On 04/10/2018 22:00, Naslund, Steve wrote:
> The other thing I am highly skeptical of is the suggestion of attempting to tap sensitive intel agency systems this way.  Talking to a C&C server is suicide from within their network.  How long do you think it would take them to detect a reach out to the Internet from inside?  How are you going to get the data from the outside back into their network?  You still have to defeat their firewalls to do it.  If this was targeted to specialized video processing server then would it not be unusual for them to be talking to some random IP address on the Internet?

If I understand the article correctly, all the 'infected' systems were built for outsourced service providers so not intended directly for the most sensitive of systems. Still, I agree that network activity is inevitably going to be seen in any modern competent network. In fact, the article states that odd network traffic is how Apple found out about the implants.

I have observed that a common trait in technically complex stories like this is that we are not seeing the whole story. Key facts that cause everything to make sense to technical readers are often left out, either because those who have the information cannot release it (for safety or security reasons) or because it's perceived as too complex for the readership to understand. Sometimes these issues even result in deliberate inaccuracies being introduced.

To put it another way: Considering that, if true, these were carefully targeted attacks it is possible that there were other ways to exfiltrate the target data that have been glossed over.

That said, even in highly complex or high cost plans, people sometimes make basic errors. Misplaced decimal places, wrong units, etc. Perhaps relying on network access was another basic error.

-- 
Mark Rousell
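The detection point both posters make, that a single-purpose server reaching out to an unexpected public address stands out in a competently monitored network, can be shown as a small egress-policy check over flow records. The following is an added illustration and is not code from either poster or from any vendor mentioned in the thread; the host names, role-to-allowed-network policy, and NetFlow-like log lines are all constructed for the example.

```python
"""Flag outbound flows from internal servers to public destinations their role is not expected to contact.

Added example with constructed data; the policy, hosts and addresses are hypothetical.
"""
import ipaddress
from collections import defaultdict

# Internal address space is listed explicitly rather than via ipaddress's
# is_private, because Python also treats the RFC 5737 documentation ranges
# (198.51.100.0/24, 203.0.113.0/24) used in the sample below as "private".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
)]

# Hypothetical egress policy: per server role, which public networks that
# role is expected to talk to (e.g. a vendor update mirror). Anything else
# on the public Internet is an anomaly for that role.
EGRESS_POLICY = {
    "video-processing": {ipaddress.ip_network("203.0.113.0/24")},
    "mail-relay": {ipaddress.ip_network("0.0.0.0/0")},  # a relay legitimately talks to anyone
}

# Constructed host inventory and constructed flow records in the form
# "<epoch> <src_host> <src_ip> <dst_ip> <dst_port> <bytes_out>".
HOST_ROLES = {"vid-01": "video-processing", "vid-02": "video-processing", "mx-01": "mail-relay"}
SAMPLE_FLOWS = """\
1538683200 vid-01 10.1.2.10 10.1.2.50 445 1200
1538683201 vid-01 10.1.2.10 203.0.113.7 443 88000
1538683202 vid-01 10.1.2.10 198.51.100.23 443 512
1538683203 vid-02 10.1.2.11 198.51.100.23 443 480
1538683204 vid-02 10.1.2.11 192.168.5.9 22 3000
1538683205 mx-01 10.1.3.5 198.51.100.77 25 40000
"""


def parse_flows(text):
    """Parse the simple whitespace-separated flow format into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, src, dst, port, nbytes = line.split()
        flows.append({
            "ts": int(ts), "host": host,
            "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "port": int(port), "bytes": int(nbytes),
        })
    return flows


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def unexpected_egress(flows, roles, policy):
    """Return flows that leave the internal network toward a destination
    the source host's role is not allowed to contact."""
    alerts = []
    for f in flows:
        if is_internal(f["dst"]):
            continue  # east-west traffic is out of scope for this check
        allowed = policy.get(roles.get(f["host"]), set())
        if not any(f["dst"] in net for net in allowed):
            alerts.append(f)
    return alerts


def hosts_by_destination(alerts):
    """Group flagged destinations by the hosts reaching them: one public
    address contacted by several servers of the same role deserves a look."""
    by_dst = defaultdict(set)
    for a in alerts:
        by_dst[str(a["dst"])].add(a["host"])
    return dict(by_dst)


if __name__ == "__main__":
    found = unexpected_egress(parse_flows(SAMPLE_FLOWS), HOST_ROLES, EGRESS_POLICY)
    for a in found:
        print(f"{a['ts']} {a['host']} -> {a['dst']}:{a['port']} ({a['bytes']} bytes) not in egress policy")
    print(hosts_by_destination(found))
```

In this constructed data the two video-processing hosts both contact 198.51.100.23, which is outside their role's allowed networks, while the mail relay's external traffic and the video hosts' traffic to the permitted 203.0.113.0/24 pass. A real deployment would feed NetFlow/IPFIX or firewall logs into the same shape and maintain the role policy from the asset inventory.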