F*ck the attribution, show us your .idb!

Over the past few years state-sponsored hacking has received attention that would make a rockstar jealous. Discussion of malware has shifted in focus from ‘cyber crime’ to ‘cyber weapons’, there have been intense public debates on attribution of various high profile attacks, and heated policy discussion surrounding regulation of offensive tools. We’ve also seen the sale of ‘lawful intercept’ malware become a global trade.

While a substantial focus has revolved around the activities of China, Russia, and Iran, recent discoveries have revealed the capabilities of Western nations such as WARRIORPRIDE aka. Regin (FVEY) and SNOWGLOBE aka. Babar (France). Many have argued that digital operations are a logical, even desirable part of modern statecraft. The step from digital espionage to political persecution is, however, a small one. Commercially written, offensive software from companies like FinFisher and Hacking Team has been sold to repressive regimes under the guise of ‘governmental intrusion’ software.

Nation state hacking operations are frequently well-funded, difficult to attribute, and rarely prosecuted even if substantive evidence can be discovered. While efforts have been made to counter this problem, proof is hard to find and even more difficult to correctly interpret. This creates a perfect storm of conditions for lies, vendor lies, and flimsy attribution.

In this talk we will unveil the mess happening backstage when uncovering nation state malware, lead the audience on the track of actor attribution, and cover what happens when you find other players on the hunt. We will present a novel approach to binary stylometry, which helps matching binaries of equal authorship and allows credible linking of binaries into the bigger picture of an attack. After this session the audience will have a better understanding of what happened behind the scenes when the next big APT report surfaces.

Presented by