Comment by motohagiography
5 years ago
Superb work. The "who" of attribution is more likely related to the actual PII they were after than any signature you'll get in the code. Seems like a lot of effort and risk of their malware being discovered for PII instead of being an injection point into those users' machines. I rarely hear security people talk about why a system was targeted, and once you have that, you can know what to look for, inject canaries to test, etc.
From Twitter chatter, this appears to be Chinese APT malware, something related to PlugX.
>Chinese APT
Wow, surprising!
> Chinese APT malware,
Why is it necessary to point out the foreign origin? Doesn't that just encourage our innate xenophobia?
It should be pretty easy for someone to differentiate between the Chinese people and the Chinese government.
Meanwhile, can you prove that this "innate xenophobia" is present in every human to an extent that it's actually relevant, and that this particular instance of suggesting that the malware is Chinese in origin meaningfully exacerbates it?
Moreover, China is a geopolitical rival to the United States, India, and other countries that constitute a majority of HN readers. Information like this is interesting from that viewpoint.
Threat modelling to develop useful risk mitigation requires that system owners essentially do a means/motive/opportunity test on the valuable data they have. The motive piece includes nation states as actors, and that matters in terms of how much recourse you are going to have against an attacker.
However, I'd propose a new convention that any unattributed attacks and example threat scenarios of nation states should use Canada as the default threat actor, because nobody would believe it or be offended.
If it were Russian, American or Israeli would you have the same reservations?
1 reply →
My interpretation, not knowing anything about the field, is that this is a nation state actor or sponsored by such.
2 replies →
I guess it depends on when we talk about it, but it certainly matters if it is the janitor / secret hacker in the building or someone from somewhere that you have no legal recourse against.