Lentis/Cyber-attack Attribution

Cyber-attack Attribution
One of the first steps in mitigating and containing a cyberattack or a breach is attributing its source. Identifying the perpetrators early on and keeping track of their previous campaigns helps understand their motivation, determine the data they are after, and physically locate and apprehend them. On a more global level, associating an attack with a nation state can influence the policymakers in regard to foreign policy. Despite its importance, the current methods for attribution are nowhere near from perfect, and some decisions are made prematurely. This can lead to a variety of implications, and misattribution may cause countermeasures to harm victims rather than cybercriminals.

What is Attribution
Cyber-attack attribution describes the act of identifying the party responsible for a certain internet attack by correlating various indicators to trace the attack back to its source. Every kind of cyber operation leaves a trail, and analysts use this information, combined with a knowledge of previous events, to attempt identify the malicious actor. Knowing what data the attacker is after allows incident responders to predict the intruder's actions and concentrate their containment, mitigation, and preventative efforts. In terms of policy, it helps law enforcement differentiate criminal activity from state-sponsored attacks and act accordingly.

Attribution Methods
Cyber-attacks generally leave some form of logs on the system, so the information found in them or even the evidence of deleted logs can ring a bell. Any cyber-attack or regular use of a system interact with computer equipment through many services and on various networking levels, leaving some traces in almost every step. These indicators of compromise, such as failed login attempts, anomalous connections outside of business hours, IP addresses, records of traffic leaving a network with sensitive data, etc., point to malicious activity. Additionally, the demonstrated behavior and techniques used to conduct the attack are valuable because habits are harder to change than tools. Human factors such as socio-cultural references, language skills, and timezones help point to a country.

Attribution Difficulties
There is currently no standardized method for identifying the perpetrator. Attack methods and techniques are constantly evolving, each target system is unique, and both offense and defense require human actions that are difficult to generalize.


 * Pure technical indicators of compromise (such as IP addresses originating from a specific location) are no longer a reliable method of attribution . Threat actors can easily spoof their origin or use de-anonymization services such as the TOR network to make their traces meaningless. In some cases, the attackers may deliberately plant red-herrings to encourage missatribution.
 * Attackers reuse methods and tools from others, which leads to false positives. They can be obtained on the dark web or within white-hat hacking communities. For example, an attack called EternalBlue has become the standard method for exploiting Windows SMB service. It has been reportedly developed by the NSA.
 * An increased use of so-called "living off the land" tactics has allowed threat actors to perform attacks using only built-in tools already present in the target environment. This makes attacks more difficult to detect and avoids the use of any custom tools that would otherwise serve as valuable artifacts in investigations.
 * As internet usage grows, the number of web services increases and companies ramp up their infrastructure. This leads to an explosion of traffic volume that the security teams have to analyze and process. This makes it difficult to distinguish malicious traffic from benign, and automated solutions are not foolproof.
 * Attribution may result in disclosure of sensitive evidence or attribution methods, which would give the attacker an opportunity to obscure their trail . On the contrary, lack of released evidence hurts trust in the validity of the attribution.
 * Attribution methods that analyze attacker behavior and correlate independent attacks heavily rely on the knowledge of previous attacks. This requires strong and quick communication within and across the private and the public sectors, which is difficult due to the sensitivity of information, business competition, or reluctance to admit breaches.

Lack of government trust
In recent years, there has been a growing rift between the government and their constituents in the United States. According to a recent poll by the Pew Research Center, people are losing trust in the government to serve their best interests. This loss of trust consequently erodes the credibility of the government in the eyes of the public, which raises concerns on the process of cyber-attack attribution. When governments release official statements identifying the attack, many are skeptical. This distrust is not unreasonable. From unreasonable dairy consumption recommendations to the Vietnam war disaster, there are many historical examples of government dishonesty or poor decision making.

The government agencies are extremely reluctant to reveal their intelligence capabilities, sources, and methods. Some of this information is very sensitive to national security. In the case of the Sony Pictures hack in 2014, this could have revealed the details of NSA's attempts to eavesdrop on the North Korean government. Such disclosures also tell the threat actors what has been found and what needs to fixed in future attacks. Sometimes the public has no choice by to take government agencies at their word.

Findings motivated by political agendas
Political groups take advantage of the inherent difficulty in attributing cyber attacks and use this ambiguity in order to advance their own agendas. With the growing sophistication and aggressiveness of state-sponsored cyber attacks, nations are beginning to prioritize mitigating and responding to the threat of these attacks. This also gives political groups more opportunities to use these attacks in their favor, whether it be through premature attributing the attack to some particular group or implicating their opposition as liable or complicit.

Attributions by private companies
Private companies are gaining responsibility for cyber-attack attribution. This setup benefits government, which would typically be responsible for attributing cyber-attacks, by preserving options to retaliate and keeping intelligence capabilities secret. This setup benefits private security companies as well, since they gain valuable prestige and news coverage when making attributions. Since the standard of evidence to make an attribution is not clearly defined, private companies may make false premature attributions. Additionally, if different firms disagree on an attribution, then the trust and authority of attributions may break down further.

Geopolitical tensions
The power and potential damage of cyber attacks can be compared to that of actual physical weapons, so when a country threatens the US with a cyber attack, it is taken seriously. False accusations could raise unnecessary geopolitical tensions, and in some cases it might be rational to tolerate an attack rather than assign blame publicly and not be certain. In the aftermath of the Sony Hack, the White House proposed a 'proportional response' to North Korea in retribution, while many experts were not yet sure about the malicious actor. Another point of contention is that it is difficult to differentiate attacks carried out by a couple of lone hackers from ones backed by a nation-state military, and there is concerns that the government agencies have correlated independent attacks in the past without much evidence.

Grizzly Steppe
During the controversy about the 2016 presidential elections, Russia was blamed for meddling in the elections. This has been repeated many times by top government officials, but a lot of the detailed evidence remains unpublished, and some are skeptical of whether attribution to Russia is true for every attack. Over the years, there have been numerous reports that attributed individual small attacks to different malicious groups both in Russia and outside, which served as evidence to higher level reports that claimed all of those small attacks were the work of a single group tied to Kremlin.

The Department of Homeland Security and FBI did release a join report with a threat advisory containing a list of IP addresses and malware signatures that served as indicators of various Russian attacks, which does not constitute evidence. The intention was to help other agencies and private organizations protect themselves by spotting these IP addresses. Upon further analysis, of 875 IP addresses released and attributed to Russia, at least 425 (~49%) are IP addresses that correspond to Tor exit nodes. This means that anyone, any attacker or any benevolent user from any country can easily obtain those IP addresses both accidentally and on purpose. As such, these published indicators were both misleading and may suggest a level of technical inadequacy and a lack of trust in reports from the same agencies. This has led to missatributions as well.

For example, after December 2016 attack on a Vermont facility, officials publicly attributed it to the Russian military and civilian services. Vermont Representative Welch commented on the Russian involvement, "they will hack everywhere, even Vermont, in pursuit of opportunities to disrupt our country. We must remain vigilant, which is why I support President Obama’s sanctions against Russia and its attacks on our country and what it stands for." Despite these allegations, security experts could not claim that the attack was actually performed by the Russians. As a result, this Washington Post article was later modified to say:"'Editor’s Note: An earlier version of this story incorrectly said that Russian hackers had penetrated the U.S. electric grid. Authorities say there is no indication of that so far. The computer at Burlington Electric that was hacked was not attached to the grid.'"

DNC attack
In 2015 and 2016 the Democratic National Committee (DNC) network was infiltrated through a series of phishing attacks, resulting in thousands of sensitive documents being leaked online. The leaks destabilized Clinton's campaign, and many believe played a role in her eventual loss. In December of 2016, the U.S. Intelligence community concluded that Russian intelligence services were responsible for the leak. In the time before the attack was officially attributed, both candidates in the 2016 election were able to exploit the fact that the attacker's identity was unknown. As the attacks benefited the Republican Party at the expense of the DNC, Clinton continually asserted that Russia was responsible, and that Donald Trump was complicit in this attack. Even though officially the identity of the attacker was unknown, Clinton was able to use this fact to erode the credibility of Trump to further advance her campaign.

CrowdStrike Conspiracy
CrowdStrike, a private security company, revealed the DNC attack when hired to monitor the DNC servers. CrowdStrike then linked the attack to Russian hacking groups. When the FBI investigated the attack, CrowdStrike provided a digital copy of the server to the FBI but not the actual physical server which CrowdStrike themselves never possessed. The CrowdStrike conspiracy believes that CrowdStrike is hiding the physical server from the FBI in Ukraine (the server is physically located in Ukraine) because this physical server may contain evidence the attack came from Ukraine instead of Russia. The conspiracy highlights the potential consequences of mistrust of private company attributions even if the mistrust is unfounded.

Olympic Destroyer attack
The Olympic destroyer attack was a cyber attack against South Korea during the 2018 winter games. Initial reports said that the attack could have come from North Korea of Russia. It took nearly 8 months for researchers to attribute the attack definitively to Russia. The Russian hackers placed false flags to try to pin the attack on North Korea. The Olympic Destroyer attack occurred during a detente of the Korean conflict. Just one month after the Olympic games, the Singapore summit between North Korea and The United States would advance peace further. While misattribution of the Olympic Destroyer attack did not derail these talks, it is conceivable how misattribution could have serious geopolitical consequences in a situation like this.