Big Game Hunting: The Peculiarities of Nation-State Malware Research

Presented at Black Hat USA 2015, Aug. 5, 2015, 3 p.m. (50 minutes).

The security industry focus on state-sponsored espionage is a relatively recent phenomenon. Since the Aurora Incident brought nation-state hacking into the spotlight, there's been high profile reports on targeted hacking by China, Russia, U.S.A, Israel, to name a few. This has lead to the rise of a lucrative Threat intelligence business, propelling marketing and media campaigns and fueling political debate.

This talk will cover the idiosyncrasies of nation-state malware research using the experiences of presenters in the 'Threat Analyst Sweatshop.' Regin (aka WARRIORPRIDE, allegedly written by the Five Eyes) and Babar (aka SNOWGLOBE, allegedly written by France) will be used as case studies in examining attribution difficulties. Additionally, we'll examine attributing commercially written offensive software (implants and exploits) and the (mostly negative) vendor responses. We'll cover what happens when you find other players on the hunt, and address the public misconception that attribution is frequently done using open source information.

We will focus on the attribution problem and present a novel approach on creating credible links between binaries originating from the same group of authors. Our goal is to add to transparency in attribution and supply analysts with a tool to emphasize or deny vendor statements. The technique is based on features derived from different domains, such as implementation details, applied evasion techniques, classical malware traits or infrastructure attributes; which are then leveraged to compare the handwriting among binaries.


Presenters:

  • Morgan Marquis-Boire - Citizen Lab, University of Toronto
    Morgan Marquis-Boire is a Senior Researcher at the Citizen Lab, University of Toronto. He is the Director of Security for First Look Media and a contributing writer for The Intercept. Prior to this, he worked on the security team at Google. He is a Special Advisor to the Electronic Frontier Foundation in San Francisco and an Advisor to the United Nations Inter-regional Crime and Justice Research Institute. In addition to this, he serves as a member of the Freedom of the Press Foundation advisory board and as an advisor to Amnesty International.
  • Marion Marschalek - Cyphort, Inc.
    Marion Marschalek is a malware reverse engineer on duty for Cyphort, Inc., focusing on the analysis of emerging threats and exploring novel methods of threat detection. She teaches malware analysis at University of Applied Sciences St. Pölten and frequently appears as speaker at international conferences. Two years ago Marion won Halvar Flake's reverse engineering challenge for females, since then she set out to threaten cyber criminals. She practices martial arts and has a vivid passion for taking things apart. Preferably, other people's things.
  • Claudio Guarnieri / nex as Claudio Guarnieri
    Claudio Guarnieri is the creator and lead developer of Cuckoo Sandbox, a prominent open source automated malware analysis system. Claudio also runs the Malwr.com website and spends most of his time finding and analyzing malware. In recent years, he has devoted his attention to issues of privacy and surveillance and published numerous investigative reports on surveillance vendors with the Citizen Lab.

Links:

Similar Presentations: