Attributing attacks to nation-states is a difficult task. Not only do state-sponsored threat actors often have more time and resources than traditional cybercriminals, but they also try to trick their victims into anonymity. Further complicating the cyber attribution process are copy attacks.
“Ransomware gangs and organized crime groups take the information that information security analysts have collected over the years about invading nation-states and incorporate these techniques into their attacks,” said Jon DiMaggio, author of The art of cyber warfarepublished by No Starch Press.
For example, he noted, the malware used in the 2016 Democratic National Convention hack had French and Russian roots. “The French part was put there intentionally to keep people away,” he said.
The who and why of an attack is important information, but organizations should never jump to conclusions when attributing attacks. Just because two attacks look similar doesn’t necessarily mean they’re from the same attacker.
The following excerpt from Chapter 2, “State-Sponsored Financial Attacks,” from The art of cyber warfare details the tactics, techniques and procedures that cybercrime group Odinaff copied from SWIFT attacks attributed to North Korea in 2016. This real-world case study exemplifies why it is so difficult to attribute attacks to nation states.
Odinaff: How cybercriminals learn from nation states
Earlier in this book, we pointed out the differences between common cybercriminals and nation-state attackers. Few cybercriminals are capable of the persistence, patience, and planning used in the compromises covered in this book so far. Unfortunately, there are always exceptions.
North Korean SWIFT attacks made global headlines in 2016, attracting the attention of an organized cybercrime group called Odinaff. That year, security researchers revealed what they had discovered about the tactics, techniques and procedures used in SWIFT attacks to compromise banks. This information helped to better defend against these incidents. But it also provided criminals with a roadmap for future bank compromises.
Believed to originate from Eastern Europe, Odinaff has successfully exploited banks with its own malware. It relied on tactics first seen in North Korean attacks, and current intelligence suggests the group successfully stole millions of dollars from financial institutions.
As an initial attempt to gain access to banks’ systems, attackers injected malware into a popular administrative tool called AmmyAdmin. They expected bank administrators to download it, effectively infecting themselves. To do this, attackers compromised AmmyAdmin’s legitimate website – an attack that may seem elaborate, but in fact, criminals have often compromised the same website to distribute malware.
Observation: The website used to host AmmyAdmin is known to distribute remote access trojans, exploit kits and ransomware. Due to this risk, you should not visit the hosting site or download this tool.
While the AmmyAdmin tool may have acted as an effective infection vector, attackers likely realized that it didn’t give them control over who downloaded the app. This ran the risk of infecting many unintended victims. It also exposed them to unwanted public attention. Probably for this reason, attackers switched to spear phishing emails, which allowed them to choose their targets.
Odinaff’s spear phishing emails were nowhere near as sophisticated as those from North Korea. Although targeted, the phishing campaign used a generic email template directing recipients to click on a URL in the body of the email. The URL would then download a malicious payload. The attachment, however, did not infect victims if they opened it. Instead, victims had to open a compressed file that required the target to enter a password included in the text of the email. If victims followed the attackers’ instructions, the file would unzip and present the target with a Microsoft Office document. When victims tried to open the document, the attachment presented the option to enable macros. If the target does not enable macros, the infection will fail.
Only if victims followed all these steps would the first stage malware known as Trojan.Odinaff compromise the system, giving attackers initial access to the victims environment. The fact that the attack required so many active actions on the part of victims points to its precariousness; if the targets were suspicious of the emails, or perhaps the unusual requirements needed to open the attachment, the attack would have failed. It may seem difficult to imagine that anyone would fall for such a scheme. However, this has happened more than once, in attacks on various banks.
The Odinaff malware provided basic backdoor functionality, issued shell commands, and downloaded and executed additional malware. It used something called a mutex, encoded in the binary itself. ONE mutex is an object in code used as an identifier. In this case, the identifier revealed whether a system was already infected. If it was, the malware stopped running. This prevented multiple infections from occurring on the same host, which would have strained additional resources and potentially drawn unwanted attention. The malware also used a hard-coded proxy to connect to command and control servers, making it difficult for defenders to identify outbound traffic.
Once in the victims environment, attackers would review infected victims and identify systems of interest. They then used Odinaff’s malware to download stage two malware known as Backdoor.Batel, for the subset of high-value systems of interest. (The researchers coined the name Backdoor.Batel after a string they found in the malware code containing the term “BATEL_SOURCE”.) the infrastructure.
The Backdoor.Batel malware is designed and developed using common penetration testing software such as red-team tools metasploit and CobaltStrike. The Metasploit framework identifies vulnerabilities and runs exploit code against them. CobaltStrike works with Metasploit to provide various post-exploitation and attack management capabilities. Penetration testers often use both for legitimate security assessment exercises. Unfortunately, cyberattacks also use this tool to find and exploit weaknesses in victims’ environments.
The Odinaff attack shared another tactic with nation-states: the use of tools already present in the victims’ environment. Using legitimate administrative tools and applications already present on the system, an attacker can arm binaries of the Microsoft Windows operating system. This tactic, known as Binaries living off the ground (LOLBins), allows attackers to hide malware in legitimate system binaries, often whitelisted by security tools. When a binary is whitelisted, tools such as antivirus and endpoint detection software will not detect the file as malicious. Whitelisting prevents security tools from removing or quarantining legitimate operating system features that could affect system functionality. Knowing this, attackers leverage the legitimate resource to use in attacks and evade detection.
Odinaff attackers used Windows administration software such as PSExec, Netscan and PowerShell. When attackers needed to fulfill a capability unattainable by tools present in the victims’ environment, they relied on publicly available hack tools rather than custom tools. A growing trend in cyberattacks, this strategy makes discovery and attribution more difficult. For example, criminals and nation-state attackers have used the Mimikatz hacking tool against banks because it is freely available, effective, a favorite of legitimate red teams, and unattributable.
Using Batel, the attackers learned everything they could about the victims’ environment. They spent time monitoring bank activities and exploring systems and infrastructure. Specifically, the Batel malware included the ability to capture keystrokes and screenshots of users’ screens at 5- to 30-second intervals. He then saved the output to a disk where attackers could retrieve and study the catch. This allowed criminals to learn about banks’ technical processes and procedures for executing financial transactions. Another capability of the Batel malware – again modeled after nation states – was a module that allowed attackers to wipe victims’ disk drives. Despite its inclusion, attackers have not used this feature.
Odinaff’s attackers also manipulated the SWIFT messaging system using tactics almost identical to those of nation-states. The malware looked for any strings in the SWIFT messages that included specific details such as dates and international bank account numbers. When the date and account number in a SWIFT message matched the details associated with a fraudulent transaction, the malware would suppress the message, preventing the bank from discovering the activity or at least delaying it until the funds were already gone.
While no cybersecurity authority has established a solid attribution, several clues point to the attacker’s ties to Russia. The strings present in the malware, as well as the names of the folders, were composed of Cyrillic characters; in addition, some have speculated that there is a relationship between the Odinaff attackers and the Carbanak malware attacks. Carbanak is the tool of choice of a cyber criminal gang, also known as Carbanak, who have been targeting large corporations for financial gain since at least 2014. The Carbanak gang has been the subject of media and security reports due to its high-profile attacks. profile.
The North Korean and Russian Odinaff attacks were so similar that when initially discovered, investigators believed the heist originated from the same North Korean attackers responsible for the previous SWIFT-related attacks. They soon realized that was not the case, but this serves as another example of why investigators cannot let opinion dictate attribution; they must follow the evidence. While the Odinaff attackers were successful – they were one of the few cyber criminal groups to steal money from financial institutions themselves as opposed to their customers – they did not have the same monetary success as the nation-state attackers.
About the author
Jon DiMaggio is Chief Security Strategist at Analyst1 and has over 15 years of experience hunting, researching and writing about advanced cyber threats. As an expert in corporate ransomware attacks and nation-state intrusions, including the world’s first ransomware cartel and the infamous Black Vine cyberespionage group, he has exposed the criminal organizations behind top ransomware attacks, assisted law enforcement agencies law on federal charges of attacking nation-states and discussed his work with The New York Times newspaperBloomberg, Fox, CNN, Reuters and Wired.