By Marcus J. Ranum
Summary: Identifying the attacker is the key to modern military defense, so one can launch a reprisal or counter-strike. But attributing cyberattacks is difficult because nothing in cyberspace has to look like anything familiar. How do you attribute a weapon that was created out of thin air and used by an enemy that has no physical location? Links to other chapters of this series are at the end.
- Cyberspace, Novel Weapons, and Location Independence
- Technology, Language, Culture, and Cui Bono
- A Model For Attribution
- For more information
(1) Cyberspace, Novel Weapons, Location Independence
Cyberspace does have some unique attributes which are not mirrored in the real world. Such as the nonexistence of ”territory.” There is no “there” there. Some of the things we are accustomed to taking into account in warfare are missing: hostile forces do not need an ‘assembly zone’ that can be detected and watched. Nor do they have to cross ground — where they leave traces of the type that we’re used to dealing with.
Imagine if a hostile power was going to insert a cover operations team into a target area and wanted to be stealthy enough to achieve plausible deniability. In the past troops could be outfitted with uniforms that had been carefully scrubbed of clues to their origin, “sanitized” weapons, etc. Providing such kit was expensive and exacting work. Inserting them into a target, nowadays, would entail avoiding the ubiquitous video-surveillance cameras, providing false identities under which to travel, laundering funds for the operators, and then having an equally carefully scrubbed extraction plan.
In the real world, this kind of thing is expensive and complex. In cyberspace it is relatively easy and practically free. There are some caveats about the “easy and free” claim, depending on the quality of the defenses that are being attacked but — as we’ve been assured over and over again by our government’s own technical experts — our defenses, to put it bluntly, suck.
To imagine what mounting a covert operation via cyberspace is like, pretend that you can not only create your special operations team out of thin air, with no history or distinguishing features, you can create as many of them as you want and they don’t even have to be recognizable as anything anyone has seen before. They can be a completely different size, shape, and color from anything that the target would expect to see — and their weapons likewise. Since the weapons and the special operations team are unique and novel, nobody on the receiving end would be able to say “they were wearing French paratrooper’s boots and carrying AK-47s” or anything useful like that.
To extend the analogy further while keeping things accurate: the target might have surveillance cameras that successfully recorded the assault team and, upon review, all they show is a large pink badger teleporting in and throwing cartoonish custard pies then evaporating. Oh, and the badger didn’t leave footprints. Or, if the badger did leave footprints you’re left with the certain knowledge that whoever designed it wanted it to leave footprints or else they wouldn’t have gone to the effort to make it leave footprints.
This is all relevant because, the media embarrass themselves whenever they try to tackle attribution of cyberattacks. The FBI or CIA say “it came from an IP address in China” to which anyone who understands cybersecurity can only respond “so does approximately 1/2 of all the traffic on the planet!” If an attacker wanted to arrange it so that their attack came from a Chinese IP address block, it would take about 10 minutes to set that up. Or, would you prefer it to come from Luxembourg? Also 10 minutes. To give you an idea: in 1997 I was involved with backtracking an attacker who was physically in the UK, but was laundering his connection through a server in Amsterdam that gave him access to a university computer in the US, from which he was dialing into a corporate system and then attacking another corporation through the first’s firewall. If the IP addresses were how the attack were attributed, it would have looked like a major investment bank was attacking a web hosting firm. Backtracking and attributing the attack required a month of work from several high-level experts and – most importantly – two glaring errors on the part of the hacker.
A professional intelligence officer with hacking experts at their disposal and time to set up a covert operation could, literally, make it look like it came from anywhere, with the investment of a relatively small increment of work. When it comes to cyberweaponry, everything you think you know has to be thrown out the window, every time, so your investigation has to start at square one. You’re not just in a wilderness of mirrors; you’re in a wilderness that is made entirely out of mirror.
(2) Technology, Language, Culture and Cui Bono
What could we plausibly use to attribute cyberattacks? The first axis is the most fragile, namely technology. As I wrote earlier regarding Stuxnet, the AURORA attack scenario appears to have been first published by US researchers at Idaho National Labs. But in the 3 years between the AURORA publications and the release of Stuxnet, it is plausible that some group of hobbyists decided to weaponize AURORA. Plausible, but only barely so, because another crucial clue that Stuxnet’s author(s) had uncommonly available information was that Stuxnet appeared to encode insider knowledge about the Iranian’s gas centrifuge cascade.
We can start to make an assessment about ‘who may have written Stuxnet?’ based on the possible sources of all the technical elements of the attack but in a very real sense, Stuxnet was so single-target that it would be relatively easy to try to attribute technically, compared to a more generic piece of malware. For example, a crafted E-mail message with a Microsoft Word document containing an exploit that installs a common-or-garden piece of malware like the Zeus trojan: that would be nearly impossible to attribute because Word is a big target and Zeus is widely available. I could have a copy in under an hour for $700 if I wanted it — whether I was American, Chinese, or Luxembourgeois.
Another possible way of attributing an attack would be looking for language or cultural clues. Both of these clues are also relatively weak. In the example above, if I were a Luxembourgeois cyberwarfare commando using a purchased copy of Zeus, if the target attempted to decode my malware to look for clues, they’d discover that there was nothing useful. I suppose my initial MS-Word document might have been written in poor English and the target might try to infer my nationality, but how accurate would that be?
A honeypot consists in an environment where vulnerabilities have been deliberately introduced in order to observe intrusions. See here for details.
Ditto cultural attribution: I recall an incident in which a honeypot research team (were monitoring the activities of a hacker group and their exchanges were primarily using an IRC server with conversations in Romanian. The server, BTW, was in Pakistan. Hacking culture is very cosmopolitan, though admittedly the attacker’s use of language for internal communications could be a giveaway. I saw one hacker who was penetrating systems who made copies of data using names like “carduricredit.txt” – perhaps a real Romanian. If I were hacking systems, I’d be using “thẻngânhàng.txt” thanks to Google translate. In other words, the only plausible way to attribute origin by language and culture is if you’re able to get very deep inside the attacker’s command-and-control, assuming the attack is happening in real-time.
That leaves “who benefits?” but, again, that’s not a very solid chain of attribution, either. To take Stuxnet, again, as an example – Iran might plausibly point to the U.S. or Israel but the evidence is pretty circumstantial. It would be fascinating, indeed, to see a lawsuit happen over something like this – whenever I hear the FBI say that “Chinese cyberattacks are stealing data…” I find myself daydreaming a bit about how it would play itself out in court. “Well, that’s where their IP address was…” – wow, I’d enjoy being a testifying expert on the other side of that case! In cases of intellectual property theft, the legal proceedings are usually pretty drawn-out and the plaintiff only wins if there’s external supporting evidence, such as copies of the stolen data in the defendant’s custody. Again, these are the kind of gifts that you only get if your attacker is very, very sloppy – or someone is trying to frame them.
(3) A Model For Attribution
I, for one, am thoroughly sick of hearing the U.S.’ senior law enforcement agency — which, presumably understands how standards of evidence work and that you don’t go making accusations unless you can back them up — making empty accusations about other nations’ activities. Pointing and yelling isn’t how to do attribution and the FBI and CIA can be expected to know that.
What might a mature cyberwar attribution process look like? I imagine it would look a bit like the investigation of the sinking of the ROKS Cheonan (see Wikipedia). Briefly, a South Korean naval vessel sank following an explosion; foul play was suspected. Immediate analysis did nothing to dispel those suspicions, and the ship was recovered. An assessment team consisting of experts from several countries (South Korea, the US, Sweden) performed a detailed investigation and presented a report that attributed the attack to a North Korean-made torpedo – presumably fired from a submarine of similar origin. The report, of course, was contested by North Korea and, ultimately, we should state that “opinions are divided” (but not evenly divided) on who was responsible, but there is no question of it being an accident.
What’s important about the attribution process following the Cheonan’s sinking is that it was evidence-based and included experts from multiple parties. Furthermore, it had a built-in mechanism whereby if the analysts producing the report did not agree completely, they could air that disagreement. This is a great example of how to do it right, and how major accusations of cyberwarfare should be approached.
Depending on the target, the type of damage, and the expression of the attack, a cyberattack might be either an act of war or, more likely, state-sponsored terrorism. International law already covers these adequately, and dictates the legal limits of a state’s response. If cyberspace continues to become militarized, we will eventually have an incident leading to serious damage and loss of life. Until that time we need to be encouraging our law enforcement and intelligence agencies to prepare to present the highest possible standard of evidence at all times, and to treat computer intrusions as crimes, first and foremost, to be investigated and prosecuted procedurally.
Unless and until they do, we should not be expected to act based on “he said/she said” assertions. Important decisions must be made on the basis of fact and evidence, not demands like “trust us, it’s the Chinese” which would leave us open to retort from Iran, “trust us, Stuxnet came from the US.”
(4) For More Information
See the Wikipedia entry for more information about forensic science.
Other posts in the series Cyberwar: a Whole New Quagmire, by Marcus J. Ranum:
- The Pentagon Cyberstrategy, 2 September 2011
- “Do as I say, not as I do” shall be the whole of the law, 11 September 2011
- Conflating Threats, 14 September 2011
- About Stuxnet – Introducing Stuxnet and some of the issues surrounding practical malware-based warfare.
- When the Drones Come To Roost, 8 October 2011 — About the malware affecting U.S. drones’ software
This post by Marcus J. Ranum originally appeared on Fabius Maximus and is reproduced here with permission.