A Behind-The-Scenes Look At How Researchers Investigate Government-Backed Malvertising

Nation states exploit programmatic ad tech to attack rival countries. The prevalence of malvertising – the practice of serving ads infected with malware – is both a fact and a growing problem.

The challenge is proving it.

Researchers are often forced to rely on circumstantial evidence to demonstrate that a nation state is behind a malvertising campaign, which can be used to destabilize an enemy’s infrastructure, sow discord during an election or a time of war and serve as a conduit for corporate sabotage.

And malvertising is on the rise.

According to the Trustworthy Accountability Group (TAG), economic uncertainty and the recent slowdown in ad spend have opened the door for malvertisers to purchase more inventory at lower prices. At the same time, hackers are becoming more familiar with programmatic infrastructure, and generative AI will only accelerate the threat of ad-served malware attacks.

Fortunately, though, researchers are getting more proficient at identifying these scams, and their reports often point the finger at state actors.

But how exactly do watchdogs prove that a nation state is supporting malvertising?

Building a profile

Earlier this year, digital safety company The Media Trust and ad platform Admixer released findings about an uptick in malvertising activity targeted at users in Ukraine that coincided with Russia’s invasion.

Russia has a reputation in the cybersecurity industry as a hotbed of malvertising activity, so it’s logical to assume that it’s responsible for at least some of the many ad scams targeting Ukrainians over the past two years.

(To be fair, researchers have also observed malicious ads of Ukrainian origin targeting Russians since the war began in 2022.)

Beyond the timing of this increased activity, Admixer noticed a preponderance of .ru domains and Russian IP addresses associated with entities serving malware-infected ads on its network, said Yaroslav Kholod, Admixer’s director of programmatic operations.

But although these are all useful signals for cybersecurity researchers, said Mike Lyden, VP of threat intelligence at TAG, they don’t definitively prove that the suspicious activity is government-backed.

Which is why it’s important for researchers to work together.

Watchdogs look for commonalities between their own research and findings from other firms, Lyden said, and compare publicly shared evidence of network infiltrations. This allows them to build more detailed profiles of observed malvertising activity and get a better picture of the scope of these intrusions and the entities that are likely responsible.

For example, firms create task forces to investigate specific “advanced persistent threats,” which is how cybersecurity researchers typically refer to bad actors, including those suspected of having government support. When these groups find evidence that a network has been infiltrated by an “advanced persistent threat,” they share that information with others in the research community.

Malware modus operandi

Researchers also run forensic analyses to stitch together a pattern of behavior and trace it back to its origin, including inspecting the infected ad creative, the landing pages that users were redirected to and any infected software they were prompted to download.

Often, the malicious software itself provides a fingerprint within its code that leads back to a specific threat actor.

“Coders get sloppy,” Lyden said. They might leave code that reflects the time zone where the software was programmed, for instance, or there could be tells that point back to the developer’s mother tongue or country of origin.

A malicious landing page’s IP address can point to the DNS server associated with that page. Because DNS servers match domain names with their corresponding IP addresses, discovering a server used to manage an infected landing page can lead researchers to discover more infected IP addresses within the same server, said Tal Leibovich, VP of security and data at ad quality solutions provider GeoEdge.

Researchers can also reverse-engineer the data transfer path between an infected landing page and the command-and-control server a scammer is using to store data stolen by malware, Leibovich said.

There are several redirect hops that might occur between when a user clicks on an ad and when they arrive on the final landing page. Because this redirection infrastructure can be expensive to set up and maintain, bad actors often recycle the domains across numerous campaigns, Leibovich said.

If related scams trace back to IP addresses and servers associated with a specific country, researchers can determine with reasonable confidence that the bad actors are based there.
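A constructed illustration of the infrastructure-reuse reasoning described above (an added example, not code from the article or from any of the firms quoted): index the redirect hops recorded for several campaigns, find the hops recycled across campaigns, group the campaigns those hops link together, and tally the top-level domains of the shared infrastructure. All campaign names and domains are hypothetical placeholders.

```python
from collections import defaultdict

# Constructed sample: redirect hops followed from the ad click to the final
# landing page for several campaigns. Placeholder domains, not real indicators.
CAMPAIGNS = {
    "campaign-A": ["click.example-ads.net", "track-hop.example.ru", "payload.example.ru"],
    "campaign-B": ["cdn.example-promo.com", "track-hop.example.ru", "offer.example.ru"],
    "campaign-C": ["ads.example-media.org", "gate.example.su", "offer.example.ru"],
    "campaign-D": ["click.example-other.com", "landing.example.de"],
}


def shared_hops(campaigns):
    """Map each hop domain to the campaigns using it; keep those seen in 2+ campaigns."""
    index = defaultdict(set)
    for name, chain in campaigns.items():
        for domain in chain:
            index[domain].add(name)
    return {d: sorted(c) for d, c in index.items() if len(c) > 1}


def cluster_campaigns(campaigns):
    """Group campaigns linked, directly or transitively, by a recycled hop (union-find)."""
    parent = {name: name for name in campaigns}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for linked in shared_hops(campaigns).values():
        root = find(linked[0])
        for other in linked[1:]:
            parent[find(other)] = root
    groups = defaultdict(list)
    for name in campaigns:
        groups[find(name)].append(name)
    return sorted(sorted(g) for g in groups.values())


def tld_tally(campaigns):
    """Count top-level domains of the recycled hops only; one-off hops carry little signal."""
    tally = defaultdict(int)
    for domain in shared_hops(campaigns):
        tally[domain.rsplit(".", 1)[-1]] += 1
    return dict(tally)


if __name__ == "__main__":
    print(shared_hops(CAMPAIGNS))
    print(cluster_campaigns(CAMPAIGNS))
    print(tld_tally(CAMPAIGNS))
```

Campaign D shares no hop with the others and stays in its own cluster, which is the expected outcome for an unrelated actor who happens to use the same ad network.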

The point of the scam

But how do researchers make the leap that malicious activity is being supported by that country’s government? A lot depends on the purpose of the scam and the audience it targets.

If malvertisers seem to be targeting government employees or sensitive national security infrastructure, odds are they aren’t run-of-the-mill criminals, Lyden said.

But even scams targeting everyday citizens could be government-backed.

For example, Russia and Ukraine are heavily associated with ransomware attacks against financial institutions and corporate entities, said Jérôme Segura, senior director of threat intelligence at anti-malware software provider Malwarebytes. Meanwhile, threat actors in India are known for targeting older users in Western countries by serving malicious ads on recipe sites or in solitaire games.

Although many such scams have been uncovered, the fact that these scammers continue to use the same tactics without major intervention on the part of their home countries suggests potential government complicity, if not outright support.

It’s also a red flag when governments are selective about how they crack down on bad actors. For example, they might be quick to stifle a malvertising attack on home soil but turn a blind eye to bad behavior against targets abroad.

“We’ve seen Russian criminals develop malware to target Russian banks, and these guys didn’t last very long,” Segura said. “But if you’re targeting American banks or European banks, that’s not a problem.”

Some scams are also too sophisticated for most criminal enterprises to carry out without some kind of government support, Segura said. He pointed to the recently patched zero-day vulnerability in Google Chrome as an example.

Although the scammers that exploited this vulnerability could have sold their methods for millions of dollars on the black market, Segura said, the fact that they didn’t suggests they were being bankrolled by benefactors with deep pockets, which could point to government involvement.

There is also speculation that governments knowingly allow their cybersecurity employees to conduct scams on the side to prevent talent from being poached by hacker groups.

But although these observations are convincing, especially when taken altogether, they’re not conclusive.

Ultimately, researchers generally can’t prove definitively whether a nation state is behind a malvertising attack. They can only offer estimates of probability, Lyden said.

And the complexity of the advertising supply chain makes it easy for criminals to spread their activity across multiple jurisdictions, which makes it harder to prosecute, Lyden said.

But collaboration and transparency among cybersecurity firms, ad tech companies, Big Tech platforms and government agencies can at least make it easier to quickly identify scams and hold those responsible accountable.

“Stopping malvertising is really hard from a law enforcement standpoint,” Lyden said. “Doing so requires the industry to come together and self-regulate.”