
All hacks have signatures... usually the tools used by the hackers to compromise the system.


> All hacks have signatures... usually the tools used by the hackers to compromise the system.

There's always the more basic:

    echo "Russians wuz here!" > /var/tmp/hacker.sig
(Bonus points to readers who understand why /var/tmp instead of /tmp :D)


> (Bonus points to readers who understand why /var/tmp instead of /tmp :D)

Because many newer Linux distributions mount /tmp as a tmpfs that gets zapped when the system shuts down. Do I get a no-prize?
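
Added example (not from the thread) illustrating the point above: a POSIX shell helper that reads a /proc/mounts-style table, finds the mount that actually backs a given path (longest matching mount point wins, later entries shadow earlier ones), and reports whether that filesystem is tmpfs/ramfs and so will not survive a reboot. The mount table below is constructed for the example; pass nothing as the second argument to read the live /proc/mounts instead.

```shell
#!/bin/sh
# Added example: decide whether a path lives on a RAM-backed filesystem.
# SAMPLE_MOUNTS is a constructed /proc/mounts excerpt, not a real system's.
SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/sda1 /var ext4 rw,relatime 0 0'

# fs_type_of PATH [MOUNTS_TEXT]
# Prints the filesystem type of the mount holding PATH. Among all mount
# points that are a prefix of PATH, the longest wins; on a tie the later
# line wins, matching how a later mount shadows an earlier one.
fs_type_of() {
    path=$1
    mounts=${2:-"$(cat /proc/mounts)"}
    printf '%s\n' "$mounts" | awk -v p="$path" '
        {
            mp = $2; t = $3
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                if (length(mp) >= best) { best = length(mp); bt = t }
            }
        }
        END { print bt }'
}

# survives_reboot PATH [MOUNTS_TEXT]
# Returns 0 if the backing filesystem is disk-backed, 1 if it is tmpfs
# or ramfs (contents are lost when the box is shut down).
survives_reboot() {
    t=$(fs_type_of "$1" "$2")
    case "$t" in
        tmpfs|ramfs) return 1 ;;
        *) return 0 ;;
    esac
}

# Usage against the constructed table: /tmp is tmpfs, /var/tmp sits on /var.
for p in /tmp/hacker.sig /var/tmp/hacker.sig; do
    if survives_reboot "$p" "$SAMPLE_MOUNTS"; then
        printf '%s: %s (persists across reboot)\n' "$p" "$(fs_type_of "$p" "$SAMPLE_MOUNTS")"
    else
        printf '%s: %s (lost at shutdown)\n' "$p" "$(fs_type_of "$p" "$SAMPLE_MOUNTS")"
    fi
done
```

During incident response the same check tells you which artifacts (dropped tools, sockets, staging files) will vanish on a reboot and therefore need to be collected before anyone power-cycles the host.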

> echo "Russians wuz here!" > /var/tmp/hacker.sig

Oh, that brings back memories of an incident involving Serbian/Romanian malware at a former employer of mine... when I got into the box to figure out why it was attempting to DoS Caltech, I found a complete set of DoSing tools in /root with comprehensive documentation in Romanian, plus a quick 'who' showed that the attacker was still logged in over SSH, so I looked up his IP and it came up as being somewhere in Serbia. After that, "Serbian Malware" became a meme at that company (and I quickly made sure to patch the hole -- the result of a stupid, stupid mistake that I take responsibility for -- to make sure it couldn't happen again).



That means nothing. If a hacker somehow managed to get tools previously used by a state, that doesn't mean the hacker now works for the state.


Didn't a cache of supposedly state-sponsored tools just get auctioned off by a group who (supposedly) compromised a machine which was under the ownership of one of the three-letter groups? [0]

Seems to give more credence to the viewpoint that the tool doesn't indicate the perpetrator too easily.

[0]:https://www.wired.com/2016/08/hackers-claim-auction-data-sto...


If I hand you an F-16 and you use it to do damage that would indicate possible US air force involvement. If the F-16 that attacked me was preceded by advanced ECM, suppression of air defenses using stand-off munitions, and was performed in a particular precision attack pattern then US air force involvement would be much more likely. These signatures are not just about the tools, but the opsec and procedures that the hackers used to deploy the tools, how they moved laterally to the target, and how they exfiltrated the information. It is the whole package that identifies a real state-sponsored actor vs a freelancer with access to a bag of zero days.


Well, the F-16 is used by over two dozen nations. So its use wouldn't indicate anything.

Some of the nations that use the F-16 are also capable of the things you say prove US air force involvement. Even then, that's a bit of an extreme analogy.

How about we pull down the analogies to be more in line with what more likely happened? Like, someone used a truck to rob a bank and people think a manufacturer of trucks is somehow responsible?


So, what would be the "signature" of a state-sponsored actor, what in this sort of hack costs money and resources on the scale of "[physical?] suppression of air defenses"?


It's not so much about scale as about characteristic types. If you find that the air defenses were suppressed with anti-radiation missiles that the US doesn't sell much or at all, that makes it reasonable to find US involvement more likely than the bombs just having come off an F-16's racks does. That's just as true whether one such missile was used, or one hundred.

(In military parlance "suppress" usually means not specifically to destroy, but to render ineffective. For example, at the infantry level, "suppressing fire" isn't intended specifically to kill members of an enemy formation, but rather to make them keep their heads down so as not to die, rather than doing something useful like actively opposing a move by another of your fire teams. In the case of anti-air defenses being suppressed to clear the way for an air attack, though, the tool of choice is going to be a standoff anti-radiation missile; see "Wild Weasels" for more detail on how it's done.)


Isn't the signature of state sponsored hacking basically:

1) careful, narrow targeting
2) sophisticated tools
3) being covert as possible
4) really being covert as possible

Going for account info for 500 million accounts doesn't really fit #1.


Going after authentication info (esp. the security questions) _is_ a narrow target. You are probably looking at a couple of tens of GB total. If you get away with it clean you can also then go back in and hit specific targets using that authentication info, so you walk away with a useful basket of data that does not reveal anyone you might have targeted but in turn makes it easier to go after those targets in the future.


To avoid being caught targeting one person you could choose to target all of them.


Helps to "save face", when all 0-day exploits are now considered "state sponsored"... otherwise they'd have been reported within a bug-bounty program... who else pays more? Hostile governments, of course =)


Attribution is hard.



