All right. So as I was talking about earlier, nation-state attribution is probably the most difficult type of analysis to do. Especially since, during late 2016 and early 2017, there have been various news stories about malware being stolen from the NSA. You know, anyone who's following this story on WikiLeaks is already somewhat familiar with these concerns, and also, because of that story breaking, it was also discovered that the attribution methodologies that have been used in the past may not be good enough anymore. It's certainly possible for any organization that's developing malware to try to make it appear as if it came from somewhere else. That's part of covering your tracks. That's part of obfuscation and remaining undetected. So spoofing IP addresses, using proxy chains, writing code in different languages (and when I say that, I mean different spoken languages), using, you know, a little luck, cultural clues: these are all things that could be done to throw an investigator off the path, off the scent. This might make them focus on something which they think is really true, which traces us back to the cognitive biases and logical fallacies that we talked about a little bit earlier in this module.

So geopolitics is a complex subject, and one that's endlessly fascinating for me from certain points of view as it relates to cyber espionage, cyber terrorism and other kinds of cyber attacks. It certainly has a lot of complexity and various levels of intrigue and mystery. So in the course of doing some analysis, it could be very difficult to conclusively prove that this particular malware, this attack, came from this nation state or this hacker group, because there's a large market that's open to anybody who wants to purchase malware or wants to have malware designed for them. This further complicates the issue. So many open source tools also exist which can be used to create malware very quickly, very easily, with, in some cases, very little skill required by the persons.
From a United States perspective, being concerned about China, Russia, North Korea and Iran is part of the daily workflow for anyone who's working in a classified space or national security capacity. So we'll see some examples of different types of sabotage and espionage. The first we're gonna look at is IRONGATE and Stuxnet. So have a look at The Hacker News for some information about IRONGATE as it relates to Stuxnet; they're both industrial control systems related malware, SCADA systems in particular. This is a pretty good website; it gives a decent amount of information. It's not super technical, so people that are newer to threat analysis will need some time to read the stories and figure out what you're looking at. But they do go into a decent amount of detail about how the malware works, and in trying to get at the question of who wrote it, there could be some interesting clues to consider.
Then we have Dragonfly. So, a power outage caused by hackers. This happened early in 2016. So, similar to Stuxnet, going after SCADA systems. There are some theories that this was produced by the Russians, perhaps, but good information, really, regardless, and this kind of stuff is pretty fascinating, in my opinion. Trying to look at the work of other analysts can be very illuminating because you can see what kind of methodology they used. Hopefully, there's some information available to show how something was done or how the conclusion was reached.
Then we have the Shadow Brokers trying to sell stolen NSA hacking tools, and they're trying to claim credit for this. So in this case, maybe attribution could be a little bit more straightforward. But again, there's no proof. Just because someone claims responsibility doesn't mean that they actually did it. I'm not saying there's no proof in this case; I'm just saying in a general sense, and that is always something to be aware of, because there are so many ways to spoof information, so many ways to make it appear as if traffic came from somewhere that it really didn't, and so on and so on. Anyone who's spent any time doing pen testing work would have at least that level of understanding of how to hide their own tracks, surmising, of course, that anybody else who's doing malware, creating malware, would also use the same techniques to remain obfuscated, or even to appear to be pointing at another entity. So it is something to think about, and probably one of the most fascinating parts of doing cyber threat analysis.