Despite the steady stream of news about cyberattacks on government agencies and infrastructure providers, pinpointing the perpetrators is often difficult. In an interview with Scientific American, Citizen Lab Senior Security Researcher Morgan Marquis-Boire explained the techniques used to identify the perpetrators of malware attacks and the challenges that come with them. “Attribution is a curious beast,” said Marquis-Boire. “There are a variety of techniques that you can use to make educated assertions about the nature of an attack.” These include examining the sophistication of the tools involved, the techniques, the type of data stolen and where it was sent. “I call this strong circumstantial, and this is how a lot of the attribution is done in public malware reports.”
Marquis-Boire is working on a series of “malware profiles” that identify a particular program’s formatting styles and memory allocations. He explained that investigators can learn a lot from a programmer’s naming of certain program features or from the way malware transmits purloined data. On this topic he gave a talk at the Black Hat USA 2015 conference titled “Big Game Hunting: The Peculiarities of Nation-State Malware Research.”
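The kind of overlap the article calls “strong circumstantial” evidence can be sketched as a toy static profiler that pulls the artifacts mentioned above (build-path formatting, the naming style of program features, and how stolen data is sent out) from a sample and scores how much two samples share. The following is an added example written for this page, not code from Citizen Lab or from Marquis-Boire’s malware profiles; the three sample byte blobs, the feature labels and the 0.5 threshold are constructed assumptions for illustration only.

```python
"""Toy malware-profile comparison (example code for this page, not Citizen
Lab's tooling).  Profiles are sets of string-derived features; similarity is
Jaccard overlap.  All samples below are constructed, not real malware."""
import re
from typing import List, Set

STRING_RE = re.compile(rb"[\x20-\x7e]{5,}")                 # printable runs
HOST_RE = re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}$")          # bare hostname
CAMEL_RE = re.compile(r"^[A-Z][a-z]+(?:[A-Z][a-z]+)+$")     # SendLog
SNAKE_RE = re.compile(r"^[a-z]+(?:_[a-z]+)+$")              # send_log

# Constructed "binaries": an MZ stub followed by NUL-separated strings of
# the kind a profiler keys on (PDB path, function names, exfil request,
# User-Agent, C2 host).  A and B are meant to look like one toolkit; C not.
SAMPLE_A = b"MZ" + b"\x00" * 14 + (
    b"c:\\work\\proj_rat\\release\\rat.pdb\x00"
    b"SendLog\x00GrabKeys\x00"
    b"POST /gate.php?id=%s HTTP/1.1\x00"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\x00"
    b"report.example.invalid\x00"
)
SAMPLE_B = b"MZ" + b"\x00" * 14 + (
    b"c:\\work\\proj_rat\\release\\rat_v2.pdb\x00"
    b"SendLog\x00GrabKeys\x00TakeShot\x00"
    b"POST /gate.php?id=%s&v=2 HTTP/1.1\x00"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\x00"
    b"update.example.invalid\x00"
)
SAMPLE_C = b"MZ" + b"\x00" * 14 + (
    b"d:\\src\\dropper\\bin\\dropper.pdb\x00"
    b"send_data\x00get_keys\x00"
    b"GET /img.gif?d=%s HTTP/1.1\x00"
    b"User-Agent: curl/7.0\x00"
    b"cdn.example.invalid\x00"
)


def extract_strings(blob: bytes) -> List[str]:
    """Return every printable ASCII run of at least five bytes."""
    return [m.group().decode("ascii") for m in STRING_RE.finditer(blob)]


def profile(blob: bytes) -> Set[str]:
    """Turn a sample into a set of tagged, normalised features."""
    feats: Set[str] = set()
    for s in extract_strings(blob):
        low = s.lower()
        if low.endswith(".pdb"):
            # Build-path formatting: keep directory layout and file name
            # separately so a renamed binary still shares the project dir.
            parts = [p for p in re.split(r"[\\/]", s) if p and not p.endswith(":")]
            feats.add("pdbdir:" + "/".join(parts[:-1]).lower())
            feats.add("pdbfile:" + parts[-1].lower())
        elif s.startswith("User-Agent:"):
            feats.add("ua:" + s.split(":", 1)[1].strip())
        elif s.startswith(("POST /", "GET /")):
            # How purloined data is transmitted: method and path, no params.
            method, path = s.split(" ", 2)[:2]
            feats.add("exfil:" + method + " " + path.split("?")[0])
        elif HOST_RE.match(low):
            feats.add("host:" + low)
        elif CAMEL_RE.match(s):
            feats.add("name:" + s)
            feats.add("style:camel")   # naming convention as a coding-style tell
        elif SNAKE_RE.match(s):
            feats.add("name:" + s)
            feats.add("style:snake")
    return feats


def jaccard(a: Set[str], b: Set[str]) -> float:
    """Share of the combined feature set that both profiles contain."""
    return len(a & b) / len(a | b) if (a | b) else 0.0


def shared_features(x: bytes, y: bytes) -> List[str]:
    return sorted(profile(x) & profile(y))


def likely_same_toolkit(x: bytes, y: bytes, threshold: float = 0.5) -> bool:
    """Assumed threshold; overlap above it is 'strong circumstantial' only."""
    return jaccard(profile(x), profile(y)) >= threshold


if __name__ == "__main__":
    for name, other in (("B", SAMPLE_B), ("C", SAMPLE_C)):
        score = jaccard(profile(SAMPLE_A), profile(other))
        print(f"A vs {name}: jaccard={score:.3f} shared={shared_features(SAMPLE_A, other)}")
```

Even a high score here only says the samples share a build environment, naming habits and a delivery channel; it does not identify a person or a sponsor, and shared tooling can be bought, leaked or deliberately imitated, which is why the article treats such evidence as circumstantial rather than conclusive.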
Scientific American mentioned the findings of the Citizen Lab research report entitled “From Bahrain with Love: FinFisher’s Spy Kit Exposed?,” in which Marquis-Boire and others analyzed emails received by Bahraini activists and discovered malware intended to steal information from their computers. The malware was found to be similar to the FinFisher surveillance tool sold by Gamma International.