{"id":27561,"date":"2020-06-10T11:59:57","date_gmt":"2020-06-10T15:59:57","guid":{"rendered":"https:\/\/www.kaspersky.co.za\/blog\/kaspersky-threat-attribution-engine\/27561\/"},"modified":"2021-05-14T16:20:39","modified_gmt":"2021-05-14T14:20:39","slug":"kaspersky-threat-attribution-engine","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.za\/blog\/kaspersky-threat-attribution-engine\/27561\/","title":{"rendered":"Which hacker group is attacking your corporate network? Don&#8217;t guess, check!"},"content":{"rendered":"<p>About four years ago, cybersecurity became a pawn in geopolitical games of chess. Politicians of all stripes and nationalities wag fingers at and blame each other for hostile cyberespionage operations, while at the same time \u2014 seemingly without irony \u2014 enlarging their own countries\u2019 offensive cyber<span style=\"text-decoration: line-through\">weapons<\/span>tools. And caught in the <a href=\"https:\/\/eugene.kaspersky.com\/2017\/10\/05\/we-aggressively-protect-our-users-and-were-proud-of-it\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">crossfire<\/a> of <a href=\"https:\/\/eugene.kaspersky.com\/2017\/10\/10\/heres-to-aggressive-detection-of-maliciousness\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">geopolitical shenanigans<\/a> are <a href=\"https:\/\/eugene.kaspersky.com\/2017\/10\/19\/proud-to-keep-on-protecting-no-matter-of-false-allegations-in-u-s-media\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">independent cybersecurity companies<\/a>, which have the ability, and the nerve, to uncover this very dangerous tomfoolery.<\/p>\n<p>But, why? It\u2019s all very simple.<\/p>\n<p>First, \u201ccyber\u201d is and has been a cool\/romantic\/sci-fi\/Hollywood\/glamorous term since its inception. It also sells \u2014 not just products but press. It\u2019s popular, including with politicians. 
And it\u2019s a handy distraction, given its coolness and popularity, when distraction is something that\u2019s needed, which is often.<\/p>\n<p>Second, \u201ccyber\u201d is really techy. Most folks don\u2019t understand it. As a result, the media, when covering anything to do with it, and always seeking more clicks on their stories, are able to print all manner of things that aren\u2019t quite true (or are completely false), but few readers notice. So what you get are a lot of stories in the press stating that this or that country\u2019s hacker group is responsible for this or that embarrassing or costly or damaging or outrageous cyberattack. But can any of it be believed?<\/p>\n<blockquote><p>We stick to technical attribution. It\u2019s our duty and what we do as a business.<\/p><\/blockquote>\n<p>Generally, it\u2019s hard to know what to believe. Given that, is it actually possible to accurately attribute a cyberattack?<\/p>\n<p>The answer is in two parts:<\/p>\n<p>From a\u00a0technical<strong>\u00a0<\/strong>standpoint, cyberattacks possess an array of particular characteristics, but impartial system analysis thereof can only go so far in determining\u00a0<em>how much an attack looks like it\u2019s the work of this or that hacker group<\/em>.<\/p>\n<p>However, whether the hacker group might belong to Military Intelligence Sub-Unit 233, the National Advanced Defense Research Projects Group, or the Joint Strategic Capabilities and Threat Reduction Taskforce (none of which exists, to save you Googling them) \u2026 that is a political issue, and there, the likelihood of factual manipulation approaches 100%. Attribution goes from being technical, evidence-based, and accurate to \u2026 well, fortune-telling. So, we leave that to the press. We stay well away.<\/p>\n<p>Meanwhile, curiously, the percentage of political flies dousing themselves in the fact-based ointment of pure cybersecurity grows several-fold with the approach of key political events. 
Oh, just like the one that\u2019s scheduled to take place in five months\u2019 time!<\/p>\n<blockquote><p>Knowing the identity of one\u2019s attacker makes fighting it much easier: An incident response can be rolled out smoothly and with minimal risk to the business.<\/p><\/blockquote>\n<p>So yes, political attribution is something we avoid. We stick to the\u00a0technical\u00a0side; in fact, it\u2019s our duty and what we do as a business. And we do it better than anyone, I might modestly add. We keep a\u00a0<a href=\"https:\/\/www.kaspersky.co.za\/enterprise-security\/apt-intelligence-reporting?icid=en-za_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener\">close watch<\/a>\u00a0on all large hacker groups and their operations (600+ of them), and pay zero attention to what their affiliation might be. A thief is a thief and should be in jail. And now, finally, more than 30 years since I started out in this game, after collecting nonstop so much data about digital wrongdoing, we feel we\u2019re ready to start sharing what we\u2019ve got \u2014 in a good way.<\/p>\n<p>Just the other day, we launched an awesome new service for cybersecurity experts. It\u2019s called the\u00a0<a href=\"https:\/\/www.kaspersky.co.za\/enterprise-security\/cyber-attack-attribution-tool?icid=en-za_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener\">Kaspersky Threat Attribution Engine<\/a>. It analyzes suspicious files and determines from which hacker group a given cyberattack comes. Knowing the identity of one\u2019s attacker makes fighting it much easier: It enables informed countermeasures. 
Decisions can be made, a plan of action can be drawn up, priorities can be set out, and on the whole an incident response can be rolled out smoothly and with minimal risk to the business.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/103\/2020\/06\/10185250\/kaspersky-threat-attribution-engine-interface.jpg\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/103\/2020\/06\/10185250\/kaspersky-threat-attribution-engine-interface.jpg\" alt=\"Kaspersky Threat Attribution Engine interface\" width=\"960\" height=\"470\" class=\"aligncenter size-full wp-image-27562\"><\/a><\/p>\n<p>How do we do it?<\/p>\n<p>As I mentioned above, cyberattacks have many purely technical characteristics, or \u201cflags\u201d: the time and date when files were compiled, IP addresses, metadata,\u00a0<a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/exploit\/\" target=\"_blank\" rel=\"noopener noreferrer\">exploits<\/a>, code fragments, passwords, language, file-naming conventions, debug paths, obfuscation and encryption tools, and more.\u00a0Individually, such characteristics are\u00a0<a href=\"https:\/\/www.bloomberg.com\/news\/articles\/2014-07-17\/how-russian-hackers-stole-the-nasdaq\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">useful<\/a>\u00a0only to (a) politicians, to point their fingers at opponents in the international arena, to bolster a hidden agenda, or (b) bad journalists seeking sensational scoops. Only\u00a0together\u00a0can they indicate to which hacker group they belong.<\/p>\n<p>Besides, it\u2019s easy to fake or emulate a flag.<\/p>\n<p>For example, hackers from the\u00a0<a href=\"https:\/\/www.youtube.com\/watch?v=9Vh2n6nC0t4\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Lazarus<\/a>\u00a0group appear to have used Russian words transcribed into Latin letters in their implanted binary code. 
However, the sentence construction would be unnatural in Russian, and the grammatical\/syntax mistakes make it look like something Google Translate would produce, perhaps to send security experts in the wrong direction:<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/103\/2020\/06\/10185255\/kaspersky-threat-attribution-engine-false-flags.jpg\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/103\/2020\/06\/10185255\/kaspersky-threat-attribution-engine-false-flags.jpg\" alt=\"False flags in Lazarus code.\" width=\"700\" height=\"202\" class=\"aligncenter size-full wp-image-27564\"><\/a><\/p>\n<p>But, then again, any hacker group can use Google Translate \u2013 even for its native language \u2013 rendering \u2018language used\u2019 hardly a reliable pointer.<\/p>\n<p>Here\u2019s another case highlighting this in a slightly different way: The\u00a0<a href=\"https:\/\/securelist.com\/olympicdestroyer-is-here-to-trick-the-industry\/84295\/\" target=\"_blank\" rel=\"noopener noreferrer\">Hades group<\/a>\u00a0(authors of the infamous\u00a0<em>OlympicDestroyer<\/em>\u00a0worm that attacked the infrastructure of the 2018 Olympic Games in South Korea) planted some of the flags used by the Lazarus group, leading many researchers up the garden path into believing the Hades hackers actually were Lazarus (other differences between the two groups\u2019 \u2018style\u2019 led most to conclude it wasn\u2019t Lazarus).<\/p>\n<p>However, manually analyzing hundreds of characteristics and comparing them with the signature styles of other hacker groups is practically impossible in short timeframes, with limited resources, and with acceptable quality of results. But such results are needed sooooo badly. 
Companies want to quickly catch the cyber\u2026-octopus that\u2019s attacking them, nail down all its tentacles so that it doesn\u2019t crawl somewhere it shouldn\u2019t again, and be able to\u00a0<a href=\"https:\/\/www.kaspersky.co.za\/enterprise-security\/apt-intelligence-reporting?icid=en-za_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener\">tell<\/a>\u00a0everyone how to stay protected from this dangerous cyber-mollusk.<\/p>\n<blockquote><p><em>Malware \u2018genotypes\u2019 help find malware code similarities with known APT threat actors with almost 100% accuracy<\/em><\/p><\/blockquote>\n<p>So, that\u2019s what was needed sooooo badly? Well, that\u2019s just what we\u2019ve come up with\u2026<\/p>\n<p>A few years ago we developed, for internal use, a system for the automated analysis of files. It works like this: we extract from a suspicious file something we\u2019ve called\u00a0<em>genotypes<\/em>\u00a0\u2013 short fragments of code selected using our proprietary algorithm \u2013 and compare them, across a whole spectrum of characteristics, with more than 60,000 targeted-attack objects in our database. This allows us to determine the most likely scenarios as to the origin of a cyberattack, and to provide descriptions of the likely responsible hacker groups and links to\u00a0<a href=\"https:\/\/www.kaspersky.co.za\/enterprise-security\/apt-intelligence-reporting?icid=en-za_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener\">paid<\/a>\u00a0and free resources for more detailed information and the development of an incident response strategy.<\/p>\n<p>So, how reliable is the search, you may ask. 
Well, let\u2019s just say that in three years the system hasn\u2019t made a single mistake in pointing an ongoing investigation in the right direction!<\/p>\n<p>Some of the more well-known investigations that have used the system include: the\u00a0<a href=\"https:\/\/securelist.com\/ios-exploit-chain-deploys-lightspy-malware\/96407\/\" target=\"_blank\" rel=\"noopener noreferrer\">LightSpy iOS implant<\/a>,\u00a0<a href=\"https:\/\/securelist.com\/project-tajmahal\/90240\/\" target=\"_blank\" rel=\"noopener noreferrer\">TajMahal<\/a>,\u00a0<a href=\"https:\/\/securelist.com\/operation-shadowhammer\/89992\/\" target=\"_blank\" rel=\"noopener noreferrer\">Shadowhammer<\/a>,\u00a0<a href=\"https:\/\/securelist.com\/shadowpad-in-corporate-networks\/81432\/\" target=\"_blank\" rel=\"noopener noreferrer\">ShadowPad<\/a>,\u00a0and\u00a0<a href=\"https:\/\/securelist.com\/my-name-is-dtrack\/93338\/\" target=\"_blank\" rel=\"noopener noreferrer\">Dtrack<\/a>. In all of those cases, the result was in full agreement with the evaluation of our experts. And now our customers can use it, too!<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/103\/2020\/06\/10185259\/kaspersky-threat-attribution-engine-ig.jpg\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/103\/2020\/06\/10185259\/kaspersky-threat-attribution-engine-ig.jpg\" alt=\"Kaspersky Threat Attribution Engine.\" width=\"1200\" height=\"611\" class=\"aligncenter size-full wp-image-27566\"><\/a><\/p>\n<p>The\u00a0Kaspersky Threat Attribution Engine\u00a0comes in the form of a Linux-based distribution kit to be installed on a customer\u2019s air-gapped computer (for maximal confidentiality). Updates are supplied by USB. 
Any malware samples the customer\u2019s in-house analysts find can be added to the solution\u2019s database, and an API connects the engine to other systems \u2014 even a third-party SOC (security operations center).<\/p>\n<p>In closing, I offer one disclaimer: No tool for the automated analysis of malicious cyberactivity has a 100% attack attribution guarantee. Everything can be faked and tricked, including the most advanced solutions. Our main objectives are to point experts in the right direction and to\u00a0test likely scenarios. Also, despite ubiquitous and resounding choruses about the effectiveness of\u00a0<a href=\"https:\/\/eugene.kaspersky.com\/2016\/09\/09\/the-artificial-artificial-intelligence-bubble-and-the-future-of-cybersecurity\/\" target=\"_blank\" rel=\"noopener noreferrer\">AI<\/a>\u00a0(which\u00a0<a href=\"https:\/\/eugene.kaspersky.com\/2016\/06\/07\/artificial-intelligence-artificial-truth-here-and-now\/\" target=\"_blank\" rel=\"noopener noreferrer\">doesn\u2019t actually exist<\/a>\u00a0yet), existing \u201cAI\u201d systems \u2014 even the very smartest \u2014 are at present not able to do everything without the assistance of Homo sapiens. 
It is a synergy of machines, data, and experts \u2014 what we call\u00a0<em><a href=\"https:\/\/www.kaspersky.com\/blog\/what-humachine-intelligence-is\/17995\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">humachine<\/a><\/em>\u00a0\u2014 that today helps effectively fight even the most complex of cyberthreats.<\/p>\n<p>And finally, I\u2019d like to invite you to join a\u00a0<a href=\"https:\/\/www.brighttalk.com\/webcast\/15591\/414427?utm_source=kdaily&amp;utm_medium=blog&amp;utm_campaign=gl_great-kitchen_ay0073&amp;utm_content=link&amp;utm_term=gl_kdaily_organic_73kst6nfgfeyywq\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">webinar on June 17<\/a>\u00a0to see a live demo of the product, hear directly from its developers, and ask questions in real time.<\/p>\n<p>That\u2019s about all for today for your intro to our new solution. You can find more info on the\u00a0<a href=\"https:\/\/www.kaspersky.co.za\/enterprise-security\/cyber-attack-attribution-tool?icid=en-za_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener\">product page<\/a>,\u00a0in the <a href=\"https:\/\/media.kaspersky.com\/en\/business-security\/enterprise\/threat-attribution-engine-datasheet.pdf\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">product datasheet<\/a>,\u00a0and in this\u00a0<a href=\"https:\/\/media.kaspersky.com\/en\/business-security\/enterprise\/threat-attribution-engine-whitepaper.pdf\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">white paper<\/a>.<\/p>\n<p>PS: I highly recommend a read of this <a href=\"https:\/\/securelist.com\/big-threats-using-code-similarity-part-1\/97239\/\" target=\"_blank\" rel=\"noopener noreferrer\">post<\/a>\u00a0by Costin Raiu, one of the parents of this product, in which he goes into detail about the story of how it was developed and also explains some of the finer points of 
Kaspersky Threat Attribution Engine\u00a0on the whole.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>We have released a new solution that provides businesses with code similarity analysis and gives technical evidence for APT attribution.<\/p>\n","protected":false},"author":13,"featured_media":27568,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3020],"tags":[499,3148,3300],"class_list":{"0":"post-27561","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"tag-apt","10":"tag-attribution","11":"tag-solutions"},"hreflang":[{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/kaspersky-threat-attribution-engine\/27561\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/kaspersky-threat-attribution-engine\/21437\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/kaspersky-threat-attribution-engine\/16901\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/kaspersky-threat-attribution-engine\/22540\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/kaspersky-threat-attribution-engine\/20688\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/kaspersky-threat-attribution-engine\/23005\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/kaspersky-threat-attribution-engine\/22093\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/kaspersky-threat-attribution-engine\/28574\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/kaspersky-threat-attribution-engine\/35852\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/kaspersky-threat-attribution-engine\/15103\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/kaspersky-threat-attribution-engine\/13569\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/kaspersky-
threat-attribution-engine\/22475\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/kaspersky-threat-attribution-engine\/27719\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.co.za\/blog\/tag\/apt\/","name":"APT"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/posts\/27561","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/users\/13"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/comments?post=27561"}],"version-history":[{"count":7,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/posts\/27561\/revisions"}],"predecessor-version":[{"id":29036,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/posts\/27561\/revisions\/29036"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/media\/27568"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/media?parent=27561"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/categories?post=27561"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/tags?post=27561"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}