The Cyber Whodunit and the International Blame Game
The U.S. government has officially attributed to North Korea the WannaCry ransomware attack, which encrypted hundreds of thousands of computer drives around the world in May 2017. And yet as with a series of other highly public cyberattack attributions, little evidence for the claim was made public. It's time for the cybersecurity world to follow the advice of the Rand Corporation and set up an unbiased international consortium that would seek to attribute attacks based on a common set of rules.
"We do not make this allegation lightly," President Donald Trump's assistant for homeland security and counterterrorism, Thomas Bossert, wrote in a Wall Street Journal op-ed Tuesday. "It is based on evidence. We are not alone with our findings, either. Other governments and private companies agree. The United Kingdom attributes the attack to North Korea, and Microsoft traced the attack to cyber affiliates of the North Korean government."
That may be true, but he doesn't cite the evidence. Neither did U.K. Security Minister Ben Wallace and Microsoft President Brad Smith. And, as usual in such cases, some cybersecurity researchers have argued against the attribution. For example, business intelligence firm Flashpoint has suggested, based on the linguistic analysis of different language versions of the ransom note that appeared on infected computers' screens, that the original was written in Chinese, not Korean, suggesting Chinese involvement.
Usually, technical attribution judgments are based on a combination of two factors: similarities with other attacks (the use of similar software or the same attack servers, timestamps on the malware that suggest regular working hours in a certain time zone), and a basic understanding of commercial or geopolitical motive. For example, the 2014 Sony hack was linked to North Korea because some of the code and attack infrastructure was similar to those used in an earlier hack of South Korean banks, and because North Korea had a clear motive -- to punish Sony for its intention to release a comedy mocking Kim Jong Un. Similarly, last year's Democratic National Committee hack has been linked to a Russian "advanced persistent threat," or hacking organization, based on the malware, the use of a server that was also involved in an earlier attack on the German parliament, and the alleged group's target list that maps well onto Russia's geopolitical interests.
In an excellent summary of recent attribution cases and methods, Klaus-Peter Saalbach of Osnabrueck University in Germany argued that impersonating an "advanced persistent threat" for a false-flag operation is a tough proposition. "It is difficult to mimic the attack of an APT even when the malware of the respective hacker group is available on the black market," Saalbach wrote. "The attacker needs to be aware that the cyber security companies do not present their full knowledge to the public, that the intelligence of [a] state may also know more about the usage and of course the original hacker group knows their malware better than others."
Still, such an impersonation is all but impossible to rule out. As the Rand Corporation wrote in a report this year,
Sophisticated adversaries that want to avoid attribution will carefully dedicate resources to deploy false indicators and cast suspicion on other parties. For example, the Russian-speaking actor associated with the Cloud Atlas APT used a document written on a native Spanish-speaker’s computer and incorporated Arabic strings, Hindi characters, and rotated IP addresses -- probably to complicate attribution. It is conceivable that each of the technical indicators utilized in attribution -- timestamps, strings, code reuse, etc. -- could be manipulated in a similar way to delay or completely avert attribution.
The temptation for bad actors to go to the trouble is huge, what with the great powers engaged in a cool war, and the tools they use periodically leaking out. WannaCry used a U.S. National Security Agency-discovered vulnerability in the Windows operating system. It's especially difficult to make a meaningful attribution when technical and geopolitical elements don't quite align. For example, Russia was the country hardest hit by WannaCry, with Ukraine, India and Taiwan also suffering much damage. The last thing North Korea wants to do is hurt Russia, however: It's the most dovish of the great powers on the North Korean regime, even something of a situational ally against a U.S. threatening "fire and fury." Nor does it have a fight to pick with India or Ukraine.
It's easy for the U.S. to accuse its adversaries of cyberattacks. Nobody believes the denials, and the accusations often serve domestic political purposes. In the case of North Korea, they underscore the Trump administration's political priorities, in Russia's case, those of its rivals. Blaming China, with which the U.S. has more of a constructive relationship, is more problematic. Though some in the cybersecurity community have faulted China for the Office of Personnel Management hack, in which the personal data of millions of present and former U.S. government employees' personal data were stolen, neither the White House nor the intelligence community has come out with public accusations. A group of alleged Chinese hackers was recently indicted for breaching three companies, but no Chinese government involvement was mentioned in the indictment and personal gain was named as the motive.
Often, the only way to attribute a hack definitively is to use traditional intelligence or investigation methods. An investigation into the workings of Minecraft servers allowed the Federal Bureau of Investigation to unravel the mystery of the 2016 Dyn attack, which crashed a large part of the U.S. internet infrastructure and which some suspected at the time of being a Russian operation. (Three college-age men are the suspects, showing how much damage non-state actors can wreak). But intelligence services are tight-fisted with proof obtained through their spy networks and investigative work. Recent indictments -- that of the Chinese group, a Russian secret police team accused of hacking Yahoo, or Iranian hacker Behzad Mesri -- do not present much evidence.
Interestingly, the DNC hack took place before the events describes in the Chinese group and Mesri indictments -- but no one has been indicted for it, so the existing evidence in the case likely isn't even up to the standard exhibited by these rather bland documents.
So all the public has by way of evidence is the educated guesses of cybersecurity firms. There's a problem with them, though. "Private firms have their own economic interests in investigating incidents and attributing attacks, and there are incentives to publish findings as quickly as possible and in a high-profile manner as marketing for future clients," the Rand report notes. "Without a standardized methodology, or even an industrywide commitment to adhering to rigorous methodology that includes independent review, this might result in a confusing picture for non-expert audiences."
That's an understatement. Earlier this year, CrowdStrike, the firm responsible for the initial attribution of the DNC hack, was forced to rewrite a report that claimed a Russian hack of a Ukrainian artillery application caused heavy military losses.
It's not inconceivable that attack attribution can, in extreme cases, mean the difference between war and peace. Even in less extreme ones, it can sully relationships between countries. It's a serious matter -- but it is now the domain of government spokespeople expecting to be taken on trust and cybersecurity companies with their conflicts of interest and failures of execution. In its report, Rand recommends the creation of an independent international body, perhaps financed by top tech companies, that would work out a set of attribution rules and apply them to analysis of high-profile breaches, followed by a peer review process. Such attribution judgments wouldn't be 100 percent reliable, and spies would still hold their non-technical evidence close to the chest, but at least there would be more certainty for the general public that political biases and commercial considerations are accounted for. It's something to wish for in 2018: High-profile breaches will continue, and accurate attribution will be ever more important.
To contact the editor responsible for this story:
Therese Raphael at firstname.lastname@example.org