The Problem With Attribution of Cyber Attacks


…is that it is all but impossible.  A skillful black hat can easily lead investigators down paths they want them to take, while obscuring the true origins of a network breach.  Mimicking attack vectors, using code associated with known hacking entities, even using language in the coding that points to known entities or countries, are common methods employed by those who wish to leave a false trail as to the origin of network attacks or exploits.  (Of course, the most dangerous of that lot can hide for months or years the fact that there has been any network exploit at all.)

There was much discussion in the office this week about the FBI’s announcement that they had what amounts to definitive proof that the DPRK had perpetrated the now-famous hacking of Sony Pictures.   I was definitely in a minority with my skepticism, for two reasons.  The first is that I have a very hard time believing anything coming out of a Federal agency in this Administration.  The Department of Justice, the IRS, the EPA, The State Department, Homeland Security, have all promulgated bald-faced lies to the American people, largely to cover up criminal and unconstitutional activity and/or the incompetence of those in charge.  The second is the rather unrealistic understanding the Federal Government (and DoD in particular) has of how the Internet works.  They THINK they know.  But they don’t.

Apparently, I am not alone in my skepticism.   From the Daily Beast:

So, malware found in the course of investigating the Sony hack bears “strong” similarities to malware found in other attacks attributed to North Korea.

This may be the case—but it is not remotely plausible evidence that this attack was therefore orchestrated by North Korea.

The FBI is likely referring to two pieces of malware in particular, Shamoon, which targeted companies in the oil and energy sectors and was discovered in August 2012, and DarkSeoul, which on June 25, 2013, hit South Korea (it was the 63rd anniversary of the start of the Korean War).

Even if these prior attacks were co-ordinated by North Korea—and plenty of security experts including me doubt that—the fact that the same piece of malware appeared in the Sony hack is far from being convincing evidence that the same hackers were responsible. The source code for the original “Shamoon” malware is widely known to have leaked. Just because two pieces of malware share a common ancestry, it obviously does not mean they share a common operator. Increasingly, criminals actually lease their malware from a group that guarantees their malware against detection. Banking malware and certain “crimeware” kits have been using this model for years.

So the first bit of evidence is weak.

But the second bit of evidence given by the FBI is even more flimsy:

“The FBI also observed significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea. For example, the FBI discovered that several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack.”

What they are saying is that the Internet addresses found after the Sony Picture attack are “known” addresses that had previously been used by North Korea in other cyberattacks.

To cyber security experts, the naivety of this statement beggars belief. Note to the FBI: Just because a system with a particular IP address was used for cybercrime doesn’t mean that from now on every time you see that IP address you can link it to cybercrime. Plus, while sometimes IPs can be “permanent”, at other times IPs last just a few seconds.

Now, the FBI’s conclusions may be correct, and the DPRK may be officially or unofficially behind the breach.  But TDB raises some important points.  The DPRK can claim that a skilled hacker can make the evidence point back to them with little effort.  And indeed this is a correct assessment.  Why the Administration’s jump to blame the DPRK?   Perhaps, as the article states, it is yet another example of amplifying and manipulating an event (a good crisis not going to waste?) as justification for yet more government control via draconian regulation.

Blaming North Korea offers an easy way out for the many, many people who allowed this debacle to happen; from Sony Pictures management through to the security team that were defending Sony Picture’s network.

You don’t need to be a conspiracy theorist to see that blaming North Korea is quite convenient for the FBI and the current U.S. administration. It’s the perfect excuse to push through whatever new, strong, cyber-laws they feel are appropriate, safe in the knowledge that an outraged public is fairly likely to support them.

I will be writing more about so-called “Net Neutrality” in the near future.  But be certain that the regulations proposed by the Obama Administration have little to do with true net neutrality (despite the rather infantile assertions of some) and much more to do with expanding the regulatory power of the Federal Government over the content of the internet.   With the mainstream news media either firmly behind the Far Left, or beholden to them for reasons other than intellectual agreement, trust in the Big News outlets is at an all-time low.  It is on the internet where the fabrications of both the Obama Administration and its lap-dog agents in the press are torn apart by people with facts and experience, and people like Holder and Hillary and entities like the NYT and MSNBC are shown to be liars.  So the assertion in the above citation is certainly plausible.  To some of us, it is at least as plausible as the FBI’s proclamations of incontrovertible evidence of North Korea’s guilt in the Sony breach.

9 thoughts on “The Problem With Attribution of Cyber Attacks”

  1. Don’t forget that there might be other evidence of North Korean involvement that hasn’t been released to protect sources and methods. If we had an agent in high position in the Nork military or Pyongyang wired for sound, we would want to keep that a secret.

    1. I have not forgotten. However, blaring to the world with the certainty this Administration did when everything that can be released publicly is absolutely refutable shows a fundamental misunderstanding of the problem set with which they are dealing. Either they have such a source that they have put in increasing jeopardy, or they don’t, which leads to very plausible denial by the DPRK. Neither is particularly smart.

  2. What is infantile is to make statements like your last paragraph. Lets start with the assertion that the so called “main stream media is beholden to the left”. Besides the fact there is no “main stream media” any more given the plethora of media outlets available now, the established TV and media outlets advance the right wing agenda as much as they do anyone elses. ( Or am I supposed to forget the rather sizeable market share that Newscorp controls?)

    Second, the statement that net neutrality is about expanding the government’s power is completely false ( and therefore there is nothing infantile about sticking up for it).

    This is not about “regulating the internet,” but making sure that the big broadband players don’t “regulate” the internet themselves, by setting up toll booths and other limitations, allowing them to pick the winners and losers. It’s about blocking monopolistic powers from putting in place systems to extract monopoly rents that harm the public and limit innovation and consumer surplus. Net neutrality frees the internet from such monopolistic regulations by putting common carrier rules at the infrastructure level to make sure that there’s true competition and freedom at the service level. And that makes total sense, because you don’t want competition of natural monopolies, you want to make sure natural monopolies don’t block competition.

    Given that Republicans like to claim that they’re pro-innovation, pro-business and pro-competition, they should absolutely be in favor of net neutrality as well because it creates the environment where there will be real competition and innovation at the service level. The argument that they’re using against it is to pretend that Title II regulates “the internet” when it really just changes the existing style of regulation for internet infrastructure, preventing a few monopolistic powers from squeezing monopoly rents from everyone else. Normally stopping monopolies is supposed to be a key tenant of conservative economics. It honestly seems like the only reason that isn’t the case here is because big broadband lobbyists have carefully spun this tale (and heavily funded some campaigns) to pretend that what they’re trying to stop is “regulation of the internet.”

    1. Sorry, Skippy. Stating again “facts” that are untrue do not make them true. No “mainstream media” hardly explains NBC, CBS, ABC, CNN, WAPO, NYT, Baltimore Sun, Boston Globe, LA Times, SF Chronicle, Miami Herald, US News, TIME, The New Republic, The New Yorker, The Atlantic, HuffPo…. all somehow broadcasting near-identical far-left viewpoints.

      As for your touching faith in the integrity of the Obama White House to not abuse the power given it by declaring wireless internet a “public utility”, you will have to explain the actions of the IRS, the EPA, Justice, the VA, HHS, DHS, etc.

      Grow up. Just because you choose to have your head up your backside, don’t expect me to stick mine up there with you.

    2. the established TV and media outlets advance the right wing agenda as much as they do anyone elses.

      Laughably stupid and false.

    3. What is the difference between “main stream media” and “established TV and media outlets”?

  3. Do a quick check with senor occam and ask yourself whether it’s more likely or less likely that is being a transparent upholder of Constitutional liberty. Hint: if you think tags like red-blue or dem-rep have any meaning in this context please immediately respond to the email I just sent you from nigeria.

  4. I am quite cynical about anything the current administration says, as well. They come to a conclusion, and look for evidence to back it up, rather than seeing if the evidence points elsewhere, because they, being Ivy leaguers, know best.

Comments are closed.