When someone says they were hacked by an "advanced persistent threat" (APT)—parlance often used for allegedly government backed hackers—you might imagine some well organized, secret hacking unit that only uses the most sophisticated and specially crafted tools.
However, some of the most popular pieces of malware used by so-called APTs—to target everything from oil companies to dissident organizations—are littered with their own security vulnerabilities, according to new research to be presented this week in Las Vegas. The research may also have implications for the debate around hacking-back, the practice of victims retaliating against hackers in order to minimize the damage or learn more about the attackers.
Some of the tools are "very, very poorly written," Waylon Grange, a researcher from cybersecurity firm Symantec who analyzed the malware told Motherboard in a phone call.
Grange simply picked a selection of popular tools that repeatedly came up in APT reports, and then poked around for vulnerabilities. For example, hackers have used a piece of Windows malware called Gh0st RAT to target Tibetan activists and South Korean organizations. Gh0st RAT can switch on a victim machine's camera, steal data, and much more.
But when Gh0st RAT transfers a file from the victim to the attacker's server, it does not validate that the hacker requested the file in the first place, according to Grange's research. This means a victim could deliberately upload their own file to the hacker's infrastructure, and install a backdoor on the attacker's server.
"If I was to hack the hacker, I may want to sit on their box [computer], and just listen to who they're attacking, or see who else that they've victimized," Grange said, with both elements potentially being helpful for attribution.
Grange found issues with similar results in PlugX, a piece of malware linked to the infamous Office of Personnel Management hack.
"For both the PlugX and the Ghost RAT, the exploit gets code execution, which means I can then run whatever I want on the machine," he added.
Some vulnerabilities can also be used to extract files from the hacker's own server. Grange found one such issue with XtremeRat, which has been used in both targeted attacks and cybercriminal campaigns, Grange's research notes.
Of course, all of this has relevance to hacking back. Earlier this year, a Republican congressman proposed giving hacking victims the legal authority to strike back, in order to find identifying information about the hackers.
"I think it shows that were hacking back to be legal or allowed, it's very, very plausible," Grange told Motherboard.
Get six of our favorite Motherboard stories every day by signing up for our newsletter.