Fake timestamps, language strings and malware are increasingly being used by cybercriminals to shake security researchers and investigators off their scent, Kaspersky Lab has revealed.
Those who plant malware and other malicious files are increasingly using false flags to hide their identity, meaning it's almost impossible to identify the hacker groups.
Kaspersky Lab explained how timestamps can be easily changed by cyber criminals to avoid researchers uncovering which timezone they are working from, for example, while mixing language markers - such as language proficiency and mixed language metadata - can confuse those trying to find the criminal.
Another way to confuse researchers trying to pin down malicious actors' location is by purposefully failing internet connections, making it appear as though they are working from another territory.
By varying the types of target, hackers are able to remove a pattern to their attack, which again makes it much harder for anyone to work out a motive. The criminals who launched the Wild Neutron attack, for example, had such a varied victims list but no pattern could be established. Threat actors can also pretend to be other hacking groups to remove any certainty.
"The attribution of targeted attacks is complicated, unreliable and subjective and threat actors increasingly try to manipulate the indicators researchers rely on, further muddying the waters," Brian Bartholomew, senior security researcher at Kaspersky Lab, said.
"We believe that accurate attribution is often almost impossible. Moreover, threat intelligence has deep and measurable value far beyond the question who did it'. There is a global need to understand the top predators in the malware ecosystem and to provide robust and actionable intelligence to the organisations that want it that should be our focus," Bartholomew added.
