Why Attribution of Cyber Attacks is a Puzzle that Sometimes Lacks More than One Piece

Being a cyber researcher is so exciting because it takes a bit from many jobs: a programmer, a mathematician, a forensic detective, a historian, an archaeologist and sometimes a psychologist.

The best and most challenging thing about being a security researcher is investigating APT attacks – the most complex, most persistent and stealthiest attacks.

When confronted with such an attack – and we have been doing this for more than 20 years, so our background is rich and diverse – there are three main questions we ask ourselves: first of all “what happened?”, then “can we fix it?” and the most intriguing question of all: “who did it?”. The answer to this last question is what we call “attribution” and sometimes it is as if looking for a needle in a haystack – and not a regular one, for that matter, but one filled with traps set by attackers to derail researchers from the right path.

However, let us start from the beginning. In GReAT (Global Research and Analysis Team) we rely on clues when confronted with an APT whose origins we try to track – and so do investigators from other research teams in the industry. Those clues are operational mistakes that threat actors make when putting their malicious plans into action.

They say there is no perfect crime and this also counts for cybercrimes. No matter how hard attackers try not to leave any traces, some things are just inevitable: they forget some keywords, they just copy-paste code from other projects or use the same personal account for attacks. To make our task more difficult, some are not real clues, but false flags planted to mislead investigators: words in a language that is not their own or using code from other campaigns, aiming to point at other APT groups. However, pretending that you have a different native language sometimes results in making mistakes – a word which is not spelled correctly can offer the right clue instead of the fake one as intended.

One of the most complex pieces of false flags that we have ever dealt with was the case of Olympic Destroyer – the criminals forged an artefact that is very hard to forge and even harder to prove the forgery, almost as if someone else’s DNA had been stolen and been left at the crime scene by the real criminal. However, we were able to prove that the artefact was fake – in other words, a false flag.

No matter how hard they try, cyber attackers are humans and cannot fake everything. Usually, the charts containing their workflows – when they start working, when they take a break, how many hours per day they work – offer some valuable insights. By carefully analysing the available clues – usually language and time zone – we get to call some APT groups Chinese, Russian, Korean or English-speaking attackers, among others.

We consider it our main job to answer the first two questions and leave full-fledged attribution to law enforcement agencies, which can have a wider view than private companies. However, we also believe that co-operation between governments and players from the cybersecurity industry is essential for making the world a safer place and allowing for more threat actors to be brought to justice. We are a strong supporter of such initiatives, promoting transparency and trust in cybersecurity, with the Paris Call for trust and security in cyberspace being an important step in this direction.

Co-operation is especially important nowadays, with the virtual space being more dangerous than ever, as cyberwarfare has no rules and no borders. We believe that cyberweapons will play an increasingly important role in a nation’s warfare capabilities and future attacks will target critical infrastructure more and more – we have already seen such examples in Ukraine, Saudi Arabia and Venezuela.

Looking at the bigger picture – the number of cyberattacks and their continuously evolving complexity – it can easily be seen why attackers remain unknown in the majority of cases and only a limited number are thoroughly investigated and attributed. If investigating cyberattacks were a puzzle game, then understanding what happened would complete the first level of the puzzle, and fixing it – with a decryption key, for example – would be the second level. Finally, linking the attack to a threat actor would almost complete the puzzle with the use of APT names like Equation, Desert Falcons, or Lazarus. The rare and lucky case when the puzzle is completed would be when cyber investigators and law enforcement organisations work together and manage to catch the attackers, as was the case with CoinVault.

One thing is for sure: it is our mission to put together as many puzzle pieces as possible, but only co-operation between cybersecurity companies and governments can make completing the puzzle possible.

About the Author

David Emm is Principal Security Researcher at Kaspersky Lab, a provider of security and threat management solutions. He has been with Kaspersky Lab since 2004 and is a member of the company’s Global Research and Analysis Team. He has worked in the anti-malware industry since 1990 in a variety of roles, including that of Senior Technology Consultant at Dr Solomon’s Software, and Systems Engineer and Product Manager at McAfee.

Featured image:  © beebright