Friday, May 19, 2017

Shadow Brokers/NSA Malware Update - Haven't Patched? Do It Now.



The Shadow Brokers data dump is the gift that keeps on giving.

It wasn't just the victims and good guys who took notice of the unbridled spread of the WannaCry ransomware worm. The bad guys paid attention, too. And now more SMBv1-based attacks have been unleashed or are in active development.

If you have an older Windows machine and think you're out of luck there's good news. Microsoft recently released updates for their outdated/unsupported operating systems going back to Windows XP. The updates are unusual because Microsoft makes it a practice to never update end-of-life operating systems and software. They prefer to spend development cycles on new products and those under their support contracts. This is a special case, though, as many of the devices infected by WannaCry and being targeted by the new malware include embedded operating systems (things like ATMs and point-of-sale systems) that *can't* be easily updated.

It's also worth noting that, according to NetMarketShare.com, Windows 10 is lagging behind its older predecessors in terms of adoption. Windows 7 makes up nearly half (48.5%) of the current operating systems in use today while XP, Vista, 8 and 8.1 combine to make up over 16%. That's a whole lot of unpatched exposure.

For those with XP, Vista, 8, 8.1, Server 2003 or Server 2008, you can find standalone updates to protect against the SMBv1 exploits here:
http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598

For some reason Microsoft made the Windows 7 and Server 2008 R2 standalone updates separate from the above batch. You can find them here:
https://www.catalog.update.microsoft.com/Search.aspx?q=KB4012215

What are you still doing here? Go patch now!

Saturday, May 13, 2017

Basic Hygiene aka Security 101

What the heck happened on May 12? Super-evil technical genius releases ransomware worm that invaded systems around the world and he made a gazillion dollars?

Nope.

A ransomware worm was, in fact, released in the wild. It did, in fact, cause mass chaos. This depicts the last 24 hours of infections worldwide (see MalwareTech for real-time stats):



The "evil genius" created this attack by using information released by Shadow Brokers a few weeks ago. As of this writing the miscreant has made a whopping $26K in Bitcoin. Meanwhile, the good guys are continuing to eradicate this mess through various truly genius means.

The real culprit in the exponential spread of this attack? You.

The worm (self-propagating code) leveraged a weakness in an outdated version of a Microsoft Windows feature known as Server Message Block, or SMB, to plant the ransomware and spread itself to the next machine. To grossly oversimplify, SMB is how Microsoft systems "talk" to each other. Microsoft released a patch for this vulnerability on its current products back in March.

The two important points in that last sentence: "current products" and "patched in March."

Microsoft is well known for its upgrade path. Some people like it, some people hate it. Microsoft wants their customers to update to their latest operating systems to make money, sure. But it's also to keep their customers safer. Their engineers and threat researchers constantly work to improve the security of their products. This is why they release monthly security updates. This is also why they offered a free upgrade to Windows 10 for so long.

One of the key factors in the rampant spread of this ransomworm (as some of my peers have dubbed it) is that some versions of Windows are so old (XP, for instance) that Microsoft stopped supporting them years ago. This means no security updates have been released for these systems, and that means they are vulnerable to multiple attacks, including this one.

Which brings me to the second point. As stated above, the vulnerabilities that made this worm possible were patched in March. For those who do have current systems, and left Windows Update enabled (the default), you probably just read about the hoopla and went on with your life. According to the latest statistics, at least 90,000 people didn't get the memo and have spent the last 24 hours really wishing they had.

This entire event highlights failures in basic computer hygiene. I thought it an opportune time to remind folks of the simple steps to reduce the likelihood of becoming a victim to this and other types of online attacks. This applies to ALL computer and mobile systems, not just Microsoft, by the way:
  • Keep your operating system and installed software current
  • Turn on automatic updates for your operating system (at a minimum) and software popular with bad guys (Adobe, Java, iTunes, etc.)
  • Back up regularly
  • Install antimalware and keep it updated
The last point may or may not have helped with the ransomworm but it's still a good practice. And yes, Mac users, this means you, too. Last week also saw OS X take a direct hit by the Proton malware.

Prevention is so much easier than recovering lost time and, worse, lost data.


Sunday, April 2, 2017

Privacy Is Dead. Long Live Privacy.


There seems to be a lot of confusion about what happened on March 28, 2017, when the United States Congress affirmed the Senate's vote of the previous week to block the Obama-era rules safeguarding the privacy of online activity. I want to try to clear that up.

First, let's get the legal mumbo jumbo out of the way. In October 2016, the FCC amended its interpretation of the Communications Act of 1934, Section 222. Prior to this amendment, Internet Service Providers ("ISPs") were required to protect their customers' online habits and personal information, although the method of protection isn't defined. What is defined are exceptions:
- in order to bill their customers for data usage
- in response to subpoena/warrant
- suspicion of harm to the ISP's own or partnering infrastructures
- to provide location data in the interest of public safety
- and if customers gave their permission to be served ads based on their personal information and/or usage.

These exceptions meant that ISPs were able to examine all customer data and traffic in order to satisfy the criteria.

Let me repeat that - ISPs have had the legal right and means to collect, analyze and sell customer data all along.

Popular wisdom is that, although they legally *could,* few ISPs actually *did* sell customer data. Section 222 didn't forbid it; it simply stated that selling your information must be on an opt-in basis. People are under the impression that unless they gave consent, it didn't happen. However, the language for opting in may be buried in the terms of service in your contract as a condition of usage. You may have agreed to opt in unless you explicitly opt out. For example, Comcast/XFINITY contracts contain this perfectly legal twist of language.

The October 2016 amendment enforced a higher standard of care in protecting personal information and banned the sale of customer data without explicit permission by the user him/herself by removing the "not opting out is opting in" loophole. The law was scheduled to go into full force and effect in December 2017. What the current Congress and Senate voted on was halting this amendment, effectively preserving the status quo of selling user data and removing the stronger privacy/protection standards for personal information and online activity.

In the aftermath of the March 28 vote, pundits are saying that nothing changed and that until POTUS signs the new bill, it's not "law."

True? Not exactly.

Let's take the second point first because that's easier to explain. Yes, it's true that bills don't become laws until the sitting president signs them. In this case, though, the bill is a negative, that is, it takes prioritizing privacy in ISPs' data handling standards with penalties for non-compliance off the table. More simply stated, the ISP practice of collecting, analyzing and selling user data remains legal.



Now let's get into the trickier part and where there are even more misunderstandings. I drew the above gross oversimplification to explain this to someone and I'm finding it handy so I thought it worth sharing here.

In the "Before March 28, 2017" drawing you see the typical Internet traffic flow. We access Internet-based resources from our homes, offices, coffee shops, hotels, schools, mobile devices, etc. by way of routers and broadband lines leased to us by our ISPs. When accessing sites considered sensitive, like banks, shopping sites, and email, the session takes place over SSL or TLS provided by those websites. SSL/TLS wraps the flow of data back and forth between your device and the destination in encryption, making it difficult for ISPs (or anyone else) to eavesdrop. They can't see or collect the information; they just see gobbledygook. The "Profit" box in the drawing means ISPs make their money directly from their consumers, who pay for Internet and carrier services. They also make money by serving us ads based on the use they see that's not protected by SSL/TLS. When we see the ad, people get paid. These are called "ad impressions." If we click on the ad, people get paid more because ISPs, websites and advertisers make commissions on the number of clicks. Some ads are random and some are based on our online activity. Websites learn about us by incorporating user tracking like cookies or hidden pixels in images on the sites we visit. While not strictly illegal, nor technically infeasible, before March 28 it was considered unethical for ISPs to decrypt SSL/TLS sessions in transit for the purpose of serving ads or to sell to third parties.

That's the crux of ISP complaint against the October 2016 amendment. Google, Facebook, banks, shopping sites, etc. all get our decrypted data because they're sending your machine a certificate that acts like a key to unlock the SSL/TLS tunnel on their end of the conversation. This is how they're able to provide you the service you expect. It's also how they show you ads you're more likely to click on ("targeted ads"), because they get to see what you do while you're on their sites. ISPs want to be able to use the data they collect from you to do the same.

Wait a minute, I hear you saying. ISPs decrypting SSL? Is that possible?

It's not only possible, the capability has been commercially available for a decade. Bad guys use SSL/TLS, too, in order to slip past defenses, so the good guys needed a way to fight back. Corporate gateway inspection, intrusion detection/prevention, firewalls and proxies sold by companies like Blue Coat, Palo Alto Networks and Microsoft all rely on SSL interception to decrypt and analyze SSL/TLS-encrypted traffic to identify and respond to encrypted malicious activity. Of course, government spies have been doing it much longer. And ISPs had the right to decrypt traffic in order to meet the exceptions noted above.

Why is this important? Because, contrary to popular belief, the Communications Act, Section 222 doesn't prevent ISPs from employing this same tactic in order to compete for advertising dollars. Public opinion has been the only deterrent. The October 2016 amendment aimed to rectify that. Which brings us to the "After March 28, 2017" picture.

In the lower drawing, we see the Internet as it exists today with a couple of hypotheticals in the current climate. Remember when I said the justification for killing off the October 2016 amendment was to allow ISPs to compete with website owners for higher ad revenue? They don't have to wait for something to *not* happen (increased restriction and oversight). Thus you see the data siphon flow, representing the ISPs' desire to create a database of their customers and their online behaviors. In some states it's illegal to store this data in plain text (unencrypted) but the point is that ISPs are free to use data they already collect on customers by searching through their data stores with tailored queries suited to advertisers' whims. They are free to serve highly targeted ads and redirect us from where we wanted to go to sites that pay them in order to maximize the ISPs' commissions. Theoretically, this data is also available to anyone willing to pay for it, including local, state and federal agencies, without notifying users should ISPs continue and even expand their definition of "not opting out is opting in." Remember, ISPs are only restricted by the broad language of Section 222 as it existed before March 28. That's why I used "warrantless searches" as one theoretical example.

So what can we do about this? Not a heck of a lot.

Deleting your browsing history on your own device has no effect whatsoever. Zero. Nada. The data collection we're talking about is your activity as it traverses your ISP's network, not your own computer or mobile device. Deleting cookies & history is a good practice against certain types of malware but it's no help here.

Privacy fans who are willing to put up with a slower Internet experience can run I2P and Tor to make a best effort at protecting their anonymity. If you go this route, use both. I2P acts as an underlying layer that complements Tor to increase the effectiveness of the privacy Tor provides. Just be aware that eventually your Internet traffic pops out of the private channel to reach its destination and those exit points can be monitored. Sometimes it's good guys, sometimes it's bad guys, sometimes it's both sitting and watching on the same exit node. Another downside is that Tor is blocked by many popular websites like banks, shopping, and streaming entertainment sites because anonymity is popular with bad guys, too. The same goes for other forms of free virtual private networks ("VPNs").

Speaking of VPNs, if your employer allows you to work remotely, chances are pretty good that you log into your office on a corporate VPN. Using your company's VPN may be an option to keep your ISP's eyes off your activity. The downside is your employer is probably watching and you will definitely be restricted by the employer's acceptable use policies.

Another alternative is to simply accept and assume that everything you do online is public.

The best thing we can all do is to keep the pressure on and support the folks on the front lines fighting for our privacy. The Electronic Frontier Foundation and the ACLU are leaders in this pack. Keep calling, writing, emailing, faxing, and showing up to let your elected officials know how you feel about your privacy and either volunteer and/or donate to EFF and ACLU.

Update: POTUS signed the bill on April 3. The bill rolling back privacy protections is now law.

Sunday, March 26, 2017

What the Phrack

Ever wonder about all those "PH's" used in hacking terms like phreak, phrack and phishing? I watched a CBS Sunday Morning story about phone booths and it occurred to me that there are at least two generations who have no idea what "phreak" or "phrack" mean, or why phishing is spelled the way it is. It all goes back to phones.

Back when answering machines started to catch on, we could call our own landline from a pay phone to punch in a code on the keypad or, if calling from a rotary dial phone, hold a device up to the telephone handset that played a simulated tone sequence to tell the answering machines to play messages. Hackers of the 1970's and '80's figured out that those tones could be used in creative and unexpected ways to manipulate phone lines. Free long distance calls were a popular choice (and illegal, it must be noted, as it constituted fraud against telephone companies). Hackers also discovered that universities and governments sent data back and forth over phone lines, too. Remember the 1983 movie, "WarGames"? The act of these types of phone line shenanigans became known as "phreaking." I confess, I have no idea why hackers (also known as "crackers" back in the day) were called "freaks," but I can guess as early reverse engineers were considered social outsiders. Anyway, the spelling quickly evolved to marry the words "phone" with "freak."

Thus, a cultural pattern was born.

So, what's "phrack"? Well, it's actually capitalized. Phrack was the first and remains the longest-running hacker 'zine. Its founders named it by combining "phreak" with "hack." Understandably, early issues focused on the ways, means and underground culture of phone hacking, as it predated technologies like broadband and the Internet as we know it today. In its 7th issue in 1986, Phrack published "The Conscience of a Hacker" (sometimes referred to as "The Hacker Manifesto"), which formed the basis for the archetype of a hacker as an outcast teenager in his mom's basement. In the 1990's data carriers moved from phone lines to Ethernet and Phrack branched out, too. They published arguably THE seminal article on uncovering and exploiting code bugs in 1996, "Smashing The Stack For Fun And Profit," by Aleph One (aka Elias Levy, the moderator of a popular network and host vulnerability disclosure forum at the time).

"Phishing" has similar roots in telephony. Phishing is a form of social engineering, more simply stated as a con job. It relies on the con artist, or phisher, tricking unsuspecting victims into supplying their user names and passwords to online properties in any number of ways. The term "fisher" was first used in 1995 in AOHell, a multi-featured hacking tool targeting the then-king of the World Wide Web, AOL. The tool is long gone but AOHell's documentation is still online here (warning: strong language). "Fishing" became "phishing" in 1996 when members of the popular hacking newsgroup alt.2600 (newsgroups were the forums of the day) adapted it in a nod to hacking's roots in phreaking.

As an aside, if you haven't seen "WarGames," you really should. Not only is it the phirst - er, first true hacking movie, it still holds up as one of the best IMHO.

Tuesday, March 7, 2017

Defeating Tech Support Scams, Mac Edition

Mac users are falling prey to tech support scams in growing numbers. Because of this, they're being increasingly targeted. Why? The myth that Macs are impervious to malware, scammers and fraud.

Let's start with that word, "myth." Mac does, indeed, have a lot of safety features built into its operating system. However, contrary to popular belief, this is not the reason the bad guys left them alone for so long. There was one simple reason for that - market share. Criminals put their time and energy into the technology that gave them the most bang for the buck because Microsoft had and continues to hold the highest number of users. See, e.g. netmarketshare.com for current statistics.

Apple is still behind Microsoft in overall users but the popularity of Apple products continues to increase for both home and enterprise (office) use. The rapid growth rate is what's put OS X and iOS in the crosshairs of the bad guys. The double whammy is the Apple user population is unprepared. While Windows users have had years of experience and resources available to exercise caution, Mac users have grown accustomed to taking things at face value and simply trusting the platform. This works out well for tech support scammers, in particular. Like most people unaccustomed to thinking defensively, a lot of Mac users are easy to scare. How do I know it's a lot? Because of the growing number of scams and scammers.



The primary purpose of these "warnings" is to get you to call or click.

Calling gives live humans the opportunity to heighten the scare tactic as they walk you through installing a malicious back door. Yes, they really are in a call center - they get paid by the number of installs by the criminals who will then lease out your computer to other criminals or use it themselves to launch further scams.

The automated version of this scam scares victims into clicking on links, videos or ads that redirect them to these warnings, then into clicking to download a "fix." The "fix" is really a back door, ransomware, or a payment screen that holds your web browser or computer hostage until you pay, click or call.

Defeating the scams is relatively simple. It starts with basic hygiene. Do you stay current with security updates for your operating system and apps? Do you run anti-malware in active mode? Do you regularly back up? If you said "yes" to all of these, move on to the next section. If you said "no" to any question, do it now, then move on to the next section.

Every computer needs to know where and how to find other computers. In order to do that, they each need to speak both human and machine. Humans type "cnn.com," a domain, which the machine translates to its machine-readable, numeric equivalent, an IP address. This is a gross oversimplification of the Domain Name System, or DNS, but it gets us to the next step: your computer's hosts file.

A hosts file is a sort of cheat sheet that performs that domain name-to-IP address translation locally and takes precedence over DNS servers. Updates to the hosts file only govern the machine that the file is on, which is one of the reasons why it's not a popular protection. It's high maintenance. But for home users, who have only 1-3 computers to worry about, it's worth the hassle because it's effective (in my opinion, of course).

At the bottom of this post I've linked a text file that contains a long list of domain names preceded by the IP address 0.0.0.0. This means that the domain names will translate to 0.0.0.0 only, making the domain unreachable by any browser or application that uses the hosts file on that computer. Why does this matter? Because the way these malicious redirects work on the tech support popups is by silently telling your computer to go to these domains to launch the code that makes the popup happen (or look like a popup) in the first place. By editing your hosts file to make the domains unreachable, you stop the attack before it happens. All you need to do is copy and paste that list. I've pulled it together through multiple sources and vetted extensively. Is this absolutely all of the tech support scam domains? It's all the ones I know about as of this writing. It'll likely change but these have been around and active for a while. So, while no single update will ever protect you from everything (be wary of anything or anyone that tells you otherwise), it's a darned good start.

There are a couple of ways to edit your hosts file. The GUI method is a bit clunky. You open Finder, select Go from the menu bar, then Go To Folder to open a search window. Type /private/etc/hosts in the search window and a new Finder window opens with the hosts file highlighted. You need to drag the file out of this window and to your desktop in order to edit it. After you copy & paste the list below to the end of the file, you drag & drop the edited file to the Finder window for /private/etc to replace the old version with the updated version. You'll also need to flush the DNS cache of your computer.

A much easier method is the terminal. There's a text editor built into the operating system that's accessible by opening a terminal window and typing "sudo nano /private/etc/hosts" like this:

You should be asked for your password then you'll see the terminal window change as it drops you into the hosts file:


Now it's as easy as cut & paste:
1) Highlight the list linked below by pressing Command (the key next to the space bar) and the A key simultaneously. This keyboard shortcut means "highlight all content."
2) With the entire list highlighted, press Command and the C key simultaneously. This keyboard shortcut means "copy."
3) Go to the hosts file in your open terminal window, place the cursor below the last line in the file, and press Command and the V key simultaneously. This keyboard shortcut means "paste."

The hosts file will scroll as the update occurs. When it stops, press Control and the O keys simultaneously (that's the letter "O," not a zero) to save the update. You should now see something like this:


Press Control and the X keys simultaneously to save and exit the hosts file editor. Restart your browser and you're done.

While not absolutely necessary, it's still a good idea to flush the DNS cache, which means forcing your computer to forget about recent domain name-to-IP-address resolutions. There are several ways to do this, depending on which version of OS X you're using. A good resource to find the correct command for your flavor is brought to us by the good people at OpenDNS here.
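As an added example (not the author's script), this Python program makes the same hosts-file edit the terminal steps above describe, but repeatably: it validates each pasted name, writes the 0.0.0.0 entries into a marked block so re-running it replaces the old list instead of appending duplicates, and shows what the local resolver would now return. The sample list is constructed, the output path is an assumption, writing to /private/etc/hosts still needs sudo, and flushing the DNS cache remains the separate step described above.

```python
"""Merge a 0.0.0.0 sinkhole list into a hosts file, idempotently."""
import re
import sys

# Marker lines delimit the block this script manages, so re-running it
# replaces the previous list instead of appending a second copy. That
# turns the "high maintenance" part into a re-run, not a hand edit.
BEGIN = "# BEGIN scam-sinkhole list"
END = "# END scam-sinkhole list"
SINKHOLE = "0.0.0.0"

# RFC 1123 style hostname: labels of letters, digits and hyphens, 1-63
# characters each, not starting or ending with a hyphen, at least one dot.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^{LABEL}(?:\.{LABEL})+$")

# Constructed sample list (placeholder names under .test, not the author's list).
SAMPLE_LIST = """\
# constructed sample, not a real blocklist
0.0.0.0 support-alert.test
browser-lock.test            # a bare name is accepted too
127.0.0.1 FAKE-UPDATE.test.  # normalized: lower-cased, trailing dot removed
0.0.0.0 support-alert.test   # duplicate, dropped
bad_host!.test               # malformed, reported instead of written
"""


def parse_blocklist(text):
    """Return (hostnames, rejected) from a pasted list.

    Accepts bare names or lines already prefixed with 0.0.0.0 / 127.0.0.1.
    Comments and blank lines are skipped; malformed names are reported so
    a typo never ends up silently in the hosts file.
    """
    names, rejected, seen = [], [], set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] in (SINKHOLE, "127.0.0.1"):
            parts = parts[1:]
        for name in parts:
            name = name.lower().rstrip(".")
            if len(name) > 253 or not HOSTNAME_RE.match(name):
                rejected.append(name)
            elif name not in seen:
                seen.add(name)
                names.append(name)
    return names, rejected


def merge_hosts(hosts_text, names):
    """Return hosts_text with the managed block replaced by `names`."""
    lines = hosts_text.splitlines()
    if BEGIN in lines and END in lines:
        start, stop = lines.index(BEGIN), lines.index(END)
        lines = lines[:start] + lines[stop + 1:]
    # Drop trailing blank lines so the block follows the original content directly.
    while lines and not lines[-1].strip():
        lines.pop()
    block = [BEGIN] + [f"{SINKHOLE} {n}" for n in names] + [END]
    return "\n".join(lines + [""] + block) + "\n"


def resolve_locally(hosts_text, name):
    """Mimic the resolver's hosts-file lookup: first matching entry wins."""
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2 and name.lower() in (h.lower() for h in fields[1:]):
            return fields[0]
    return None


if __name__ == "__main__":
    # Usage: sudo python3 merge_hosts.py <blocklist.txt> [/private/etc/hosts]
    if len(sys.argv) < 2:
        sys.exit("usage: merge_hosts.py <blocklist.txt> [hosts-path]")
    list_path = sys.argv[1]
    hosts_path = sys.argv[2] if len(sys.argv) > 2 else "/private/etc/hosts"
    with open(list_path) as f:
        names, rejected = parse_blocklist(f.read())
    for bad in rejected:
        print(f"skipped malformed entry: {bad!r}", file=sys.stderr)
    with open(hosts_path) as f:
        merged = merge_hosts(f.read(), names)
    with open(hosts_path, "w") as f:
        f.write(merged)
    print(f"wrote {len(names)} sinkhole entries to {hosts_path}")
```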

Here's the hosts file update list. I've included adware and first-stage browser crash sites in addition to the tech support scam sites to round out your safer Internet experience.






Saturday, January 28, 2017

"Calexit" Backed By The Kremlin

FYI, anyone thinking that "Calexit" is a good idea should take a look at who's behind it: Russia.

Why? Divide and conquer foreign governments while increasing the scope and power of its own:
 http://yaleglobal.yale.edu/content/putin-anti-globalization-hero

Interesting to note that Russia celebrates every country dividing except its own - talk of secession is illegal there:

"Moscow supports pro-Russian separatists in eastern Ukraine, but criminalizes calls for separatism or increased regional autonomy at home."
[https://themoscowtimes.com/news/russian-anti-globalization-movement-to-unite-separatists-from-western-countries-49589]

yescalifornia[.]org, the website set up for the Calexit initiative, was registered by Louis Marinelli:
Domain Name: YESCALIFORNIA.ORG
Registrant Name: Louis Marinelli
Registrant Organization:
Registrant Street: 606 27th Street
Registrant City: San Diego
Registrant State/Province: California
Registrant Postal Code: 92102
Registrant Country: US
Registrant Phone: +1.6195812403
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: louisjmarinelli@gmail.com

Who's he? Read for yourself:
http://ww2.kqed.org/…/from-his-home-in-russia-calexit-lead…/

Moscow hosted & funded anti-globalizationists from around the world in July 2016:
http://thediplomat.com/…/us-and-eu-separatist-groups-to-ga…/

http://www.businessinsider.com/yes-california-moscow-embass…

California’s “embassy” is the headquarters of Russia’s Anti-Globalization Movement:
http://anti-global.ru/?p=19183&lang=en

Google dork (search term) to see just how Marinelli is portrayed in Russian propaganda:
site:rt.com louis marinelli

Sunday, January 22, 2017

Attribution for Beginners

How do intelligence analysts know <nation-state/threat-actor> is behind malicious activity?

The simple answer is that criminals are human. Humans are creatures of habit. Humans follow certain constructs of behavior native to their geographic regions. Humans make mistakes. In intelligence terms, these human foibles translate to "tools, techniques and procedures," or TTPs.

This isn't the most illuminating answer to anyone new to threat research and adversary hunting. So in this blog, I'll go over a very basic example. I won't show a bad guy, real or based on a real adversary, for a number of reasons. First and foremost, the minute an adversary's TTPs are made public they change them up. This can set active investigations and legal cases back months. Instead, for illustrative purposes, I'll use the country's (reportedly) new cyber security czar's already-public website, Giuliani Security and Safety.

Attributing activity is similar to reconnaissance, the first step in the cyber kill chain. The only difference is that the analyst is backing into the information using artifacts collected in the initial stages of investigation. The first artifacts typically researched are the source activity's IP addresses and domain names. Let's say we found giulianisecurity.com in our logs. First, we look for the IP addresses associated with the domain:

Digging into the background on these IPs reveals that they were/are dedicated to giulianisecurity.com/www.giulianisecurity.com. Because they're dedicated, as opposed to residing on shared hosts with other domains, these IPs are interesting. We'll note these as solid leads on enumerating the infrastructure behind the domain. What we would do from here in a real investigation is use tools like Shodan, Censys, Nmap and others to identify what's on the IPs - software, versions, exposed services and ports, known vulnerabilities of software/versions and services, etc. For the sake of brevity and because this is not a real attacker/investigation, I'll skip that part here. Interested readers can find this information easily.

Let's move on to see what we can learn about the domain. One of the key factors is learning who registered the domain. There are multiple ways to do this. I'll use a graphical example:



There's a lot of information here. Interested folks can look up the RFC on DNS here. Meanwhile, let's focus our attention on the registrant details:



Who's Data Docket? Might be a website or IT company but it's best not to speculate. We let the data speak. As of this writing, the search term "Data Docket" fails to yield the domain name in the Registrant Email address in the first page of Google results. That means "datadocket.com" is buried in the nether regions of the results which means it's got low traffic numbers. Sounds oddly small potatoes for such a high profile customer.

Let's try the email address. The search results for that look more promising. Here's the top hit:


So who's David Haenel? All results, and I mean ALL, relate to a lawyer in Florida. Just to be sure, I tried searches on his name plus every keyword I could think of that could turn up a web designer or host ("web," "website," "developer," "web host," "technology," etc.). The only results that came up, time after time, were related to David Haenel, Esq. He has the corner on the Internet search results. So here he is:


Now we start to ask questions. Why is a lawyer registering the domain of a cyber security company? What's his relationship to the source domain? Sure, Rudy Giuliani was a lawyer but if you're going to outsource technology-based responsibilities, wouldn't a technology company be more appropriate? Which makes this deviation from the norm seem deliberate. Or does it? Let's see what LinkedIn has to say about Mr. Haenel.



That third entry is interesting. A simple search for "Scorch SEM" gives us the domain name scorchsem.com, no surprises there. A visit as of this writing showed a parked page (placeholder). Seems unusual for a 13-year-old company. So we take a look through the Wayback Machine and find this, circa 2013:


Note the contact email, "David@ScorchSEM.com." Interesting but inconclusive. David is a pretty common name. Until we turn our attention to the bottom of the page:


Copyright by Finebloom & Haenel. Where have we seen those names before? On the header of the pages for Finebloom Haenel & Higgins, as seen above. Seems like the same guy. Going back to the search results on the name "David Haenel" it's starting to make sense - Scorch and info@datadocket.com both tout SEO, search engine optimization. Mr. Haenel is clearly good at SEO given that he's managed to corner the search market on his name.

By the way, there's a reason I chose a lookback at 2013. It's the year giulianisecurity.com went live. They secured the domain name in 2004, added the first IP host in 2009, and parked the domain until Feb 2013.

From here, we would look for intersections between the lives of Haenel and Giuliani to see what, or who, brought them together. We would build relationship maps based on those intersections, the infrastructures, and end up with the story of who's who and why.
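The registrant pivot walked through above, as an added example (not the author's tooling): it parses WHOIS-style "Key: value" records and reports which values, registrant email, name or nameserver, connect two or more domains, the raw material for the relationship map. Every record, name, email and domain below is a constructed placeholder.

```python
"""Pivot WHOIS-style records to find domains linked by shared registrant data."""
from collections import defaultdict

# Constructed records in the "Key: value" layout registrars return.
# All values are placeholders under .test, not real registrations.
RAW_RECORDS = [
    """Domain Name: SOURCE-DOMAIN.TEST
Creation Date: 2004-06-01T00:00:00Z
Registrant Name: Web Vendor Placeholder
Registrant Organization:
Registrant Email: webmaster@vendor-placeholder.test
Name Server: NS1.HOSTER-PLACEHOLDER.TEST
Name Server: NS2.HOSTER-PLACEHOLDER.TEST
""",
    """Domain Name: SIDE-BUSINESS.TEST
Creation Date: 2003-02-10T00:00:00Z
Registrant Name: Web Vendor Placeholder
Registrant Organization: Scorch Placeholder LLC
Registrant Email: webmaster@vendor-placeholder.test
Name Server: NS1.OTHERHOST-PLACEHOLDER.TEST
""",
    """Domain Name: UNRELATED.TEST
Creation Date: 2015-09-30T00:00:00Z
Registrant Name: Someone Else
Registrant Email: owner@unrelated.test
Name Server: NS1.HOSTER-PLACEHOLDER.TEST
""",
]

# Fields worth pivoting on. A shared nameserver is a weak link (shared
# hosting is common); a shared registrant email or phone is a strong one.
PIVOT_FIELDS = ("Registrant Email", "Registrant Name", "Registrant Organization",
                "Registrant Phone", "Name Server")
CASE_INSENSITIVE = ("Registrant Email", "Name Server")


def parse_whois(text):
    """Parse 'Key: value' lines into {key: [values]}.

    Repeated keys (Name Server) are kept as lists; empty values such as a
    blank Registrant Organization are dropped rather than stored as ''.
    """
    rec = defaultdict(list)
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if value:
            rec[key].append(value.lower() if key in CASE_INSENSITIVE else value)
    return dict(rec)


def pivot(records, field):
    """Map each value of `field` to the set of domains carrying it."""
    links = defaultdict(set)
    for rec in records:
        for domain in rec.get("Domain Name", []):
            for value in rec.get(field, []):
                links[value].add(domain.lower())
    return links


def shared_links(records, fields=PIVOT_FIELDS):
    """Only values seen on two or more domains are leads: {field: {value: domains}}."""
    out = {}
    for field in fields:
        hits = {v: sorted(d) for v, d in pivot(records, field).items() if len(d) > 1}
        if hits:
            out[field] = hits
    return out


def related(records, seed_domain, fields=PIVOT_FIELDS):
    """One-hop relationship map: (field, value, other_domain) edges from the seed."""
    seed = seed_domain.lower()
    edges = set()
    for field in fields:
        for value, domains in pivot(records, field).items():
            if seed in domains:
                for other in domains - {seed}:
                    edges.add((field, value, other))
    return sorted(edges)


if __name__ == "__main__":
    records = [parse_whois(r) for r in RAW_RECORDS]
    for field, value, other in related(records, "source-domain.test"):
        print(f"{field:24} {value:40} -> {other}")
```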

This (extremely brief) exercise has been based on what's called "OSINT," or open source intelligence. In other words, putting pieces together using publicly available information. Had this been a real investigation, we would have had non-public information to help us uncover the facts, such as logs from systems touched and traversed. If malware was involved we would have samples and/or artifacts like configuration files, supporting scripts, command and control infrastructures, and such.

Similar to a physical crime scene, all bits of data in and around the scene of a cyber crime are sifted for breadcrumbs that can lead to identifying the true source of malicious activity. Even when the bad guys try to trip up investigators to throw them off track, the specific tactics they use for disinformation are also fingerprints once you know how and where to look.