Today, McAfee Labs officially released the “Dissecting Operation Troy: Cyberespionage in South Korea” whitepaper, an in-depth study by our APT research team into a previously undetected lineage of cyberespionage Trojans. Specifically, Labs found malware designed to infect and scan military systems for files containing specific military terms, and then exfiltrate the identified files through the attackers’ encrypted tunnels to compromised domains.
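The file-selection step described above (sweep the disk, keep only documents that contain terms from a target list) is simple enough to show in code. The following is an added example written for this page, not code from the whitepaper or from McAfee; the term list, the in-memory "files" and their paths are all constructed for illustration, and the encoding handling (UTF-8, plus UTF-16 when a byte-order mark is present) is an assumption about what a harvester on a Windows desktop would expect.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed term list: stands in for the "specific military terms" the
# paper describes; it is not the real list.
TERMS: List[str] = ["brigade", "deployment", "munitions", "exercise plan"]

# Constructed in-memory file system standing in for a victim's document folders.
FILES: Dict[str, bytes] = {
    "C:/Users/analyst/Desktop/minutes.txt":
        "Weekly minutes: cafeteria, parking, badge renewal.".encode("utf-8"),
    "C:/Users/analyst/Docs/plan.txt":
        "Deployment timeline for the 3rd brigade; munitions resupply in phase 2.".encode("utf-8"),
    "C:/Users/analyst/Docs/notes_utf16.txt":
        "Draft EXERCISE PLAN, annex B".encode("utf-16"),   # BOM + UTF-16LE
    "C:/Users/analyst/Docs/photo.jpg":
        b"\xff\xd8\xff\xe0" + bytes(range(256)),           # binary, must be skipped
    "C:/Users/analyst/Docs/decoy.txt":
        "Brigade deployment brief (decoy)".encode("utf-8"),
}


def decode_text(data: bytes) -> Optional[str]:
    """Decode a file as text, or return None if it is not text we can read.

    UTF-16 is only attempted when a byte-order mark is present; anything that
    fails strict UTF-8 decoding is treated as binary and ignored.
    """
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        try:
            return data.decode("utf-16")
        except UnicodeDecodeError:
            return None
    try:
        return data.decode("utf-8")
    except UnicodeDecodeError:
        return None


def term_hits(text: str, terms: List[str]) -> Dict[str, int]:
    """Count whole-word, case-insensitive occurrences of each term in text."""
    hits: Dict[str, int] = {}
    for term in terms:
        pattern = r"\b" + re.escape(term) + r"\b"
        n = len(re.findall(pattern, text, flags=re.IGNORECASE))
        if n:
            hits[term] = n
    return hits


def select_targets(files: Dict[str, bytes],
                   terms: List[str]) -> List[Tuple[str, Dict[str, int]]]:
    """Return (path, hits) for every readable text file matching at least one
    term, ordered by total hits (most first) and then by path."""
    selected: List[Tuple[str, Dict[str, int]]] = []
    for path, data in files.items():
        text = decode_text(data)
        if text is None:            # binary or undecodable: not a document
            continue
        hits = term_hits(text, terms)
        if hits:                    # only files that matched are staged
            selected.append((path, hits))
    selected.sort(key=lambda item: (-sum(item[1].values()), item[0]))
    return selected


if __name__ == "__main__":
    for path, hits in select_targets(FILES, TERMS):
        print(f"{sum(hits.values()):2d}  {path}  {hits}")
```

Knowing the selection rule is what makes it actionable: a document that contains the right terms but that no legitimate user ever opens (the `decoy.txt` above) is picked up by the same sweep, so a read of that file is a high-signal indicator of the harvester at work. That decoy idea is an added suggestion here, not a finding of the paper.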
While attribution always takes center stage in any conversation about a new threat or attack, it tends to consume time and effort better spent quickly understanding the nature, intent and outcome of a given attack. The discovery of Operation Troy was possible because McAfee Labs focused on intent rather than attribution: the “what’s” and the “how’s” of the cyber threats in question, rather than the “who’s.”
If law enforcement in general focused on attribution in the way today’s security industry focuses on attribution, law enforcement would struggle to catch criminals.
Consider credit card fraud. If someone tries to commit credit card fraud, the first thing a card issuer’s fraud department does is determine what the criminal tried to do, and how they went about it. They try to determine why existing fraud controls didn’t detect the events, and uncover the tactics and technology employed. If such an investigation begins with attribution, the important work of analyzing malicious events and behavior is delayed, as are the lessons on how to better protect organizations and patrons.
In the case of Operation Troy, we had a series of attacks that were in plain view of the public and a related series of attacks that flew entirely under the radar.
Dissecting the “what’s” and the “how’s” of the Dark Seoul cyber-attacks led McAfee Labs to identify command and control servers, source code, MBR-wiping capabilities, development libraries, compromised domains, and hard-coded credentials. Our team then identified the same attributes in malware samples on record with McAfee Global Threat Intelligence (GTI). Connecting these dots led us to the actual intent of the attackers and to how they were using an ongoing series of DDoS, website vandalization, and MBR-wiping attacks to execute, conceal and protect an ongoing cyberespionage operation.
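The "connecting the dots" step above is, mechanically, a pivot on shared artifacts: samples that reuse the same C2 host, hard-coded credential, compromised domain or development library are linked, and the links are followed until the noisy destructive samples and the quiet espionage samples fall into one cluster. The following is an added example written for this page, not code from the whitepaper or from GTI; the sample records, indicator values and weights are constructed, and the weighting scheme (a shared credential or C2 host is strong evidence, a shared library or capability on its own is weak) is an assumption about how an analyst would avoid over-linking.

```python
from collections import defaultdict
from itertools import combinations
from typing import Dict, List, Set, Tuple

Indicator = Tuple[str, str]          # (kind, value)

# Assumed weights: how specific each artifact kind is to one operator.
WEIGHTS: Dict[str, int] = {
    "c2": 3,          # command and control host
    "cred": 3,        # hard-coded credential
    "domain": 2,      # compromised domain used for exfiltration or staging
    "lib": 1,         # development library reused across builds
    "capability": 1,  # generic behaviour such as DDoS or MBR wiping
}

# Constructed sample metadata for illustration only (not real Operation Troy data).
SAMPLES: Dict[str, Dict[str, Set[str]]] = {
    "ddos_bot_1":   {"c2": {"cc1.example.test"}, "cred": {"ftp:user1:pw1"},
                     "domain": set(), "lib": {"crypt_lib"}, "capability": {"ddos"}},
    "wiper_2":      {"c2": {"cc1.example.test"}, "cred": set(),
                     "domain": {"news.example.test"}, "lib": {"crypt_lib"},
                     "capability": {"mbr_wipe"}},
    "spy_trojan_3": {"c2": set(), "cred": {"ftp:user1:pw1"},
                     "domain": {"news.example.test"}, "lib": {"crypt_lib", "docscan"},
                     "capability": {"keyword_scan", "exfil"}},
    "commodity_4":  {"c2": {"cc9.example.test"}, "cred": set(),
                     "domain": set(), "lib": {"crypt_lib"}, "capability": {"ddos"}},
}


def indicators(sample: Dict[str, Set[str]]) -> Set[Indicator]:
    """Flatten one sample's artifacts into a set of (kind, value) pairs."""
    return {(kind, value) for kind, values in sample.items() for value in values}


def pair_scores(samples: Dict[str, Dict[str, Set[str]]]
                ) -> Dict[Tuple[str, str], Tuple[int, Set[Indicator]]]:
    """For every pair of samples, the weighted overlap and the shared artifacts."""
    scores = {}
    for a, b in combinations(sorted(samples), 2):
        shared = indicators(samples[a]) & indicators(samples[b])
        score = sum(WEIGHTS[kind] for kind, _ in shared)
        scores[(a, b)] = (score, shared)
    return scores


def cluster(samples: Dict[str, Dict[str, Set[str]]],
            threshold: int = 3) -> List[List[str]]:
    """Union-find over pairs whose overlap score reaches the threshold.

    Returns sorted clusters; a cluster of one means nothing linked to it.
    """
    parent = {name: name for name in samples}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    for (a, b), (score, _) in pair_scores(samples).items():
        if score >= threshold:
            parent[find(a)] = find(b)

    groups: Dict[str, Set[str]] = defaultdict(set)
    for name in samples:
        groups[find(name)].add(name)
    return sorted(sorted(g) for g in groups.values())


def evidence(samples: Dict[str, Dict[str, Set[str]]],
             threshold: int = 3) -> List[Tuple[str, str, int, List[Indicator]]]:
    """The links an analyst would write up: each qualifying pair with its shared artifacts."""
    return [(a, b, score, sorted(shared))
            for (a, b), (score, shared) in pair_scores(samples).items()
            if score >= threshold]


if __name__ == "__main__":
    for a, b, score, shared in evidence(SAMPLES):
        print(f"{a} <-> {b}  score={score}  via {shared}")
    print(cluster(SAMPLES))
```

The threshold is the practitioner's caveat: with `threshold=1` the unrelated `commodity_4` sample joins the cluster purely because it links against the same crypto library, so a common library or a generic capability such as DDoS should never be the only thread connecting two samples. Hard-coded credentials and C2 infrastructure are the artifacts that carry the weight, which matches the list of attributes the team pivoted on above.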
Organizations that instinctively work toward the “what’s” and the “how’s” have an advantage: they can quickly learn from detected threats and attacks. They can more effectively bolster defenses, adjust procedures, and change the way they manage their information, authenticate and communicate, rendering sophisticated malware ineffective.
McAfee sees many types of attacks taking place around the world every day. The real work of deflecting them begins with the “what’s” and the “how’s” and leads us to intent. Intent uncovers new discoveries, which gets us to solutions that make us all safer.