Anatomy of an attack: Deploying military tactics against a retailer

Norse Corp. discovers cyber criminals hacked intellectual property in huge counterfeiting mission


Core finding: Nation state-backed cyber warfare campaigns typically focus on infrastructure such as utilities, defense contractors, financial firms and technology companies. However, forensic experts at Norse Corp. recently documented how a hacking group used military-style breach and data-exfiltration techniques against a large U.S. retailer. The hackers, widely believed to be backed by the Chinese government, ignored the usual pot of gold: payment card transaction data. Instead, they went after intellectual property to support an elaborate counterfeiting campaign.

Attack vector: To get a foothold in the retailer’s network, the hackers spear-phished working developers, engineers and designers. The targets were enticed into downloading what they believed to be 3D software to use in their daily work. They actually got the software, but the download also sneaked malware into the company’s network.

Distinctive technique: The infected computers then began to communicate with a command-and-control (C2) server using browser-based URL requests. Data sent back up to the C2 server was encrypted. Norse analysts had to unravel multiple layers of obfuscation to reveal what was being exfiltrated, including translating part of the hackers’ encryption string from Japanese to English, and another part from Korean to English.

Wider implications: Retailers, or any other organization with trademarked and/or patented goods and services, should realize financial data isn’t the only data sophisticated hacking groups are proactively seeking. Governments engaging in cyber warfare must now worry that loosing military hacking techniques to breach nonmilitary targets, for whatever reasons, risks exposure of those intricate techniques to security vendors now protecting those companies.
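The distinctive technique above (a compromised workstation checking in with a C2 server through ordinary-looking URL requests that carry encrypted data) is the kind of pattern an analyst would look for in the firewall or proxy logs the customer handed over. The following is an added example, not Norse Corp. code and not derived from the incident: it assumes a constructed log format of one request per line ("timestamp source method URL") and applies two defender-side heuristics, regular check-in timing (beaconing) and long, high-entropy query-string values (an encoded blob going out in a URL). The hostnames, thresholds and log lines are all constructed for the example.

```python
"""Triage outbound web requests for C2-like behaviour (added example).

Assumed log format, one request per line:
    <ISO timestamp> <source host> <method> <URL>
Heuristics:
  * beaconing: a source host reaching the same destination host at
    near-constant intervals (low coefficient of variation of the gaps);
  * encoded payload: long query-string values with high Shannon entropy,
    the shape an encrypted or base64-wrapped blob takes inside a URL.
"""
import math
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import parse_qsl, urlsplit

# Constructed sample log (not from the incident). cad-update.example stands in
# for a C2 host: the workstation checks in every ~5 minutes with an opaque blob.
# updates.example.org is a legitimate periodic update check with a plain value.
SAMPLE_LOG = """\
2015-07-14T09:00:03 ws-design-07 GET http://cad-update.example/api/v1/ping?s=kX9mQ2vL7pR4tW0zB6nJ3hY8cF5dG1sA
2015-07-14T09:05:02 ws-design-07 GET http://cad-update.example/api/v1/ping?s=A1sG5dF8cY3hJ6nB0zW4tR7pL2vQ9mXk
2015-07-14T09:10:04 ws-design-07 GET http://cad-update.example/api/v1/ping?s=mQ2vL7pR4tW0zB6nJ3hY8cF5dG1sAkX9
2015-07-14T09:15:03 ws-design-07 GET http://cad-update.example/api/v1/ping?s=tW0zB6nJ3hY8cF5dG1sAkX9mQ2vL7pR4
2015-07-14T09:20:02 ws-design-07 GET http://cad-update.example/api/v1/ping?s=B6nJ3hY8cF5dG1sAkX9mQ2vL7pR4tW0z
2015-07-14T09:00:00 ws-design-07 GET http://updates.example.org/check?v=3.1.2
2015-07-14T09:10:00 ws-design-07 GET http://updates.example.org/check?v=3.1.2
2015-07-14T09:20:00 ws-design-07 GET http://updates.example.org/check?v=3.1.2
2015-07-14T09:30:00 ws-design-07 GET http://updates.example.org/check?v=3.1.2
2015-07-14T09:01:10 ws-design-07 GET http://www.example.com/news/index.html
2015-07-14T09:01:12 ws-design-07 GET http://www.example.com/static/site.css
2015-07-14T09:07:45 ws-design-07 GET http://www.example.com/search?q=winter+boots
2015-07-14T09:30:01 ws-design-07 GET http://www.example.com/products/4471
2015-07-14T09:31:22 ws-design-07 GET http://www.example.com/cart
"""


def parse_line(line):
    """Split one log line into timestamp, source host, destination host and query values."""
    ts, src, _method, url = line.split(maxsplit=3)
    parts = urlsplit(url)
    return {
        "ts": datetime.fromisoformat(ts),
        "src": src,
        "host": parts.hostname,
        "query_values": [value for _key, value in parse_qsl(parts.query)],
    }


def shannon_entropy(text):
    """Bits per character; ~5 for a 32-character string with no repeated characters."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def beacon_regularity(timestamps):
    """Coefficient of variation of the inter-request gaps (0.0 = perfectly periodic).

    Returns None when there are fewer than three gaps, i.e. too little data to judge.
    """
    ordered = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
    if len(gaps) < 3:
        return None
    avg = mean(gaps)
    return None if avg == 0 else pstdev(gaps) / avg


def find_suspicious_sessions(log_text, min_requests=4, max_cv=0.15,
                             min_entropy=4.0, min_len=24):
    """Group requests by (source, destination) and score each group.

    score 2 = periodic AND carrying high-entropy values (strongest signal),
    score 1 = only one of the two; groups with neither are not reported.
    Thresholds are assumptions for this example, not tuned on real traffic.
    """
    sessions = defaultdict(lambda: {"ts": [], "values": []})
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        key = (rec["src"], rec["host"])
        sessions[key]["ts"].append(rec["ts"])
        sessions[key]["values"].extend(rec["query_values"])

    findings = []
    for (src, host), sess in sessions.items():
        if len(sess["ts"]) < min_requests:
            continue
        reasons = []
        cv = beacon_regularity(sess["ts"])
        if cv is not None and cv <= max_cv:
            reasons.append(f"periodic check-ins (cv={cv:.3f})")
        encoded = [v for v in sess["values"]
                   if len(v) >= min_len and shannon_entropy(v) >= min_entropy]
        if encoded:
            reasons.append(f"{len(encoded)} high-entropy query values")
        if reasons:
            findings.append({"src": src, "host": host, "requests": len(sess["ts"]),
                             "score": len(reasons), "reasons": reasons})
    findings.sort(key=lambda f: -f["score"])
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_sessions(SAMPLE_LOG):
        print(finding)
```

On the constructed sample, the C2 stand-in scores 2 (periodic and carrying opaque values), the update checker scores 1 (periodic only, a plain version string) and the ordinary browsing to www.example.com is not reported. Periodicity on its own is weak evidence, since legitimate software polls on timers too; the combination with opaque outbound data is what moves a session to the top of the triage list.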

Excerpts from ThirdCertainty Editor-In-Chief Byron Acohido’s interview with Stiansen at Black Hat Vegas 2015. (Answers edited for length and clarity.)

3C: How did Norse get onto this?
Stiansen: A customer came to us and gave us their firewall logs, and we ran them through our malware pipeline and uncovered active command-and-control traffic.

3C: Malware pipeline?
Stiansen: Norse collects between 2,000 and about 50,000 new binaries every day that no one has seen before. These are real threats, real malware. Some of them are APT (advanced persistent threat) campaigns. Some of them are targeted campaigns. We categorize them and map them, and then we fuel our platforms with all this knowledge. We also execute the malware so that we can record the behaviors.

3C: So you found military tactics being used against a nonmilitary target?
Stiansen: The adversary wasn’t someone looking to defraud or breach credit card data, which you would expect. This was a nation state attacking a retailer. Not a nation state versus a nation state. This was commercially driven by what I call piracy or imitation branding. This was a massive scale counterfeiting operation, with a lot of money involved.

3C: Someone tapping the government’s military cyber capabilities for personal profit?
Stiansen: To make money, yes. They were actually able to get the military to help them in their counterfeiting mission. That’s the scary part. Imagine being the retailer here and you have another nation state coming after you. If you don’t have the power of the military behind you, it’s hard to defend yourself.

3C: You’re pretty sure it was China?
Stiansen: Yes, we have attributed this fully to them. There’s no doubt. We’ve had several companies and law enforcement corroborate our findings that it was the military that was behind it and the motivating factor was the counterfeiting.

3C: Kind of a frivolous use of cyber capabilities, isn’t it?
Stiansen: This is why the Chinese government is interested in this. This is corruption they need to fight. This hurts their (cyber) offensive program immensely. We were able to do a lot of fingerprinting on their tools and tactics and the people involved, as well. It basically puts (China) at risk.


3C: What’s the big takeaway for companies?
Stiansen: All enterprises have to basically adopt military standards to defend themselves in today’s environment. This was a retail company, after all. The tough part is the board (of directors) still didn’t want to listen to the security people. Luckily they had really good analysts who spotted something suspicious. A lot of enterprises are learning that security today is no longer about how much you can afford. It’s about getting the right people. Their analysts found a little clue, and that’s how we actually uncovered it.

3C: Isolated case or tip of the iceberg?
Stiansen: This is the tip of the iceberg. We also correlated other possible targets in the same mix. Their domain naming algorithms pointed us to other targets. We could actually see other victims in the past. We found other military targets, and we found other victims that were nation states.

3C: Why don’t the good guys share this kind of intel more widely?
Stiansen: This is a competitive market. We have so many security companies and everyone is doing great work, but none of us are sharing. The military is less and less involved in the enterprises today. So our military branch doesn’t always get this level of intelligence back to them either. This is a gap that we need to address. We need to start sharing intelligence between commercial and military.
