Austrian foreign ministry: 'State actor' hack on government IT systems is over

Austria's foreign ministry has said a weeks-long cyber attack from a "state actor" against its systems has ended – amid local reports that pin the blame on a Russian hacking crew and its initial four-byte payload. The attack, which was announced to burghers of the state on a 4th January, was aimed at the ministry's IT …

  1. Anonymous Coward

    non state trolls

    Makes me wonder if there are hacker groups out there that just want to see wars start. Doing things in attempts to instigate physical violence. Maybe they want to know more innocent people are being burned, or hope to sell guns to one side or both. No matter what, none of these hackers are "good people". Their parents would be so ashamed.

    1. Claptrap314 Silver badge
      Childcatcher

      Re: non state trolls

      Anything is possible, of course, but that sort of attitude sounds a lot more like a teenage-wannabe than someone skilled enough to put together the type of attack described. This looks like the work of a highly skilled and disciplined team.

  2. Anonymous Coward

    Oh those Russians...

    “Definitely those nasty Russians, Putin’s at it again.”

    Yeah, right, pull the other one.

    1. LoPath
      Coat

      Re: Oh those Russians...

      Putin' on the Ritz!

      1. Fruit and Nutcase Silver badge

        Re: Oh those Russians...

        ...on the information super (duper) highway

  3. Brian Miller Silver badge

    Source article interesting, kind of

    The attack of the 4-byte file

    The entire attack on a target network starts with a tiny command line module that sends a TCP request to an external command / control server, the command consisting of only four bytes of text [!]. This command brings in a so-called “dropper”, which then places the subsequent trojan in disguise.

    This is just sooooooooo bogus! They make it sound like it only takes four bytes to hack a server, and it's done with a request. What were they expecting, a treatise on nihilism?

    The attack starts because somebody in their network has said compiled code on their computer. The code from Kaspersky looks like something done as a demo of the attack, not the attack code itself.

    Many years ago, a programmer made the point that firewalls should be able to whitelist only connections to known services, not just any old thing out there. Since 13277 is off in the weeds, disallowing outbound requests on that port would stop the problem.

    1. Pier Reviewer

      Re: Source article interesting, kind of

      The good guys (as in competent, not white hat) don’t use random outbound ports. They use 443/tcp to a cloud host along with domain fronting to avoid TLS interception. All the victim sees is a request to a Microsoft.com domain or whatever.

      If you think detecting decent, custom, memory resident malware is easy you should go work as a front line SOC analyst and see just how easy it is to detect that kind of thing in amongst the network noise. Generally threat actors will compromise the network (maldoc, cred spraying, 0-day), quickly obtain persistence then lie low for a while. If you don’t manage to detect the initial compromise (often the riskiest phase as it’s noisy/prone to failure) you are flat out stuffed.

      I know what you’re thinking - don’t open random email attachments. Competent attackers don’t use random email addresses. They cred spray/phish your organisation then send emails/instant messages using your own infrastructure. Got a spreadsheet from Alice in Accounts? Must be safe to open, right?...
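A defender-side check that covers both points in this sub-thread: Brian Miller's egress allow-list (drop outbound 13277, or anything not explicitly permitted) and Pier Reviewer's caveat that 443/tcp with domain fronting walks straight past port rules, so a TLS SNI versus HTTP Host comparison on inspected traffic is the complementary signal. This is an added example in Python, not from the article or any commenter; the log format, addresses and hostnames are constructed for illustration.

```python
"""Egress-policy checks over constructed proxy log lines (added example)."""
import re
from collections import namedtuple

# Constructed sample lines in a hypothetical proxy/firewall log format:
#   <src> <dst>:<port> sni=<TLS SNI> host=<HTTP Host header>   ("-" when absent)
SAMPLE_LOG = """\
10.0.0.12 203.0.113.5:443 sni=updates.example-cloud.net host=updates.example-cloud.net
10.0.0.12 203.0.113.9:13277 sni=- host=-
10.0.0.31 198.51.100.7:443 sni=cdn.example-cloud.net host=backend.example.org
10.0.0.40 192.0.2.22:80 sni=- host=www.example.com
"""

ALLOWED_PORTS = {80, 443}   # egress allow-list; anything else is "off in the weeds"

LINE_RE = re.compile(r"^(\S+) (\S+):(\d+) sni=(\S+) host=(\S+)$")
Finding = namedtuple("Finding", "src dst port reason")


def parse_line(line):
    """Split one log line into (src, dst, port, sni, host); reject malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparsable log line: {line!r}")
    src, dst, port, sni, host = m.groups()
    return src, dst, int(port), sni, host


def check_egress(log_text, allowed_ports=ALLOWED_PORTS):
    """Return findings for (a) outbound ports missing from the allow-list and
    (b) TLS SNI / HTTP Host mismatches on 443, the trace domain fronting leaves
    when the proxy can inspect TLS. Lines that pass both checks yield nothing."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, dst, port, sni, host = parse_line(line)
        if port not in allowed_ports:
            findings.append(Finding(src, dst, port, "port not on egress allow-list"))
        elif port == 443 and sni != "-" and host != "-" and sni != host:
            findings.append(Finding(src, dst, port, f"SNI/Host mismatch: {sni} vs {host}"))
    return findings


if __name__ == "__main__":
    for f in check_egress(SAMPLE_LOG):
        print(f"{f.src} -> {f.dst}:{f.port}: {f.reason}")
```

Without TLS inspection the third line is invisible to this check, which is exactly the gap Pier Reviewer describes.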


Biting the hand that feeds IT © 1998–2020