At this point, one should assume that "attack the supplier" is a known, standard strategy for any person or organization that supplies software or expertise to a larger or target organization.
This seems to get fuzzy when you consider there are many graduate students doing research who aren't going to have the same funds and likely not be as rigorous.
North Korean government-backed entity: This reminds me that one of the approaches of the "western" agencies was to hide themselves as coming from North Korea to run their operations.
I would just write it as: "an entity" is trying to target security researchers. But it has less marketing power.
> In January, the Threat Analysis Group documented a hacking campaign, which we were able to attribute to a North Korean government-backed entity, targeting security researchers.
The first sentence says they themselves were able to attribute it to a North Korean-sponsored entity. One of the very first and obvious parts of the attribution process is considering and attempting to rule out false flags. False flag assessment could potentially be the majority of such an attribution effort, even.
They're specifically and explicitly staking their credibility on the claim that the attribution is ultimately North Korea and not merely some entity possibly masquerading as North Korea.
They certainly could be wrong, but these sorts of comments remind me of Feynman's remarks about non-physicists frequently suggesting the experts didn't consider [X] when the experts have in fact spent much of the past few decades concertedly considering and trying to understand [X] every day. If something is obvious to you, it's probably very obvious to the people who dedicate their lives to that field; at least if it's a technical field.
> They certainly could be wrong, but these sorts of comments remind me of Feynman's remarks about non-physicists frequently suggesting the experts didn't consider [X] [...]
I'm intrigued, do you have a source for that? It's a phenomenon I come across daily (say Covid) and because the world is becoming increasingly complex I would argue that so does the appeal of 'simple' explanations, or 'why the experts are wrong'.
Yes this is a very interesting philosophical concept to me.
I think the counterpoint to it is that it's also somewhat common for specialists to get stuck in local maxima, as their expertise provides a deep but potentially narrow framework for thinking about the problem, and people with more broad experience may be more able to find more imaginative solutions.
There was a piece that I can probably dig up about the theory that this has quite seriously affected e.g. theoretical / particle physics - for decades we have spent more and more money trying to prove more and more complex versions of superstring theory etc., and what might be needed is more wacky out-of-the-box ideas that could lead to simpler explanations that fit our subatomic observations better.
I spent a while trying to look for it, but I can't seem to find it at the moment. I think I may have initially seen it linked in an HN comment a while ago.
I'm not quite sure where it came from originally, I've seen it attributed to Feynman for sure. Michael Crichton described it as "Gell-Mann Amnesia" in a talk:
If you follow the link, they just state again: "The actors behind this campaign, which we attribute to a government-backed entity based in North Korea" but no details at all. This is why I allow myself to be skeptical.
If I produced a research paper with "my method is the best" and nothing behind it to prove it, I hope my peers would be very skeptical.
Except that in this particular field, you don't want to give your adversaries your methods because then they probably will not work anymore, as those who want to create a false flag will know how to fool you, and the original malicious actor will know how to hide themselves from you.
If they don’t want to show their hand then why even report it’s North Korean to the general public? I don’t see how widely reporting that detail is useful, especially if they don’t intend to back up their claims publicly.
They can easily report their findings privately to the appropriate authorities without any loss in potential for real punishment or rectification.
I don't know and couldn't guess the reason, but given they're staking their credibility and potentially putting themselves at risk of retaliation (see: Sony), I suspect they think they have a good rationale for saying it.
Perhaps it could be to gain a bit more trust or respect from researchers (targeted or otherwise) and/or certain customers/users, or perhaps the US government encouraged them due to some geopolitical calculus, or maybe it's part of some plan that only makes sense because of some private knowledge known to few.
It's very reasonable and necessary to be skeptical when no evidence is presented, but I think the tenor and nature of the skepticism and critique should go beyond what essentially seems to reduce to "oh yeah well what if they were framed why even bother naming anyone".
It may very well not be North Korea, but you at least have to grant them some degree of charity in the sense that they're confidently putting their neck out there and saying "we really think the North Korean government is behind this". If they didn't have high confidence in the claim, they wouldn't have clearly attributed it to them like they did.
As you retorted, the default response in these situations would indeed be to say "a sophisticated entity" or "a sophisticated, possibly government-sponsored entity". Often even if you're pretty sure you know who it is.
Laying it all out on the field like they did probably suggests months and hundreds/thousands of man-hours of deep investigation to be sure they really got it right. They have some of the best security people in the world and rely on people taking their company and security teams seriously, so when they make such a claim, they know it carries a lot of weight and liability.
As others have mentioned, publicly presenting APT attribution evidence is often a double-edged sword for these sorts of things. Especially when you're Google and have a dual role of both threat research and directly protecting a lot of systems and customers against the threats you're researching. The more you tip your hand, the harder both jobs become, and you lose some of the mutual benefit you get from having both kinds of insight.
Also, circumstantially, the North Korean government has shown a pattern of things like this for decades. Even if you hypothetically assumed 90% of the North Korean attributions by private industry and intelligence agencies are wrong (very doubtful IMO; but just for the sake of argument), the remaining 10% would still make this newly reported attack unsurprising for them. That of course certainly doesn't mean people should default to blaming them whenever they're accused, but it means the prior probability for these sorts of attacks isn't low, so it wouldn't be shocking if it is true.
And, finally, just on how such attributions are done in the first place: at least as of 2021, it's often not as hard as you might think. The interesting thing about attribution is it flips the infamous "attacker's edge" around.
Attackers have a huge advantage when targeting a system/organization in that defenders have to win every time, but attackers often only have to win once to start infiltrating and pivoting. Conversely, covert attackers trying to evade or misdirect attribution need to successfully cover all of their tracks, but forensic investigators often only need to discover one mistake to start pulling on threads and pivoting. And, in both cases, the bigger and more complex the surface area, the more likely at least one opening will be found.
> The interesting thing about attribution is it flips the infamous "attacker's edge" around.
Q: Do we think that anyone in North Korea, never mind anyone in power in North Korea, cares whether some group in the West "attributes" another alleged hack to them?
> forensic investigators often only need to discover one mistake to start pulling on threads and pivoting
Would that be the forensic investigators who can't actually disclose their evidence of the "mistake" because it might help the adversary?
> Q: Do we think that anyone in North Korea, never mind anyone in power in North Korea, cares whether some group in the West "attributes" another alleged hack to them?
Possibly. It's true that they may just not care at all. But it's difficult to know how they work and think internally.
> Would that be the forensic investigators who can't actually disclose their evidence of the "mistake" because it might help the adversary?
It would be the investigation/research team and whoever's leading them who would be making that decision. But, basically, yes.
> They're specifically and explicitly staking their credibility on the claim that the attribution is ultimately North Korea and not merely some entity possibly masquerading as North Korea.
That's a weak argument.
We live in a post-credibility world. Every major corporation, government and media giant has been caught lying on similar subjects and suffered no consequence.
The status quo is, Google can absolutely afford to lie to the public and expect it not to affect its bottom line even if it gets caught (or at least, affect its bottom line less than pissing off the US by pointing the finger at an allied country would).
(On the other hand, if it did cover up US allies that way, I'd expect whistleblowers to reveal it, and so far I don't think they have; so I dunno)
> That feels like a bold claim to make without any references
"Marble Framework"[1], Wikileaks' Vault 7:
> Marble is used to hamper forensic investigators and anti-virus companies from attributing viruses, trojans and hacking attacks to the CIA. [...] The source code shows that Marble has test examples not just in English but also in Chinese, Russian, Korean, Arabic and Farsi. This would permit a forensic attribution double game, for example by pretending that the spoken language of the malware creator was not American English, but Chinese, but then showing attempts to conceal the use of Chinese, drawing forensic investigators even more strongly to the wrong conclusion
That's the description, but looking over the technical documents, they don't really correspond to what is claimed. From my reading it looks like it's a tool that replaces some of the strings at runtime? Why is this even needed? Wouldn't it be more straightforward to not use natural language strings at all, or swap it out at the preprocessor level?
I wonder what an Internet Explorer 0-day does for these people? Maybe that's all they had? Is it supposed to be a "sign" to us that they are capable of developing exploits?
Surely no security researcher would open a link in IE as their "burner browser"?
I remember IE was required for the South Korean government issued digital certificate (required for all internet-based retail transactions and likely others).
I guess I had assumed that the standard was compatible with newer versions of Windows or MS browsers. Really sad if it isn’t.
For some things in SK you have to download a bunch of weird proprietary government .exe's that seem to only run in conjunction with specific combinations of Windows and IE. I was pretty shocked when my wife and I went to get our marriage certificate from the government, and getting it meant finding an old Windows NT system at her college library that everyone used to do their government related .exe stuff. We had to download 2 or 3 apps to do it, I'm not even sure what they all did, just a bunch of programs you had to run in a specific order, some of them provided iFrame-type windows to logins, it was really strange.
I wonder why they needed an ActiveX control for that. TLS/SSL client certificates have been supported by all browsers since basically forever, going back even further than ActiveX.
If I had to guess, HTTPS / SSL was governed by US export restrictions above a certain strength so S Korea managed to use the existing extensibility built into the browser the government wanted to support.
Yes, I roughly understand the limitations of the existing implementation, but it is not the only browser or platform and it's not like the S Korean government is not capable of noticing the market share / cybersecurity trends of the past decade+.
If Microsoft suddenly disabled all IE installations in South Korea, they'd have no choice but to change. Sometimes I wonder if the Apple-style "this just won't work at all anymore" attitude isn't that bad.
It has its places, given the correct trade-off, it works well. Not allowing flash was good because iOS was a growing market with no preexisting businesses relying on flash on iOS to work.
Not in SK, but in China
Here basically all banks require ActiveX, and if you don't have a Windows computer (Mac), what you can do is use their app, which of course is super sluggish.
My understanding (not sure how accurate or up-to-date) is that Windows still opens some file formats using Internet Explorer (possibly depending on other OS/domain settings). The Windows Help File (.chm) or something similar comes to mind.
Also worth pointing out that security researchers targeting specific platforms/applications (say a specific version of older Windows where one particular organization has applications which require a specific version of IE) might be a valuable stack for the researcher to spend time on.
That said, those stacks/environments should be treated like a meth lab: you want to be very careful what you do with it and it shouldn’t be commingled with where you live and play.
Edge is Microsoft's new browser that is based on Chromium. It is distinct from Internet Explorer which is effectively deprecated but still used somewhat widely as many legacy enterprise applications still require it.
There are so many fake LinkedIn accounts out there -- this is a very common attack. People should be careful about who they connect with and what information they share.
I don't know if it is relevant, but I receive daily requests on ResearchGate from people with lots of 'following' and zero 'followers', no picture, no papers, no questions, i.e. empty profile.
The names are quite 'inventive' such as Alex Brooks, Julie Sanders, Mark Wellington, some Chinese-like names posing as students, and so on.
Individuals can’t compete against nation state level actors.
There are US private citizens who are monitored/tracked due to the known national security risk if they are captured to work for other nations. Cybersecurity is huge.
Security researchers should read 'Stealing the network: Complete series'. The book covers very practical, crazy hacking scenarios. In one story, a hacker keeps monitoring a researcher's system for the latest zero day. In another interesting story, a hacker targets a dev server instead of prod, assuming security is less tight there.
How does Google differentiate a malicious offensive security operation from a benign one? Previous websites and social media accounts posted malicious content, but this Google blog post doesn't really do much to connect the dots between the previous accounts and the new ones.
There's one article every day on "How I changed my life by switching to firefox and duckduckgo"... Surely you could read one of those and use firefox to browse the compromised website?
The "I'm being persecuted by google" schtick is getting old.
SafeBrowsing blocked redbean downloads for a day (https://justine.lol/redbean/index.html) and it was the #3 top Show HN story of all time. Google put a real chill down my spine when they did that to me, not being able to download files from my own website.
In my experience, this has become increasingly common when distributing software that isn't signed.
I don't sign my software due to privacy concerns, and it regularly gets bogus detections on VirusTotal and Google's similar systems that flow into Safe Browsing.
Mostly from Norton and BitDefender, who are notorious for not replying to any inquiries/submissions. AV is a complete ripoff nowadays and downright malware (coming from someone that had to cancel an accidental Norton subscription for his usually technically sufficient parents, it's a maze of broken support pages and infinite redirects between different language versions).
It happens to software that's signed too, according to folks on my issue tracker. What I do now is just upload the binaries to VirusTotal and click the upvote button, before I put them on my website, so that people can double-check they came from me.
Only a subset of security professionals are researchers, and only a subset of those are vulnerability researchers / exploit developers, and only a subset of those have arms dealer-like roles where they hoard and/or sell and/or privately deploy zero-days they discover.
I think it's totally fair to critique the arms dealers (and that's indeed undeniably exactly what they are), but only a small percentage fall into that bucket.
You could easily argue they are doing the opposite, in that they close down potential weapons and responsibly disclose them so that they are fixed and patched. Add to that, a majority of computer security work revolves around improving infosec. A further point, I doubt infosec researchers are the types that run a deprecated Microsoft web browser.
The main argument I have heard is it's less finding exploits and doing real security and more mind-numbing auditing and checking boxes, not to prevent attacks but to cover your ass when they happen.
You got to admit that's a pretty clever strategy: cast a wide net and convert your older already patched exploit into a zero day.