Posted by David Harley on March 26, 2015.
…or geolocating spooks, Bunny bugs, and the elephant in the room…
Disclaimer: while I’m an independent author and consultant, I do work closely with one of the security companies mentioned in this article. However, while the starting point for this article is a blog article it recently published, this isn’t about generating extra Likes and Tweets.
This is an article I started to write three weeks ago, so as far as recent analysis of malware is concerned, it lacks conviction. But it’s not the malware itself that concerns me here, but a longstanding tension between PR/media-friendly speculation and researcher-friendly concerns with accuracy.
Joan Calvet, one of my colleagues at ESET, recently published a rather interesting article on Casper Malware: After Babar and Bunny, Another Espionage Cartoon. Of course, it’s not about cartoons: it’s about the links suggested by code analysis of the Casper, Bunny (or EvilBunny) and Babar malicious programs, though no-one (myself included) has been able to resist making cartoon-related puns when writing about it. It seems very likely that they have a common origin, but Joan said:
Nevertheless, we did not find any evidence in Casper itself to point a finger at a specific country. In particular, no signs of French origin, as suggested by CSEC for Babar, were found in the binaries.
GData’s Sabrina Berkenkopf also went no further than saying:
Casper is considered to be EvilBunny’s and Babar’s successor, believed to be originating from the same group of programmers – possibly connected to a French intelligence agency.
According to VICE Motherboard, however, Marion Marschalek and Morgan Marquis-Boire were less cautious, being much more inclined to agree with CSEC’s ‘moderate certainty’ that the spying operation ‘SNOWGLOBE’ – which made use of the Babar malware – is a ‘state-sponsored CNO effort, put forth by a French intelligence agency.’ Legitimate speculation, I guess, but Joan didn’t claim a proven link to any particular country on the basis of code analysis.
Once it reached the Register, however, the story had acquired the title ‘France fingered as source of Syria-spying Babar malware’ (though it was still about the links between Babar, Casper, and Bunny), even though Darren Pauli’s article actually begins a little more cautiously:
France’s spy agency has been fingered as the likely author of complex reconnaissance malware, researchers say.
The Register also observes that ‘Kasperksy [sic] malware boffin Costin Raiu who indecently [sic] analysed Casper told Motherboard the advanced Animal Farm hacking operation was likely the work of a nation state given the absence of financial gain.’ (I don’t know what constitutes an indecent analysis of malware, but I know Costin is far too competent and ethical a researcher to perform an analysis that would deserve the adjective indecent… Perhaps that was supposed to be ‘recent’?)
The real point, I suppose, is that security researchers tend to be anxious – anal, even – about not committing themselves to unproven speculation, whereas the media are all too happy to pick up a bit of juicy gossip. And even where the content of the article is reasonably accurate, there’s a good chance that an over-eager sub-editor will take the opportunity to spice things up a bit in order to attract more readers. In fact, a few months ago I pretty much decided to decline future requests for commentary from The Register after an article in which I was quoted came out with the sensationalist headline NHS XP patch scratch leaves patient records wide open to HACKERS. Which is pretty academic, since they haven’t asked for any comments on anything since…
Mind you, Claus Cramon Houmann makes some interesting points as to why attribution is important – while acknowledging that ‘sharing about attribution on social media may have negative consequences for these professionals’ (i.e. malware analysts) – but doesn’t really explain why a potentially inaccurate speculative attribution is more useful than being non-committal. Aryeh Goretsky’s older article Needles and haystacks – the art of threat attribution is much clearer on one very good reason why ‘these professionals’ are so cautious, relating the issue to a number of specific malicious programs including ‘Stuxnet … and its siblings, [and also] … the Medre Worm … and also the Georbot worm.’
All of these different cases around the world have one thing in common: We don’t really know who the masterminds behind the attacks were or where they are actually located. All we know is where the trail ended for our researchers.
Small Blue-Green World