Apparently the “Psychosis of Targeted Attacks” is plaguing not only the end users but even the security researchers, leading to dangerous collisions and clamorous retractions.
Yesterday the security firm FireEye published a blog post about the well-known Gauss targeted attacks, concluding that there was some sort of relationship between the Gauss and Flame malware actors based on observing C&C communication going to the Flame C&C IP address.
Unfortunately they did not realize they were observing the activities of a sinkhole operated by Kaspersky in which the sinkhole process had been organized to monitor both the Flame and Gauss C&C infrastructure.
Kaspersky Chief Security Expert Alexander Gostev explains the reasons of the misleading conclusions:
After discovering Gauss we started the process of working with several organizations to investigate the C2 servers with sinkholes. Given Flame’s connection with Gauss, the sinkhole process was being organized to monitor both the Flame and Gauss’ C2 infrastructures. It’s important to note that the Gauss C2 infrastructure is completely different than Flame’s. The Gauss C2s were shut down in July by its operators and the servers have been in a dormant state by the operators since then. However, we wanted to monitor any activity on both C2 infrastructures.
During the process of initiating the investigation into Gauss C2s and creating sinkholes we notified trusted members of the security and anti-malware community about the sinkhole IP and operation so that they were aware of any activity. FireEye’s post about the Gauss C2 samples connecting to the same servers as Flame are actually our sinkholes they’re looking at.
With some easy Googling and checking on WhoIs, researchers could have verified all of this.
Since the investigation and sinkhole operation are still in progress we do not have any more information to provide at this time.