THE GROWING PROPENSITY of government hackers to reuse code and computers from rival nations is undermining the integrity of hacking investigations and calling into question how online attacks are attributed, according to researchers from Kaspersky Lab.
In a paper set for release today at the Virus Bulletin digital security conference in Madrid, the researchers highlight cases in which they’ve seen hackers acting on behalf of nation-states stealing tools and hijacking infrastructure previously used by hackers of other nation-states. Investigators need to watch out for signs of this or risk tracing attacks to the wrong perpetrators, the researchers said.
Threat researchers have built an industry on identifying and profiling hacking groups in order to understand their methods, anticipate future moves, and develop methods for battling them. They often attribute attacks by “clustering” malicious files, IP addresses, and servers that get reused across hacking operations, knowing that threat actors use the same code and infrastructure repeatedly to save time and effort. So when researchers see the same encryption algorithms and digital certificates reused in various attacks, for example, they tend to assume the attacks were perpetrated by the same group. But that’s not necessarily the case.
https://theintercept.com/2017/10/04/masquerading-hackers-are-forcing-a-rethink-of-how-attacks-are-traced/