
Given that most characteristics of binaries can be spoofed, and seeing from the CIA documents published on Wikileaks that at least that organization is careful to deploy several methods so that its malware cannot be linked to other samples and cannot be linked to the US, how is APT attribution done?

As APTs are said to repurpose and recycle code and binaries found in the wild, and given that it's easy to throw in some comments in a different language or character set, I don't see how attribution of campaigns to APT groups and of groups to state sponsors works.

Keeping in mind that some states' actions are aimed at sowing confusion and discord in other countries, and that the political impact and reason behind attacks or publications is often neither clear nor foreseeable:

What are ways to attribute a specific sample to an APT group and how can such a group be associated with a state sponsor?

Tobi Nary
  • Possibly true. Yet, that Q has no answer. Also, I'll leave this question for better search results. I couldn't find anything before asking. – Tobi Nary Sep 23 '17 at 15:56
  • I also think you should keep it, this is indeed useful to improve search results. I upvoted it and was about to write an answer when I found the duplicate. There is no definitive, accepted answer but the first two are good and complementary. I miss some elements still which I think would worth mentioning but will maybe add them (if I find enough time) as yet another answer to the linked question ;). – WhiteWinterWolf Sep 23 '17 at 16:31
  • While the other question is similar the existing answers are too broad to be applicable to APT attacks, i.e. cases where the attacker explicitly tries to make attribution hard. But, I'm not sure that this question will get a good answer. I recommend instead to have a look at the many detailed reports from Mandiant/FireEye, Checkpoint, Kaspersky, ESET, ... which can be found online. They tend to be very careful with attributions, i.e. only suggest similarities to other attacks and often point out that misattribution might be possible. But these aspects are usually lost in mass media reports. – Steffen Ullrich Sep 23 '17 at 17:38
  • @SteffenUllrich I'm familiar with reports from those entities. The center of my question is exactly how those similarities can be counted as hints - and how the groups can be linked to suspected state sponsors, with more than just "well, that seems to pan out as positive for state X" – Tobi Nary Sep 23 '17 at 17:42
  • @SmokeDispenser: I think it's blurry. As I read these reports, they mainly combine language used in the malware, language of the compilers, working times, C2 infrastructure, kinds of targets in relation to the political and economic interests of various states, relation to similar attacks and their tools and targets etc. to find out what the most likely actor could be. The hope is that the attacker is making mistakes and is not able to place false tracks everywhere. – Steffen Ullrich Sep 23 '17 at 17:54
  • @SmokeDispenser I'd still promote my answer as a possibility here – schroeder Sep 23 '17 at 19:44
  • I think this might be too broad to answer. As you know, any forensic investigation might turn up any clue that can be used to correlate. Not just repeated code, but even a single string has been enough to attribute with some confidence. Anything might be the key to match it up with any small detail seen in other attacks. – schroeder Sep 23 '17 at 19:46
  • Following my previous comment, I've now written [the new answer](https://security.stackexchange.com/a/170316/32746) I mentioned. If by any chance it may interest you... – WhiteWinterWolf Sep 28 '17 at 15:03
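One of the signals listed in the comments above, "working times", can be shown concretely. The script below is an added example, not code from the question or from any of the vendor reports mentioned; the build timestamps it analyses are constructed for the demonstration and are not real malware data. It takes the compile timestamps of a set of samples (the same epoch-seconds representation as a PE header's TimeDateStamp field), tries every whole-hour UTC offset, and reports which offset makes the most builds land in a Monday-to-Friday 09:00-18:00 window. That is exactly the kind of weak hint an analyst stacks with language, compiler and infrastructure overlaps; on its own it proves nothing, because a TimeDateStamp is a plain integer the builder can set to any value.

```python
"""
Working-hours heuristic over build timestamps (added example, constructed data).

For each candidate UTC offset, count how many samples were built on a weekday
between 09:00 and 18:00 local time. The offset with the highest share is a
weak hint about the operator's working time zone.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

BUSINESS_START = 9   # inclusive local hour
BUSINESS_END = 18    # exclusive local hour


def constructed_samples():
    """Ten constructed build times (not real malware data): eight during
    office hours at UTC+8, one on a Saturday, one late on a weekday evening."""
    tz = timezone(timedelta(hours=8))
    local_times = [
        datetime(2017, 9, 4, 9, 30, tzinfo=tz),   # Mon
        datetime(2017, 9, 4, 14, 15, tzinfo=tz),  # Mon
        datetime(2017, 9, 5, 10, 5, tzinfo=tz),   # Tue
        datetime(2017, 9, 5, 16, 40, tzinfo=tz),  # Tue
        datetime(2017, 9, 6, 11, 20, tzinfo=tz),  # Wed
        datetime(2017, 9, 7, 13, 0, tzinfo=tz),   # Thu
        datetime(2017, 9, 8, 9, 45, tzinfo=tz),   # Fri
        datetime(2017, 9, 8, 17, 30, tzinfo=tz),  # Fri
        datetime(2017, 9, 9, 15, 0, tzinfo=tz),   # Sat: outside the window
        datetime(2017, 9, 6, 23, 10, tzinfo=tz),  # Wed night: outside the window
    ]
    # Store as UNIX epoch seconds, the representation a PE TimeDateStamp uses.
    return [int(t.timestamp()) for t in local_times]


def in_business_hours(ts, utc_offset_hours):
    """True if the epoch timestamp falls Mon-Fri 09:00-18:00 at the given offset."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    local = datetime.fromtimestamp(ts, tz)
    return local.weekday() < 5 and BUSINESS_START <= local.hour < BUSINESS_END


def business_hours_fraction(timestamps, utc_offset_hours):
    """Share of samples built inside office hours for one candidate offset."""
    if not timestamps:
        return 0.0
    hits = sum(in_business_hours(ts, utc_offset_hours) for ts in timestamps)
    return hits / len(timestamps)


def rank_offsets(timestamps, offsets=range(-12, 15)):
    """All candidate offsets as (offset, fraction), best first; ties broken by offset."""
    scored = [(off, business_hours_fraction(timestamps, off)) for off in offsets]
    return sorted(scored, key=lambda pair: (-pair[1], pair[0]))


def hour_histogram(timestamps, utc_offset_hours):
    """Local build hour -> count, useful to eyeball the shape, not just the peak."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return Counter(datetime.fromtimestamp(ts, tz).hour for ts in timestamps)


if __name__ == "__main__":
    samples = constructed_samples()
    ranking = rank_offsets(samples)
    for offset, fraction in ranking[:3]:
        print(f"UTC{offset:+d}: {fraction:.0%} of builds inside office hours")
    best_offset = ranking[0][0]
    print("local hour histogram at best offset:",
          sorted(hour_histogram(samples, best_offset).items()))
```

Two things to keep in mind when reading the ranking: neighbouring offsets score almost as well as the top one, so the output supports "somewhere around UTC+8", not a country; and a campaign whose timestamps are all zero, all identical, or spread uniformly over the day is telling you the builder deliberately controlled this field, which is itself a data point.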

0 Answers