Kaspersky Lab are finding more and more APT groups using false flag tactics to throw off investigators. The news was revealed by Juan Andrés Guerrero-Saade, senior security researcher at Kaspersky Lab, as he presented to a crowd at CanSecWest 2016 in Vancouver.
Guerrero-Saade, who presented Kaspersky's findings, told SCMagazineUK.com that “overt manipulation and subtle false flags are appearing with increasing frequency in the work of intermediary to advanced attackers. It takes experience and familiarity with attacker techniques to recognise these attempts to befuddle researchers.”
Guerrero-Saade added that “when it comes to incident responders dealing with an ongoing attack, a well executed false flag can result in a devastating mismanagement of already limited resources.”
The reasons behind these tactics may appear obvious: pin the blame on some other group and exonerate yourself, and your backer, from guilt.
In fact, those tactics have been employed by some of the world's premier APT groups, such as Red October and CloudAtlas. The infamous Russian group Sofacy, aka PawnStorm, aka APT28, pulled off one of its more famous campaigns against the French news channel TV5Monde. The group took the channel's broadcast down for three hours, all while claiming to be CyberCaliphate, a group doing the work of the Islamic State.
This is nothing new. “We've observed attackers practicing deception techniques for years,” Nick Carr, a consultant on Mandiant's incident response team, told SC. Attackers will try to cloak their activity with domains and false phishing email content, among other techniques.
APT groups are well aware that investigators use clues from the code to find out where attacks come from. To that end, APT groups manipulate the vectors which investigators look at to throw off the scent: Language strings are changed to foreign script, timestamps are altered to look like they come from a foreign time zone.
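Because a false flag usually has to stage several artifacts at once, one defensive check is to test whether they agree with each other. The following added example (not code from the article, Kaspersky or any of the firms quoted) infers the likely working-hours timezone from a constructed cluster of compile timestamps and flags a mismatch against the timezone that the samples' language artifacts would suggest (assumed here to be UTC+8); both the timestamps and the claimed locale are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone


def build_constructed_sample():
    """Constructed cluster of compile timestamps (UTC), not real samples.
    Five weekdays, five compiles per day, placed so that they all fall in a
    09:00-17:59 working day only when viewed in UTC+3."""
    start = datetime(2015, 11, 2, tzinfo=timezone.utc)  # a Monday
    return [start + timedelta(days=d, hours=h)
            for d in range(5) for h in (6, 8, 10, 12, 14)]


def working_hours_score(timestamps, offset_hours):
    """Count timestamps landing Mon-Fri, 09:00-17:59, in UTC+offset_hours."""
    tz = timezone(timedelta(hours=offset_hours))
    score = 0
    for ts in timestamps:
        local = ts.astimezone(tz)
        if local.weekday() < 5 and 9 <= local.hour < 18:
            score += 1
    return score


def best_offsets(timestamps):
    """Return every UTC offset whose working-hour window explains the most
    compiles; working-hours analysis yields a band, not a single answer."""
    scores = {off: working_hours_score(timestamps, off) for off in range(-12, 15)}
    top = max(scores.values())
    return sorted(off for off, s in scores.items() if s == top)


def check_false_flag_consistency(timestamps, claimed_offset_hours, tolerance=1):
    """Compare the timezone implied by compile-time clustering with the one the
    language/locale artifacts point to.  Returns (best_offsets, consistent).
    A mismatch means at least one of the two artifact classes is staged."""
    best = best_offsets(timestamps)
    consistent = any(abs(b - claimed_offset_hours) <= tolerance for b in best)
    return best, consistent


if __name__ == "__main__":
    sample = build_constructed_sample()
    # Assumed for the example: resource strings suggest a UTC+8 locale.
    best, ok = check_false_flag_consistency(sample, claimed_offset_hours=8)
    print("working-hours offsets:", best,
          "consistent" if ok else "INCONSISTENT: timestamps or strings may be staged")
```

The band returned by `best_offsets` widens when a cluster has few samples, so the check is a prompt for closer analysis rather than an attribution on its own.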
Christopher Porter, senior threat intelligence analyst at FireEye, told SC that there are two levels to deception.
First, attackers will think about what kind of techniques they can “use to sneak around a system and avoid detection long enough to avoid getting kicked out of the system”.
Second is how “you avoid blow-back for your sponsor”. If you are part of a People's Liberation Army proxy, then your backers will not be happy if your operations can get traced back to the Chinese government. So, near the top of an APT's list of priorities is how you create plausible deniability.
That, Porter told SC, is not even quite about making sure the attack never gets traced back, but about making the decision to respond that much more complex: “that's about complicating decision making”.
Porter added, “for example, if an APT group presents itself publicly as a non-state group, there should be signs of activity by that group in the digital underground. When those signs are missing it becomes an additional data-point that the incident may not be as simple as it seems.”