[kenbaylor]

It really is super easy. Even since 2007, malware like Zeus and SpyEye, and a million different Remote Access Tools (RATs) take over your machine and allow all activity to emanate from it. Very easy to plant a false flag or incriminating evidence.

and please note the careful wording: "Working off the IP address, U.S. investigators identified Guccifer 2.0 as a particular GRU officer working out of the agency’s headquarters on Grizodubovoy Street in Moscow. "

interpretation 1: The guy accessed the device from his GRU office

Interpretation 2: The IP belongs to a guy (maybe his residential connection), and he happens (from other sources) to work at the GRU office. Assuming the GRU device is relatively secure, is it possible that other devices on his home have malware on them? If the latter, all the devices would appear as coming from that same residential IP address.

I work in this field and false attribution happens all the time. Evidence is really easy to fake.

[geofft]

If you have gained remote access to a Russian intelligence officer's computer, I feel like spoofing an HTTP request to a social media site is the least exciting thing to do with that access.

Don't confuse the ease of installing tools that let you maintain access once you have gained access with the ease of gaining access in the first place.

[1337biz]

If you have access to a device of some low level employee there is no harm in burning it for a high profile operation like the guccifer story. This was not just a random Twitter bot, but potentially at a global-scandal level. Whoever coordinated this was certainly not a some random fool.

[kenbaylor]

It's called a watering hole attack. You infect many of the devices way ahead of time (that are interested in whatever subject area you targeted), and pick your victim when you need to. If you haven't prosecuted these cases, you'd be surprised how often it happens:

https://www.cyberscoop.com/winter-olympics-hack-attribution-...

https://krebsonsecurity.com/2017/08/blowing-the-whistle-on-b...

https://blog.trendmicro.com/trendlabs-security-intelligence/...

https://blog.talosintelligence.com/2018/02/who-wasnt-respons...

[geofft]

All of the articles you link are about trying to derive attribution using signatures from the malware itself, which is unrelated to the thing you're talking about. I agree that trying to find meaningful attribution from the evidence left on the machine is unlikely to work and that spoofing this evidence is easy.

But that has nothing to do with a watering hole attack - are you claiming that successful watering hole attacks against GRU personnel are commonplace?

[kenbaylor]

Great question: Apologies if I wasn't being clear.

For example: the Chinese government has been waging war against the Free Tibet movement for years: https://www.google.com.sg/search?q=chinese+malware+free+tibe...

There's a bunch of articles there. One technique is they put up a pro-Free Tibet site, and put malware on it. The visitors get infected and they have an insight into who is interested in that topic and their IP addresses for basic geo location, and maybe remote control of their machines.

If we pick a topic that's super interesting for government intelligence people (like the Guccifer blog site itself), and put some awesome non-detectable malware on there, you could potentially infect multiple intelligence officers from multiple countries.

When the bots phone home, they will report username, domain name, email addresses, visited URLs, security certificates (or basically anything you want). So you now have a rolodex of machines you can manipulate. Mossad did it...nope....North Korea....nope CIA...nope FBI etc etc

Now this is super hard to do in practice. But you only have to be lucky once.

[bigiain]

"Very easy"? to fake a connection from the ip address of "of an intelligence official in another country"?

OK - show us. Doesn't need to be GRU - I'd settle for an NSA or Mossad ip address instead. Go on, install a RAT and make a connection...

[kenbaylor]

Here you go....from my 2012 Blackhat presentation. It then shows the issues of attribution as everything comes from the infected machine...sorry it's dated but nothing has really changed

https://www.youtube.com/watch?v=XvoiI5gJ7-0

[geofft]

Nobody is disputing that, given a remote-access tool running on a machine, actions taken by that tool are seen to come from that machine.

What is being disputed is that making it look like it came from a Russian intelligence officer specifically, as opposed to from some random infected machine somewhere, is easy. I see that you're claiming that if you set up a botnet and start infecting people and wait, you'll eventually get someone who works for a bank or someone who works for the military, sure. But what are the changes that you'll find someone who happens to work for the specific intelligence agency that is widely suspected as being the actual perpetrator?

Are you claiming that lots of botnet operators happen to have infected so many machines that their chance of being able to get to the machine of an employee of any government agency in the world is high? That the average GRU officer has hundreds of RATs in their home from hundreds of bored teenagers around the world?

[kenbaylor]

Hopefully I addressed it in the section above.

I believe that intelligence agencies are targeted all the time, and keeping machines clean is not that easy. Certain governments (like Singapore) adopted an air-gap approach, so the machines you use for work don't touch the internet.

But even then, it would be a lot easier to infect that persons's home machine.....Many of the people visiting Guccifers site were normal people, some were from intelligence agencies (proportionally probably a lot more than visit a normal site).

Assuming you had AWESOME undetectable malware, you'd have to infect the lot, get them to report in, and ferret out the interesting ones. Not exactly a weekend project, but if this was your passion in life, very achievable.

Spear phishing these guys is hard, watering hole may be easier.

[bigiain]

Nice talk! I just 1.5x-ed thru the first ~30 mins.

I still think we're talking at cross purposes though - I'm not disputing Zeus works, I'm disputing that it's "super easy" to identify and then infect a machine attributable to "an intelligence official in another country".

I mean - if all I need to do is make a tcp connection - all I need is an <img> tag in a web page - the big problem is getting that webpage and/or RAT onto a GRU officer's work computer.

(And if you _do_ cover how to do that in the remaining bit of the talk, I'd love to know...)

[mistermann]

Don't you also have to somehow get the up-to-date list of IP Address to Employee Name (as seems to be the claim)?

[bigiain]

(For the record - do not do this. It's a _spectacularly_ bad idea...)

[nl]

Wow.. can you imagine seeing this in the news in 3 years time:

"bigian" (an alias) taunted kenbaylor on an internet message board call Hacker News to attack the NSA or Mossad"...

[bigiain]

Yes. Yes I can imagine that... :sigh: