False impressions: How fake attribution makes fools of us all
In 2018, the world was faced with the Ryuk ransomware strain. The responsibility for this ransomware attack was originally placed squarely in the camp of a state-sponsored North Korean group. However, this turned out to be a false accusation — or rather, a false attribution. Researchers from several security organizations found inconsistencies in the attribution data used to blame state sponsorship by North Korea.
Human beings need fairness and justice. It is primarily why we have developed legal systems the world over. Striving to find the truth of a matter is important: it removes doubt, punishment is correctly targeted and it provides the knowledge to prevent further injustices.
False attribution can be every bit as important to stop as a false accusation in the world of physical crime. Here, I take a look at what constitutes a false or fake attribution in cybercrime and why it is important to avoid this.
Why is attribution important in cybercrime?
When a cyber-attack happens, security analysts gather data and analyze the evidence of the cybercrime. By doing so, they can understand some of the fingerprints of the cybercriminals behind it. Intelligence data, such as how the cyber-attack was set up, technical details of the execution of the attack, what vectors were used to propagate it and so on, can be gathered and analyzed.
One very important outcome needed from the forensic analysis of a cybercrime event is where it originated and who was behind the attack.
Attribution data can come in many forms, depending on the attack itself. Collecting it is a dedicated and highly skilled task requiring specialist knowledge. The collection of cyber-evidence is done using standard operating procedures; for example, the Scientific Working Group on Digital Evidence (SWGDE) publishes guidelines on the collection of various evidence during forensic analysis of a cyber-attack.
The Office of the Director of National Intelligence in the U.S. also offers a guide to cyber-attribution. The guide specifies that security analysts can attribute responsibility for a cyber-attack using:
- The point of origin, such as a specific country
- A specific digital device or online persona
- The individual or organization that directed the activity
Waving false flags over cyber-attribution
It must also be said that the perpetrators of cybercrime are adept at covering their tracks. Often, they will not only cover them but use someone else’s tracks to obfuscate and confuse the evidence.
The difficulty in discerning fake from real attribution was noted at a recent Blackhat conference where Jack Williams, a former member of the U.S. National Security Agency’s Tailored Access Operations hacking team, noted some methods used to trick security analysts. Williams described a number of tactics, known as “false flags,” that can be used to confuse the picture of the origin of an attack. He spoke of:
- How easy it is to purchase Virtual Private Servers (VPS) in Iran using Bitcoin and then direct traffic through them
- How browser settings can be adjusted to make it look like a hacker is in a known “bad country” (i.e., known for hacking). The example setting Williams describes is to set to accept-language to “Chinese” to confuse investigators
- How PowerShell can be used to deceive as well as inform
Research on cyber-false flag methods used by cybercriminals intent on hiding their tracks is being carried out to improve security analysts’ awareness of the issues of false attribution. In a 2020 paper by Skopik and Pahi, “Under false flag: using technical artifacts for cyber attack attribution,” the authors identify techniques and tools to create false flags used to thwart attribution attempts.
One interesting area that the paper discusses is the use of cyber-threat actor profiling. This technique allows investigators to look for complex patterns and correlations in attack profiles. Being able to map and identify dark patterns and mismatches helps in identifying possible false flags. The paper also points to the MITRE ATT&CK framework to locate technical artifacts to help identify perpetrators and cross-map against flags; this again, helps to identify any possible false flags.
Cyber-attribution is an art and a science
There used to be an excellent show on UK TV called “Time Commanders.” In this show, two teams used computer simulations to play out historical battles. In the end, a historian would take the players through the real outcome of the battle to work out strategies used in real-world conflicts.
Understanding the details of the behavior behind the decisions made on the battlefield is somewhat similar to attribution determination. Having a clear and accurate view of who did what, when and why, in both successful and unsuccessful cyber-attacks, provides insights applicable to response planning and strategy, as well as for evidence in bringing the perpetrators to justice.
However, in the world of cyber-attacks, you can end up with an awful lot of data. Having the know-how to look for false flags and correct attributions is not a perfect science. The fact is, having experience of looking for that needle in a haystack to find the evidence of attribution is as important as procedure and process. This is why using specialists in security forensics and services like MITRE ATT&CK are so important.
Effective attribution, not false attribution
Effective attribution is key to not only bringing criminals to justice but to ensuring a system is proven to work. Policing digital crimes is every bit as important as policing real-world crime. Cyber-attacks affect real people; jobs are lost, money is stolen and identity theft is rife. And cyber-attacks can also have the potential to cause serious conflict between nations.
One of the best deterrents to crime is to know there is a high chance you will be caught. As U.S. Department of Justice research has found: “The certainty of being caught is a vastly more powerful deterrent than the punishment.” False attribution plays into the hands of the cybercriminal.
We must endeavor to make our attribution efforts more effective to ensure that when we point the fingers at identified perpetrators of cybercrime, they are not false accusations. Importantly, when certain cyber-attacks occur, we need to determine if the attack was state-sponsored, a criminal gang or an individual actor. By making cybercriminals worried about being caught because our attribution methods are robust, we can have a better chance of reducing cybercrime overall.
- Was North Korea Wrongly Accused of Ransomware Attacks?, Security Week
- Scientific Working Group on Digital Evidence
- A Guide to Cyber Attribution, Office of the Director of National Intelligence
- How to fool infosec wonks into pinning a cyber attack on China, Russia, Iran, whomever, The Register
- Florian Skopik, Timea Pahi, “Under false flag: using technical artifacts for cyber attack attribution,” Cybersecurity, 2020
- MITRE ATT&CK
- Five Things About Deterrence, U.S. Department of Justice