Rule #1 of hacking is "attribution is hard" (other contenders: "don't be on fire," "don't get involved in a land-war in Asia" or "there is no security in obscurity"), which is to say, it's really hard to say who hacked you, in part because it's really easy for hackers to make it look like someone else did the deed.
A new Kaspersky report delves into this "attribution hell" by documenting cases in which nation-state hackers steal other nation-state hackers' tools and compromise the staging servers used by those hackers in order to pin the blame on third parties.
Intelligence agencies and military hackers are uniquely positioned to trick researchers through code and tool re-use because of something they do called fourth-party collection. Fourth-party collection can encompass a number of activities, including hacking the machine of a victim that other hackers have already breached and collecting intelligence about the hackers on that machine by stealing their tools. It can also involve hacking the servers the hackers use to launch their assaults. These machines sometimes store the arsenal of malicious tools and even source code that the attackers use for their attacks. Once the other group’s tools and source code are stolen, it’s easy to go a step further and re-use them.
“Agency-A could steal another agency’s source code and leverage it as their own. Clustering and attribution in this case begin to fray,” wrote Juan Andres Guerrero-Saade, a senior security researcher with Kaspersky, and his colleague, Costin Raiu, who leads Kaspersky’s Global Research and Analysis Team.
“[O]ur point in the paper was: This is what it would look like [if someone were to do a false-flag operation] … and these are the cases where we’ve seen people trying and failing,” said Guerrero-Saade.
The recent WannaCry ransomware outbreak is an obvious example of malware theft and re-use. Last year, a mysterious group known as the Shadow Brokers stole a cache of hacking tools belonging to the NSA and posted them online months later. One of the tools — a so-called zero-day exploit, targeting a previously unknown vulnerability — was repurposed by the hackers behind WannaCry to spread their attack. In this case it was easy to make a connection between the theft of the NSA code and its reuse with WannaCry, because the original theft was well publicized. But other cases of theft and re-use won’t likely be so obvious, leaving researchers in the dark about who is really conducting an attack.
MASQUERADING HACKERS ARE FORCING A RETHINK OF HOW ATTACKS ARE TRACED
[Kim Zetter/The Intercept]