Elite spies used leaked Hacking Team code to learn techniques and hide attacks
Highly sophisticated hackers are poaching components from a leaked library of exploits originally created by infamous Italian spyware maker Hacking Team — even though tools built with this copied code could be detected by basic antivirus products.
Cybersecurity experts are confounded by the decision to include this code in the elite hackers’ malware, especially given that some groups adopting the material are conceivably capable of developing more evasive and effective exploits on their own.
“To be honest, it doesn’t really make much sense,” said Cylance Director of Threat Intelligence Jon Gross. “This one sort of puzzled us … while you might see the criminal underground doing this, I wouldn’t immediately suspect an APT.”
A mysterious, self-described black hat hacker named Phineas Phisher breached Hacking Team in 2015 and posted a trove of internal company documents and other data online. Some of the company’s exploits — like those that can compromise more recent versions of iOS and Android — have been known to cost several hundreds of thousands of euros for governments to purchase.
Within 24 hours of the Hacking Team leak, a group of elite hackers aligned with Russian interests, dubbed APT28 or Fancy Bear, began rifling through the leaked code, according to iSight’s Director of Espionage Analysis John Hultquist. APT28 is best known for breaking into the Democratic National Committee in 2016.
APT28 was using “[Hacking Team] exploits within hours of the leak,” Hultquisit told CyberScoop.
Synack Director of Research Patrick Wardle last month found that one of APT28’s recently discovered spying tools, which was designed to injecting code into target Apple Mac OSX software and the iPhone’s iOS backup protocols, carried ripped-off Hacking Team code.
“This is either laziness or maybe an attribution-obfuscation effort,” Wardle said. “Either way, it’s weird for sure.”
Cylance also recently published research about an ongoing, advanced hacking operation that targeted Japanese companies and individuals with malware using code-signing certificates from the Hacking Team breach.
Gross, who wrote a company’s blog post about Cylance’s research, said his team believes the Hacking Team code may have been included to hide the original authors’ identity. The group believed to be behind this operation against Japanese targets is codenamed “Snake Wine.”
While some of Snake Wine’s previous cyberattacks originated from computers based in China, the group has previously shown the ability throw investigators off their trail by adopting unique techniques and signatures typically characteristic of other prominent hacker syndicates.
“Attribution of threat actors on the Internet is a difficult, if not an impossible task,” described Kaspersky Lab Senior Security Researcher Mohamad Amin Hasbini, “the issue is that indicators to malware authors, found in malware activities, can be forged.”
Cylance found that Snake Wine had recently leveraged smaller name servers that appeared related to APT28 domains. At first glance, an investigator may mistake one group’s actions for another, though a closer inspection proved that, “the malware used in the [Japanese] attacks did not seem to line up at all [with APT28 tools].”
Based on a newly published cache of supposed CIA document by Wikileaks, it’s likely that APT28 and Snake Wine weren’t the only ones to explore the leaked Hacking Team library.
One internal CIA document which WikiLeaks claims to have obtained from a defense contractor reads: “In the interest of learning from and leveraging existing work, it was decided to review selected pieces of the publicly dumped [Hacking Team] data.”
The document continues, “In August of 2015, we performed an initial review of a few selected repositories that were obtained from GitHub … no effort was made to build and/or test the source code, either in whole or in part. Thus, if one is interested in using some implementations found in the source code, it should be considered a best practice to extract the desired pieces, and thoroughly review and test the extracted pieces.”
While the FBI, Drug Enforcement Agency and U.S military have reportedly purchased Hacking Team services and products in the past, it remains unclear whether the CIA leveraged the company’s leaked code to construct capabilities. A CIA spokesperson told CyberScoop that the agency does “not comment on the authenticity or content of purported intelligence documents.”