The other top post on HN right now is full of commenters making fun of the attribution to “sophisticated” and “with resources of a nation-state.” Oops.
As for the write-up itself, I honestly can’t believe they published this much detail. The feds and FireEye must be very concerned that folks are exposed to this right now and those folks don’t know it.
This is a common take among the uninitiated and certain individuals in the "security community". Lots of people only witness bots breaking into sandboxes and installing bitcoin miners and then think they've seen the entirety of computer security.
Targeted, sophisticated, nation-state threats are real and have been documented in the FLAME, DUQU, DARKHOTELs of the world. Supply-chain attacks are not new either: Juniper was compromised 4 years ago and had their firmware backdoored, NOTPETYA compromised a legitimate accounting software company, and ransomware has been delivered through MSPs for quite some time.
Professionals look at indicators posted and techniques leveraged and come to their own conclusions.
This is not standard malware. This was not a script kiddie.
I'd prefer if we would call these things aggressive, rather than sophisticated. What we are witnessing is that adversaries are upleveling and they don't even care if they get caught or not anymore. It's pretty much like warfare in the open field soon.
High-profile security vendors and national security officials have a real history of describing script kiddie jobs using months- or years-old public exploits as "sophisticated" or "nation-state level"; one instance that turned out to be a real supply chain attack that actually requires serious resources... doesn't really change the overall picture. In the Boy Who Cried Wolf fable, we don't fault the villagers for failing to expect that there would be a wolf this time.
Can you cite specific examples of national security officials misattributing a script kiddie as nation-state level sophistication? This is a common take which I've never seen substantiated anywhere. Compare with Hidden Cobra, Olympic Destroyer, or the canonical Stuxnet, which were all clearly not script kiddies.
I don't have a more recent example, but this article[0] identifies a component of the RSA SecurID attack which utilized Poison Ivy. In my own experience experimenting with PI as an underage teen in high school, it was a very popular and very lethal trojan and by most definitions, users were "script kiddies".
The old school concept of a script kiddie was someone who had a limited skill set that consisted of downloading exploits and trying everything to see what worked. Traditionally, a script kiddie didn't develop any of their own exploits.
Nowadays these people are known as Network Security Consultants and they are paid very well.
I think it comes from the same place as “I could build that in a weekend”: people who know what most of the words mean but aren’t experienced enough to understand the difference between knowing in theory how something could work and successfully running a production-grade implementation.
Security has a certain cachet which makes people want to sound like experts and one way to do that is to minimize others’ accomplishments, implicitly saying that they aren’t challenging to you.
In one of the threads about the Zodiac cypher, which had been unbroken for 51 years despite being given to the NSA, FBI, and the crypto community at large, there were several people who remarked how simple it was and how easy it should have been to crack.
Dunning-Kruger doesn't cover the entirety of what's happening, but there's some pathology at work here.
Meanwhile, the Zodiac story also demonstrates you don’t need to be a nation state to craft something sophisticated. Obfuscation and de-obfuscation aren’t on a level playing field. (This comment isn’t specifically about this attack.)
Nihilistic, cynical contrarianism is indistinguishable from intelligence unless you know a subject.
Example: "Continents move around", "time slows if you're fast", and "turtles, all the way down" are all similarly ridiculous unless you've studied these subjects. People see the first two receiving lots of applause[1] and start making claims that to them are just as believable.
[1]: Or they see footnotes being correlated with "serious science" and start adding footnotes.[2]
[2]: For details on how references make people appear smart, see Feynman, 1968: Cargo-Culting. Also scientism.
[3]: A heuristic that in our experiments succeeded in identifying 0.65 of the lower 20-quantile of wannabe basement-warriors is to count the occurrences of the terms /threat (model|actor)/, /sigint/, /retcon/, /psyops/, /opsec/, and the phrase /everyone does it/. Exclude any >= 1.
This has several factors that lead people to make such comments:
Tech nerds like to describe things as boring, obvious, and easy to do, it makes them feel smart.
Certain politics lead people to assume that government is incompetent and therefore obviously it was an unsophisticated attack that breached them.
A lot of IT workers think every instance of a hack is an example of underfunding the IT department, or the IT department wastes the budget they do have.
> Certain politics lead people to assume that government is incompetent
I would say history leads people to assume that government is incompetent. We have plenty of evidence on which to form this conclusion.
> A lot of IT workers think every instance of a hack is an example of underfunding the IT department,
Again, this is also drawn from a place of experience. Many of us have seen first hand organizations refusing to put in the money needed to properly secure systems until AFTER there is a compromise, and then the money is only allocated for a few months to resolve the exact compromise that impacted the organization, never really changing the security posture of the company / organization.
This pattern is repeated over and over and over again
Honestly HN seems to have a very contrarian streak on these matters. I wouldn't necessarily say it's partisan but the prevailing opinion seems to be whatever is against the mainstream view (Examples include Election Fraud, Assange, Litvinenko etc.)
> making fun of the attribution to “sophisticated” and “with resources of a nation-state.” Oops.
This annoys me.
1) I'm equally breached whether the hacker used a sophisticated attack or not.
2) A "nation-state" attacker is more than willing to use "unsophisticated" attacks to accomplish their goals.
In fact, a "nation-state" attacker is probably less likely to use "sophisticated" attacks as they will want to save those for the cases where they really need to get through security.
That’s a really narrow view. SolarWinds Orion is a widely used, popular tool for managing switches and routers and backing up network device configuration. It’s been compromised for months.
This could be a stuxnet type attack looking for a particular facility, or something far worse at a time when the US is most vulnerable.
I believe it was state sponsored, but that covert channel isn’t an example of sophisticated or of something that suggests nation state resources. There was better tech than that documented publicly over 20 years ago.
Why oops, at least in relation to parent's comment? The process, while perhaps complicated to detect, is not particularly complicated to design from scratch. The technique as described by OP's post could probably be designed by a single individual in a day.
Just from the target I'd suspect it is not someone doing it for the lulz, but I didn't see anything in OP's quote that indicates that it must be a nation state.
This is the danger of these kind of write-ups; people will look at it and go "oh that's simple, anyone could do that". It's a great example of the cognitive bias called the curse of knowledge.
Edit: a quick counterfactual here. If this is so easy and so valuable, why is it so rare?
Because there is so much more than what the OP quoted. I was disagreeing that you could characterize what OP quoted as being indicative of a nation state. There was far more to this hack than that.
> The technique as described by OP's post could probably be designed by a single individual in a day.
Designed, as in back-of-the-envelope chicken scratching? Sure. You can reduce almost any exploit to "compromise system or org, leverage compromise to go after another system or org" and any stealth measures reduce to something like "hide your own efforts among legitimate signals, and use cutouts to make them harder to trace back".
I'm not sure what you think counts as "sophistication", but thinking up the specifics of multiple stages, and executing each stage without errors that would expose the other stages to detection isn't easy, and takes time and patience by many people with diverse skills working in concert.
Sure, each specific link in the chain may not look difficult, but those were just the solutions that worked in isolation when tried in whatever testing environment(s) the threat-actor operates (not to mention funding the "blue team" that operates it, because you don't want your unsuccessful attempts to tip your hand), and then deployed in sequence.
Or were you under the impression that this whole effort was created de novo and worked (correctly, might I add) without being detected the very first time each component was tried?