This post is also available in: heעברית (Hebrew)

11431490_sFireEye, a company developing solutions for stopping focused and advanced cyber attacks (APT), represented in Israel by Innocom of Aman Group,  published a new cyber report. The report, based on data from 1,500 cyber attacks against organizations all over the world, lists the most frequent characteristics of attack, enabling cyber experts to identify the actors threatening an organization and to improve its defense lines against future advanced cyber attacks.

The report describes also attack techniques used by Chinese military groups, called also “Comment Crew”, that were linked in the past with attacks against the US government.

 i-HLS Israel Homeland Security

 The company lists in its report seven main clues for identification of an attacker who stands behind the cyber attacks:

–       Characters of the Phishing type malware code disclose sometimes the country of origin, where the malware code was created. So, for instance, Fire Eye researchers found that many malware codes include the characters GB2312, the source of which is the Mandarine language keyboard, namely – China.

–       Malware operating code often includes expressions with local context, like slang or common insults, indicating the source country of the code writer.

–       Similarly to code characters, indicating a keyboard in a certain language, also fonts can indicate sometimes the malware source. So, for instance, FireEye researchers found that the source of malware code hidden in a document written in Cyrilic letters is in Korea, due to the font with which the infected document was written.

–       In certain cases, in order not to be blocked by a Black List, the attackers pay in order to penetrate the target computer from a certain domain. In many cases, DNS registration leads directly to the country of origin of the attacker. Also false DNS listings can help in locating the attacker, who sometimes reuses information (such as a spelling error) – enabling to link between the attackes and to identify the attacker.

–       Quite often, the attacker does not use his/her native language in the malware code. Typing errors and bad traslations can help in identification of the country of origin of the attacker. So, for instance, identification of translation by using translation sites for certain words or expressions may help in identification of the native language of the attacker.

–       Remote Administration Tools are a kind of malware enabling the attacker to control, in real time, the computer of the target of a cyber attack. Seemingly, it is difficult to identify by them the attackers, but the many possibilities of customization of these tools may lead to identification of settings that are specific to an attacker, helping in his identification.

–       Attackers have their own habits, There are attacker focusing on a certain target, with the same CnC servers, in the same industries, etc. These recurring techniques can expose the target, the access and the location of the attacker.

“At the cyber era, the capability of identifying the attacker is a considerable part of defense”, states Jonathan Gad, chairman and CEO of Innocom. “The report indicates that recurring patterns, discovered in malware codes can improve the capability of information security experts and SOC centers to protect the information and the information systems of an organization”.