Case study: Why it's difficult to attribute nation-state attacks
If two attacks look similar, don't assume they're from the same attacker. It's difficult to attribute nation-state attacks, as evidenced by the notorious 2016 Odinaff malware.
Attributing nation-state attacks is a difficult task. Not only do state-sponsored threat actors typically have more time and resources than traditional cybercriminals, but they also notoriously try to mislead their victims to maintain anonymity. Further complicating the cyber attribution process are copycat attacks.
"Ransomware gangs and organized crime groups take the information security analysts have collected over the years about nation-state attackers and build those techniques into their attacks," said Jon DiMaggio, author of The Art of Cyberwarfare, published by No Starch Press.
For example, he noted, the malware used in the 2016 Democratic National Convention hack had both French and Russian roots. "The French part was put there intentionally to throw people off," he said.
The who and why behind an attack are important information, but organizations should never jump to conclusions when attributing attacks. Just because two attacks look similar doesn't necessarily mean they are from the same attacker.
The following excerpt from Chapter 2, "State-Sponsored Financial Attacks," of The Art of Cyberwarfare details the tactics, techniques and procedures the Odinaff cybercrime group copied from the 2016 North Korean-attributed SWIFT attacks. This real-world case study exemplifies why it's so difficult to attribute nation-state attacks.
In this Q&A, DiMaggio explains why organizations should create threat profiles to track and reduce the threat of nation-state attacks. He also discusses the top signs of a nation-state attack, how to create a threat profile and more.
Odinaff: How Cybercriminals Learn from Nation-States
Earlier in this book, we pointed out differences between ordinary cybercriminals and nation-state attackers. Few cybercriminals are capable of the persistence, patience, and planning used in the engagements covered in this book so far. Unfortunately, there are always exceptions.
The North Korean SWIFT attacks made global headlines in 2016, garnering the attention of an organized cybercrime group named Odinaff. That year, security researchers revealed what they had discovered of the tactics, techniques, and procedures used in the SWIFT attacks to compromise the banks. This information has helped better defend against these incidents. But it also provided criminal attackers with a roadmap for future bank compromises.
Believed to originate from Eastern Europe, Odinaff successfully exploited banks with its own malware. It relied on tactics first seen in North Korean attacks, and current intelligence suggests that the group successfully stole millions of dollars from financial institutions.
As an initial attempt to gain access to the banks' systems, the attackers injected malware into a popular administrative tool called AmmyAdmin. They hoped bank administrators would download it, effectively infecting themselves. To do this, the attackers compromised the legitimate AmmyAdmin website -- an attack that may sound elaborate, but in fact, criminals have frequently compromised the same site to distribute commodity malware.
Note: The website used to host AmmyAdmin has been known to distribute remote access trojans, exploit kits, and ransomware. Due to this risk, you should not visit the hosting website or download this tool.
While the AmmyAdmin tool might perhaps have functioned as an effective infection vector, the attackers likely realized it gave them no control over who downloaded the application. This risked infecting many unintended victims. It also exposed them to unwanted public attention. Probably for this reason, the attackers switched to the spear-phishing emails, which allowed them to choose their targets.
Odinaff's spear-phishing emails were nowhere near as sophisticated as North Korea's. Although targeted, the phishing campaign used a generic email template directing recipients to click a URL in the body of the email. The URL would then download a malicious payload. The attachment, however, did not infect victims if they opened it. Instead, victims had to open a compressed file that required the target to enter a password included in the email text. If victims followed the attackers' instructions, the archive would decompress and present the target with a Microsoft Office document. Once victims attempted to open the document, the attachment presented them with the option to enable macros. If the target did not enable macros, the infection would fail.
Only if victims followed all of these steps did the first-stage malware, known as Trojan.Odinaff, compromise the system, providing the attackers with initial access to the victims' environment. That the attack required so many active steps on the part of the victims points to its precarity; if the targets had become suspicious of the emails, or perhaps the unusual requirements necessary to open the attachment, the attack would have failed. It may seem hard to fathom that anyone would fall for such a scheme. Yet it happened more than once, in attacks across several banks.
The Odinaff malware provided basic backdoor functionality, issued shell commands, and downloaded and executed additional malware. It used something called a mutex, hardcoded into the binary itself. A mutex is an object in the code used as an identifier. In this case, the identifier revealed whether a system was already infected. If it was, the malware halted execution. This prevented multiple infections on the same host from taking place, which would have tied up additional resources and potentially drawn unwanted attention. The malware also used a hardcoded proxy to connect to command-and-control servers, making it difficult for defenders to identify outgoing traffic.
Once in the victims' environment, the attackers would review the infected victims and identify systems of interest. They then used Odinaff's malware to download the stage-two malware, known as Backdoor.Batel, onto the subset of high-value systems of interest. (Researchers coined the name Backdoor.Batel after a string they found in the malware code containing the term "BATEL_SOURCE.") The Batel malware ran malicious payloads in memory on the victims' systems, and it created a reverse shell, launched from a batch file, between it and the attackers' infrastructure.
The Backdoor.Batel malware was designed and developed using common penetration-testing software, such as the red-team tools Metasploit and CobaltStrike. The Metasploit framework identifies vulnerabilities and executes exploitation code against them. CobaltStrike functions with Metasploit to provide various post-exploitation and attack-management capabilities. Penetration testers commonly use both for legitimate security assessment exercises. Unfortunately, cyberattackers also use this tool to find and exploit weaknesses in victims' environments.
Odinaff's attack shared another tactic with those of nation-states: the use of tools already present in the victims' environment. Using legitimate administrative tools and applications already present on the system, the attacker can weaponize Microsoft Windows operating system binaries. This tactic, known as Living Off the Land Binaries (LOLBins), allows attackers to hide malware in legitimate system binaries often whitelisted by security tools. When a binary is whitelisted, tools such as antivirus and endpoint detection software will not detect the file as malicious. Whitelisting prevents security tools from removing or quarantining the legitimate operating system resources that could affect system functionality. Knowing this, attackers take advantage of the legitimate resource to use in attacks and avoid detection.
The Odinaff attackers used Windows administration software, such as PSExec, Netscan, and PowerShell. When the attackers needed to fulfill a capability unattainable by tools present in the victims' environment, they relied on publicly available hacktools instead of custom ones. A growing trend in cyberattacks, this strategy makes discovery and attribution more difficult. For example, both criminal and nation-state attackers have used the hacking tool Mimikatz against banks, because it is freely available, effective, a favorite of legitimate red teams, and impossible to attribute.
Using Batel, the attackers learned everything they could about the victims' environment. They spent time monitoring banks' activities and exploring the systems and infrastructure. Specifically, the Batel malware included the ability to capture keystrokes and images of users' screens in 5 to 30-second intervals. It then saved the output to a disk, where attackers could retrieve and study the captures. This allowed criminal attackers to learn the banks' processes and technical procedures for the execution of financial transactions. Another capability of the Batel malware -- again, modeled after the nation-states' -- was a module that allowed attackers to wipe the victims' disk drives. Despite its inclusion, attackers did not use this capability.
The Odinaff attackers also manipulated the SWIFT messaging system using tactics almost identical to the nation-states'. The malware looked for any strings in the SWIFT messages that included specific details, such as dates and international bank account numbers. When the date and account number in a SWIFT message matched the details associated with a fraudulent transaction, the malware suppressed the message, preventing the bank from discovering the activity or at least delaying it until the funds were already gone.
While no cybersecurity officials have established solid attribution, several clues point to attacker ties to Russia. Strings present in the malware, as well as folder names, were comprised of Cyrillic characters; additionally, some speculated the existence of a relationship between the Odinaff attackers and the Carbanak malware attacks. Carbanak is the tool of choice of a cybercriminal gang, also referred to as Carbanak, that has targeted large corporations for financial gain since at least 2014. The Carbanak gang has been the subject of both media and security reporting due to their high-profile attacks.
The North Korean and Russian-based Odinaff attacks were so similar that, when initially discovered, investigators believed the heist originated from the same North Korean attackers responsible for the previous SWIFT-related attacks. They soon realized that was not the case, but this serves as another example of why investigators cannot let opinion dictate attribution; they must follow the evidence. While the Odinaff attackers were successful -- they were one of a few cybercriminal groups to steal money from financial institutions themselves as opposed to their customers -- they did not enjoy the same monetary success as nation-state attackers.
About the author
Jon DiMaggio is chief security strategist at Analyst1 and has more than 15 years of experience hunting, researching and writing about advanced cyber threats. As a specialist in enterprise ransomware attacks and nation-state intrusions, including the world's first ransomware cartel and the infamous Black Vine cyberespionage group, he has exposed the criminal organizations behind major ransomware attacks, aided law enforcement agencies in federal indictments of nation-state attacks and discussed his work with The New York Times, Bloomberg, Fox, CNN, Reuters and Wired.