Wednesday, July 10, 2013

How to find the origin of a cyber attack?

This article is based on data from 1500 cyber attacks against organizations all over the world. It lists the most frequent characteristics of an attack, enabling cyber experts to identify the actors threatening organizations around the world and to improve their defenses against these attackers in the future.

It also describes the attack techniques used by the Chinese military group known as “Comment Crew”, which has been linked in the past with attacks against the US government.

The report gives seven main clues for identifying the attacker who stands behind a cyber attack:

The characters used in phishing malware code sometimes disclose the country where the code was created. For instance, FireEye researchers found that many malware samples include the characters GB2312, which come from a Mandarin-language keyboard, namely China.

Malware code often includes expressions with a local context, such as slang or common insults, which point to the home country of the code writer.

Just as code characters can indicate a keyboard in a certain language, fonts can sometimes indicate the source of malware. For instance, FireEye researchers traced malware hidden in a document written in Cyrillic letters to Korea, because of the font in which the infected document was written.
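The two clues above (character set and font) are the kind of thing an analyst can pull out of a lure document or phishing mail mechanically. The script below is an added example, not code from the report or from FireEye: it scans raw bytes for declared charsets, Windows code pages, RTF `\fcharset` values and well-known locale-specific font names, and maps each to the language region it usually indicates. The lookup tables use standard code page and RTF charset numbers; the two sample artifacts (`SAMPLE_EMAIL`, `SAMPLE_RTF`) are constructed here for illustration, and the RTF one mirrors the case in the text: a document whose text code page is Cyrillic but whose font table is Korean.

```python
import re
from collections import OrderedDict

# Lookup tables: standard MIME charset names, Windows code pages, RTF \fcharset
# values and common locale-specific font names, mapped to the region they
# usually indicate. Extend as needed; these are hints, not proof of origin.
CHARSET_HINTS = {
    "gb2312": "Simplified Chinese (PRC)",
    "gbk": "Simplified Chinese (PRC)",
    "big5": "Traditional Chinese",
    "euc-kr": "Korean",
    "windows-1251": "Cyrillic",
    "koi8-r": "Cyrillic",
}
CODEPAGE_HINTS = {936: "Simplified Chinese (PRC)", 950: "Traditional Chinese",
                  949: "Korean", 1251: "Cyrillic"}
FCHARSET_HINTS = {134: "Simplified Chinese (PRC)", 136: "Traditional Chinese",
                  129: "Korean", 204: "Cyrillic"}
FONT_HINTS = {"simsun": "Simplified Chinese (PRC)", "mingliu": "Traditional Chinese",
              "batang": "Korean", "gulim": "Korean"}

# \b keeps the MIME pattern from matching inside RTF's "\fcharset129".
_CHARSET_RE = re.compile(rb'\bcharset="?([A-Za-z0-9_-]+)', re.I)
_ANSICPG_RE = re.compile(rb'\\ansicpg(\d+)')
_FCHARSET_RE = re.compile(rb'\\fcharset(\d+)')

# Constructed sample artifacts (not taken from any real incident).
SAMPLE_EMAIL = b'Content-Type: text/html; charset="GB2312"\r\n\r\n<html>lure</html>'
SAMPLE_RTF = (b'{\\rtf1\\ansi\\ansicpg1251\\deff0'
              b'{\\fonttbl{\\f0\\fcharset129 Batang;}}\\f0 \\u1055?\\u1088? }')


def locale_hints(blob):
    """Return (evidence, region hint) pairs found in raw bytes, in scan order."""
    found = OrderedDict()
    for m in _CHARSET_RE.finditer(blob):
        name = m.group(1).decode("ascii").lower()
        if name in CHARSET_HINTS:
            found[("charset", name)] = CHARSET_HINTS[name]
    for m in _ANSICPG_RE.finditer(blob):
        cp = int(m.group(1))
        if cp in CODEPAGE_HINTS:
            found[("rtf codepage", str(cp))] = CODEPAGE_HINTS[cp]
    for m in _FCHARSET_RE.finditer(blob):
        cs = int(m.group(1))
        if cs in FCHARSET_HINTS:
            found[("rtf fcharset", str(cs))] = FCHARSET_HINTS[cs]
    lowered = blob.lower()
    for font, hint in FONT_HINTS.items():
        if font.encode("ascii") in lowered:
            found[("font", font)] = hint
    return [(f"{kind}:{value}", hint) for (kind, value), hint in found.items()]


def regions(blob):
    """Distinct region hints for a blob, sorted, for a quick triage summary."""
    return sorted({hint for _, hint in locale_hints(blob)})


if __name__ == "__main__":
    for label, blob in (("email", SAMPLE_EMAIL), ("rtf", SAMPLE_RTF)):
        for evidence, hint in locale_hints(blob):
            print(f"{label}: {evidence} -> {hint}")
```

Running it prints one line per piece of evidence; for the RTF sample the text code page says Cyrillic while the font table says Korean, which is exactly the mismatch the report treats as a clue. Keep the evidence strings alongside the hints when recording findings, because any of these markers can be set deliberately by the author, so they are corroboration for other indicators rather than an answer on their own.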

In certain cases, to avoid being blocked by a blacklist, attackers pay to reach the target computer from a certain domain. In many cases the DNS registration leads directly to the attacker's country of origin. False DNS records can also help locate the attacker, who sometimes reuses registration details, making it possible to link attacks to each other and to identify the attacker.

Quite often the attacker does not write the malware in his or her native language. Typing errors and bad translations can help identify the attacker's country of origin; for instance, recognizing that certain words or expressions were produced by an online translation site may reveal the attacker's native language.

Remote Administration Tools (RATs) are a kind of malware that lets the attacker control the target computer in real time. At first sight they seem a poor basis for identifying attackers, but the many customization options of these tools can reveal settings specific to one attacker, which helps identify him.

Attackers have their own habits: focusing on certain targets, using the same CnC servers, attacking the same industries, and so on. These recurring techniques can expose the attacker's targets, access methods and location.