Monday, 24 November 2014

Whodunnit? APT attribution is hard

Discovering who is behind a computer-based attack is hard because you don't know which clues are real and which have been planted as misinformation.

When well-resourced entities are thought to be behind an attack campaign the sky is the limit as far as red herrings are concerned.

Yesterday security firms started talking about a new attack called Regin.

It's not truly new, though, as the attacks have been ongoing for at least six years. Kaspersky Lab claims to have seen traces of the threat from as far back as 2003.

What's new is its discovery.

So far Symantec has released some analysis [PDF] that includes details on how the malware is structured. However, where it came from and how it first arrived on the scene is still unknown:

"A reproducible infection vector is unconfirmed at time of writing."

Online commentators are speculating that the software involved is so advanced that it has to have been created by a nation state.

So who is behind this malware?

Symantec hints that it's a nation-state, noting similarities in sophistication between Regin and past threats such as Flame(r) and Duqu/Stuxnet. These are generally believed to be state-sponsored.

Kaspersky Lab goes further, guessing openly that, "Considering the complexity and cost of Regin development, it is likely that this operation is supported by a nation-state."

Its report also lists the countries in which victims were found. Notable non-victims include the USA, UK, Canada, New Zealand and Australia, the so-called "Five Eyes" nations.

Most victims seem to be in Asia and the Middle East, with Russia and Saudi Arabia being the worst affected.

Could Regin be a Western campaign aimed primarily at those two countries?

The problem with attribution is that it's almost impossible to be certain about who did what. Spies mislead as a rule and the opportunities for leaving false clues are numerous.

Kaspersky Lab's report notes the times of day during which the software was most heavily developed, based on the compile timestamps in the samples. It seems that most development took place between 13:00 and 20:00 GMT. The report invites readers to draw their own conclusions, warning that such timestamps can be changed easily.

It's also worth noting that programmers often do not keep regular office hours.
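To make the timestamp argument concrete, here is an added example (not code from the original post, nor from the Kaspersky or Symantec analyses) of what compile-hour analysis actually does and why it is weak evidence. It reads the COFF `TimeDateStamp` out of a PE header, buckets a set of samples by UTC hour of day, and then patches the field with a single 32-bit write to move a sample eight hours. The PE byte strings are constructed in the script; they are header stubs, not Regin samples, and the timestamps are invented.

```python
import struct
from collections import Counter
from datetime import datetime, timezone

E_LFANEW_OFFSET = 0x3C   # DOS header field that points at the "PE\0\0" signature
TIMESTAMP_OFFSET = 8     # TimeDateStamp sits 8 bytes after the signature (Machine + NumberOfSections)


def build_pe_stub(timestamp):
    """Construct a minimal, non-executable PE-shaped byte string carrying the
    given COFF TimeDateStamp. Constructed sample data for this example only."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, 64)  # PE header follows the DOS header
    # Signature, Machine (i386), NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, 1, timestamp, 0, 0, 0, 0x102)
    return bytes(dos) + coff


def pe_timestamp(data):
    """Return the COFF TimeDateStamp of a PE image, or None if data is not PE-shaped."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]
    if e_lfanew + TIMESTAMP_OFFSET + 4 > len(data):
        return None
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    return struct.unpack_from("<I", data, e_lfanew + TIMESTAMP_OFFSET)[0]


def compile_hours(samples):
    """Histogram of UTC hour-of-day across the compile timestamps of all PE samples."""
    hours = Counter()
    for data in samples:
        ts = pe_timestamp(data)
        if ts is None:
            continue
        hours[datetime.fromtimestamp(ts, tz=timezone.utc).hour] += 1
    return hours


def forge_timestamp(data, new_timestamp):
    """Rewrite the TimeDateStamp in place. The field is an unsigned 32-bit
    integer with no integrity protection, so one write is all it takes."""
    buf = bytearray(data)
    e_lfanew = struct.unpack_from("<I", buf, E_LFANEW_OFFSET)[0]
    struct.pack_into("<I", buf, e_lfanew + TIMESTAMP_OFFSET, new_timestamp)
    return bytes(buf)


def _utc(year, month, day, hour, minute=0):
    return int(datetime(year, month, day, hour, minute, tzinfo=timezone.utc).timestamp())


# Invented compile times for six constructed samples: five inside 13:00-20:00 UTC, one outlier.
SAMPLE_TIMESTAMPS = [
    _utc(2009, 3, 2, 13, 5),
    _utc(2010, 7, 19, 15, 40),
    _utc(2011, 1, 11, 15, 55),
    _utc(2012, 9, 4, 18, 20),
    _utc(2013, 5, 28, 19, 45),
    _utc(2013, 11, 1, 3, 10),
]
SAMPLES = [build_pe_stub(ts) for ts in SAMPLE_TIMESTAMPS]


if __name__ == "__main__":
    for hour, count in sorted(compile_hours(SAMPLES).items()):
        print(f"{hour:02d}:00 UTC  {'#' * count}")
    # Shift one sample by eight hours: same binary, different "working day".
    shifted = forge_timestamp(SAMPLES[0], SAMPLE_TIMESTAMPS[0] + 8 * 3600)
    print("forged hour:", sorted(compile_hours([shifted]).items()))
```

The histogram is exactly what an analyst looks at when inferring a working day from a malware family; the last two lines show that a developer who wants that histogram to point at a different time zone needs nothing more than a hex editor or a post-build script.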

To solve this problem I have developed an APT attribution generator. Please feel free to use the tool below whenever you want to know who is behind a specific 'APT' attack.

You can customise your own using the Dice Maker website.

Credit: The physical tool shown at the top of this page was constructed and photographed by Yonathan Klijnsma from Fox-IT.