Cybercriminals vs Pirates

(To Marco Rottigni)

We live in really interesting times: exactly ten years ago the US Department of Defense defined the cyber domain as the fifth domain of warfare, but it was only a few years ago that the peculiarities of this classification became fully evident.

Strategic, operational and tactical digital warfare techniques have combined with the unique characteristics of this domain, such as the asymmetry between attacker and defender or the speed of propagation, and have blended with other economic and criminal spheres, to the point that today they form a unicum that rewards this classification by raising it almost to a technological singularity.

This is the thought that a news item about a particular threat actor, called Lazarus, stimulated in me.

"Threat actor" is a specific term, normally reserved for organized actors who, sometimes sponsored by states, have emerged through the use of well-defined and distinctive attack strategies, procedures and techniques. Lazarus, specifically, is a group sponsored by the North Korean state and active since 2009; in other classifications this group is known as APT38, Hidden Cobra or ZINC.

The news item described a fairly sophisticated attack campaign, based on a version of the IDA Pro software weaponized with a trojan, aimed at compromising cybersecurity researchers.

At first glance, this is not particularly striking news: yet another organized attack on a specific target, of the kind we hear about often in this period.

Looking deeper into the context, however, some important connotations emerge.

IDA Pro is a powerful tool that lets security analysts disassemble any executable, for example to understand how a piece of malware infects systems.

This operation is called reverse engineering.

IDA Pro has become popular with security researchers because of the power of the tool, which also exists in a free version with decidedly top-notch functionality.

To take advantage of the power of the full version, though, you need to purchase the Professional version, which has a significant cost. This has led several researchers to look for pirated or otherwise unofficial versions of the tool, creating the target audience for the Lazarus Group attack.

Reflecting on this aspect, it is striking that those who should know the risks better than anyone else choose to look for a cracked version of a reverse-engineering tool: it is in fact more certain than probable that a pirated copy of a program is infected with malware, concealed with varying degrees of subtlety but often with devastating effects.

Not that the Lazarus Group's move is in any way justifiable, but the attacker's choice of target may not be random at all.

From a strategic point of view, in fact, a cybersecurity researcher occupies an extremely important place in the "value chain": the victim could be a consultant who, once infected, would give the attacker access to many clients; or hitting an unwary analyst could help breach the sancta sanctorum of an organization's cybersecurity, the most specialized part of the defense chain.

This is why this news should lead us to reflect on the strange conflict between two fronts that are only apparently opposite, but which in reality represent, albeit for different reasons, harmful elements for companies and for security in general.

To learn more: