Anatomy of an attack: Deploying military tactics against a retailer
Norse Corp. discovers cyber criminals hacked intellectual property in huge counterfeiting mission
By Byron Acohido, ThirdCertainty
Core finding: Nation state-backed cyber warfare campaigns typically focus on infrastructure such as utilities, defense contractors, financial firms and technology companies. However, forensic experts at Norse Corp. recently documented how a hacking group used military-style breach and data-exfiltration techniques against a large U.S. retailer. The hackers, widely believed to be backed by the Chinese government, ignored the usual pot of gold: payment card transaction data. Instead, they went after intellectual property to support an elaborate counterfeiting campaign.
Distinctive technique: Once compromised, the infected computers communicated with a command-and-control (C2) server using ordinary browser-style URL requests, so the traffic blended in with normal web browsing. Data sent back to the C2 server was encrypted, and the encrypted payload was wrapped in further layers of obfuscation. Norse analysts had to peel back each layer to reveal what was being exfiltrated, which included translating part of the hackers' encoding strings from Japanese to English and another part from Korean to English.
Wider implications: Retailers, and any other organization with trademarked or patented goods and services, should realize that financial data is not the only data sophisticated hacking groups are actively seeking. Governments engaging in cyber warfare now face a second risk: unleashing military hacking techniques against nonmilitary targets, for whatever reason, exposes those techniques to the security vendors protecting those companies, who can fingerprint the tools and tactics and attribute them.
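The traffic pattern described above lends itself to a log-side check, even when the payload itself cannot be decrypted. The following Python script is an added example written for this page; it is not Norse's tooling and does not appear in the original article. It reads web proxy log lines in a constructed format, groups requests by client and destination host, and flags pairs where two independent signals coincide: the requests recur at near-constant intervals (beaconing), and the URL query string has the high character-entropy of ciphertext or base64 rather than of readable parameters. Hostnames, IP addresses, thresholds and every sample log line are made up for illustration; the sample set includes a software-update check that is perfectly periodic but carries a readable query, to show why a cadence check alone is not enough.

```python
"""Hunt for HTTP-based C2 beaconing in web proxy logs (added example, constructed data)."""
import math
import re
from collections import defaultdict
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed log format (assumption, not a real product's format):
#   "<epoch_seconds> <client_ip> <method> <url>"
LINE_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+)$")

# Constructed sample log. 10.0.0.7 -> cdn-update.example.net is the beacon:
# ~300 s cadence, 24-character queries with all-distinct characters (log2(24) ~= 4.58 bits/char).
# updates.example.com is a decoy: exactly periodic, but the query "v=4.2.1" is readable.
SAMPLE_LOG = [
    "1438300000.1 10.0.0.7 GET http://cdn-update.example.net/api/v1/sync?d=aBcDeFgHiJkLmNoPqRsTuV",
    "1438300010 10.0.0.12 GET http://www.example.com/search?q=shoes&page=2",
    "1438300015.5 10.0.0.12 GET http://www.example.com/search?q=red+shoes&page=1",
    "1438300000 10.0.0.7 GET http://updates.example.com/check?v=4.2.1",
    "1438300050 10.0.0.12 GET http://static.example.org/logo.png",
    "1438300302.4 10.0.0.7 GET http://cdn-update.example.net/api/v1/sync?d=wXyZ0123456789AbCjEfGh",
    "1438300400 10.0.0.12 GET http://www.example.com/item/5521",
    "1438300598.2 10.0.0.7 GET http://cdn-update.example.net/api/v1/sync?d=K1m2N3o4P5q6R7s8T9u0Vw",
    "1438300600 10.0.0.7 GET http://updates.example.com/check?v=4.2.1",
    "this line is malformed and must be skipped",
    "1438300901.0 10.0.0.7 GET http://cdn-update.example.net/api/v1/sync?d=xY7zA8bC9eF0gH1iJ2kL3M",
    "1438301000 10.0.0.12 GET http://www.example.com/cart?add=5521",
    "1438301003 10.0.0.12 POST http://www.example.com/checkout",
    "1438301199.7 10.0.0.7 GET http://cdn-update.example.net/api/v1/sync?d=nO4pQ5rS6tU7vW8Xy9Za0B",
    "1438301200 10.0.0.7 GET http://updates.example.com/check?v=4.2.1",
    "1438301800 10.0.0.7 GET http://updates.example.com/check?v=4.2.1",
]


def shannon_entropy(s: str) -> float:
    """Bits per character. Base64/hex ciphertext sits around 4-6; typical query text around 3."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse(lines):
    """Yield (timestamp, client, host, query) for well-formed lines; silently skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        parts = urlsplit(m.group("url"))
        yield float(m.group("ts")), m.group("client"), parts.hostname or "", parts.query


def beacon_report(lines, min_requests=4, max_jitter=0.2, min_entropy=4.0):
    """Return {(client, host): stats} for pairs that look like encrypted beaconing.

    A pair is flagged only when BOTH hold: inter-request gaps vary by less than
    `max_jitter` (pstdev / mean) and the average query entropy is >= `min_entropy`.
    Thresholds are illustrative assumptions, not tuned values.
    """
    by_pair = defaultdict(list)
    for ts, client, host, query in parse(lines):
        by_pair[(client, host)].append((ts, query))

    findings = {}
    for pair, events in by_pair.items():
        if len(events) < min_requests:          # too few requests to judge cadence
            continue
        events.sort()
        gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
        avg_gap = mean(gaps)
        if avg_gap <= 0:                         # all requests at the same instant
            continue
        jitter = pstdev(gaps) / avg_gap
        entropy = mean(shannon_entropy(q) for _, q in events)
        if jitter <= max_jitter and entropy >= min_entropy:
            findings[pair] = {
                "requests": len(events),
                "interval_s": round(avg_gap, 1),
                "jitter": round(jitter, 3),
                "query_entropy": round(entropy, 2),
            }
    return findings


if __name__ == "__main__":
    for (client, host), stats in beacon_report(SAMPLE_LOG).items():
        print(f"{client} -> {host}: {stats}")
```

In real deployments the two thresholds need tuning against the organisation's own baseline, and a beacon that randomises its sleep interval will defeat the cadence test; the entropy test still fires on the payload, which is why the two signals are combined rather than used alone.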
Excerpts from ThirdCertainty Editor-In-Chief Byron Acohido's interview with Norse's Stiansen at Black Hat Vegas 2015. (Answers edited for length and clarity.)
3C: How did Norse get onto this?
Stiansen: A customer came to us and gave us their firewall logs, and we ran them through our malware pipeline and uncovered active command-and-control traffic.
3C: Malware pipeline?
Stiansen: Norse collects between 2,000 and about 50,000 new binaries every day that no one has seen before. These are real threats, real malware. Some of them are APT (advanced persistent threat) campaigns. Some of them are targeted campaigns. We categorize them and map them, and then we fuel our platforms with all this knowledge. We also execute the malware so that we can record the behaviors.
3C: So you found military tactics being used against a nonmilitary target?
Stiansen: The adversary wasn’t someone looking to defraud or breach credit card data, which you would expect. This was a nation state attacking a retailer. Not a nation state versus a nation state. This was commercially driven by what I call piracy or imitation branding. This was a massive scale counterfeiting operation, with a lot of money involved.
3C: Someone tapping the government’s military cyber capabilities for personal profit?
Stiansen: To make money, yes. They were actually able to get the military to help them in their counterfeiting mission. That’s the scary part. Imagine being the retailer here and you have another nation state coming after you. If you don’t have the power of the military behind you, it’s hard to defend yourself.
3C: You’re pretty sure it was China?
Stiansen: Yes, we have attributed this fully to them. There’s no doubt. We’ve had several companies and law enforcement corroborate our findings that it was the military that was behind it and the motivating factor was the counterfeiting.
3C: Kind of a frivolous use of cyber capabilities, isn’t it?
Stiansen: This is why the Chinese government is interested in this. This is corruption they need to fight. This hurts their (cyber) offensive program immensely. We were able to do a lot of fingerprinting on their tools and tactics and the people involved, as well. It basically puts (China) at risk.
3C: What’s the big takeaway for companies?
Stiansen: All enterprises have to basically adopt military standards to defend themselves in today’s environment. This was a retail company, after all. The tough part is the board (of directors) still didn’t want to listen to the security people. Luckily they had really good analysts who spotted something suspicious. A lot of enterprises are learning that security today is no longer how much you can afford. It’s about getting the right people. Their analysts found a little clue, and that’s how we actually uncovered it.
3C: Isolated case or tip of the iceberg?
Stiansen: This is the tip of the iceberg. We also correlated other possible targets in the same mix. Their domain naming algorithms pointed us to other targets. We could actually see other victims in the past. We found other military targets, and we found other victims that were nation states.
3C: Why don’t the good guys share this kind of intel more widely?
Stiansen: This is a competitive market. We have so many security companies and everyone is doing great work, but none of us are sharing. The military is less and less involved in the enterprises today. So our military branch doesn’t always get this level of intelligence back to them either. This is a gap that we need to address. We need to start sharing intelligence between commercial and military.