Who the hæck?Attribution in cybersecurity
While we are getting used to hearing news on a daily basis about hacking attacks, much less do we read details on who is responsible. The reason is clear: In cyberspace, there are many ways to cover one’s tracks or even lay a false trail. In other words, “attribution” – tying a responsible group or country to an attack – is difficult.
Importance of Attribution
The lack of attribution is problematic for several reasons:
- If cybercrimes are not punished, criminals will only be encouraged to attack more frequently and more often.
- IT security is always a question of cost-benefit. If victims know who in particular is targeting them and for what reasons, they can focus their investments in a much more targeted way, i.e. improving the cost-benefit ratio.
- Cyberattacks by nation states can be considered an act of war:
“[…] any American president could consider a variety of responses — economic sanctions, retaliatory cyberattacks or a military strike — if critical American computer systems were ever attacked.”(Sanger & Bumiller, 2011)
However, if you do not have proper attribution – if you do not know who is responsible for an attack – you cannot properly prepare and respond.
In 2016, the group “The Shadow Brokers” hacked the NSA’s own hacking department “Tailored Access Operations” and subsequently leaked top-secret information, hacking tools and extremely dangerous secret zero-day exploits. In the aftermath, Vice President Joe Biden stated:
“We’re sending a message. […] It will be at the time of our choosing; and under the circumstances that have the greatest impact.”(Biden, 2016)
The problem is just: How can you be sure that you are retaliating against the real culprit? And how do companies and nations proceed to have a “bullet-proof” attribution? After all, while the US accused Russia of the attacks, neither Russia, nor the Shadow Brokers ever confirmed this. The Washington post explained in a series of articles that indeed it might make sense for nation states to reveal their identity after an attack:
“[…] claiming credit afterward can send powerful signals about one’s overall capabilities to potential adversaries, ultimately enhancing the credibility of future deterrent threats.”(Sanger & Bumiller, 2011)
Nevertheless, at least what is visible to the public, most attacks remain without a “claim for credit”.
In contrary, countries might have an interest to secretly sabotage others without having to fear retaliation – as the USA and Israel tried with their Stuxnet operations against the Iranian nuclear program. Countries attacking NATO members will also have an incentive to not reveal their identity as they might otherwise be treated according to NATO article 5: If any member is attacked, NATO is responding as a whole in what they call “collective defence”.
However, if it is not clear who was behind an attack – as is mostly the case for cyberattacks – such response will be hard to justify. An example is given in Andy Greenberg’s book “Sandworm”, where he describes a (supposedly Russian) cyberattack against NATO member Estonia:
“Putin, it seemed, had tested a new method to bloody the nose of a NATO country with plausible deniability, using tools that were virtually impossible to trace to the Kremlin. And he’d correctly judged the lack of political will to defend NATO’s eastern European members from an innovative new form of mass sabotage.”(Greenberg, 2019, p. 87)
The problem with attribution at a national level of course is also that many countries proactively launch cyberattacks by themselves. It is hard to blame others for what you are doing, too:
“Of all the nations that have a cyberwarfare program, however, the United States and Israel are the only ones known to have unleashed a destructive cyberweapon against another sovereign nation—a nation with whom it was not at war. In doing so, it lost the moral high ground from which to criticize other nations for doing the same and set a dangerous precedent for legitimizing the use of digital attacks to further political or national security goals.”(Zetter, 2014, pp. 403–404)
As the aforementioned Shadow Brokers breach showed, the NSA itself is withholding known vulnerabilities to use them for their own attacks instead of responsibly disclosing them to the programmers. One of the leaked zero-day exploits was EternalBlue, later on used in two of the most devastating and costly malware programs ever developed: WannaCry and NotPetya.
Examples of successful Attribution
So, I think it became clear that attribution in cybersecurity is hard, but very important for legal, technical, economic and political reasons. Therefore, both, national secret services and private companies engage in attribution efforts. In some cases, the level of detail revealed in these activities can be impressive, as shown in the Mandiant (now FireEye) report on state-sponsored Chinese espionage performed by APT1:
“APT1 is believed to be the 2nd Bureau of the People’s Liberation army (PLA) General staff Department’s (GSD) 3rd Department (总参三部二局), which is most commonly known by its Military unit Cover Designator (MUCD) as unit 61398 (61398部队).
»Unit 61398 is partially situated on Datong Road (大同路) in Gaoqiaozhen (高桥镇), which is located in the Pudong New Area (浦东新区) of Shanghai (上海). The central building in this compound is a 130,663 square foot facility that is 12 stories high and was built in early 2007″(Mandiant, 2013, p. 3)
“The sheer scale and duration of sustained attacks against such a wide set of industries from a singularly identified group based in China leaves little doubt about the organization behind APT1. We believe the totality of the evidence we provide in this document bolsters the claim that APT1 is Unit 61398.”(Mandiant, 2013, p. 6)
Since attribution is never a “100% sure” thing, it is common to formulate alternative hypotheses. In the case of the Mandiant report however it becomes clear that it is after all 99.9% certain that APT1 is identical to the Chinese government’s hacking department “Unit 61398”, as the almost ironical report’s alternative hypothesis shows:
“However, we admit there is one other unlikely possibility:
A secret, resourced organization full of mainland Chinese speakers with direct access to Shanghai-based telecommunications infrastructure is engaged in a multi-year, enterprise scale computer espionage campaign right outside of Unit 61398’s gates, performing tasks similar to Unit 61398’s known mission.”(Mandiant, 2013, p. 6)
Such attributions usually do not stand up in court, but they can result in sanctions against individual hackers or whole states and therewith act as a deterrent against follow-up attacks.
Update 17th of September 2020: Coincidentally, the day I wrote this post, the United States Department of Justice published a notice, informing that it had found guilty and had passed sentences on two Malaysian and five Chinese hackers (allegedly members of APT41). The latter remained fugitive.
How Attribution is performed
In the case of the aforementioned Mandiant report, many mistakes on behalf of the hackers helped to draw conclusions:
- Same email address used for exfiltration activity and domain registration; that address was identical with one previously used in an online forum where it is linked with a real name.
- The mobile phone number used to register the Google mail account was a number from Shanghai (where also the Chinese cyber unit 61389 is located).
- The infrastructure (computers etc.) used for attacks was also used for other activities such as registrations in online forums.
These and several more “flaws” helped Mandiant to assemble an impressive and conclusive report. While the sophistication of attackers has meanwhile grown considerably, the general steps to perform attribution remain the same. I can highly recommend Timo Steffens’ book “Attribution of Advanced Persistent Threats: How to identify the actors behind cyber-espionage” for more details. The following summary is also based on insights taken from the German version of that book.
4 Layers of Attribution
Steffens distinguishes four different layers of attribution:
- Link artifacts with group: This least difficult layer can be performed by private companies. Since artifacts like IoCs (indicators of compromise) such as IP addresses and TTPs (Tactics, Techniques, and Procedures) can be directly observed by the defender, they can be combined to a so-called intrusion set. They can then be checked against threat intelligence feeds to see if they same attributes were already observed in other attacks and are already linked with a certain group. If IoCs and TTPs are relatively consistent over time, it can be assumed that the threat actors across these attacks are identical. Some of the most well-known groups are assigned names by security research firms. In contrast to software vulnerabilities which are globally identifiable with a unique CVE number, names for hacker groups vary across different companies. This means that the very same threat actor can be referred to using many different names, depending on which company is talking about them.
- Link group with country: This level of attribution is already much more difficult to perform and usually not done by victim companies themselves, but by secret services and private security firms. A single attack will most likely not be enough to identify the country where the group is located, but small mistakes and recurring patterns across attacks (e.g. selection of victims) will need to be analyzed.
- Link group with sponsor: Another level of attribution aims to understand if an attacking group is sponsored by simply criminal intent or at a larger state-sponsored scale. For this, analysts try to understand if the primary aim is to make money (e.g. distributing a banking trojan via untargeted phishing attacks) or if the attack is performed in such a way that information is targeted that would be valuable to another state (e.g. watering hole attacks against semiconductor conference website targeting local producers)
- Link sponsor to organization and/or individuals: This highest level of attribution is only achieved in rare cases, but it is possible, as the Mandiant report above on APT1 shows. In that case, several Chinese officers were found guilty by US American courts.
6 Steps of Attribution
Independent of the layer of attribution that is pursued, Steffens describes the general steps as follows:
- Collect data: Even without attribution, vendors of antivirus software have an interest of finding new threats to keep their customers protected. The difficulty is to spot, understand and respond to the relatively few highly targeted malware programs launched by persistent groups amidst the sheer number of run-of-the-mill malicious software that is produced every day.
- Clustering: This step refers to the grouping of IoCs and TTPs as explained above in layer one. Different malware programs that might appear independent at first sight, could turn out to be from the same author, for example because they use the same command-and-control servers for their operations. Other similarities across different attacks might be a common industry of selected victims, identical passwords to encrypt data, same time-zone or keyboard settings in compiled software – although all of the latter points can be easily faked and therefore be a red herring. Identified clusters are then potential candidates to be added to an intrusion set.
- Identify country of origin: This step refers to what is described above in layer two. Often, attackers use own or hijacked servers located in other countries than their own. Nevertheless, an assumed agenda of the attackers might be linkable to a countries national agenda – for example China’s Five-Year Plan. Also, if analysts manage to intercept C&C traffic, they might be able to trace it back to its real origin, or at least to detect possible telltales such as language settings.
- Likelihood of state-sponsored attack: This step refers to layer three above. If tactics and techniques of the attackers seem to be aiming at “easy money”, the involvement of an intelligence service as sponsor is less likely than if the attack is highly sophisticated, targeting for example a company’s critical infrastructure or fundamental intellectual property.
- Linkage with organizations and persons: This step refers to layer four above. As explained, attribution at this level of granularity is seldom, but it does happen. While many hackers will never actually end up in court – either due to the lack of an extradition treaty or because of a country’s very interest to not cooperate – imposing sanctions on identified organizations or individuals can heavily impact lives (e.g. no freedom to travel, inability to access money due to frozen funds etc.) and act as deterrent for the future.
- Presentation and communication of results: This final step is important independent of the layer of attribution. Even if findings are not presented publicly, internal communication is crucial to create and maintain an overview on different threat actors, to scrutinize the plausibility of findings and to raise internal or public awareness. Especially in a political context (i.e. findings behalf of intelligence services), conclusions are usually not formulated in a completely definitive way, but rather by using some kind of likelihood to describe the certainty of conclusions and different hypotheses.
- 2017 cyberattacks on Ukraine. (2020). In Wikipedia. https://en.wikipedia.org/w/index.php?title=2017_cyberattacks_on_Ukraine&oldid=970871311
- Biden: ‘We’re Sending a Message’ to Putin. (2016, October 14). https://www.nbcnews.com/meet-the-press/video/biden-we-re-sending-a-message-to-putin-786263107997
- Botnet. (2020). In Wikipedia. https://en.wikipedia.org/w/index.php?title=Botnet&oldid=976542410
- Casus belli. (2020). In Wikipedia. https://en.wikipedia.org/w/index.php?title=Casus_belli&oldid=962994726
- Common Vulnerabilities and Exposures. (2020). In Wikipedia. https://en.wikipedia.org/w/index.php?title=Common_Vulnerabilities_and_Exposures&oldid=969871549
- Critical infrastructure. (2020). In Wikipedia. https://en.wikipedia.org/w/index.php?title=Critical_infrastructure&oldid=934414646
- Development Tradecraft DOs and DON’Ts. (n.d.). Retrieved 16 September 2020, from https://wikileaks.org/ciav7p1/cms/page_14587109.html
- EternalBlue. (2020). In Wikipedia. https://en.wikipedia.org/w/index.php?title=EternalBlue&oldid=975590147
- Fancy Bear. (2020). In Wikipedia. https://en.wikipedia.org/w/index.php?title=Fancy_Bear&oldid=978514095
- Five-year plans of China. (2020). In Wikipedia. https://en.wikipedia.org/w/index.php?title=Five-year_plans_of_China&oldid=968073210
- Greenberg, A. (2019). Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers. Doubleday.
- Indicator of compromise. (2020). In Wikipedia. https://en.wikipedia.org/w/index.php?title=Indicator_of_compromise&oldid=975063928
- Mandiant. (2013). APT1—Exposing One of China’s Cyber Espionage Units. https://web.archive.org/web/20130219155150/http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf
- NATO. (2019, November 25). Collective defence—Article 5. NATO. http://www.nato.int/cps/en/natohq/topics_110496.htm
- Nuclear program of Iran. (2020). In Wikipedia. https://en.wikipedia.org/w/index.php?title=Nuclear_program_of_Iran&oldid=976929101
- PLA Unit 61398. (2020). In Wikipedia. https://en.wikipedia.org/w/index.php?title=PLA_Unit_61398&oldid=967779804
- Red herring. (2020). In Wikipedia. https://en.wikipedia.org/w/index.php?title=Red_herring&oldid=977551534
- Responsible disclosure. (2019). In Wikipedia. https://en.wikipedia.org/w/index.php?title=Responsible_disclosure&oldid=929705004
- Sanger, D. E., & Bumiller, E. (2011, May 31). Pentagon to Consider Cyberattacks Acts of War. The New York Times. https://www.nytimes.com/2011/06/01/us/politics/01cyber.html
- Steffens, T. (2018). Auf der Spur der Hacker: Wie man die Täter hinter der Computer-Spionage enttarnt. Springer Vieweg. https://doi.org/10.1007/978-3-662-55954-3
- Stuxnet. (2020). In Wikipedia. https://en.wikipedia.org/w/index.php?title=Stuxnet&oldid=977998687
- Tailored Access Operations. (2020). In Wikipedia. https://en.wikipedia.org/w/index.php?title=Tailored_Access_Operations&oldid=946754026
- The Shadow Brokers. (2020). In Wikipedia. https://en.wikipedia.org/w/index.php?title=The_Shadow_Brokers&oldid=976891362
- WannaCry ransomware attack. (2020). In Wikipedia. https://en.wikipedia.org/w/index.php?title=WannaCry_ransomware_attack&oldid=976112147
- Zero-day (computing). (2020). In Wikipedia. https://en.wikipedia.org/w/index.php?title=Zero-day_(computing)&oldid=973988948
- Zetter, K. (2014). Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon. Crown.