Hacking groups are keen to “blend in with the noise”, says former NSA official

State-sponsored hackers from China and elsewhere are switching to less effective hacking tools so that they can “blend in with the noise” and avoid taking the blame for their actions.

This is according to former top US National Security official Priscilla Moriuchi, who headed up the NSA’s East Asia and Pacific cyber threats office prior to moving to the private sector.

She said that US indictments against named officials in the Chinese military, Russian military intelligence, and Iranian hackers are having an impact.

China’s willingness to avoid a digital paper trail is also forcing a switch up in tactics.

“China, for example, realised the amount of data you generate when you do an intense cyber operation,” Moriuchi told The Daily Swig.

Data from domain registration and payments, as well as the use of RATs and malware that are synonymous with Chinese operations, has allowed experts to attribute cyber campaigns to agents of the state, such as the Ministry of State Security (MSS) and the Peoples Liberation Army – undesirable from a Chinese perspective.

“China has streamlined its operations,” Moriuchi, the director of strategic threat development at intel threat firm Recorded Future, explained.

“Their techniques have evolved to the point where attribution, or not being attributed, is very important to them. They are willing to use publicly available tools, like malware or command and control, that might be less effective, as a compromise to avoid attribution.”

Security researchers looking into suspected state-sponsored attacks are seeing much less tailored malware and less sophisticated command and control communications.

For example, command and control traffic is being run over ports 80 (http) and 443 (SSL) rather than tailored ports.

The use of commodity techniques, using publicly available hacking tools available through cybercrime forums and elsewhere, alongside “blending in with the noise” by running attack traffic over widely-used ports helps to disguise attacks and their origins.

Tradecraft has also evolved so that state-sponsored hackers, for example, are becoming more careful about making sure they only have access to a command and control server or other hacking resource through a VPN, which hides their true IP address.

This switch up in tactics and techniques means that private sector intelligence firms (in particular) are no longer highly confident in attributing a cyber operation to China. Intel agencies who have access to secret information can usually be more secure in their assessments.

Cases vary in difficulty but in general, attributing attacks to nation-state actors is becoming far less straightforward, though it is still possible – especially when human error is factored into the equation, according to Moriuchi.

“You can get to the point when you can say that an attack is the work of a nation state with moderate confidence, but getting beyond that is becoming increasingly difficult,” Moriuchi explained.

“Luckily there are still enough groups that retain common techniques across a lot of intrusions, so that for many cases you can attribute with moderate confidence... There’s a lot of data out there and it’s about pulling it together and placing the right emphasis. Everyone makes mistakes, so you just have to be patient enough to find them.”

Other threat intel experts agreed that indictments against alleged spies are having an effect – even in cases where suspects are beyond the reach of US law enforcement.

Valentino De Sousa, senior manager of cyber threat intelligence at Accenture Security, said that both intel agencies and private security firms have “outed” hacker groups in public.

“From their end they are at a bit more careful in the way that they carry out some of their operations,” De Sousa told The Daily Swig.

APT groups are demonstrating care in areas such as target selection, attempting to avoid “burning out” their malware through overuse, and by using weaponised documents even if the older documents are still successful.

Cyber accord

Has the Obama-Xi 2015 accord against conducting cyber-enabled industrial espionage of 2015 had an effect? “Not to our current knowledge,” says De Sousa.

Moriuchi said that there were so many other things – including an anti-corporate drive and a reorganization of the Chinese military – around the 2015 period that it was impossible to say what impact the Obama-Xi accord had alone.

China’s MSS is using contractors and smaller companies that are set up to maintain deniability. Examples of contractors working for MSS are APT3 and APT10, according to Moriuchi.

“We’ve never seen a decline in terms of a desire to conduct intellectual property theft from China using cyber operations,” said Moriuchi. “We’ve seen this targeting consistently. It’s just evolved.”

Cyber operations attract a lot of publicity, but they are only one of the mechanisms China might use to get the information it wants. Other tactics can include technology transfer deals and offering select academics or other experts financially lucrative postings in China.

“The type of information that the Chinese are seeking has evolved,” Moriuchi concluded.

“It’s not just the Crown Jewels of a company’s IP that China is after. A lot of the data that they are pursuing is around strategic business plans and other non-public insights that make them more competitive, as opposed to [outright] stealing the technology and repurposing it.”