Russian Cyber Operations - Scott Jasper - Page 17
Technical Means
To retain anonymity and avoid attribution, malicious actors employ technical means for intrusion, evasion, and deception to prevent detection and verification, the association of responsibility, and the determination of intent. Attack vectors are the methods used to intrude into an information asset. Common examples are phishing individuals and using stolen credentials.[62] Malicious actors constantly refine social-engineering methods to trick users into clicking malicious links or attachments that carry malware, or into entering their username and password for a protected website.[63] Common tactics for making bogus emails appear authentic are registering domains that look valid but contain an intentional minor error (often only a single wrong letter or number) to deceive the target, adding subdomains under a valid domain, and disguising a website URL with a shortener.[64] Credentials can also be stolen by keyloggers (which monitor and log keystrokes) and password dumpers (which obtain a hash or a clear-text password from the operating system).[65] Attackers also compromise legitimate websites in what is known as a watering hole attack. Victims who routinely visit the site are tricked into activating pop-up alerts or are infected by embedded exploit kits that automatically scan their machines for vulnerabilities in an operating system or application. The exploit code in the kit takes advantage of the vulnerability, such as a coding flaw, to gain access to the system.[66]
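The three link-disguise tactics above (a single wrong character in the registered name, a valid name placed under an attacker-controlled domain, and a URL shortener) can be checked mechanically before a user follows a link. The following is an added example, not code from the book; the legitimate-domain and shortener lists are constructed sample policy, and the two-label `registrable()` helper is a simplification that would need a public-suffix list for names like example.co.uk.

```python
from urllib.parse import urlparse

# Constructed sample policy: the organisation's own domains and well-known
# URL shorteners. In practice both lists come from local configuration.
LEGIT_DOMAINS = ("example.com", "mail.example.com")
SHORTENERS = ("bit.ly", "t.co", "tinyurl.com")

def levenshtein(a: str, b: str) -> int:
    """Edit distance; a single wrong letter or digit yields 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host: str) -> str:
    """Last two labels of the host. Good enough for .com-style names; a
    public-suffix list is needed for names like example.co.uk."""
    return ".".join(host.split(".")[-2:])

def classify_url(url: str) -> list:
    """Return the lookalike tricks found in url, or ['legitimate'] / ['unknown']."""
    findings = []
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    if not host:
        return ["unparseable"]
    base = registrable(host)
    if base in SHORTENERS:
        findings.append("shortener")  # real destination hidden behind a redirect
    if host in LEGIT_DOMAINS or base in LEGIT_DOMAINS:
        return findings or ["legitimate"]
    for legit in LEGIT_DOMAINS:
        # Trick 1: the valid name placed as a subdomain of an attacker-registered domain.
        if host.startswith(legit + "."):
            findings.append(f"subdomain-of-lookalike:{legit}")
        # Trick 2: one wrong letter or digit in the registered name.
        elif levenshtein(base, legit) == 1:
            findings.append(f"typo-lookalike:{legit}")
    return findings or ["unknown"]
```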
Malicious actors also infect software-update processes with malware in what are termed software-supply-chain attacks. These attacks have recently been observed in destructive campaigns as well as in nation-state espionage.[67] Malware is malicious code intended to perform an unauthorized process; it is inserted into a system to compromise the victim's data, applications, or operating system.[68] Attackers use polymorphic malware, which changes its signature to evade detection: simple changes to the code generate an entirely new binary signature for the file.[69] Polymorphic malware also changes its characteristics, such as file names or encryption keys, to become unrecognizable to common detection tools.[70] Other evasion techniques used by malware include encryption during execution, compression of the file, binding with a legitimate file, and increasing the size of the file.[71] Obfuscation of the malware code, by encoding plain-text strings or adding junk functions, makes analysis difficult. Malware can also avoid detection in a sandbox, a virtual analytical environment, by detecting the registry keys, files, or processes associated with it.
The latest trend in the evasion category is fileless malware, which infects a system by inserting itself into memory instead of writing a file to the disk drive. This makes detection difficult because antimalware products search for static files that attempt to run from a machine's local storage.[72] Fileless malware attacks are estimated to account for 35 percent of all attacks in 2018 and are ten times more likely to succeed than file-based attacks.[73] Threat actors can use a scripting language such as Microsoft PowerShell to infect a system with fileless malware, for example to retrieve a ransomware payload and execute it in memory. PowerShell is normally used to automate administration tasks such as running background commands, checking the services installed on a system, terminating processes, and managing the configuration of systems and servers. Adversaries can use PowerShell to run an executable with the Start-Process cmdlet, or to run a command locally or on a remote computer with the Invoke-Command cmdlet. Since PowerShell has shipped with every Windows operating system since 2009, it is unlikely to be blocked outright by system policy.[74] Hence scripting languages such as PowerShell, JavaScript, VBScript, and PHP aid attackers in their operations and perform tasks that would otherwise be manual. Scripts have replaced traditional code and its corresponding delivery mechanisms.[75] They are also easy to obfuscate and thus difficult to detect. For instance, PowerShell can be obfuscated with command shortcuts, escape characters, or encoding functions.[76] Its ability to run directly from memory makes it stealthier still.
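The three PowerShell obfuscation tricks named above (command shortcuts, escape characters, and encoding) leave recognisable traces in process-creation telemetry, and a detection can undo them before matching on the cmdlets the text mentions. The following is an added example, not code from the book; the command lines are constructed samples, the encoded one is built in the block itself so the decode path runs, and the alias table is a small hand-picked subset rather than PowerShell's full alias list.

```python
import base64
import re

# Any prefix of -EncodedCommand (-e, -ec, -enc, ...) followed by a base64 run;
# "-ExecutionPolicy Bypass" never matches because "Bypass" is too short.
ENC_FLAG = re.compile(r"-e[a-z]*\s+([A-Za-z0-9+/=]{16,})", re.I)
# Backtick is PowerShell's escape char; before a letter with no escape meaning
# (n t r 0 a b f v e u are the real ones) it is a no-op inserted to defeat matching.
NOOP_TICK = re.compile(r"`(?![ntr0abfveu])", re.I)
# Command shortcuts (aliases) that hide the cmdlets named in the text.
ALIASES = {"iex": "Invoke-Expression", "icm": "Invoke-Command",
           "saps": "Start-Process", "gc": "Get-Content"}
RISKY_CMDLETS = ("invoke-expression", "invoke-command", "start-process",
                 "downloadstring", "frombase64string")

def decode_encoded_command(cmdline: str):
    """Return the UTF-16LE text behind -EncodedCommand, or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def inspect_powershell(cmdline: str) -> dict:
    """Score one process-creation command line for the evasion tricks above."""
    findings, text = [], cmdline
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        findings.append("encoded-command")
        # Swap the base64 blob for its plaintext so later checks see the real command.
        text = ENC_FLAG.sub(lambda m: "-enc " + decoded, cmdline, count=1)
    ticks = len(NOOP_TICK.findall(text))
    if ticks:
        findings.append(f"escape-char-obfuscation:{ticks}")
    cleaned = NOOP_TICK.sub("", text).lower()
    findings += [f"alias:{a}->{c}" for a, c in ALIASES.items()
                 if re.search(rf"\b{a}\b", cleaned)]
    findings += [f"cmdlet:{c}" for c in RISKY_CMDLETS if c in cleaned]
    return {"decoded": decoded, "findings": findings, "score": len(findings)}

# Constructed sample command lines (not real telemetry); the encoded one is built here.
SAMPLE_PLAINTEXT = "Start-Pr`oce`ss -FilePath $env:TEMP\\up`date.exe"
ENCODED = base64.b64encode(SAMPLE_PLAINTEXT.encode("utf-16le")).decode()
SAMPLES = [
    'powershell.exe -NoProfile -Command "Get-Service | Where-Object Status -eq Running"',
    f"powershell.exe -w hidden -ExecutionPolicy Bypass -enc {ENCODED}",
    'powershell.exe -Command "iex (gc .\\script.ps1 -Raw)"',
]
```

The first sample is ordinary administration and scores zero; the other two are flagged only after the encoding and escape characters are stripped, which is why matching on the raw command line alone is insufficient.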
Attackers have also made malware more potent by adding self-propagating, worm-like functionality to cause widespread damage.[77] Worms leverage software vulnerabilities to spread across networks in an automated fashion.[78] In addition, attackers use legitimate administrative tools such as PsExec to move laterally across networks and either infect other systems or find valuable data.
The deception category can be used to mislead others "while they are actively involved in competition with you, your interests, or your forces."[79] Deception causes ambiguity, confusion, or misunderstanding in adversary perceptions.[80] Cyber deception effects for the attacker include "fail to observe (prevent the defender from detecting the attack), misdirect (focus the defender on a different attacker), and misattribute (induce the defender into thinking that the attacker is someone else)."[81] An example of technical means in the "fail to observe" classification is a DDoS attack that serves as a diversion. For the second classification, "misdirect," attackers use false flag operations, in which false claims or implanted evidence imply that a third party was responsible.[82] For instance, Russian hackers belonging to the APT28 cyber-espionage group took control of the television channel TV5Monde in France in April 2015 and posted jihadist messages supposedly from the Cyber Caliphate (linked to the terrorist group ISIS), most likely to cover their destructive tracks.[83] Likewise, an implanted language string, time zone, or build environment does not mean the attack originated from a particular actor. For example, Russian hackers from the Main Intelligence Directorate, the GRU, used North Korean IP addresses to make an attack on South Korea during the 2018 Winter Olympic Games look like the work of North Korean hackers.[84] Finally, for the "misattribute" classification, states employ proxies to divert or take the blame. Proxies are generally defined as "non-state actors with comparatively loose ties to governments."[85] Proxies in cyberspace are normally found among patriotic hackers, criminal organizations, hacker groups, or advanced persistent threat (APT) groups. Adm. Michael Rogers, the former commander of US Cyber Command, testified that foreign governments' use of criminals and other hackers gives them the "ability to say, it's not us, it's criminal groups."[86]