VB2017 Intel agencies and top-tier hackers are actively hacking other hackers in order to steal victim data, borrow tools and techniques, and reuse each other’s infrastructure, attendees at Virus Bulletin Con, Madrid, were told yesterday.
The increasing amount of spy-vs-spy type activity is making accurate threat intel increasingly difficult for security researchers, according to Kaspersky Lab.
Threat intelligence depends on spotting patterns and tools that point towards a particular threat actor. Related work allows researchers to infer a hacking group’s targets and objectives before advising clients about the risk they face. This process falls down now that threat actors are hacking each other and taking over tools, infrastructure and even victims.
A presentation, headlined Walking in your enemy’s shadow: when fourth-party collection becomes attribution hell, explored these challenges.
Juan Andres Guerrero-Saade and Costin Raiu, both from Kaspersky Lab, explained the attribution problems that can arise when one hacking group exploits another’s seemingly closed-source toolkit or infrastructure. Quizzed on this point by El Reg, the pair said to date there was no example of an intel agency backdating another foreign hacking group’s malware.
Cyber-espionage groups are busy instead stealing each other’s tools, repurposing exploits, and compromising the same infrastructure, they said. Reuse of fragments of other’s tools is more common than wholesale theft and repurposing of third-party APTs.
Source: The Register