I read an interesting analysis of the malware involved in the March RSA breach. The analysis was done by J. Oquendo and posted over at Infosec Island. After his analysis of the malware involved he believes that “it’s inconclusive but points more to RBN than APT.” Read through his analysis and see what you think. Based on the information he has presented you may agree, and he could be correct. I’m sure somebody knows definitively. Will we? Doubtful.
What I wanted to point out here is that you can’t have attribution for an attack by analyzing only the tool used, no matter how thorough the analysis. We all know IPs can be changed, compromised, rented out, so relying on that won’t work. Code can be borrowed, stolen, or reversed, so that isn’t conclusive either. This is especially true if we are talking about nation-state sponsored cyber attacks. The tool is only part of the bigger picture. Attribution requires taking a step back and looking at this bigger picture. Who received the email? What is their role at the company? Where did the adversary get their email address? What tools did they use once inside? In what order did they use the tools? What time of day, week, or month did they carry out the attack? How did they exfil the data? What did they do with the data once exfiltrated? These are just examples of data not directly tied to the code in the malware that need to be analyzed. Threat actors have patterns that they follow, just as criminals have M.O.s. However, these cannot be relied upon completely. Misdirection is your friend when you don’t want to be named. A lot of data needs to be analyzed before you are in a position to claim attribution. I would argue that few organizations have the expertise and experience to do so, and fewer still could say so conclusively, outside of Defense and Intel circles.
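To make the "tool is only part of the picture" argument concrete, here is an added example (not from the original post, and not a real attribution system) that scores a constructed intrusion against two constructed actor profiles. Every name here, the actor profiles, the malware family "rat-x", the tool sequences and the exfil methods, is invented for illustration. Both profiles share the same malware family, so scoring on the malware feature alone ends in a tie; adding the contextual features the post lists (recipient role, tool order, hours of activity, exfil method) separates them. The margin check is there because, as the post notes, patterns can be imitated, so a narrow lead should still be reported as inconclusive.

```python
from dataclasses import dataclass


def hours_between(start: int, end: int) -> frozenset:
    """Hours of the day covered by [start, end), wrapping past midnight."""
    if start == end:
        return frozenset(range(24))
    h, out = start, set()
    while h != end:
        out.add(h)
        h = (h + 1) % 24
    return frozenset(out)


@dataclass(frozen=True)
class Intrusion:
    """What the defender observed; all fields are constructed sample data."""
    malware_family: str
    recipient_role: str          # role of the phished employee
    tool_sequence: tuple         # order in which post-compromise tools appeared
    active_window_utc: tuple     # (start_hour, end_hour) of hands-on activity
    exfil_method: str


@dataclass(frozen=True)
class ActorProfile:
    """Known M.O. of a tracked actor; constructed for this example."""
    name: str
    malware_families: frozenset
    target_roles: frozenset
    tool_sequences: frozenset    # set of tuples
    active_window_utc: tuple
    exfil_methods: frozenset


# Constructed profiles: both crews use "rat-x", so malware alone cannot separate them.
PROFILES = (
    ActorProfile("crew-alpha", frozenset({"rat-x", "loader-q"}),
                 frozenset({"finance", "payroll"}),
                 frozenset({("rat-x", "credential-dump", "wire-fraud-tool")}),
                 (20, 4), frozenset({"https-to-bulletproof-host"})),
    ActorProfile("crew-beta", frozenset({"rat-x", "rat-y"}),
                 frozenset({"hr", "engineering"}),
                 frozenset({("rat-x", "credential-dump", "archiver")}),
                 (1, 10), frozenset({"ftp-to-staging-host"})),
)

# Tool ordering is weighted higher: it is harder to fake than a reused binary.
WEIGHTS = {"malware": 1.0, "role": 1.0, "tools": 2.0, "hours": 1.0, "exfil": 1.0}
ALL_FEATURES = tuple(WEIGHTS)


def feature_scores(intrusion: Intrusion, profile: ActorProfile) -> dict:
    """Per-feature match in [0, 1]; hours use the overlap fraction of the windows."""
    obs_hours = hours_between(*intrusion.active_window_utc)
    prof_hours = hours_between(*profile.active_window_utc)
    return {
        "malware": float(intrusion.malware_family in profile.malware_families),
        "role": float(intrusion.recipient_role in profile.target_roles),
        "tools": float(intrusion.tool_sequence in profile.tool_sequences),
        "hours": len(obs_hours & prof_hours) / len(obs_hours),
        "exfil": float(intrusion.exfil_method in profile.exfil_methods),
    }


def score(intrusion: Intrusion, profile: ActorProfile, features: tuple) -> float:
    fs = feature_scores(intrusion, profile)
    return sum(WEIGHTS[f] * fs[f] for f in features)


def attribute(intrusion: Intrusion, profiles: tuple, features: tuple,
              min_margin: float = 1.0) -> str:
    """Name the best-matching actor, or 'inconclusive' if the lead is too narrow."""
    ranked = sorted(((score(intrusion, p, features), p.name) for p in profiles),
                    reverse=True)
    if len(ranked) > 1 and ranked[0][0] - ranked[1][0] < min_margin:
        return "inconclusive"
    return ranked[0][1]


# Constructed observation: shared RAT, but HR target, beta's tool order and hours.
OBSERVED = Intrusion("rat-x", "hr", ("rat-x", "credential-dump", "archiver"),
                     (2, 9), "ftp-to-staging-host")

if __name__ == "__main__":
    print("malware only :", attribute(OBSERVED, PROFILES, ("malware",)))
    print("full picture :", attribute(OBSERVED, PROFILES, ALL_FEATURES))
```

Run as a script, the malware-only view reports "inconclusive" and the full-picture view reports "crew-beta". The weights and the one-point margin are arbitrary choices for the demonstration; the point is the structure, not the numbers: keep the contextual observables (who was targeted, what ran in what order, when, and how data left) alongside the sample so the same comparison can be made when an actor reuses or borrows someone else's tooling.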
Also remember that not all advanced intrusions are APT, just as not all APT intrusions are advanced. What helps constitute the Advanced in APT is their ability to pick the right tool for the job. They are not going to pull out their 0-days unless they have to, in my opinion anyway.
[TAGS] APT, RSA [\TAGS]