the Iran broadcasting system and the email of the Iran consulate in Berlin were hacked by the same group.
More recently, in late August 2021, a hacktivist group called Edalat-e Ali (Ali's Justice) launched an attack on Iran's Evin prison. That attack made headlines due to the horrific images displayed in hacked footage from the prison’s security cameras.
Despite the detailed knowledge of all these attacks and a firm grasp of the execution flow of the wiper malware used in the railway attack, Check Point is unable to attribute the incident to any particular threat actor. "We have quote-unquote hacktivist attacks before and after the attacks conducted by Indra," Cohen said.
"Who says these groups are hacktivists and not nation-state sponsored? They might as well be. This is not unlikely. We saw several attacks in recent years in which countries disguise themselves as hacktivists," such as Russian intelligence operatives posing as Guccifer 2.0 in the run-up to the 2016 presidential election.
"So, who is behind Indra? The answer is: we don't know."