> FireEye CEO Mandia wrote that none of the red team tools exploited so-called “zero-day vulnerabilities,” meaning the relevant flaws should already be public.
Seems like a massive amount of energy to devote to stealing tools that, by and large, probably have public equivalents sitting around on GitHub.
That's interesting. My first thought was that the attacker wanted access to internal red team tools under the assumption that the resulting indicators would be ignored by the blue team, making attacks against their customers less likely to be detected. Wanting to harm FireEye directly is certainly a simpler explanation.
Yeah, no. People say this every time an attack is attributed to a state-level adversary, and while attribution is imperfect, it's not based on the idea that you have to be GRU to write an exploit. There's much more that goes into it; attribution specialists collect and catalog indicators of compromise, like the C&C servers and protocols people are using, many of which are not widely known.
But nothing is known; we have to believe a company trying to master a PR shitshow right now, saying that the attackers were extremely sophisticated. Maybe it was; maybe they are "inflating" the sophistication of the attack to avoid looking bad.
Besides that, I care little about "attribution specialists" and what they say (sorry if anybody is in the audience :p). Evidence can be faked, it's all bits and bytes in the end (and some server locations, usually rented boxes), and things have been misattributed constantly in the past and will be in the future. I think the most you can infer is the general sophistication of the attackers and their resources, but that doesn't require an "attribution specialist". Attributing it to some specific nation state is guesswork at best, based on mistakes they made in their camouflage (if those mistakes aren't a deliberate or accidental red herring; e.g. [1]). And such "It was China/Russia/North Korea/underpants gnomes" claims are made by people claiming to be "attribution specialists" all the time. It's extremely rare that there is compelling evidence supporting such attributions.
So if FireEye provided evidence or at least a reasonably detailed post mortem backing their claim of a sophisticated attack, then I'd probably believe them on that. If they made claims about a particular nation state (and so far they have not, as far as I can tell), then I would find that a dubious claim to make.
The FBI has confirmed the state-level adversary thing in a release today. There is no love lost between the outgoing administration and FireEye.
You're probably never going to get evidence that will satisfy a message board.
The Wikileaks post you cited repeats the fallacy I mentioned earlier --- the idea that analysts are simply attributing exploit code. I think if you stop and think about it, you can probably rattle off a number of things besides exploits that a single attacker group will share in common across its attacks.
To fake the evidence we're discussing, you have to know what it looks like. A bored teenager doesn't.
I think it's unlikely that you can derive the entire practice of attribution axiomatically from your own intuitions about how attacks work, unless you've had some real exposure to IR and forensics as a practitioner.
No, I am not saying a bored teenager can create evidence like that, but the sophisticated nation states surely can, and probably some other larger orgs, too.
Code can be faked, metadata can be faked, MO can be imitated, and so on. And the nation states at the very least - and their contractors and (former) employees in the areas of concern - will know what it has to look like. Motive isn't always clear, and quite often there are multiple parties with motives.
>unless you've had some real exposure to IR and forensics as a practitioner.
I'll bite on your argumentum ad verecundiam... who says I didn't? ;)
But I agree, we'll likely never see evidence or a post mortem, and are expected to believe what FireEye and/or the FBI tells us.
I haven't yet, because all I have to go by is claims by FireEye and the FBI. I already said why I take what FireEye says with a grain of salt, and frankly, I also take what the FBI says with more than a grain of salt. The FBI is inherently political, and even when they are not, they are known to make up stuff when it suits them (e.g. "parallel construction").
That may be a rather untrusting/paranoid mindset that I employ, but it worked for me so far.
Asking sincerely: is there some particular reason it should matter to the rest of us whether your perspective on attack attribution has "worked for you so far"? What would the consequences to you have been had your intuition not "worked"?
Replying sincerely: It matters the same way as your own opinion matters to the rest of us.
And consequences? In this case, probably none. We're here for news and entertainment, and reasoning about topics such as this one is enjoyable to me. But lively discussions and their takeaways can inform future arguments and decisions.
But in more general terms, I am a member of the electorate in my country, and misattributions and/or bad or even fake evidence quite often have direct influence on policy. E.g. I was quite happy that I, along with a majority of my fellow citizens, did not believe the "conclusive" "evidence" of WMDs in Iraq the US had put forth, and stayed out of that war.