Dailydave mailing list archives

Re: Getting called out
From: Dave Aitel <dave () immunityinc com>
Date: Thu, 17 Jan 2013 15:15:38 -0500

We had this whole section in the early Unethical Hacking classes where
we talked about attribution, and anti-attribution methodology. To
summarize it, we realized that there are some things that can be
trivially changed by an exploit team - obviously the strings inside the
trojans are the best example of these. Or the emails they register their
cover accounts with. These mean nothing.

But there is meta-data they cannot change easily. What follows we call
the tripod of cyber attribution:

1. Knowledge of particular vulnerabilities, exploits, or techniques.
This produces a "chain"-like time-based fingerprint that is extremely
difficult to spoof, since you would need to replicate the entire Chinese
technology tree to pretend to be Chinese. Simply stealing some exploits
won't do, because you'll never have an exploit or exploit technique
BEFORE they go public with it. And you can also add "time to mature and
deploy a technology" to your analysis, making it a very robust
indicator. This is also true of operator methodologies, analysis
techniques, and attack surfaces.

2. Targeting. This is hard to change because it results not from
technological restrictions, but from policy restrictions and turf wars.
If you're not allowed by the Politburo to steal Chinese data, then you
won't. Faking this is possible, but it's somewhat complex. This, of
course, is why it's also dangerous to do "collision prevention" on your
rootkits. If you never catch Rootkits A and Q on the same box, ever in
the history of time, then A and Q are from the same team (or allied teams).

3. Dissemination. It's hard to pretend to be Russian if the data you are
stealing from Dow Chemicals ends up in a Chinese state-owned enterprise's
product lines. This is one reason economic espionage efforts are so
dangerous to groups trying to hide attribution.

In any case, completely extraneous to this topic: Lurene did a podcast
you should listen to in your car or whatever -
http://theloopcast.podbean.com/2013/01/16/episode-6-offensive-cyber/ .
It's kind of like eavesdropping on two random people in a Starbucks in
DC who are talking about cyber - which .... is any two random people in
a Starbucks in DC, according to my sampling. :>


On 1/14/13 10:17 PM, Brian Keefer wrote:
> On Jan 14, 2013, at 7:41 AM, Dave Aitel wrote:
>
>> That's what it looks like when the Russians call the Chinese out for
>> pretending to be them. How cool is that! "Here we are, pretending to
>> think it's a Russian trojan because of all that tricky Russian slang
>> left in the code. BUT WAIT, they're using exploit chains out of China!
>> And they use the Chinese target set! We will let you draw your own
>
> Is it just as plausible that the Russians are stealing all the good
> Chinese exploits because the Chinese have shit OPSEC? Why do all the
> fuzzing and exploit dev when you can just smash & grab the weaponized
> goods?


INFILTRATE - the world's best offensive information security conference.
April 2013 in Miami Beach

Attachment: signature.asc
Description: OpenPGP digital signature
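The "collision prevention" inference in point 2 of the post, worked through as an added example that is not part of the original message: given constructed host/implant sightings, flag family pairs that never share a host even though independent deployment would predict several shared hosts, while ignoring rare families whose apparent exclusivity is just small-sample chance. The family names and host list are made up for illustration.

```python
from itertools import combinations
from collections import Counter

# Constructed sample: host -> set of implant families observed on it.
# Families A and Q are both common yet never share a host, which is the
# "collision prevention" pattern the post describes.
HOST_OBSERVATIONS = {
    "host01": {"A", "B"},
    "host02": {"A"},
    "host03": {"Q", "B"},
    "host04": {"Q"},
    "host05": {"A", "B"},
    "host06": {"Q"},
    "host07": {"A"},
    "host08": {"Q", "B"},
    "host09": {"A", "B"},
    "host10": {"Q", "B"},
    "host11": {"Z"},          # rare family: too few sightings to judge
    "host12": {"A"},
}


def never_cooccur(observations, min_expected=2.0):
    """Return (family_x, family_y, expected_shared_hosts) for pairs that
    never appear on the same host although, under independent deployment,
    at least `min_expected` shared hosts would be expected.  Pairs below
    that bar are skipped: a family seen once "never collides" with
    anything purely by chance, so exclusivity there means nothing."""
    n_hosts = len(observations)
    prevalence = Counter(f for fams in observations.values() for f in fams)
    pair_counts = Counter()
    for fams in observations.values():
        for x, y in combinations(sorted(fams), 2):
            pair_counts[(x, y)] += 1
    flagged = []
    for x, y in combinations(sorted(prevalence), 2):
        # Expected shared hosts if x and y were placed independently:
        # N * P(x) * P(y) = count(x) * count(y) / N
        expected = prevalence[x] * prevalence[y] / n_hosts
        if pair_counts[(x, y)] == 0 and expected >= min_expected:
            flagged.append((x, y, round(expected, 2)))
    return flagged


if __name__ == "__main__":
    for x, y, expected in never_cooccur(HOST_OBSERVATIONS):
        print(f"{x} and {y} never co-occur; expected ~{expected} shared hosts")
```

Lowering `min_expected` shows why the threshold matters: the single-sighting family Z is then reported as "exclusive" with every other family, which is noise rather than evidence of a shared operator.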

Dailydave mailing list
Dailydave () lists immunityinc com
