Identifying the brains behind cyber attacks

by Sohini Bagchi    Jun 28, 2013


As the cyber security threat landscape grows ever more complex, it becomes essential for security professionals in an organization to identify the attackers, their motives and how they work in order to protect organization data and intellectual property. A recent report by security research firm FireEye titled “Digital Bread Crumbs: Seven Clues To Identifying Who’s Behind Advanced Cyber Attacks” details some of the most prevalent attack characteristics that can help security professionals identify threat actors and better defend organizations against future advanced cyber attacks. “In today’s cyber threat landscape, identifying your enemy is a crucial piece of any defense plan,” says Ashar Aziz, CTO and Founder, FireEye. Fortunately, breached computer systems, like any crime scene, contain a trail of clues.

The report analyzes advanced attacks to identify the patterns, behaviors, and techniques that make up an attack’s digital paper trail. Sharing details of the report, Aziz states that in advanced cyber attacks, attackers may give themselves away through their malware code, their phishing emails, the command-and-control (CnC) servers they use, and even their behavior. Just as the science of fingerprints, DNA, and fiber analysis has become invaluable in criminal forensics, connecting the dots of an advanced cyber attack can help identify even the most sophisticated threat actors and their countries of origin, if researchers know what to look for. He highlights several of the most important clues:

Keyboard layout: The report notes that attackers can be identified through their keyboard layout. Hidden in phishing attempts is information about the attacker’s choice of keyboard, which varies by language and region. Most phishing attempts use standard keyboard layouts that do not point to any particular country, but when a nonstandard keyboard is apparent, it is a strong indicator.

Malware metadata: Another way to identify the source of an attack is through its malware metadata. According to FireEye researchers, the malware source code contains technical details that suggest the attacker’s language, location, and ties to other campaigns. For example, a recent analysis of malware metadata helped identify a previously undisclosed attack tactic used by the Chinese “Comment Crew,” a notorious hacker group linked earlier this year to a series of attacks against the U.S. government.

Embedded fonts: The fonts used in phishing emails point to the origin of the attack. This is true even when the fonts are not normally used in the attacker’s native language, Aziz notes.


DNS registration: The FireEye report also points out that DNS registration is another important way of identifying attackers, since the domains used in attacks can pinpoint the attacker’s location. “Even DNS registrations with fake names and addresses can be useful in pinpointing the culprit. In some cases, attackers reuse the bogus contact information across multiple domains. That copying allows researchers to quickly link multiple attacks to a single threat actor and piece together information gleaned from each of the attacks,” says the report.

Language: The language artifacts embedded in malware often point to the attacker’s country of origin. Often, indicators suggest that the language used in a malware campaign is not that of a native speaker, and sometimes those indicators can even point to the attacker’s origin. Obvious typos and misspellings are clear signs; in other cases, a more detailed analysis shows telltale signs that the attacker used a language translation site. The common language mistakes in phishing emails can sometimes be reverse-engineered to determine the writer’s native language: knowing how popular translation sites handle certain words and phrases, researchers can determine the original language of the phishing emails used in an attack.

Remote Administration Tools: Popular malware-creation tools include a bevy of configuration options. These options are often unique to the attacker using the tool, allowing researchers to tie disparate attacks to a common threat actor. Remote Administration Tools (RATs) are a type of malware that gives attackers real-time control of a target’s computer. The tools support a variety of features such as key logging, screen capturing, video capturing, file transfers, system administration, and command-shell access. RATs might seem to make attribution more difficult: anyone can use them, and many different groups employ the same tools. But their many customization options create a combination of settings distinctive to each attacker, so multiple attacks using a RAT configured in the same way point to a common attacker.

Behavioral patterns: Last but not least, behavioral patterns such as methods and targets give away some of the attacker’s methods and motives, says Aziz. For example, attackers focus on the same targets, use the same CnC servers, and concentrate on the same industries. These repeated tactics can reveal the approaches, objectives, and whereabouts of attackers. That is where threat-actor profiling can help. Much like criminal profiling helps detectives focus on potential suspects, security professionals can observe attackers over time and note patterns. Using that information, researchers can spot the proclivity of a given group toward certain styles and approaches.

Although none of these attributes is absolute proof on its own, when multiple signs point to the same attacker, researchers can conclude with a high level of certainty who is behind a given campaign. As Aziz points out, these clues can help security professionals understand attack methods and motivations, allowing them to better anticipate future attacks and protect targeted systems and data. He believes that when a targeted organization knows the attacker’s methods and objective, it can use that information to immediately shift resources to bolster protection of vulnerable data and to enlist additional help, whether internal resources or law enforcement, to secure its data and network.
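The DNS registration, RAT configuration and CnC reuse clues above, and the closing point that several agreeing clues are needed before attributing incidents to one actor, can be turned into a simple linking procedure. The following is an added illustration, not code from the FireEye report; the incident records, domains and RAT settings are constructed sample data, and the rule of merging incidents only when they share at least two artifacts is an assumption chosen to reflect the report's "multiple signs" caveat.

```python
import hashlib

# Constructed sample incidents (not from the FireEye report). Each records the
# clue types the article lists: domain registrant contact details, the RAT
# configuration the sample used, and the CnC server it called back to.
INCIDENTS = [
    {"id": "inc-1", "registrant": ("john smith", "js@example.invalid"),
     "rat_config": {"mutex": "MTX1", "port": 443, "dir": "%AppData%\\svc"},
     "cnc": "cnc1.example.invalid"},
    {"id": "inc-2", "registrant": ("john smith", "js@example.invalid"),
     "rat_config": {"port": 443, "dir": "%AppData%\\svc", "mutex": "MTX1"},
     "cnc": "cnc2.example.invalid"},
    {"id": "inc-3", "registrant": ("jane doe", "jd@example.invalid"),
     "rat_config": {"mutex": "MTX1", "port": 443, "dir": "%AppData%\\svc"},
     "cnc": "cnc3.example.invalid"},
    {"id": "inc-4", "registrant": ("bob lee", "bl@example.invalid"),
     "rat_config": {"mutex": "XYZ", "port": 8080, "dir": "%Temp%\\x"},
     "cnc": "cnc4.example.invalid"},
]

def rat_fingerprint(config):
    """Hash the RAT settings in a canonical key order so equal setups match."""
    canon = "|".join(f"{k}={config[k]}" for k in sorted(config))
    return hashlib.sha256(canon.encode()).hexdigest()[:16]

def pivots(incident):
    """The artifacts one incident contributes for cross-incident matching."""
    return {("registrant", incident["registrant"]),
            ("rat", rat_fingerprint(incident["rat_config"])),
            ("cnc", incident["cnc"])}

def cluster(incidents, min_shared=2):
    """Group incidents that share >= min_shared artifacts (union-find).
    One clue is a lead; several agreeing clues justify a common-actor call."""
    parent = {i["id"]: i["id"] for i in incidents}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    arts = {i["id"]: pivots(i) for i in incidents}
    ids = list(arts)
    for a in range(len(ids)):
        for b in range(a + 1, len(ids)):
            if len(arts[ids[a]] & arts[ids[b]]) >= min_shared:
                parent[find(ids[a])] = find(ids[b])
    groups = {}
    for iid in ids:
        groups.setdefault(find(iid), set()).add(iid)
    return sorted(sorted(g) for g in groups.values())
```

With the default threshold, inc-1 and inc-2 are linked (same bogus registrant and same RAT configuration) while inc-3, which only shares the RAT configuration, stays separate; lowering min_shared to 1 pulls inc-3 into the same group, which is exactly the over-attribution the report warns against.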