Wednesday, May 24, 2017

Symantec Names More than N. Korea

The press reports would have you believe that the latest threat report from Symantec names North Korea as the harbinger of all bad things, including the bank heist at the central bank in Bangladesh.  In fact, they lay out what is pretty well known in the cyber world:  Russia, China, Iran and North Korea are the common elements in most of the attacks.  We are in a war with these countries, and the more we discover about their activities, the more we realize how the attacks are taking place and what their targets might be.

They have a slick chart on page 15 that shows what I am talking about, and the report says possibly North Korea.  For years, they were saying possibly China for Suckfly, but now they are clearly showing that they were right about their original speculation, even though the chart still says possibly China.  Suckfly is still around using those code-signing certs to do their deed.  This is the most insidious of them all because it looks legitimate to most security modules.  Credit to Symantec on this because they were the first to point out where it came from.

Now, these are just countries of origin and not necessarily state sponsorship of attacks.  In fact, they say possibly to those too, so there is no real conviction to their reporting on country of origin, which is crucial to attributing an attack to a state.  All this points out is that saying for sure where an attack is coming from and who made it is becoming more difficult now that so many security evaluation groups have said how they know who was making this bad software.  You only have to mention once or twice that the changes were made in a certain time zone with certain holidays taken off, and the developers will stop posting at the same times and on the same holidays.  They are not stupid.  So we help them by saying how we know who is doing the work on this stuff.  It is the disclosure of the sources and methods used in the evaluations that allows this to happen.  Any intelligence service will tell you not to do that.

The main point I saw in this report was that none of the attack software has been taken out of use by any activity of any other state or company.  It seems like there should be a way to disable or disrupt the software itself so it can't continue to be used, or, if it is used, to track where it is coming from and what its targets are.  Maybe these people are smarter than we are.  Possibly.
