Attribution. That’s what makes most cyber attack investigations inconclusive. Attribution is what makes cybersecurity firms incapable of delineating the extent of Russian meddling in the 2016 U.S. election, if any. No matter what you may read, no one, not even the cybersecurity firm CrowdStrike, the only entity ever to get a glimpse of the DNC servers, will say they are 100% sure that Russia was behind the DNC hack. In short, the more attackers can obscure their origins, the safer they are from being linked to an attack. Who would be most concerned about attribution, and who would have the most money to spend on hiding their trail? The answer: nation-states.
So how does the world’s most financially empowered nation-state agency, the CIA, obscure its attacks? Until WikiLeaks gave the details of a program called Hive, we had little idea. Hive is the name given to an architecture the CIA used (or still uses) to make it nearly impossible for the victim of an attack to trace the attack back to the CIA.
There are basically three stages of a successful cyber attack. These could be named infection, persistence, and eradication. Government agencies use more sophisticated infection techniques because they have the money to do so. They don’t have to hope someone downloads an infected file included in a spam email. They can specifically target an individual in a network. They can infiltrate the supply chain or constellation of enterprises that work with the target enterprise and leverage this connection to get a file downloaded or a website visited. It is also more common for them to arrange for an insider to get the infection (malware) implanted. Eradication is the opposite of infection. It refers to the removal of all evidence of an attack when the attack has accomplished its goal or is in danger of being exposed.
What this post is concerned with is the second stage of the hacking process, persistence. This is where any attribution is most likely to occur. This is where sophisticated masking is most necessary as this would allow the malware to operate undetected for enough time to accomplish the necessary gleaning of important information. Hive is a program designed for persistence. Here is a diagram of how it works. I added information to make this complex program somewhat easier to understand. Keep in mind that Hive uses normal, if boring, websites to mask its operations, so the architecture must be designed to separate normal web browsing interactions from interactions involving stolen data.
The implanted malware authenticates itself to these innocent-looking websites by using a fake certificate that pretends to be associated with Kaspersky. Here is part of that code.
Many writers on this topic seem to imply that this certificate is designed to ‘fool’ security software or security staff into thinking nothing suspicious is occurring on the network. These analysts claim that seeing outgoing traffic on a machine log with the name, Kaspersky, attached to it would raise no alarms. Really? What if that machine had no Kaspersky security products on it? Sure, it may fool software, but not trained IT staff. That is, of course, unless the machine had Kaspersky security software installed on it. This would bring up the possibility that the machine or network was scanned prior to the installation of the malware to determine whether Kaspersky products were being used.
Oddly, this is what the Duqu 2.0 malware does. For those who don’t know, Duqu 2.0 was designed by Israeli intelligence to hack into Kaspersky. Kaspersky subsequently wrote a report on it. The malware was found to search for devices using Kaspersky antivirus as well as antivirus programs from other vendors. It used these antivirus programs to harvest files that the attackers identified as holding important information. Thus, if the CIA used similar malware to scan for machines using Kaspersky products, outgoing traffic from these machines that used bogus Kaspersky certificates would not look suspicious, and the malware would be able to persist for an extended period of time.
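The objection raised above (a Kaspersky-named certificate leaving a machine that has no Kaspersky product on it) can be turned into a log check. The following is an added example, not code from the post or from the Hive leak: it runs two heuristics over constructed outbound TLS log lines, flagging a vendor-named certificate from a host whose software inventory lacks that vendor, and a vendor-named certificate presented by a destination outside that vendor's own domains. The host names, domain lists and log lines are all assumptions made up for the example; the vendor table also covers the Microsoft-style impersonation mentioned later for Flame.

```python
"""Spot TLS certificates that impersonate a security vendor (added example)."""
import re
from dataclasses import dataclass

# ASSUMPTION: a vendor only presents its own certificate from domains it
# controls. These lists are illustrative, not an authoritative inventory.
VENDOR_DOMAINS = {
    "kaspersky": ("kaspersky.com", "kaspersky-labs.com"),
    "microsoft": ("microsoft.com", "microsoftonline.com"),
}

# Constructed software inventory: host -> vendors whose products are installed.
INVENTORY = {"ws-01": {"kaspersky", "microsoft"}, "ws-02": {"microsoft"}}

# Constructed proxy/TLS log lines: "<host> dest=<SNI> cert_o=<cert Organization>"
LOG_LINES = [
    "ws-01 dest=updates.kaspersky.com cert_o=Kaspersky Lab",
    "ws-02 dest=gardening-tips.example cert_o=Kaspersky Lab",
    "ws-01 dest=recipes.example cert_o=Kaspersky Lab",
    "ws-02 dest=login.microsoftonline.com cert_o=Microsoft Corporation",
]
LINE_RE = re.compile(r"^(?P<host>\S+) dest=(?P<dest>\S+) cert_o=(?P<cert_o>.+)$")

@dataclass
class Finding:
    host: str
    dest: str
    reason: str

def vendor_of(cert_o):
    """Map a certificate Organization string to a vendor key we track, or None."""
    low = cert_o.lower()
    return next((v for v in VENDOR_DOMAINS if v in low), None)

def in_vendor_domains(dest, vendor):
    """True if dest is one of the vendor's domains or a subdomain of one."""
    return any(dest == d or dest.endswith("." + d) for d in VENDOR_DOMAINS[vendor])

def analyze(lines, inventory=INVENTORY):
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the sweep
        host, dest, cert_o = m.group("host", "dest", "cert_o")
        vendor = vendor_of(cert_o)
        if vendor is None:
            continue  # not a vendor name we watch for
        if vendor not in inventory.get(host, set()):
            findings.append(Finding(host, dest, f"{vendor} cert, no {vendor} product on host"))
        if not in_vendor_domains(dest, vendor):
            findings.append(Finding(host, dest, f"{vendor} cert presented by non-{vendor} domain"))
    return findings
```

Running `analyze(LOG_LINES)` yields three findings: two for ws-02 (no Kaspersky product, non-Kaspersky domain) and one for ws-01 (Kaspersky cert from a non-Kaspersky domain).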
It should be noted that Kaspersky has been a thorn in the side of the U.S. intelligence community for a long time. They seriously exposed and undermined actions of the Equation Group, which was the name Kaspersky gave to NSA espionage malware developers. When the Equation Group used Flame malware, their fake certificates were made to look like they came from Microsoft. Kaspersky subsequently sinkholed some C&C sites used by Flame, as seen in the page below. This interrupted the NSA’s intelligence gathering operations and must not have been looked upon fondly, to say the least.
It would, then, certainly have given U.S. intelligence some satisfaction to give Kaspersky a black eye by using false Kaspersky certificates. But this was only the first step in efforts to discredit the security firm. U.S. intelligence has been casting doubts on Kaspersky and suggesting that it had links to the Russian government for some time. Recently, the final nail was put in Kaspersky’s coffin when its products were banned for use by government agencies.
Hive may or may not still be in operation. However, even if it is not, it is certain that something like it, but even more sophisticated, is being used to maintain persistence and impede attribution. It is also certain that these new programs will eventually be exposed through either insider leaks or the investigations of security firms.
Many cyber security firms have close relationships to governments. Check Point, for example, has been working with the U.S. government since at least 2013. It would be quite a surprise if Kaspersky was not doing some work for the Russian government, but just how much work remains the question.
All of this is made more complicated by the actions of a hacking group called The Shadow Brokers, which routinely tries to sell NSA hacking tools online. Edward Snowden believes The Shadow Brokers is a Russia-based group; “circumstantial evidence and conventional wisdom indicates Russian responsibility”. One cannot help but wonder where The Shadow Brokers is getting these tools. At first, it was believed the tools were leaked by an insider named Harold Martin III; however, the leaks continued after he was imprisoned. It has been suggested by more than one researcher that Kaspersky may have, inadvertently or not, been implicated in the actions of The Shadow Brokers. It simply doesn’t help their case that a Russia-based group is behind the sale of these NSA tools. There seems but one way out of this dilemma for Kaspersky. They need to put as much energy into uncovering the cyber operations of the Russian government as they did on the NSA; otherwise, they will never regain an unbiased position in the cybersecurity community.