The same tools and techniques that make targeted attacks now cheaper and easier are also revealing the identities of those behind them.
The recent Hangover operation documented by Norman ASA saw malware writers using the same customised malware for each sting, the same infrastructure for wildly different attack targets, and the same modus operandi for the maintenance of this infrastructure.
The process was highly commoditised with malware creation doled out in neat monthly tasks, manpower acquired from legitimate freelance employment services, and attack infrastructure made possible to track because arrays of attack computers were configured identically.
Offensive operations do not require a lot of resources which gives credence to the idea that malware-assisted surveillance was a natural part of ongoing conflicts.
Such a notion was abundantly illustrated in the Middle East, where espionage against various parties during the Arab Spring uprisings was well-documented.
Less known were the trojan attacks directed at FARC sympathisers in Colombia, or the recent disclosures of monitoring of Ethiopian and Angolan dissidents.
However offensive action in this realm is not without liability. Security professionals were constantly looking for targeted attack malware and would document and map these once found.
It's not personal. People like me are paid to combat malware, and the motives of the malicious creator aren't evident.
Whether driven by good or bad, right or wrong, if you make malware, you and I are adversaries.
That means that if you represent a state or any other entity for that matter, and are sponsoring the malware-based monitoring of your enemies, you must assume that information about your actions will become public.
For some, this might not be a problem, but for others it could mean no end of trouble.
The same rule applies in this realm as in other more conventional covert operations: Don't get caught. The risk of getting nabbed is reduced by following rules that are simple, but expensive: Hire skilled professionals, vary your methods and keep a keen eye on operational security. This is why cyber operations may not turn out to be so cheap and easy after all.
The Hangover operation should be a cautionary tale. It appears to have been a case of someone trying to get a lot for a little, because the attackers were not skilled. They had some sophisticated elements, but only a few.
At the time of writing, we don't know who the real clients in the Hangover case were. We speculate that there were several. If so, their various operations were mixed together in an unsightly hairball of attacks. When one was uncovered, the rest unraveled too.
