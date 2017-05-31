* Experts say tracking cyber attackers grows more confusing
* Leaks of U.S. spy tools enable new level of cyber crimes
* Cyber criminals harder to distinguish from state-backed
hackers
By Eric Auchard
TALLINN, Estonia, May 31 Veteran espionage
researcher Jon DiMaggio was hot on the trail three months ago of
what on the face of it looked like a menacing new industrial
espionage attack by Russian cyber spies.
All the hallmarks were there: targeted phishing emails
common to government espionage, an advanced Trojan horse for
stealing data from inside organisations, covert communication
channels for grabbing documents and clues in the programming
code indicating its authors were Russian speakers.
It took weeks before the lead cyber spying investigator at
Symantec, a top U.S. computer security firm, figured out instead
he was tracking a lone-wolf cyber criminal.
DiMaggio won't identify the name of the culprit, whom he has
nicknamed Igor, saying the case is a run-of-the-mill example of
increasing difficulties in separating national spy agency
activity from cyber crime. The hacker comes from Transdniestria,
a disputed, Russian-speaking region of Moldova, he said.
"The malware in question, Trojan.Bachosens, was so advanced
that Symantec analysts initially thought they were looking at
the work of nation-state actors," DiMaggio told Reuters in a
phone interview on Wednesday. "Further investigation revealed a
2017 equivalent of the hobbyist hackers of the 1990s."
Reuters could not contact the alleged hacker.
The example highlights the dangers of jumping to conclusions
in the murky world of cyber attack and defence, as tools once
only available to government intelligence services find their
way into the computer criminal underground.
Security experts refer to this as "the attribution problem",
using technical evidence to assign blame for cyber attacks in
order to take appropriate legal and political responses.
These questions echo through the debate over whether Russia
used cyber attacks to influence last year's U.S. presidential
elections and whether Moscow may be attempting to disrupt
national elections taking place in coming months across Europe.
The topic is a big talking point for military officials and
private security researchers at the International Conference on
Cyber Conflict in Tallin this week. It has been held each year
since Estonia was swamped in 2007 by cyber attacks that took
down government, financial and media websites amid a dispute
with Russia. Attribution for those attacks remains disputed.
THE SMOKING GUN
"Attribution is almost never a clean, smoking-gun," said
Paul Vixie, creator of the first commercial anti-spam service,
whose latest firm, Farsight Security, helps firms track down
cyber attackers to identify and block them.
Raising the stakes, a mystery group calling itself
ShadowBrokers has taken credit for leaking cyber-spying tools
that are now being turned to criminal use, including ones used
in the recent WannaCry global ransomware attack, ratcheting up
cyber security threats to a whole new level.
In recent weeks, ShadowBrokers has threatened to sell more
such tools, believed to have been stolen from the U.S. National
Security Agency, to enable hacking into the world's most used
computers, software and phones. (reut.rs/2rmTZmm)
"The bar for what's considered advanced is lowered as time
goes by," said Sean Sullivan, a security researcher with Finnish
cyber firm F-Secure.
The Moldovan hacker's campaign to steal data and resell it
on the web came to light only after infections popped up last
year at a major airline, an online gambling firm and a Chinese
automotive software maker, which are all customers of Symantec
products used to secure their business networks.
Igor appears to have targeted the auto-tech company to steal
its car diagnostics software, which retails for around $1,100
but Igor sold for just a few hundred dollars on underground
forums and websites he had created. His aims in trying to break
into the airline and gambling firm remain a mystery.
“Considering the audacity of this attack, the financial
rewards for Igor are pretty low,” DiMaggio wrote in a blog post
on his findings to be published on Wednesday.
As a threat, Symantec rates Trojan.Bachosens as a very low
risk virus, in part because the attack singles out only a
handful of specific firms rather than the wide-ranging, random
attacks used by many cyber criminals to scoop up the greatest
number of victims.
"I think those days are over when we can say in black and
white: We know this is an espionage group," DiMaggio said.
The Symantec researcher has not reported Igor to local
authorities, calculating that exposing the methods of the attack
will be enough to neutralise them.
(Editing by Peter Millership)