Researchers stymied by hackers who drop fake clues

December 10, 2014 by Raphael Satter

It's a hacker whodunit. Researchers say they have a wealth of clues—but no clear answers—as to the identity of those behind a series of newly discovered cyberattacks targeting Russian and Eastern European embassies, oil companies and military officers.

"The level of misdirection is impressive," said Hugh Thompson, a security strategist at Blue Coat Systems, Inc., which is publishing a report on the malware campaign Wednesday.

Blue Coat says the malware—nicknamed "Inception" after the complex dream heist movie starring Leonardo DiCaprio—has been attacking mainly Russian or Eastern European targets in the fields of diplomacy, energy and finance.

The Blue Coat report says researchers found signs hinting at the hackers' identity, but that they're all over the map.

For example, some of the malicious code carries words in Arabic and Hindi. Another piece of code carries the words, "God Save The Queen." A third clue, suggesting Chinese involvement, appears to have been left on purpose after the attackers realized they were being watched.

Kaspersky Lab researcher Costin Raiu, who is familiar with the malware, links the code to "Red October," a Russia-focused campaign his company uncovered early last year. Raiu points to similarities in the attackers' "philosophy and style" and says several of the same targets were hit.

Blue Coat malware researcher Waylon Grange says that connection is possible, but that he is reserving judgment in light of the hackers' trickiness. And he says the new campaign is a good reminder that suggestive words or phrases found hiding in malicious code aren't necessarily smoking guns.

"A lot of these, as this malware illustrates, can be made up, and can lead you astray," he said.


More information: Blue Coat's report on "Inception": … 0f-b89e-e40b2f8d2088


1 comment


Dec 10, 2014
For example, some of the malicious code carries words in Arabic and Hindi. Another piece of code carries the words, "God Save The Queen." A third clue, suggesting Chinese involvement,

Here's a few ideas:

- Take a snapshot of the current implementation and look for what is NOT there. That's your point of origin.
- Look for misapplied Chinese/Arab/Hindi words and what kind of person (from what language background) would make those mistakes. People not native to a language make very characteristic mistakes based on their own native tongue/grammar.

- Look at naming of variables. Different countries have different keyboard layouts which make different letters more/less likely (e.g. in German and English keyboards the z and y keys are switched).

In the end it's always the same in forensics: look for side channels that are not the specialty of the attacker. There he will make his mistakes.
