By Emilio Iasiello, LookingGlass Cyber Threat Intelligence Group (CTIG)
It has become almost systemic for people to immediately ask, “Who did it?” when a major breach occurs in the public or private sectors. Understandably, the victimized have a keen interest in identifying their faceless attackers, especially when they have been publicly exposed. There is also a competitive aspect, as the first person to make attribution can add credibility to his or her name. However, while providing information for public consumption is important, it’s equally important to provide accurate information.
In the cyber security industry, a commonly heard mantra is that attribution in cyberspace is difficult. Cyber security experts and organizations, and even some government officials, have emphasized this point. If most agree that attribution is difficult and time consuming, why is there invariably a need to immediately attribute hostile activity, when that attribution may end up being incorrect and misleading?
This is perplexing especially when one considers that some state actors are considered to be sophisticated and stealthy, yet once their operations are exposed, attribution appears relatively easy to assign. This contradicts the general premise of the attribution challenges that cyberspace presents and discounts the anonymization and obfuscation techniques employed by savvy actors to avoid those very identification efforts. Furthermore, reliance on technical evidence as indicators of attribution may become less important as actors may alter timestamps, use different keyboard languages, and change compile times to point blame in a different direction.
Three highly public cyber incidents have involved a rush to judgment over the identity of the perpetrators that may ultimately prove incorrect. In one incident, a state actor is strongly suspected of being the perpetrator; in another, later evidence suggested that the original suspects may not have conducted the activity; and in the last, the high-confidence accusation of a state government’s involvement in destructive activity was met with considerable criticism and doubt by the larger computer security industry.
- Office of Personnel Management (OPM): In June 2015, OPM announced that it had been breached and potentially exposed four million federal employee records to suspected nation state-affiliated hackers. State actors, or actors working on behalf of the state, were believed to have carried out this attack because, in addition to technical indicators and “unique” malware, the perceived stolen material was not found to be monetized on underground hacking forums. However, according to one source, 23,000 government e-mails from different agencies were found on an underground hacking forum two days later. While it can’t be concluded that these e-mails were harvested from the OPM breach, the finding certainly warranted further investigation that didn’t appear to occur. Rather, it was quickly concluded that the motivation for this attack was the compilation of information to be used for future espionage campaigns, or the creation of a database of all U.S. federal employees by the state actor in question. It appears little consideration was given to any other possible scenario. A June 2015 report further intimated that state actors were behind the attack, although it cited two possible groups – both suspected state hackers – as the perpetrators, a fact that only additional time and investigation would have helped to determine. In the end, Beijing arrested the actors in question, claiming that the activity was a criminal matter. Given the confluence of cyber crime and the fact that cyber espionage activities are occurring more regularly, who’s to say that more espionage groups aren’t going to engage in similar moonlighting efforts?
- France’s TV5 Monde: In April 2015, France’s TV5 Monde was breached, shutting down transmissions and inserting pro-jihadist messages on its social media accounts. At the time, officials from the Islamic State of Iraq and Syria (ISIS) claimed responsibility for the attack. However, after further investigation, French security investigators suspected that a Russian hacking group was responsible (the website was hacked and replaced with a pro-“Cyber Caliphate” message). The investigation is still ongoing, indicating that even the most seemingly mundane attacks can have more complex machinations behind them. The “easy” answer may not prove easy at all.
- Sony Incident: In 2014, Sony Pictures Entertainment was infiltrated by suspected North Korean hackers in protest of the release of a film. In addition to stealing confidential documents and intellectual property, the attackers may have also destroyed corporate data. The North Korean government was quickly implicated in the hack, a position that the U.S. government did not waver from despite numerous criticisms from cyber security experts and companies. While North Korea may have been behind that attack, the fact that there appears to have been little consideration of other alternatives is deeply disconcerting, particularly in a domain that traditionally favors attackers’ abilities to obfuscate their locations and implement deception techniques.
It should be noted that cyber attribution, while difficult, is not impossible. Based on the amount of time and effort it takes to gain fidelity into what transpired in a breach, particularly those conducted by sophisticated actors, attributing blame shouldn’t be a “quick” process. This is especially true where suspected government involvement is concerned. It would be unwise to settle on a course of action before concretely knowing who is behind an attack, as implications can extend far beyond the cyber realm into economic and diplomatic consequences.
The United States government quickly levied economic sanctions against North Korea for its perceived implication in the Sony hack, but has trod much more judiciously in assigning the same culpability to China, even though it indicted five members of the People’s Liberation Army for hacking. Potential consequences against states should be evaluated on a case-by-case basis, regardless of convincing attribution evidence.
There is little advantage to be gained by hurrying to call out particular governments or their agents as the orchestrators of hostile cyber activity, particularly since such a claim is subject to change as more information comes to light and is analyzed. One cyber security company received much criticism for a report in which it intimated that a nation state was behind a slew of attacks, a claim that it had to back away from later.
While attribution is important in assigning responsibility for an attack, it may detract from the most important next step for a breached organization – mitigating the damage caused, patching up security “holes,” and ensuring that business operations continue promptly and securely. There will be time later to determine who was behind the attack, or at least to determine it as well as can be expected given the tools and information on hand.