
Juniper Networks has discovered unauthorized code that appears to be planted by a nation-state attacker in their firewalls.

A similar claim was made about Stuxnet, Duqu, Flame, Gauss, and probably others that these were probably all written by nation-states. Whatever proof that may or may not support the idea now, the media began spreading the idea very early on after their discoveries.

When pieces of malicious code are discovered in the wild without anybody taking credit what indicators point to the malicious code being nation-state and not organized crime or small hacking groups (Anonymous, LOLSEC, other unassociated groups)? Are there code smells that paint a target or is it more the circumstances around what the code impacts and who the intended target was? Or is it just fear mongering?

Corey Ogburn
  • I do see that the article has a quote from a researcher stating "The weakness in the VPN itself that enables passive decryption is only of benefit to a national surveillance agency..." but I'm not sure I believe that 100%. That sounds subjective and circumstantial. – Corey Ogburn Dec 21 '15 at 17:30
  • I run my own honeypots, and after a while of watching hacks in progress, there are certain "styles" that pop up. I feel that I can determine if the attacker is Asian or Eastern European just by their style. I cannot define exactly why. It could be that the researchers are using a similar process: there is nothing specific, just the way the code "feels". – schroeder Dec 21 '15 at 17:34
  • @schroeder Well said. It's just like language, and culture-specific styles. – Mark Buffalo Dec 21 '15 at 17:36
  • @schroeder I can believe that. "Styles" and "habits" go a long way in the regular development world. But I think there's a huge problem if we, say, blamed Russia the Government for something the Russian Mob did. That's an important hair to split before we have WWIII. – Corey Ogburn Dec 21 '15 at 17:39
  • @CoreyOgburn, it's likely a judgment based on attributes of the payload and the potential utility of the vulnerabilities. If the attacker is trying to install ransomware, it's probably not a nation. If the equipment being attacked is carrying traffic of a politically connected target, it's perhaps more likely a government. – John Deters Dec 21 '15 at 18:52
  • Code smells may factor in as well. If the malware is reusing code from a prior confirmed nation-state attack, like Stuxnet, it's possible that it's the same author reusing it. Also, most for-profit malware wants to spread widely. If the code is trying to avoid attacking certain targets, it may be a nation trying to limit collateral damage. – John Deters Dec 21 '15 at 19:28
  • I believe that "just fearmongering" is probably closest to reality. I'm surprised at how much attribution of motive and origin there is to malware, given how poorly coded most of it is. Maybe the backdoor code is actually well coded. That would go a long way toward attributing the code to someone other than the usual spammers and script kiddies. – Bruce Ediger Dec 21 '15 at 21:08
  • Consider that these statements are potentially political in nature. It's far easier to tell the world that you got hax0red by a "Nation State" (NSA or China?) than it is to say one of your dumb developers left debug code in the firewall, or one of your developers was simply bribed by the NSA. The reality is that the code in the specific example of Juniper is a relatively simple compare statement, and isn't really something you could trace back to anyone. – Steve Sether Dec 21 '15 at 22:18

2 Answers


what indicators point to the malicious code being nation-state and not organized crime or small hacking groups (Anonymous, LOLSEC, other unassociated groups)?

In this specific case, the people who know the indicators aren't telling (yet).

There are a number of indicators that may come into play, such as:

Provenance, or, where stuff comes from -

There has been significant work done to tie together actors and campaigns by analyzing the use of unreleased code. For example:

In 2015 Kaspersky's research findings on the Equation Group noted that its loader, "Grayfish", had similarities to a previously discovered loader "Gauss" from another attack series, and separately noted that the Equation Group used two zero-day attacks later used in Stuxnet; the researchers concluded that "the similar type of usage of both exploits together in different computer worms, at around the same time, indicates that the EQUATION group and the Stuxnet developers are either the same or working closely together". (Wikipedia)

If the Juniper attack shares certain characteristics with other known APT attacks, then it's likely to be an APT attack. Unfortunately - again - the only people who'd actually know what those characteristics are, at this point, are the incident responders, and they're not talking.

Purpose, or, what can be done with the stuff -

A backdoor on a firewall is brilliant and useful for any attacker. Weakening encryption in a way that can benefit eavesdroppers without requiring endpoint access more strongly benefits APT groups, because they are more likely to have access to ISP-level network captures than, say, Anonymous.

In your comment above you call that "subjective and circumstantial", but it's really not. The described vulnerability has the advantage of being largely undetectable (compared to endpoint compromise, and assuming Detachment 2702 is working properly) and the disadvantage of requiring advantageous network access (which nation-states have been working at since long before there were computers).

Patterns, or, crumbs that don't get cleaned up -

There have been various APT groups whose work was attributed based on strings or commonalities - an email address, a command and control server IP, a source code path name that didn't get stripped from compiled objects. You can bet that whatever got left at Juniper is being gone over with a fine-toothed comb, by people who have done the same at dozens or hundreds of other victims. If there are crumbs to be found, they will be found.

It could be any of these, or all, or none. No way to tell until someone writes a paper or releases details which allow us to pin it down.


Update 20151228 - You may want to read "APT28 Under the Scope", which aims to describe a particular APT actor. Notice some of the Patterns they used - they mapped the compile times of the attack tools to determine which timezone the actors came from. They also found a hardcoded path to a debug file where one of the directories in the path was the Russian word for 'Users'. I'm not suggesting APT28 is the crowd who hit Juniper; it's just interesting to see the analysis process and the level of minutiae that can be used to try and attribute responsibility for an attack.

gowenfawr
  • One of the analyses of malware I read revealed binary instructions that were generated by a relatively outdated version of a rather obscure compiler, and linked routines from a static library that very few companies ever bought. That compiler and library combination turned up again later in a different piece of malware, circumstantially tying the two together like matching fingerprints. If one of the malwares could be positively attributed to a nation-state attack, then the other might also be related. – John Deters Dec 22 '15 at 04:01
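Two of the "crumbs" the answer and its update describe (compile-time clustering to infer a working-day timezone, and a debug path with a non-ASCII directory name) worked through on constructed data. This is an added example, not code from the answer, from the APT28 report, or from any incident-response team; the timestamps, the fake CodeView record and the cp1251 code page are all assumptions made up for the demonstration, and a real investigation would pull the values from PE headers of real samples. Keep the caveat in mind that a compile timestamp is attacker-controlled and can be zeroed or forged, so it is one indicator among several, never proof on its own.

```python
"""Attribution 'crumbs' on constructed samples: compile-time timezone inference
and debug-path extraction. Example code, not from the original answer."""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# --- Constructed sample data (assumption: not real malware artefacts) ---------
# Hypothetical PE TimeDateStamp values: builds at 09:00-17:00 local time in a
# UTC+3 working day, over five days, expressed as Unix epoch seconds.
def _constructed_timestamps():
    tz = timezone(timedelta(hours=3))
    stamps = []
    for day in range(1, 6):
        for hour in (9, 10, 11, 13, 14, 15, 16, 17):
            stamps.append(int(datetime(2015, 6, day, hour, 17, tzinfo=tz).timestamp()))
    return stamps

SAMPLE_COMPILE_TIMESTAMPS = _constructed_timestamps()

# A sketched CodeView "RSDS" debug record as it appears inside a PE file:
# signature, 16-byte GUID, 4-byte age, then the NUL-terminated .pdb path.
# The directory name is the Russian word for "Users" in the cp1251 code page
# (assumption: builder's ANSI code page was Cyrillic).
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"RSDS" + b"\x11" * 16 + b"\x01\x00\x00\x00"
    + b"C:\\" + "Пользователи".encode("cp1251") + b"\\dev\\src\\Release\\loader.pdb\x00"
    + b"\x00" * 8
)

# --- Compile-time clustering --------------------------------------------------
def hour_histogram(timestamps):
    """Count compile events per UTC hour of day."""
    return Counter(datetime.fromtimestamp(t, tz=timezone.utc).hour for t in timestamps)

def infer_utc_offset(timestamps, midday=13):
    """Return the whole-hour UTC offset that best centres the compile hours on a
    working day. Each candidate offset is scored by the squared deviation of the
    shifted hours from `midday`; the modulo keeps wrapped hours within 0-23 so an
    offset on the far side of the clock is penalised rather than aliased."""
    hours = [datetime.fromtimestamp(t, tz=timezone.utc).hour for t in timestamps]
    best_score, best_offset = None, None
    for offset in range(-12, 15):
        score = sum((((h + offset) % 24) - midday) ** 2 for h in hours)
        if best_score is None or score < best_score:
            best_score, best_offset = score, offset
    return best_offset

# --- Debug-path extraction ----------------------------------------------------
# Drive letter, colon, backslash, then up to 260 non-NUL bytes ending in ".pdb".
_PDB_PATH = re.compile(rb"[A-Za-z]:\\[^\x00\r\n]{1,260}?\.pdb", re.IGNORECASE)

def extract_debug_paths(blob, codec="cp1251"):
    """Pull CodeView-style .pdb paths out of a binary blob. The codec is an
    assumption: build tools write the path in the builder's ANSI code page, and
    cp1251 is the Cyrillic one; pass another codec for other locales."""
    return [m.decode(codec, errors="replace") for m in _PDB_PATH.findall(blob)]

def non_ascii_components(path):
    """Directory components containing non-ASCII characters, the kind of
    leftover that hints at the locale of the machine the tool was built on."""
    return [part for part in path.split("\\") if any(ord(c) > 127 for c in part)]

if __name__ == "__main__":
    print("compile events per UTC hour:", sorted(hour_histogram(SAMPLE_COMPILE_TIMESTAMPS).items()))
    print("inferred builder timezone: UTC%+d" % infer_utc_offset(SAMPLE_COMPILE_TIMESTAMPS))
    for path in extract_debug_paths(SAMPLE_BLOB):
        print("debug path:", path, "non-ASCII components:", non_ascii_components(path))
```

On the constructed data the histogram peaks at UTC hours 6 through 14 and the inferred offset is UTC+3, and the extractor recovers the single path with its Cyrillic component. On real samples you would feed in the TimeDateStamp of every file linked to the campaign and the raw bytes of each, and treat both results as leads to corroborate against the other indicators listed above rather than as an answer.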

Nation-state attacks such as Stuxnet and the current Juniper attack target equipment which is not easily obtainable. Stuxnet targeted a SCADA logic controller, while the Juniper attack targeted a high-performance enterprise firewall.

Developing such attacks requires the attacker to possess the device or, at a minimum, an image of the firmware running on the device. This is because attacks such as buffer overflows often require trial and error and multiple attempts to develop a working exploit. We would also need to disassemble the binary, which is not possible without access to the device.

Since you can't just walk into the department store and buy such equipment, it is difficult for hacking groups such as Anonymous or LOLSEC to develop such exploits. Hence, only large companies and government actors have access to such equipment. Companies do not have an incentive to invest valuable resources into developing such attacks, and so we are left with only government actors.

limbenjamin
    The development of Stuxnet required even more than that. Using actual centrifuges turned over by Libya as part of their lifting of sanctions, British engineers tried to get them working to separate uranium isotopes, but failed. However, the Israeli engineers succeeded, and then mapped out an instruction sequence that resulted in their self-destruction. Stuxnet wouldn't have been as successful without the actual hardware and a supply of uranium hexafluoride. – John Deters Dec 22 '15 at 04:08