‘Hackers used Stuxnet certificate to mislead researchers’


Hackers signed their own malware with the same Realtek certificate that had been stolen by the creators of the Stuxnet malware. According to Kaspersky researchers, this was done to mislead researchers.

The Kaspersky researchers, who recently presented their findings at the Virus Bulletin conference, told Motherboard that the use of the certificate is one of the most notable examples of a so-called false flag: a deliberate attempt by hackers to disguise the origin of their attacks. The hackers in this case belong to the so-called ‘TigerMilk’ group, which used a common Microsoft Office exploit to attack government agencies in Peru.

The malware itself was nothing special; the use of the Realtek driver certificate was. VeriSign had already revoked that certificate in 2010 in response to Stuxnet, so signing with it no longer offers any benefit in passing signature checks. The researchers therefore conclude that the only reason to use it may be to mislead security researchers and incident responders: on seeing the certificate, they might be tempted to attribute the attacks to the group behind Stuxnet. It is not clear how the TigerMilk hackers came into possession of the certificate.

In the report, the researchers discuss the difficulty of assigning hacks to specific countries or groups, a problem summed up in the adage ‘attribution is hard’. At present, attribution is based on, for example, the IP addresses used in an attack, or on reused pieces of code and malware families. According to the researchers, captured network traffic (pcaps) is the most useful source of information, but even with it, pointing out the actual perpetrator is far from easy.

Security and intelligence services are in the best position to identify a perpetrator because they have the most information. However, the researchers said, these services are limited in this role because they cannot publicly substantiate their findings. They may therefore point to a perpetrator without being believed.

The recent hacks on the US Democratic party have sparked much speculation about the party responsible, with Russia consistently emerging as one of the prime suspects. Recently, the US government officially designated this country as responsible.
