Black Hat Europe Faking digital evidence during a cyber attack – planting a false flag – is simple if you know how, as noted infosec veteran Jake Williams told London's Black Hat Europe conference.
Speaking to a packed room, Williams informed his rapt audience that it's straightforward to misdirect investigators trying to attribute a cyber attack to a particular location or nation state.
Rather than telling the world how to do bad things, however, the point of his talk – which he made with some force at the outset – was to inform investigators and defenders alike that common attribution go-tos can be manipulated to deceive. It's no good confidently telling people that X was a Chinese hack if crafty black hats from elsewhere are leaving a false trail intended to trick you into saying that.
"Policy and corporate leadership don't understand how easy it is to fake digital evidence," Williams said. The key is making sure you leave a trail of breadcrumbs that are detected by your target and then lead investigators in the right (wrong) direction.
"Know what your target has available," continued the one-time US Army veteran and SANS instructor. "I don't want to create false flag artefacts that my target can't see. What can your target see? If they can't see it, it doesn't matter if you falsify that evidence."
Black hat, black hat, o wherefore art thou at?
The simplest of all the fake breadcrumbs is the origin of the attacker's traffic. Referring to now-defunct threat intel firm Norse Corp's rather dubious "DDoS attack map" from 2015 which showed the points from whence cyber attackers were launching their attacks ("100 per cent was done by IP," sniffed Williams), the infosec consultant said it was trivially easy to rent infrastructure in countries known for harbouring purveyors of online badness.
"I can buy infrastructure in Iran very easily, it turns out," he said. "That's not 26 servers; that's 26 different VPS providers that, with a credit card or Bitcoin, I can go ahead and buy servers in Iran that I can send traffic through. It's going to be awesome!"
Next easiest is modifying one's browser settings to mimic those of a lazy attacker in one of a number of known bad countries. You don't need in-depth knowledge to do this, either.
"About:config in Firefox," said Williams. "Changing the accept-language header can confuse savvy investigators. I can look at IP addresses ostensibly out of the US but set to accept-language Chinese," he continued, adding that changing the browser's user-agent string works in much the same way. If the people you're trying to plant the false flag on are known for using a particular browser or specific build, just copy theirs!
Yup, PowerShell's in there too
Pointing out how Kaspersky had spotted in last year's Olympic Destroyer malware attacks that the malicious software probably wasn't written by North Korea, as everyone else had concluded, Williams observed "that the rich header data had been modified, intentionally, taking Russian malware... they had replaced the rich header with a known North Korean rich header."
Although Olympic Destroyer's data-destroying function was a copy of one of the North Korean Lazarus Group's tools, metadata from the rich header pointed to the whole malware package having been written using Visual Studio 10.
PowerShell, long known as a favourite of malicious folk, can also be a useful tool in laying a trail of false breadcrumbs. Williams said you can move PowerShell transcripts from one machine to another – say, an attacker's box to target server. Being a text log of all PowerShell commands and outputs during a session, these transcripts can be useful information for investigators... and those looking to deceive them.
"We've done that," said Williams, referring to a red-team exercise, "and [blue-team investigators] took it for granted that the PowerShell transcript must have been crated by an attacker. We used some of these techniques and I can tell you first hand, they work."
In a similar vein, "typed URLs" can be made to serve the same purpose of misdirection. By looking up the wordwheelquery Windows registry key, one can view Windows Explorer-typed search queries. "Poisoning it from the command prompt would suggest [remote desktop protocol] or console access," suggested Williams.
Be on your guard and cross-reference your attribution attempts carefully against all the data points you have. You never know who's trying to fool you. ®
Sponsored: Webcast: Ransomware has gone nuclear