Researchers have revealed that nation-state hacking groups are not only dedicated to striking targets issued to them, but also to fighting each other.
On Wednesday, Kaspersky Labs researchers presented their findings at the Virus Bulletin conference in Woburn, MA, claiming that sophisticated threat actors are proactively targeting other groups in a land-grab for victim data, as well as a means to copy each others’ tools and probe each other’s infrastructure.
Also known as SIGINT, or the “fourth-party collection practice of spying on a spy spying on someone else,” according to the Global Research & Analysis Team (GReAT), such attacks are most likely to be launched by nation-state sponsored groups in order to target less sophisticated groups and foreign rivals.
There are two main approaches to this internal warfare that groups tend to take. The first, a “passive” model, involves intercepting each others’ data and communication — for example, when commands are issued to a slave system via a command-and-control (C&C) server. Kaspersky says that such attacks, when conducted properly, can be “almost impossible to detect.”
The “active” approach, however, involves infiltrating a hacking group’s infrastructure. While more likely to be detected, these attacks can result in the theft of victim information, tools, and a deep insight into how other threat actors operate.
A common tactic used by state-sponsored groups against each other is the installation of backdoors into C&C infrastructure, which creates persistence. Kaspersky discovered two such examples in wild, one of which in the NetTraveler malicious server, used to target activists in Asia by a Chinese group.
The second was found in the C&C infrastructure employed by Crouching Yeti also known as Energetic Bear, a Russian-speaking threat group which has been linked to attacks against the industrial industry.
However, the team was not able to trace the groups that engineered the backdoors.
Another tactic employed is the surveillance of malicious websites. In 2016, a Korean-speaking state-sponsored group dubbed DarkHotel hosted malicious scripts for another group called ScarCruft, which targeted Russian, Chinese, and South Korean victims.
“The DarkHotel operation dates from April 2016, while the ScarCruft attacks were implemented a month later, suggesting that ScarCruft may have observed the DarkHotel attacks before launching its own,” the team says.
Sometimes, however, threat groups decide to play nice and share, rather than steal.
Kaspersky found that a server belonging to the Magnet of Threats, a group from the Middle East, also hosted implants and malicious tools used by hacking groups Regin, Equation Group, Turla, ItaDuke, Animal Farm, and Careto — English, Russian, French and Spanish-speaking communities, respectively.
Sharing sophisticated tools and data does have a downside — as it was this server which led to the discovery of the Equation Group, later revealed to be linked to the US National Security Agency (NSA).
The constant theft, copying, and internal battles between state-sponsored groups are making the role of security researcher more difficult as time goes on. Without clear “signatures” of each group, tracking who is responsible for what can be very difficult, and without being cautious, could attribute attacks from different countries and groups incorrectly.
“Attribution is hard at the best of times as clues are rare and easily manipulated, and now we also have to factor in the impact of threat actors hacking each other,” said Juan Andres Guerrero-Saade, Principal Security Researcher at Kaspersky. “As more groups leverage each other’s toolkits, victims, and infrastructure, insert their own implants or adopt the identity of their victim to mount further attacks, where will that leave threat hunters trying to build a clear, accurate picture?”