Identifying state-sponsored malware increasingly difficult

The rising sophistication of cybercriminals is blurring the characteristics between their tools and state-sponsored malware, making it harder to attribute attacks.

The ability to gather data stealthily and the presence of specific victims are two key characteristics of malware used in state-sponsored attacks, but such malware is increasingly hard to tell apart from cybercriminals' tools, let alone attribute to its origin.

Cybercriminals have evolved from using "broad, scattershot approaches" of mass-market malware to sophisticated and unique malware used to steal valuable information such as sensitive data, intellectual property, authentication credentials or insider information, Phil Lin, director of product marketing at FireEye, noted.

Characteristics of state-sponsored malware
While malware comes in "all shapes and sizes", the key determinant in identifying malware as state-sponsored is the creator's intent, Myla Pilao, director of core technology marketing at Trend Micro's TrendLabs, observed.

Most state-sponsored malware is designed for activities such as data-gathering, cyberespionage or sabotage, she explained.

Elaborating, Lin noted this malware often has particular data-stealing capabilities, communicates back to certain regions and countries in the world, uses advanced infiltration tactics, and employs multiple data theft mechanisms.

Nation-sponsored malware also has specific targets, unlike the usual cybercriminals who aim to hit as many victims as possible, Luis Corrons, technical director of Panda Security's PandaLabs, observed.

For instance, Stuxnet, which has been linked to Israel, had a very specific target: a uranium enrichment plant in Natanz, Iran, he remarked. Another case was the Flame virus, uncovered in May, with targets located in certain Middle Eastern countries, a region with a lot of political and economic interest, he pointed out.

When the victims or targets are limited to specific groups, it is an indicator that the attacker is only interested in gathering intelligence and conducting espionage, Pilao added.

Attack attribution the hardest
Still, all of these characteristics can also be found in advanced malware used by cybercriminals for regular attacks, which makes the geographical attribution of cyberattacks "the most difficult task", Lin observed.

"Cybercriminals from one country can easily set up 'command and control (C&C)' servers used to store exfiltrated data in a different country, leading to incorrect attribution of the nationality of the threat actors, not to mention their ultimate nation-state ties," he explained.

It is also "extremely unlikely" a country will openly admit sponsoring attacks, Corrons added.

There are rare exceptions though, such as U.S. Secretary of State Hillary Clinton admitting in May that U.S. intelligence agents had hacked into Web sites used by Al Qaeda's affiliate in Yemen, he noted.

The level of sophistication of attacks by this malware also makes them harder for the target organization or institution to detect and prevent, Pilao added. While they are usually created by professionals, many non-professional code writers can also create and deploy their own malware and be successful at it, she added.

In order to uncover the threat actors, a thorough digital forensic examination of the advanced targeted attack lifecycle, from exploit to exfiltration, should always be carried out within the enterprise and government infrastructure, Lin advised.

Threat protection technologies must also be implemented for continuous threat monitoring and geo-attribution, Lin added. However, if done incorrectly or irresponsibly, it could risk "unnecessary escalations of tensions" between nation states, he warned.