Malware writers: Don't screw up

Snorre Fagerland

Remember the Wet Bandits in the movie Home Alone? Marv, one of a pair of bumbling burglars, thought it would be a cool move to leave a faucet running in each of the houses they burglarized, like a calling card. The downside was that, when the police finally nabbed them, it was obvious exactly which houses the Wet Bandits had hit.

The “Hangover” operation my company recently documented was a bit like that. The attackers did not leave the tap running, but they used the same customized malware for every sting, the same infrastructure for wildly different attack targets, and the same modus operandi for the maintenance of this infrastructure.

At first, we were surprised by how commoditized it all was. How malware creation was doled out in neat monthly tasks. How manpower was acquired from legitimate freelance employment services. And how the attack infrastructure could be tracked – not because every computer did something malicious, but because arrays of attack computers were configured identically.
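The tracking point above, that identically configured hosts let an analyst link otherwise unrelated attacks, as an added Python example that is not from the article or from the Hangover report. It reduces each observed host to a configuration fingerprint (open ports, server banner, certificate subject) and flags fingerprints that recur across different campaigns. The host addresses, banners and campaign labels are constructed sample data, not indicators from any real investigation.

```python
import hashlib
from collections import defaultdict

# Constructed observations of suspected attack servers (sample data, not real IoCs).
# "campaign" is the analyst's label for which victim group the host was seen attacking.
OBSERVATIONS = [
    {"host": "203.0.113.10", "ports": [80, 443, 22], "server": "Apache/2.2.22 (Ubuntu)",
     "cert_subject": "CN=localhost", "campaign": "target-A"},
    {"host": "203.0.113.11", "ports": [22, 80, 443], "server": "Apache/2.2.22 (Ubuntu)",
     "cert_subject": "CN=localhost", "campaign": "target-B"},
    {"host": "198.51.100.5", "ports": [443, 22, 80], "server": "Apache/2.2.22 (Ubuntu)",
     "cert_subject": "CN=localhost", "campaign": "target-A"},
    {"host": "198.51.100.7", "ports": [80], "server": "nginx/1.4.6",
     "cert_subject": "", "campaign": "target-C"},
    {"host": "203.0.113.20", "ports": [443], "server": "Apache/2.4.7",
     "cert_subject": "CN=mail.example.test", "campaign": "target-B"},
]


def config_fingerprint(obs):
    """Hash the configuration-only fields of an observation.

    The host address and campaign label are deliberately excluded, so two
    machines set up from the same template produce the same fingerprint
    regardless of where they sit or whom they attack. Ports are sorted so
    scan order does not affect the result.
    """
    canonical = "|".join([
        ",".join(str(p) for p in sorted(obs["ports"])),
        obs["server"].strip(),
        obs["cert_subject"].strip(),
    ])
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()[:16]


def cluster_by_fingerprint(observations):
    """Group observations whose configuration fingerprints are identical."""
    clusters = defaultdict(list)
    for obs in observations:
        clusters[config_fingerprint(obs)].append(obs)
    return dict(clusters)


def shared_infrastructure(observations):
    """Return clusters whose hosts were seen attacking more than one campaign.

    A template that appears in several campaigns is the kind of link the
    article describes: it ties separate operations to one operator.
    """
    shared = {}
    for fp, members in cluster_by_fingerprint(observations).items():
        campaigns = sorted({m["campaign"] for m in members})
        if len(campaigns) > 1:
            shared[fp] = {
                "hosts": sorted(m["host"] for m in members),
                "campaigns": campaigns,
            }
    return shared


if __name__ == "__main__":
    for fp, info in shared_infrastructure(OBSERVATIONS).items():
        print(fp, info["campaigns"], info["hosts"])
```

The fingerprint fields here are illustrative; in practice an analyst would add whatever attributes the hosting template fixes (TLS certificate fingerprints, default pages, response header order) and drop anything the operator varies per host.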

We should not have been surprised, though, as all these attributes serve to demonstrate a development that has been going on for years. These days, targeted attacks designed to steal intelligence are easy, cheap and convenient.

The truth is: You don't need a lot of resources to start an offensive operation. This is one reason I am now assuming malware-assisted surveillance to be a natural part of ongoing conflicts all over the world. This has been abundantly illustrated in the Middle East, where espionage against various parties during the Arab Spring uprisings has been well-documented. Less known are the trojan attacks directed at FARC sympathizers in Colombia, or the recent disclosures of monitoring of Ethiopian and Angolan dissidents. If you have enemies, watch your inbox. Actually, just watch your inbox.

However, even as the push for offensive cyber capabilities grows stronger in public discourse, I must point out that offensive action in this realm is not without liability. Security professionals are constantly looking for targeted attack malware, and will document and map these once found. It's not personal. People like me are paid to combat malware, and the motives of the malicious creator aren't evident. Whether driven by good or bad, right or wrong, if you make malware, you and I are adversaries.

That means that if you represent a state or any other entity for that matter, and are sponsoring the malware-based monitoring of your enemies, you must assume that information about your actions will become public. For some, this might not be a problem, but for others it could mean no end of trouble. 

The same rule applies in this realm as in other more conventional covert operations: Don't get caught. The risk of getting nabbed is reduced by following rules that are simple, but expensive: Hire skilled professionals, vary your methods and keep a keen eye on operational security. This is why cyber operations may not turn out to be so cheap and easy after all. 

The Hangover operation should be a cautionary tale. It appears to have been a case of someone trying to get a lot for a little, because the attackers were not skilled. They had some sophisticated elements, but only a few.

At the time of writing, we don't know who the real clients in the Hangover case were. We speculate that there were several. If so, their various operations were mixed together in an unsightly hairball of attacks. When one was uncovered, the rest unraveled too. But then, that's what you get when you hire the Wet Bandits.
