
DNC Hack – Mark McArdle, eSentire, comments

July 2016 by Mark McArdle, CTO at eSentire

By now, you’ve likely heard about the WikiLeaks DNC email dump, in which 20,000 emails from members of the U.S. Democratic National Committee (DNC) were leaked. The DNC claims they were initially hacked back in June 2016, blaming the breach on the Russian government.

With regards to this type of attack and whether or not Russia is the true culprit, Mark McArdle, CTO at eSentire, says:

“These types of attacks aren’t theoretical – they’re real, they happen, and they’re going to keep happening because the technologies we use every day to do business, or even buying things on a home computer – they all have vulnerabilities that will eventually be exploited. The attack on the DNC is an engineered attack developed by someone with a deep knowledge of the Microsoft Windows system and who is very well resourced. The level of sophistication here is not typical of the more common attacks we see today. If this turns out to be the Russians, it’s a great example of a foreign power using the internet and all its vulnerabilities as a weapon to affect the results of an election.”

“Incident response investigators assigned to this case will evaluate recovered malware, looking for clues of where they might’ve seen it before. Based on similarities to previously seen malware, the analyst draws comparisons, and builds a circumstantial case of who they think the author may be. But in cases like this (which we’re seeing more and more), identifying the culprit with certainty can be very difficult.”

“For example, when APT 28 was first investigated by FireEye, their investigation led them to determine that it was used to attack countries in which Russia has an interest. When they tore apart the malware, there was Russian language in some parts of it – it had Russian DNA. But, while the malware is out and samples are everywhere, it’s not necessarily safe to assume that the next time you see it used, it’ll be used by the original creator – it may have been modified. We’ve seen this over and over again (Lazarus is another example). While it may be safer earlier on in a piece of malware’s life to build a case for who built it, as time passes it’s less and less safe because it’s accessible for others to reuse and repurpose.”

“Consider you have an attacker in China, who identifies a key target in the United States. The attacker in China won’t use the same tools they’ve used before — they won’t want to provide any breadcrumbs to help build an identifiable profile. So, the attacker decides to start from scratch. In doing so, they can leverage tools (malware) already seen… they can mimic them, tweak them as they like to create something new that ultimately cloaks their identity. Once the tool is ready, the attacker deploys it to their endpoint target in the US. Once they successfully access the network, they need to exfiltrate data, but they won’t exfiltrate it back to China — that’d be a clue to their identity. Instead, the attacker will pick a nondescript host, bouncing the data through compromised servers, to cover their trail.”
