Isn't our preference to preserve the original headline when possible? ("Otherwise please use the original title, unless it is misleading or linkbait; don't editorialize." Maybe it's misleading?)
Thoughts on what advantage you get from know which tools your adversaries are using as good targets to inject with backdoors assuming state actor resources?
The methods described seem to be pretty basic. I'm surprised that copy pasting passwords and manually connecting a email account to zimbra would be part of a training video (and not completely automated using more sophisticated tools than zimbra).
> X-Force IRIS security team obtained the 40GB cache of data as it was being uploaded to a server
Wut? That makes it sound like it was uploaded over an unencrypted channel.
Is this really the level that state sponsored hackers are on? Unencrypted uploads, manual copy-paste of passwords and free versions of bandicam?
Given the above I wouldn't be surprised if it was intentionally leaked to make them seem like less of a threat.
This is a common misperception of foreign infosec. Most foreign infosec is much older and basic than most would believe. This comes from the lack of trust between cooperating countries and basic skills. Not to say they aren't smart ppl but most ppl shy away from this type of work even when it's possible bc of the downside of being the one that leaked 40gb of video, this impacts them and their entire family in ways we wouldn't even consider in the west. And on top of it they don't have the cooperation of their allies in most cases to help advance their tech. Then on top of all that a lot of what they know is stolen instead of learned so when you don't really understand the tech to begin with, it's very difficult to make advances to it. It would be like me, a non-programmer, but great scripter getting c source code that has no documentation and being asked to add a feature to the program.
“APTs” are somewhat of a misnomer they are not usually that advanced but they are always persistent they relentlessly go after soft targets and there are way more of them than people realize, especially in the west due to the age and scale of both organizations and IT systems and the fact that these are much more commonly operated directly or supported by dozens of civilian contractors and sub-contractors which their practices are much harder to manage.
Ironically it would probably be easier to run a secure network in North Korea or Iran than in the US simply because of how those societies and their own military/government-industrial complexes are structured.
Its always a question of resources, encrypting the payload won’t prevent discovery, and if it’s not some super valuable zero day there is no point of doing that.
Spending 1000’s of man hours on zero day research is nice when you have an abundance of resources but utterly useless when you don’t since your entire way in is dependent on something that can be patched out or signature blocked at the perimeter within days if not hours.
However going after people and soft targets is a completely different story it can be easily executed, the signature is low, direct attribution is limited and it can be easily scaled up. You can write processes and procedures that instruct operators exactly what to do which means that in a relatively short timeframe you can have 100’s and 1000’s of mechanical Turks trying to find a way in. This is the equivalent of lock picking a brand new Mercedes in the parking lot vs simply going around and looking for an unlocked car.
The first option requires more skill and arguably is more risky since it exposes your activity for a longer duration, the latter can be performed by anyone and at the end of the day yield more fruitful results if all you want is a few hangbags and some cash from the glove compartment.
And Iran isn’t unique I would wager you that this is the way that western intelligence agencies operate too for the most part, the super top secret NSA stuff you see when leaked is executed against targets that can’t be accessed via other means.
Because even tho the NSA has much more money their resources aren’t unlimited and their talent pool doesn’t consist of zero day rainmen that can cause a core dump just by looking at a computer.
The only major difference would be that organizations like the NSA have developed better tooling for these mechanical Turk style of operations but I can guarantee you they aren’t going to be burning zero-days or running super complex exploits and C&C infrastructure if they don’t need too, those are reserved for high value targeted attacks.
On a national / strategic level it’s also makes a lot of sense.
Building offensive cyber capabilities that are extremely costly and requires exceptional talent is risky, especially for a country like Iran.
It doesn’t have as much resources and more importantly maintaining talent is hard both for the reasons you mentioned but also because western counter intelligence can much more easily take them off the board than the other way around.
If Iran’s entire offensive cyber capability would rely on a handful of project-zero level talents then it could easily be wiped out by the US, UK, Israel and other western powers and not necessarily by brute force, bribing people that are extremely hard and costly to replace is just as effective as a magnetized bomb strapped to their Peugeot by a motorcyclist at a traffic light.
And the more complex and advanced something is the harder it is to rebuild from scratch, on the other hand you can probably eliminate 80% of their current operatives and they’ll rebuild their capabilities back to current strength within a year.
This is the nature of and the leading principle behind asymmetric warfare. Seal Team Six is nice, but it costs millions and takes the better part of a decade to create a single operator, cocked up brainwashed suicide bombers however can be just as eff...
Yeah I also don’t think it’s from a state sponsored hacking group. They should be paranoid enough to not upload their training materials to servers outside their network. Maybe it’s just an average unethical hacking workshop.
Perhaps if they were positive that it’s from a state sponsored group, IBM would not go public about it until NSA take maximum advantage from these information.
But the tactics explained there aren’t necessary ineffective. You can build an army of online soldiers that aren’t really hackers or capable of doing anything complicated. They just need to know enough to help your hackers with data gathering and phishing. So they can scale up their operations.
I think maybe you're looking for chatroulette or something? Why would hackers have their pants down? Hands in the cookie jar maybe, as hackers are known for junk food consumption. Maybe it's hacker sport by trying to handicap the better hackers?
Seriously though, even if there was footage of the actual hack occurring, it's just going to be a room with computers and users in front of a screen. It would potentially look like any office in any city with computer users. At least the state sponsored hackers. I totally expect the setups of l33t hackers living at home with mom to be just like in the movies. 8 50"+ computer screens, 10 computers in racks, better setup than most NOCs, then all of Mountain Dew cans and junk food wrappers tossed about, the posters on the wall of swimsuit models. Maybe these guys would literally have their pants down.
> Seriously though, even if there was footage of the actual hack occurring, it's just going to be a room with computers and users in front of a screen.
After reading the headline, I expected webcam footage showing the hackers' faces -- or something similar. I don't think m000 actually anticipated true pants-less video :)
That said, this is all really interesting; I'd love to see the data itself. Unfortunately, all this really shows is that Iran conducts state-sponsored cyber-attacks -- which, of course, we already know.
So assuming these was all on private space, it’s interesting that IBM has read customers data! Or, maybe these particular servers were only monitored because they are associated to hacking groups?
13 comments
[ 3.0 ms ] story [ 41.1 ms ] thread> X-Force IRIS security team obtained the 40GB cache of data as it was being uploaded to a server
Wut? That makes it sound like it was uploaded over an unencrypted channel.
Is this really the level that state sponsored hackers are on? Unencrypted uploads, manual copy-paste of passwords and free versions of bandicam?
Given the above I wouldn't be surprised if it was intentionally leaked to make them seem like less of a threat.
Ironically it would probably be easier to run a secure network in North Korea or Iran than in the US simply because of how those societies and their own military/government-industrial complexes are structured.
Its always a question of resources, encrypting the payload won’t prevent discovery, and if it’s not some super valuable zero day there is no point of doing that. Spending 1000’s of man hours on zero day research is nice when you have an abundance of resources but utterly useless when you don’t since your entire way in is dependent on something that can be patched out or signature blocked at the perimeter within days if not hours.
However going after people and soft targets is a completely different story it can be easily executed, the signature is low, direct attribution is limited and it can be easily scaled up. You can write processes and procedures that instruct operators exactly what to do which means that in a relatively short timeframe you can have 100’s and 1000’s of mechanical Turks trying to find a way in. This is the equivalent of lock picking a brand new Mercedes in the parking lot vs simply going around and looking for an unlocked car.
The first option requires more skill and arguably is more risky since it exposes your activity for a longer duration, the latter can be performed by anyone and at the end of the day yield more fruitful results if all you want is a few hangbags and some cash from the glove compartment.
And Iran isn’t unique I would wager you that this is the way that western intelligence agencies operate too for the most part, the super top secret NSA stuff you see when leaked is executed against targets that can’t be accessed via other means.
Because even tho the NSA has much more money their resources aren’t unlimited and their talent pool doesn’t consist of zero day rainmen that can cause a core dump just by looking at a computer.
The only major difference would be that organizations like the NSA have developed better tooling for these mechanical Turk style of operations but I can guarantee you they aren’t going to be burning zero-days or running super complex exploits and C&C infrastructure if they don’t need too, those are reserved for high value targeted attacks.
On a national / strategic level it’s also makes a lot of sense.
Building offensive cyber capabilities that are extremely costly and requires exceptional talent is risky, especially for a country like Iran.
It doesn’t have as much resources and more importantly maintaining talent is hard both for the reasons you mentioned but also because western counter intelligence can much more easily take them off the board than the other way around.
If Iran’s entire offensive cyber capability would rely on a handful of project-zero level talents then it could easily be wiped out by the US, UK, Israel and other western powers and not necessarily by brute force, bribing people that are extremely hard and costly to replace is just as effective as a magnetized bomb strapped to their Peugeot by a motorcyclist at a traffic light.
And the more complex and advanced something is the harder it is to rebuild from scratch, on the other hand you can probably eliminate 80% of their current operatives and they’ll rebuild their capabilities back to current strength within a year.
This is the nature of and the leading principle behind asymmetric warfare. Seal Team Six is nice, but it costs millions and takes the better part of a decade to create a single operator, cocked up brainwashed suicide bombers however can be just as eff...
Perhaps if they were positive that it’s from a state sponsored group, IBM would not go public about it until NSA take maximum advantage from these information.
But the tactics explained there aren’t necessary ineffective. You can build an army of online soldiers that aren’t really hackers or capable of doing anything complicated. They just need to know enough to help your hackers with data gathering and phishing. So they can scale up their operations.
Seriously though, even if there was footage of the actual hack occurring, it's just going to be a room with computers and users in front of a screen. It would potentially look like any office in any city with computer users. At least the state sponsored hackers. I totally expect the setups of l33t hackers living at home with mom to be just like in the movies. 8 50"+ computer screens, 10 computers in racks, better setup than most NOCs, then all of Mountain Dew cans and junk food wrappers tossed about, the posters on the wall of swimsuit models. Maybe these guys would literally have their pants down.
After reading the headline, I expected webcam footage showing the hackers' faces -- or something similar. I don't think m000 actually anticipated true pants-less video :)
That said, this is all really interesting; I'd love to see the data itself. Unfortunately, all this really shows is that Iran conducts state-sponsored cyber-attacks -- which, of course, we already know.