Cyber Attacks – finding out where they come from


With the increasing frequency, complexity and sophistication of cyber attacks – such as Stuxnet, the Sony Hack – how is attribution done?

This podcast is an interview with Ben Buchanan about a paper he recently published with Thomas Rid, Professor of Security Studies at King’s College London, on attributing cyber attacks. The paper, “Attributing Cyber Attacks”, can be found in the Journal of Strategic Studies. Additional information about the various reports mentioned in the podcast is linked throughout the transcript.

This podcast was produced and is hosted by Adriene Lilly.


Adriene Lilly: With the increasing frequency of cyber attacks in the media I think it’s worth taking a few minutes to try and understand how attribution is done – how do we find out who is doing it, why, how, and where from. What exactly is attribution in the cyber context, why do we try to attribute attacks? How is it different than its offline equivalent in criminal investigations? Where does data and forensic evidence come from? And who – be it the government or private companies – is actually involved in the process of attribution?
Today I’m talking to Ben Buchanan….

Ben Buchanan: Good to be with you Adriene. So I’m Ben Buchanan, I’m a PhD candidate at King’s College London.

AL: He’s recently published a paper with Thomas Rid in the Journal of Strategic Studies called “Attributing Cyber Attacks”. Their paper attempts to get to the essence of attribution in cyber crime and sets up a model that they hope can help streamline the process.
Before we begin though, there are a number of major cyber attacks that have popped up in the media over the past couple of years. So just in case you’re like me and may need a refresher, let’s start with a few of those stories.
Let’s begin back in 2010 with the discovery of Stuxnet. Stuxnet was a piece of malware – or malicious software – that is generally cited as being one of the most, if not the most, sophisticated computer viruses to date. And while no one has officially taken credit for it, best guesses are that it’s a product of the US and Israeli governments. The software was specifically designed to target a uranium enrichment facility in Iran by subtly changing how some of the mechanical structures in the facility operated, specifically the spinning speed of a number of centrifuges. Stuxnet was designed to sabotage the Iranian nuclear program. It’s significant for a number of reasons, but the one that I want to emphasize here is the complexity and sophistication of the operation. Here’s Ben.

AL: Ok, now you brought up the centrifuges in Iran so I’m assuming you’re talking about Stuxnet.

BB: Sure, so Stuxnet was a long cyber operation against Iranian centrifuges that by some reports involved building a replica of the Iranian nuclear facility and testing the code against this model before it was deployed against Iran. That’s an operation that probably cost hundreds of millions of dollars when you consider all the physical expenses. It’s believed to have been conducted by the US, likely working in partnership with Israel, and it had the effect of manipulating the centrifuges in a number of ways over a number of years in an attempt to slow down the Iranian nuclear program.

AL: Who discovered it and who did it?

BB: So the tech side of the operation was discovered by researchers who were alerted when a computer in Iran kept restarting for unknown reasons. They looked in the code and they discovered that it was what looked like a cyber weapon against the Iranian nuclear facility. People immediately assumed, or guessed, that it was the US or Israel but there was no concrete proof for quite a while. And in that case, what is today the most credible attribution of the Stuxnet attack came from a reporter, came from David Sanger at the New York Times who, working inside the beltway of sources, found out that it was in fact likely a US or Israeli operation, and then further reporting seems to indicate that’s the case, there are no indications otherwise. But this is a case where technical indicators found by researchers were not enough to point the finger at a government. More reporting was necessary, traditional reporting.

[For detailed information on Stuxnet, see ‘Countdown to Zero Day’ by Kim Zetter]

AL: Now, let’s jump forward a few years to 2014. In an unprecedented move the US Department of Justice indicted 5 People’s Liberation Army (PLA) officers on charges relating to theft and cybercrime. This is the first time the US government has ever indicted foreign officials on charges relating to cyber attacks. The attribution however came first to the public’s attention in the form of a report known as “Advanced Persistent Threat 1” or the APT1 report. This was released by a private company; almost a year later the US DOJ released its own report on this PLA unit. Here the private sector and the government are both looking at similar data and drawing similar conclusions. Here’s Ben talking about the APT1 report.

BB: The APT1 report was put out in 2013 by a company called Mandiant, which is one of the leading companies in the space. It identified this group, likely operating in China, likely tied to the PLA, that had conducted a wide series of operations. All indications are, retrospectively, that the government agreed with the findings in the report and it lined up with what they saw internally. Mandiant’s report was splashed all over the NY Times; the government didn’t really weigh in at the time one way or another on if the report was right, but all indications are that they were on the same page. So that’s one end of the spectrum where the government and the private sector are aligned. One of the reasons it’s safe to say they are on the same page is that the government indicted 5 officers from the PLA that were named in the report.

AL: And this is the first time that’s happened?

BB: That was the first time the DOJ indicted military officers from another government for a cyber operation or in response to a cyber operation.

AL: The final cyber attack story we should mention actually happened after the release of this paper. It’s an extremely relevant story and it manages to bring together a few important points including the complex relationship between the private sector and the government, the elusive nature of attribution and the media frenzy it can cause. You may remember it as ‘the Sony hacks’: in late 2014 attackers took private emails and other sensitive data from the computers at Sony Pictures and published it online. The attacks were attributed to North Korea but met considerable controversy. Here’s a little bit on how that happened and what exactly caused the controversy.

AL: So what was the controversy there?

BB: It’s a case of, the government made a claim that this was in fact North Korea. Well actually, let’s back up to the beginning and tell the story of the Sony hacks. The Sony hacks was, Sony was producing a movie, “The Interview”, which made fun of the leader of NK, Kim Jong-un, and as this movie was nearing release there was an incident in the Sony computer networks in which a lot of data was stolen and key servers and computers were attacked. So it was a combination of an attack – actually doing damage to computers – and exfiltration – taking valuable data from the network. And the data in question here is personal emails and things of that sort, from the Sony networks, of Sony executives. And these emails were dumped online; it’s an embarrassment to some Sony executives. And the hackers did not identify themselves as part of a nation state but posted threatening messages online. Sony had to figure out how to respond, they had to figure out who did it.

Sony, since it was a very serious case, got the FBI involved, and the FBI claimed very early on in the process that it was North Korea, and that it was tied to the geopolitical anxiety around the movie ‘The Interview’. They released some data, but not a great amount of data, very early on; other private security companies looked at different data, or had their own data, and made contrasting claims. And there were a number of people who weren’t making contrasting claims but were saying “yeah, this may be North Korea but you, FBI, you, government, haven’t released enough tech data to prove that, why should we believe you?” And this is a case where the private sector actually has the appetite and the ability in cyber security to consume and analyze the technical nuts and bolts data, which may not be the case in other kinds of intelligence. So they were saying, until you release that data we’re not going to believe you. And in response, eventually the government released a little more data.

AL: Ok, now that we have an idea of the big media stories in cyber attacks in the past few years, let’s get into a more detailed discussion about the paper and more specific elements of attribution.
I want to start simply and ask: what is attribution?

BB: It’s figuring out who is responsible for a certain activity in cyber space. Attribution is often thought of as a problem. So, if we’re a defender of a network the problem is finding out who attacked us. This is important for a number of reasons:

[1] legal reasons, if you want to seek some legal remedy;

[2] state-craft reasons, if it’s a nation state and we want to conduct diplomacy or military ops in response; and this is important for

[3] forward-looking reasons, because we want to figure out who got in and how they got in to protect our network in the future.

AL: You begin in your paper talking about offline attribution.

BB: Exactly, and one of the points we make in the paper is that attribution as a general concept is not new. So, we hear about it a lot in cyber security because it’s different, but it’s important to remember that in the scheme of history and law, attribution is a problem that’s been with us for a long time. So the US has a legal system that attempts to resolve attribution; in international relations attribution, at least initially, and sometimes more than initially, has been in question for quite a while. So the ones you mentioned, the Malaysian airline flight is a good example, chemical weapons in Syria, the assassination of Archduke Ferdinand that started WWI is a good example. In each of these cases attribution is up for debate and contested by parties involved.

AL: And these are all political tools.

BB: Right, in that case attribution is of great political importance and that’s certainly the case in cyber security as well. So in cyber security an incident may involve a theft of politically sensitive data, such as internal communications of a state, or wiretapping a leader, or it may involve an attack on a significant institution, such as centrifuges in Iran, and in those cases getting attribution right is immensely important because a state that gets it wrong runs the risk of attacking the wrong state or responding in the wrong way.

AL: So there seems to be an analogy that’s often made between cyber attribution and more traditional criminal investigations, where do you think this analogy proves to be useful and where does it diverge?

BB: It’s appropriate in so far as it’s an investigation. One side is tasked with finding forensic data and marshalling that data in the means of making a case, and coming to a conclusion and acting on that conclusion. And in criminal process there are reasonably clear standards that need to be followed in that process, so when the FBI or police investigate a crime there are standards for evidence collection, preservation, etc. And this is reasonably consistent. That’s something that diverges. So in cyber security, when the investigator is not trying to make a criminal legal case, there’s a lot more freedom to investigate in different ways. So we don’t have to, in cyber security, investigate according to strict chain of custody procedures because it probably won’t end up in court anyway in some cases. So we can be more free form, we can draw conclusions that may meet a standard that’s somewhat less than beyond a reasonable doubt. That’s important to consider as well. The tag line we use in the paper is “attribution is what states make of it”, so states have the freedom to decide how they are doing attribution and what standards are good enough for them. Broadly speaking, police don’t have that freedom; they have to follow certain standards if they want to win in court, and they do so. But states can decide when it’s enough to stop, at what point it’s clear and at what point the process is done.

AL: What about in the private sector?

BB: Same thing applies, except maybe even more so because they aren’t taking significant action in response; the private sector is not going to launch an attack. So they can decide at what point do we have enough data to go public with this, at what point do we have enough to brief our client about this, and how do we collect that data.

AL: Your paper is more governmental, but what about the private sector? In that case, do they care who’s doing it?

BB: That’s a great question and it’s one of the things that we asked a lot. So just as a back story, in doing this research we met with people from governments in the US and UK in the intelligence community and also leading private sector companies that do incident response. And we asked them “why does your average private company that’s hacked, why do they care who did it, don’t they just want to fix the problem and move on?” And they said “yeah, in some ways that’s the case, attribution isn’t the most important thing, but in some ways it’s instinct for these companies to want to know immediately who did this and why are they doing this.” So you can imagine, you’re briefing a non-technical group of people, so you’re briefing a CEO and you’re saying “sorry sir, this bad thing has happened to your computers, this is affecting your business.” A natural question for that person to ask is “well, who did it and why, what can you tell me about them, and I want to know right away.” And for that reason alone attribution is an important question.
It can also be an important question because these operations can affect businesses themselves. So if sensitive data has been leaked or has been exfiltrated, the company involved wants to know where that data is. And it might mean something different if that data is in the hands of their competitors or if that data is in the hands of some third party that doesn’t really affect them. So for that reason there’s some cause for them to want to know where their data is and what happened.

AL: Where does the data come from?

BB: So, a good portion of the data that we’re talking about actually comes from the computers and the networks of the hacked party. One of the key things we often find on hacked computers is software that’s been used by the attackers. So they break in to our network and have loaded some software; this is essentially a tool for other stages of their operation. We can look at that tool and find out information about it and use that as a source for our investigation.

AL: So a lot of it is information that the security companies that come in gather because they have access to the computers, so that information isn’t necessarily shared by all the companies.

BB: Oh no, not at all. So it depends on the security companies that have been empowered to investigate a particular case. Now, sometimes cyber operations are not narrowly targeted, so they will hit a number of places at once, and security companies may already have relationships with one or more of those places, and different places may have relationships. So if an attack hits 100k targets, then it’s reasonable to expect that a lot of information security companies will have some visibility. And that’s when you can get some degree of disagreement, where one company says our data shows this and another says our data says that. And that’s to be expected in the investigations world.

AL: What is the relationship between the private companies and the government?

BB: So you’ve put your finger on a really important point, which is that in cyber security there’s far more private sector involvement than in other forms of intelligence. So think back to the examples I mentioned before about the Malaysian airplane or chemical weapons in Syria. In those cases, while attribution was debated by some parties, there’s very little private sector knowledge of the case; that’s not what’s going on in cyber security. So in cyber security there are genuine experts in the private sector who have technical data and can weigh in. Those companies, like Mandiant, FireEye, CrowdStrike, produce reports based on data available to them, and these reports were a major source of information for our research and can sometimes be quite good. So it changes the dynamic between the government because the government can make a claim and, in this case, the private sector can sometimes say “no, that claim is false” or “that doesn’t jibe with what we’re seeing” or “our indicators show that you’ve neglected to point out this fact”, and that’s a true sea change in how attribution is done.

AL: How is attribution done?

BB: So, let’s imagine we’re part of an organization. Our organization has been hacked and we’ve learned about being hacked. As an organization what we will do is empower an incident response team to figure out what happened. That could mean that we have an internal team – that’s less likely in this age of budget – so more likely we’ll hire an external company (Mandiant, FireEye, etc.) and they will come in and investigate. So what they will do is look at our computers for forensic evidence; they will then look at that evidence and that will inform the investigation.
It may be worth taking a step back to look at what kind of data is involved. So when we talk about forensics in computers, and particularly in incident response, there are a number of different factors at play (the paper goes through quite a few of them), but to give a couple of examples. A very commonly cited one is language: so what language did the attackers use in communication with the target? Are there any flaws, weaknesses, etc. in that language? And then, what language did they use when they actually programmed their code? So you can see the keyboard configuration that they used in some cases; that’s also very easy to fake. The second forensic indicator that comes up a lot is time zones: so, during what hours of the day did the attackers generally work? Were they working midday in California? Or midday in Russia or China or Israel?

So in general, if we can establish a pattern of life relating to timing and time zone, we can learn a little more about their habits and potentially who they are and where they’re located. It’s also important to note that sometimes the time zone indicator drops out of the equation because sophisticated operations are 24/7. Another interesting indicator is infrastructure. When we say infrastructure we mean the computers that were used to carry out an operation. So, very frequently an operator might target a computer as an intermediary step and then use that computer to target another computer, and very frequently they will reuse those intermediary computers across operations. So we can tie the intermediary computer to an operator in one case, and if that computer – or hop point – shows up in another operation then we have a good indicator that it was the same person. Essentially it’s a method of operations, and if we can show some consistency in method of operations, and particularly in what’s used to carry out the operation, it gives us a good deal of data on who might be behind it.

AL: So what kind of indicators allow researchers to point the finger at a government?

BB: Well, making the link to a government is actually quite difficult. This is something we talk about in the paper a fair amount. Sometimes it’s possible to identify where the keyboard that launched the attack is and, broadly speaking, some characteristics of the person who launched it, so language indicators or something like that, but making the link to the government is actually quite difficult.

Some of the ways in which it’s done is people look at what else is on the computer that launched the attack. So there are cases where PLA photos are found on the computer that launched the attack, or on his Instagram page or Flickr page, and that’s called persona research. So figure out who the person is behind the operation and figure out what can be learned about that person. Are they a military officer, an intelligence official, etc.? It’s worth remembering that those kinds of people don’t only work for the government, so just because someone is a government official doesn’t necessarily mean they are conducting an operation on behalf of the military.

AL: If you could just go ahead and talk about the model that you set up in your paper.

BB: Right, so we created a model called the Q model, which stands for a number of things: could be question, could be quartermaster (the root of the word cyber, steering) or it could be James Bond. And the Q model, which is a visual model so it’s difficult to describe in an audio context, but the Q model essentially has three layers: [1] a technical layer, an [2] operational layer and a [3] strategic layer, and what it seeks to do, among other things, is clarify and exhibit and surface some of the questions that happen at each layer. So technical people might be the ground level analysts who are collecting and working the forensic data, and operational people might be political analysts who are taking the conclusions of the team and marrying it with the non-technical intelligence or regional expertise they have. And the strategic people are the ones that ultimately have to reach a conclusion and test out competing hypotheses generated by the operational team and find a response. And one of the ways they do that is that they probe and stress test the analysis and try to make sure the rest of the people working in the model have done their job well. At each of those levels (technical, operational and strategic) we provide some of the questions at play. And you can imagine that’s the circular part of the Q, and the hook of the Q at the end is the communication part, so that’s where we break out of that cycle and we, as a team, present our findings either internally to a government or private sector organization or externally to the public, and that’s the last part of the model.

AL: And finally, how is it discussed with the public?

BB: We spent a significant amount of the paper on the challenge of communication; that’s the entire third part of our paper. The North Korea case, which came out after we wrote all of this, demonstrated a lot of the importance of communication, and there are two kinds of communication. There’s internal communication within the government: so, we’re a technical team briefing a non-technical person within the government about what happened. And then there’s communication to the public: we’ve reached a conclusion and we’re presenting that, for whatever reason, to the public. And on the first side, one of the things that’s important – metaphors are good and it’s good to understand what’s going on – but we try to establish a common vocabulary that’s not too technical, that’s understandable to both tech and non-tech people. So surfacing the indicators and surfacing ways of presenting the data to everyone at that table. So that’s why we tried to provide a fair amount of explanation in the paper about what is actually going on, and couch it in ways that people get. People get why time zones and language are important. Indicators like that are presented in ways that we hope non-technical and technical people can get, and certainly I think that’s true in the government; we didn’t invent that. And then when it comes to communication to the public I think you see a lot of the same, except that it may be less specific. So beyond time zones, the government may be a little reluctant to share some technical data or some information around that data. But you do hear in those cases, I think, particularly government people using metaphors or analogies to try to explain what happened. Those analogies are of varying quality because cyber, and what happens in cyber operations, is quite different in some cases than what happens elsewhere, but you see allusions to espionage, to warfare, to attack. And those have some value in making it real for people who aren’t technically inclined.

AL: Are there any particularly interesting stories that you think people might want to research?

BB: So the Department of Justice indictment is one (the PLA officers) that has gotten a lot of play; now that’s legal, so maybe that’s not the best one to start with if you’re not a lawyer. The corresponding Mandiant report on that – the APT1 report from 2013 – is maybe more readable.

We try to provide an example for every paragraph in our report that discusses an attribution indicator. So whatever you’re interested in, time zones, language analysis, etc., we offer examples. That’s all footnoted in the paper. We think it’s important for our paper – though it provides some answers and some clarity – to be a jumping off point, because there is a very broad world of questions into attribution. We want to provide a pathway into asking those questions.

Picture: elhombredenegro