Monday, January 21, 2013

When a Choice is a Fingerprint

By Matthew Eble @iaimtomisbehav3

We frequently hear the phrase "Attribution is hard." And yes, if the adversary exercises perfect tradecraft, attribution can be hard to the point of impossible. But we rarely mention the opposite side of that coin, how hard it is to maintain that level of tradecraft over the lifetime of an extended operation. How many times out of muscle memory have you absent-mindedly entered one of your passwords in the wrong application? The consequences of this are typically nonexistent if you're entering your personal email address into your work client, but they can matter much more if you're entering your personal password while trying to log into the pwned mail server of Country X's Ministry of Foreign Affairs. People make mistakes, and the longer the timeframe, the more opportunities they have to do so.

This leads me to the recent release from Kaspersky labs, about a malware campaign referred to as "Red October", which they have attributed to Russian hackers. There are a number of indications pointing to Russian origination, including Russian words in the source code,  a trojan dropper that enables Cyrillic before installation, and targets concentrated in Russia's sphere of influence. Although Kaspersky has avoided naming the sponsor of the campaign as the Russian government, the targets of the malware are strongly suggestive of government sponsorship. The campaign seemed to selectively target governments, diplomatic facilities, defense, research institutes, etc. These are targets consistent with sponsors seeking geo-political intelligence, not criminals seeking profit. Kaspersky hypothesizes the perpetrators may have collected the data to sell it, but I would argue that this is fallacious. The customer of this information would be a government, and if a government is paying criminals for the information, I would argue that's state-sponsorship.

With that context, the one datapoint that was most interesting to me in Kaspersky's release was the inclusion of the word, "zakladka". As Kasperky mentions in their report, "Zakladka" is a Russian word that can mean "bookmark." In slang it can also mean "Undocumented feature" or a brick with an embedded microphone, like the kind you would sneak into an adversary nation's embassy.

It's delightfully poetic then, that in a piece of malware apparently intended to target embassies someone (presumably Russian) would choose to name a module "zakladka." The United States and Russia have a rich history of attempting to bug each other's diplomatic facilities. As early as 1945 the Soviet Union infiltrated an ingenuous listening device into the office of the US ambassador to Moscow, hiding it in a wooden US Seal presented as a gift [1]. By 1964 the Soviets were able to collect extensive classified information from the US embassy through hidden microphones [2]. In 1985 construction work stopped on a new US Embassy building in Moscow after it was determined that the building was so riddled with microphones, which had been integrated into the construction, that it could never be considered secure [3]. 

Presumably in homage to this history, a programmer decided to name his module of code "zakladka", which would be included in malware that is effectively the evolution of a microphone hidden in drywall. Zakladka is an appropriate name, but the very elegance with which its name matches
its function undermines the deniability of the malware. In this case, it was a choice made by a programmer years ago, and it has repercussions as forensic experts attempt to unravel the source of the malware today.

It's a reminder of how humans make mistakes. Defenders often talk about the difficulty of attribution, but as the offense we seldom talk about the challenge in gaining and maintaining network access on a target system while remaining totally unnoticed. We take it for granted.
Seemingly innocuous decisions made days, weeks, or months ago can unravel what was otherwise sound tradecraft. In this case, I just found it fascinating that the choice of name for a module--an elegantly appropriate choice--can be as strong a fingerprint for attribution as anything else.

No comments:

Post a Comment