The hackers are not alone.
Researchers from cybersecurity firm Kaspersky on Wednesday revealed several cases of mysterious groups breaking into the infrastructure of suspected state-backed hackers. The cases highlight the murky world of spies targeting other spies, how hackers working for nation states could be collecting data out in the wild in unconventional ways, and how the practice can muddy the idea of attribution—ultimately determining who was behind a particular hack.
“It can be all sorts of people for all sorts of reasons,” Costin Raiu from Kaspersky said during a presentation at the annual Virus Bulletin malware conference in Madrid. Juan Andres Guerrero-Saade also co-authored the research.
Gaining signals intelligence comes in many different forms: Perhaps an agency solely uses its own resources to gather information, other agencies share data, or maybe a third party, such as an internet service provider, hands over the goods.
But sometimes, spies will piggyback off the work of another state’s hackers, as a part of “fourth-party” collection. As Der Spiegel previously reported using documents acquired by Edward Snowden, fourth-party collection is essentially letting other people do the dirty work, and then stealing the results, with the National Security Agency apparently making use of the technique.
By the Kaspersky researchers’ definition, this approach can also include one intelligence agency disrupting another’s operation by hacking their infrastructure.
In one case, the researchers explained how they previously dug into a group known as Energetic Bear. This group is likely linked to the Russian government, and has hacked an array of gas- and oil-industry targets.
Energetic Bear used a network of hacked websites to control its operations, and collect data or deliver commands to compromised machines, according to the researchers’ paper. The hackers could log in to their own control panel to manage the information stolen from victims, it adds.
For a brief period, something strange happened to that panel. In March 2014, the researchers noticed it included a tiny snippet of code that pointed to a computer based in China. The code was a 1x1 pixel-wide image—meaning whoever placed it there was likely trying to do so quietly.
According to the researchers, this tweak was probably intended to gather some identifying information about Energetic Bear when it logged in and managed its hacking operations.
Things are even more messy, however. The computer in China was compromised as well, leading researchers to believe that whoever used it to spy on the suspected Russian hackers was consciously trying to muddy the waters.
“Whoever did it also had the resources to hack into a Chinese server and use it [in my opinion] as a false flag,” Raiu told The Daily Beast. It’s not clear who exactly was behind this operation, but it probably was not your run-of-the-mill cybercriminal: Raiu said there was no financial profit in interfering with a panel like this.
A second case shows how so-called Advanced Persistent Threats (APTs) hacking each other can confuse researchers when it comes to attributing operations. A group dubbed DarkHotel used a compromised website to deliver attacks to targets. However, another team of hackers successfully breached the same website, and used it to deliver its own malware. At the time, in 2016, this led researchers to believe the groups were one and the same.
“It is now clear that this is not the case,” the Kaspersky research paper states.
In another example, Kaspersky tracked NetTraveler, a hacking group likely operating out of China that targets organizations in Russia, Mongolia, and other countries. Kaspersky obtained a copy of a NetTraveler server, but made a curious discovery: Someone else, and seemingly not the NetTraveler hackers, had hidden a backdoor on the server, allowing the shadowy party access.
This backdoor probably wasn’t just placed in an attempt to get some attribution details on the NetTraveler hackers, but also to identify the victims of their attacks, and leverage the collected data, Raiu added.
“That backdoor is super unusual and we never saw it again,” Raiu said.
Full disclosure: This reporter was invited to speak at the Virus Bulletin conference about an unrelated subject. Virus Bulletin paid for the flights and accommodation.