Saade and Raiu at VB2017

When cyber spies known as NetTraveler were busy snooping on hundreds of government and military victims in 40 countries a few years ago, little did they know that another hacking group was probably watching them.

During their investigation of NetTraveler, Kaspersky Lab researchers discovered an unusual backdoor that could have helped another attacker access one of their main servers, and then use the group’s infrastructure or steal data.

In the past five years, cybersecurity experts have encountered several cases in which espionage groups likely pilfered one another’s spoils, being interested in both the data and the hacking tools. Kaspersky researchers Costin Raiu and Juan Andrés Guerrero-Saade discussed such incidents on Wednesday at the Virus Bulletin 2017 conference in Madrid, Spain.

Government hackers sometimes “obtain data by stealing it from someone else, who took it in the first place from the victims,” Raiu told Bleeping Computer in an email interview before the conference. He and Guerrero-Saade believe that citizens’ personal data could fall into the hands of a foreign intelligence agency that’s better equipped than the domestic one.

The experts based their presentation on so far unpublished research that shows how spies walk off with other spies’ data and tools, gaining valuable insight into a foreign service’s intelligence collection methods, recruitment tactics, procedural guidelines, and the targets operatives have to monitor.

“Attackers can [...] adopt the victim threat actor’s toolkit and infrastructure, leveraging their data and access, and perpetrating attacks in their name,” the researchers wrote in their paper.

Real world stories

A few of the in-the-wild examples Raiu and Guerrero-Saade showed come from investigating APT (Advanced Persistent Threat) campaigns launched by Crouching Yeti/Energetic Bear, HackingTeam, or ProjectSauron/Strider threat actors.

While studying these attacks, the researchers have encountered “strange artifacts [pieces of code or other identifying information left by the attackers] that defy immediate understanding in the context of the investigation itself,” the paper reads. The Kaspersky experts said they cannot be sure of the intent or origin of these artifacts, but they fit a conceptual framework of spies pilfering from other spies.

One such example involves the Crouching Yeti threat actor, active between 2010 and 2014, that monitored thousands of organizations mainly from the industrial and machine manufacturing sector.

While investigating a website hacked by Crouching Yeti and turned into a command-and-control server, meaning it was used to send malicious commands, the researchers noticed an unusual pixel-sized image hidden on one of the web pages, the control panel. Whenever that page loaded, the pixel called out to an IP address in China, which pointed to another hacked server. Most likely, the researchers said, the image was used by another espionage group to monitor Crouching Yeti’s operators as they logged in.

As for code reuse, Raiu and Guerrero-Saade talked about the Italian technology company Hacking Team, which sells surveillance tools to governments and law enforcement agencies. After it was hacked in 2015, some of its tools appeared on the web. The dump carried weaponized zero-day exploits and a full malware codebase. The DarkHotel/Tapaoux espionage group was seen repurposing a Hacking Team Flash exploit only a few days after it became publicly available.

Another example involves the cyberespionage platform ProjectSauron, also known as Strider, which secretly extracted encrypted communications of governments and companies using tools tailor-made to each victim and to the environment on which they were installed. The group used different file names and sizes for the malware when targeting different entities. ProjectSauron drew inspiration from other cutting-edge threat actors, including Duqu, Flame, Regin, and Equation. It emulated their better features while avoiding the pitfalls, the researchers said. They also suspect that the ProjectSauron group might have been capable of collecting the information it took from the victim while it traveled on the wire.

Why do spies steal from other spies?

There are several reasons why state-sponsored hackers would steal from others, according to the Kaspersky Lab researchers. For instance, spies might have difficulties monitoring targets in a certain geographical area, so a powerful attacker might tune in to a server that belongs to a less advanced group that comfortably operates in that particular region.

Small espionage groups could gain superpowers by borrowing tools from the more capable ones. Exploits, implants, scripts, and source code found on servers that end up online might boost a group’s creativity and cut the costs of a future attack. “Clear examples of this are the dumping of Hacking Team exploits and EquationGroup exploits. The latter were provided fully weaponized and used by multiple players like DarkHotel and the Lazarus Group with the infamous WannaCry,” Guerrero-Saade said. “Exploits, particularly zero-days, are of immediate benefit for any threat actor and are likely to be seized and repurposed immediately,” the paper reads.

Meanwhile, rather than stealing, truly advanced espionage groups, “high-powered god-on-the-wire style threat actors” as Guerrero-Saade called them, prefer to build in-house tools that require extensive development and quality assurance practices. “We can only imagine what the ‘big boys’ are capable of,” he told Bleeping Computer.

Whodunnit theories are getting more complicated

With spies using other spies’ tools and infrastructure, and even perpetrating attacks in someone else’s name, cybersecurity researchers might have increasing difficulties in proving who’s really behind a campaign.

Guerrero-Saade said cybersecurity researchers need to understand their limitations when attributing an attack, as they can only aggregate data from cyberspace. “Institutions that are being fed high fidelity signals intelligence and human intelligence and can generate an ‘all-source’ product are in a position to conduct the sort of attribution that might satisfy inquisitive bystanders,” he said.

“We believe [that the phenomenon of spies collecting data and tools from other spies] is an important development and we took the steps to describe it as it can change attribution and the way we see cyberwarfare in general,” Raiu said.

Image credits: Kihong Kim