Topic: #attribution

Analyzing False-Flag-Bearing Malware


One of the main difficulties in determining the origins and intentions of network-based attacks on computer systems is that many attackers deliberately try to mislead analysts, and often succeed. Here is a detailed description of a case in which the attackers attempted to fly a false flag but (probably) did not deceive the analysts.

“The Devil's in the Rich Header”
“GReAT”, SecureList, March 8, 2018

The case is the attack on some of the servers used to organize and run the 2018 Winter Olympics in Pyeongchang. Some of the malware files the attackers installed had been built with Microsoft Visual Studio and so carried a “Rich” header, an undocumented block of metadata that the Microsoft linker writes into an executable to record which versions of the build tools produced it. In at least one file, however, that header had been replaced at some point after the executable was linked. The replacement came from a much earlier version of Visual Studio that could not possibly have produced the executable (which referred to dynamically linked libraries that did not exist when that earlier version was current). It was, moreover, an exact duplicate of the Rich header on a file from a previously known malware package, one that the analysts had already attributed to an attack team they call “Lazarus.” The file that originally bore that header performed a similar function, but in a more limited way that used fewer system calls.

The existence of the fake Rich header from Lazarus samples in the new OlympicDestroyer samples indicates an intricate false flag operation designed to attribute this attack to the Lazarus group. The attacker's knowledge of the Rich header is complemented by their gamble that a security researcher would discover it and use it for attribution. … This newly published research consolidates the theory that blaming the Lazarus group for the attack was part of the attacker's strategy.
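Here is the check an analyst would run on such a file: decode the Rich header, recompute the checksum that the Microsoft linker stores as the header's XOR key, and compare the decoded entries (and the raw header bytes) with those of the suspected source sample. This is an added example written for this page, not code from the Kaspersky article; the two “samples” it builds are constructed in the script, and the prodid/build/count values in them are arbitrary stand-ins, not values taken from any real malware. The only thing borrowed from real binaries is the standard DOS-stub message.

```python
"""Decode and verify the 'Rich' header of a PE file, then show what a
byte-for-byte transplant of one sample's header into another does.

Added example for this page (constructed data, not code or samples from
the Kaspersky write-up).  Layout of the header as little-endian DWORDs;
everything before the "Rich" marker is XORed with the key:

    "DanS"^key, key, key, key, (compid^key, count^key)*, "Rich", key

compid = (prodid << 16) | build.  The key doubles as a checksum over the
DOS header and stub (skipping e_lfanew at 0x3C..0x3F) plus the entries.
"""
import struct

DANS = 0x536E6144  # b"DanS" read as a little-endian DWORD
RICH = 0x68636952  # b"Rich"


def rol32(value, count):
    count &= 31
    return ((value << count) | (value >> (32 - count))) & 0xFFFFFFFF


def rich_checksum(data, dans_off, entries):
    """Recompute the key/checksum the way the Microsoft linker does."""
    cksum = dans_off
    for i in range(dans_off):
        if 0x3C <= i < 0x40:          # e_lfanew is not covered
            continue
        cksum = (cksum + rol32(data[i], i)) & 0xFFFFFFFF
    for prodid, build, count in entries:
        cksum = (cksum + rol32((prodid << 16) | build, count)) & 0xFFFFFFFF
    return cksum


def parse_rich_header(data):
    """Return {'key', 'entries', 'dans_off', 'rich_off', 'checksum_ok'} or None."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # The marker is the last "Rich" before the PE header ("Rich" contains no
    # NUL byte, so it cannot straddle the zero padding that follows the key).
    rich_off = data.rfind(b"Rich", 0x40, e_lfanew)
    if rich_off < 0:
        return None
    key = struct.unpack_from("<I", data, rich_off + 4)[0]
    dans_off = rich_off - 4
    while dans_off >= 0x40 and struct.unpack_from("<I", data, dans_off)[0] ^ key != DANS:
        dans_off -= 4
    if dans_off < 0x40:
        return None
    entries = []
    for off in range(dans_off + 16, rich_off, 8):   # skip DanS + 3 padding words
        compid, count = (w ^ key for w in struct.unpack_from("<II", data, off))
        entries.append((compid >> 16, compid & 0xFFFF, count))
    return {"key": key, "entries": entries, "dans_off": dans_off,
            "rich_off": rich_off,
            "checksum_ok": rich_checksum(data, dans_off, entries) == key}


def rich_bytes(data):
    """Raw header bytes, DanS through key: what a forger would copy whole."""
    p = parse_rich_header(data)
    return data[p["dans_off"]:p["rich_off"] + 8]


# --- constructed samples: prodid/build/count values are arbitrary stand-ins ---

def make_sample(stub_text, entries, e_lfanew=0x100):
    """Build DOS header + stub + Rich header + padding + 'PE\\0\\0'."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    prefix = bytes(hdr) + stub_text.encode().ljust(0x40, b"\0")  # DanS lands at 0x80
    key = rich_checksum(prefix, len(prefix), entries)
    words = [DANS ^ key, key, key, key]
    for prodid, build, count in entries:
        words += [((prodid << 16) | build) ^ key, count ^ key]
    words += [RICH, key]
    body = prefix + struct.pack("<%dI" % len(words), *words)
    if len(body) > e_lfanew:
        raise ValueError("Rich header does not fit before the PE header")
    return body.ljust(e_lfanew, b"\0") + b"PE\0\0"


def transplant_rich(dst, src):
    """Overwrite dst's Rich header with src's, key included (the forgery)."""
    d, s = parse_rich_header(dst), parse_rich_header(src)
    e_lfanew = struct.unpack_from("<I", dst, 0x3C)[0]
    head = dst[:d["dans_off"]] + src[s["dans_off"]:s["rich_off"] + 8]
    if len(head) > e_lfanew:
        raise ValueError("transplanted header does not fit before the PE header")
    return head.ljust(e_lfanew, b"\0") + dst[e_lfanew:]


STUB = "This program cannot be run in DOS mode."
OLD_SAMPLE = make_sample(STUB, [(0x0001, 0, 5), (0x0006, 8168, 2), (0x000A, 8168, 12)])
NEW_SAMPLE = make_sample(STUB, [(0x0001, 0, 9), (0x0083, 30319, 3), (0x0086, 30319, 20)])

if __name__ == "__main__":
    forged = transplant_rich(NEW_SAMPLE, OLD_SAMPLE)
    for name, blob in ("old", OLD_SAMPLE), ("new", NEW_SAMPLE), ("forged", forged):
        p = parse_rich_header(blob)
        print(name, hex(p["key"]), p["checksum_ok"], p["entries"])
    print("byte-identical to old sample:", rich_bytes(forged) == rich_bytes(OLD_SAMPLE))
```

The script makes one limit explicit. Because the key is a checksum over the DOS stub plus the entries, and Visual Studio binaries share the same stub, a header copied whole (key included) from one sample into another still verifies; the checksum only catches careless edits, such as a transplant into a file whose stub differs by even one byte. An exact duplicate of another sample's header, which is what the analysts found in the Olympic case, has to be recognised by comparing decoded headers across samples and by checking that the tool versions the header claims are consistent with the rest of the binary.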

#false-flag-operations #attribution #OlympicDestroyer

Weak Arguments for Attribution of Network Attacks


You would think that experienced diplomats would demand extremely reliable evidence for attributing a network attack to agents of a foreign government. But accurate attribution is so difficult, the perceived need to find someone to blame is so profound, and the notional political advantages of blaming some currently unpopular rival state are so compelling that governments are willing to proceed with accusations on incredibly weak and ambiguous evidence.

A case in point: The government of the United Kingdom has joined the United States in blaming the widespread and consequential propagation of the NotPetya ransomware on the agents of the Russian government. Here is the basis for their confident accusation:

1. More computers were affected in the Ukraine than in any other country. The Russian government hates the Ukrainian government.

2. One vector for the spread of the malware was an accounting software package used in the Ukraine. The Russian government hates Ukrainian software developers.

3. The attack “fits a pattern” that also describes other attacks that have been previously attributed to agents of the Russian government (on even flimsier evidence).

4. NotPetya was a variant of an earlier ransomware package called Petya, but it appears to have been reimplemented from scratch instead of being adapted from the Petya codebase. This demonstrates the level of technical sophistication characteristic of a nation-state. Russia is a technically sophisticated nation-state.

5. The ransomware feature of NotPetya didn't work, and provided no way for the victims to pay the ransom to the attackers. Instead, NotPetya simply waited for the payment window to run out and then wiped the targeted system's drives. Similarly, the Russian military has often used criminal operations as cover for special ops and not infrequently employs deception as a military tactic.

6. NotPetya exploited two vulnerabilities originally identified by the National Security Agency; the NSA's tools for exploiting them were made public by a group (nationality unknown) calling itself the Shadow Brokers. Some people have speculated that the hackers who stole those tools were agents of the Russian government.

7. Don't forget: The Russian government hates the Ukrainian government.


“What the UK Knows: Five Things That Link NotPetya to Russia”
Paul Roberts, The Security Ledger, February 15, 2018

(In case you're trying to link my seven-item list to the “five things” mentioned in the article title or to the five slides in the slideshow at the end of the article: the first slide corresponds to items 1, 2, and 3 on my list, the second to my item 4, the third to my item 5, the fourth to my item 6, and the fifth to my item 7.)

#NotPetya #attribution #Russia


This work is licensed under a Creative Commons Attribution-ShareAlike License.


John David Stone

created June 1, 2014 · last revised December 10, 2018