Challenges of Cyber Attribution

By: Sarah Freeman

Cyberattacks continue to rise, and security spending has risen in response. In 2017, the global cybersecurity market was estimated at $92.7 billion, with projected growth of 10 percent between 2018 and 2026.[1] In spite of this market growth, organizations seem unable to keep pace with the growth in cyberattacks. Snyder, however, noted the importance of a two-phased approach that considers both defense and deterrence. Although defensive efforts remain the primary focus of organizations seeking to stem the tide of cyberattacks, national security may require an active cyber deterrence strategy.

There is no universally accepted definition of cyber deterrence. Snyder, in his seminal work Deterrence and Defense, wrote: “The object of military deterrence is to reduce the probability of enemy military attack, by posing for the enemy a sufficiently likely prospect that he will suffer a net loss as a result of the attack, or at least a higher net loss or lower net gain than would follow from his not attacking.”[2] Central to this concept, however, is the assumption that the enemy is known. In cybersecurity that is not always the case; the cyber domain is, by its very nature, one that promotes anonymity. For example, in 1996 Goldschlag et al. described onion routing, an approach designed to resist traffic analysis aimed at discovering the origin of a connection.[3] In this design the initiator chooses the full path and wraps each message in one layer of encryption per node, so that every node on the path can strip only its own layer and learns only the previous and next hops, never both the origin and the destination. This concept would eventually serve as the basis for Tor in 2002,[4] which remains in use today, and it underlies many modern anonymizing proxy services. In this environment, attribution is challenged both by the attacker’s desire to remain hidden and by the technology itself.
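As an added illustration of the layering just described (not code from Goldschlag et al. or from Tor), the following Python script builds a three-hop onion and shows what each hop can and cannot read. The hop names, keys and destination are invented, and the cipher is a toy HMAC-based keystream so the script runs on the standard library alone.

```python
"""Toy onion-routing walk-through.

Added illustration, not code from the cited paper or from Tor. The cipher is a
stand-in (HMAC-SHA256 keystream XORed with the data) so the script runs on the
standard library alone; a real system uses authenticated encryption and a key
exchange with each hop. Hop names, keys and the destination are made up.
"""
from __future__ import annotations

import hashlib
import hmac
import json
import os

NONCE_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (toy cipher, not for real use)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt one layer under a per-hop key with a fresh random nonce."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def open_layer(key: bytes, blob: bytes) -> bytes:
    """Strip one layer; with the wrong key this yields garbage, not an error."""
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(key, nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, ks))


def make_keys(route: list[str]) -> dict[str, bytes]:
    """Derive a made-up per-hop key from the hop name (demo only; a real
    system negotiates these with each hop)."""
    return {h: hashlib.sha256(h.encode()).digest() for h in route}


def build_onion(route: list[str], keys: dict[str, bytes], destination: str, payload: str) -> bytes:
    """The initiator picks the whole route and wraps the message once per hop,
    innermost layer first, so each hop can read only who comes after it."""
    blob = seal(keys[route[-1]], json.dumps({"next": destination, "payload": payload}).encode())
    for hop, next_hop in zip(reversed(route[:-1]), reversed(route[1:])):
        layer = json.dumps({"next": next_hop, "inner": blob.hex()}).encode()
        blob = seal(keys[hop], layer)
    return blob


def relay_process(hop: str, keys: dict[str, bytes], blob: bytes) -> tuple[str, bytes | str]:
    """What one relay does: peel its own layer and learn only the next hop.
    Returns (next_hop, remaining_onion) or, at the exit, (destination, payload)."""
    layer = json.loads(open_layer(keys[hop], blob))
    if "inner" in layer:
        return layer["next"], bytes.fromhex(layer["inner"])
    return layer["next"], layer["payload"]


def can_peel(hop: str, keys: dict[str, bytes], blob: bytes) -> bool:
    """True only if this hop's key strips the current outer layer."""
    try:
        json.loads(open_layer(keys[hop], blob))
        return True
    except ValueError:  # UnicodeDecodeError and JSONDecodeError both subclass ValueError
        return False


def trace_route(route: list[str], keys: dict[str, bytes], destination: str, payload: str):
    """Forward the onion hop by hop and record what each hop could observe.
    Returns (observations, delivered_payload)."""
    observations = []
    blob = build_onion(route, keys, destination, payload)
    for hop in route:
        nxt, blob = relay_process(hop, keys, blob)
        observations.append({"hop": hop, "learned_next": nxt})
    return observations, blob


def demo():
    route = ["relay-1", "relay-2", "exit"]  # made-up hop names
    return trace_route(route, make_keys(route), "site.example", "GET /index.html")


if __name__ == "__main__":
    for obs in demo()[0]:
        print(obs)
```

The observations show the property attribution has to contend with: relay-1 knows who handed it the onion but learns only relay-2 as the next hop, the exit learns the destination but not the origin, and no hop can open a layer other than its own. Two things a real design adds that the toy omits are authenticated encryption, so a hop cannot tamper with inner layers undetected, and fixed-size cells, because here each stripped layer shortens the blob and that length change alone would let an observer correlate traffic across hops.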

Suitable retaliation for a cyberattack rests on the premise that the perpetrator can be identified, and identified in a timely manner. Without proper attribution (i.e., high-confidence and timely assessments), accountability in the international space cannot be guaranteed. Although no international norms for cyber warfare have been adopted, the field of chemical and biological security provides some clarity on the significance of accountability. In 2012, a chemical weapons attack breached a twenty-year moratorium, and it has been followed by more than 200 further chemical weapon attacks.[5] Although speaking of chemical weapons proliferation, Hersman emphasizes that without suitable accountability, actors will be encouraged to continue their use.[6] The same can be said of cyber weapons; however, punishment in this context also assumes that an international norm has been established. Although some work in this area has been done, many questions remain.

Following the July 2018 NATO summit in Brussels, participants emphasized the importance of defense and deterrence in the cyber as well as the kinetic domains. This announcement represented a key moment in NATO policy and in the interpretation of Article 5 of the North Atlantic Treaty, recognizing that “Cyber defense is part of NATO’s core task of collective defense.”[7] Participants also acknowledged that although their efforts remained focused on ensuring military outcomes, those efforts could not be limited to a military response.[8] Additionally, the group acknowledged that military success depends not only on military infrastructure but on the continued availability and integrity of the critical infrastructure on which military missions depend. As cyberattacks against civilian and enabling critical infrastructure have become more prevalent, they introduce additional risk to defense and deterrence actions.

Applying Article 5 to cyberattacks requires NATO members to: 1) define when an adversary’s activity moves from a cyber threat to a cyberattack; 2) identify the perpetrator in a timely manner; and 3) maintain the strategic capability and access needed to respond.

The following case studies highlight the challenges of post-attack cyber attribution since 2015.

Case Study: TV5MONDE and the Cyber Caliphate

In April 2015, a targeted attack against TV5MONDE’s networks in France disrupted broadcast services and corrupted a number of internet-connected devices.[9] Interestingly, although this attack primarily targeted TV5MONDE’s operational technology, the adversaries also conducted a wide-reaching and sophisticated reconnaissance campaign to enable it, even targeting a Netherlands-based third-party provider of remote-controlled cameras. Custom malware was created to target and corrupt the specific equipment used by TV5MONDE. TV5MONDE’s websites and its Facebook and Twitter pages were publicly defaced by a group identifying itself as the Cyber Caliphate.[10] Ultimately, restoration and recovery cost $5.6 million in the first year, in addition to $3.4 million for increased protection services following the incident.[11]

Within two months of the initial attack, additional forensic evidence contradicted the original claim of responsibility by the Cyber Caliphate and instead indicated that the attack was likely conducted by APT28,[12] a Russia-based, state-sponsored advanced persistent threat (APT) group whose activity has been attributed to the Main Intelligence Directorate (GRU) of the Russian General Staff.[13] Specifically, the Cyber Caliphate website was hosted on the same IP block that had historically hosted APT28 attack infrastructure.[14] The website also used the same server and registrar as past APT28 activity.[15] According to FireEye, a U.S.-based cyber intelligence firm, the Cyber Caliphate employed several tactics, techniques, and procedures (TTPs) similar to those of APT28.[16] Additionally, and perhaps more significantly, FireEye noted that at the time of the TV5MONDE attack, APT28 was also targeting a number of other journalists from the same attack infrastructure.[17]

Case Study: Yemen Cyber Army

Throughout the spring of 2015, the Yemen Cyber Army conducted a series of cyberattacks against Saudi and pro-Saudi targets. An initial attack included the defacement of the website of Al Hayat, a pro-Saudi newspaper based in London, and the leaking of the names of Al Hayat’s subscribers.[18] The Yemen Cyber Army followed this with a more direct attack against the Saudi Ministry of Foreign Affairs on May 20, 2015.[19]

One news outlet reported that the Yemen Cyber Army gained control over more than 3,000 Saudi government computers following the May breach, allowing it to collect not only the personal information of key diplomats (e.g., addresses and phone numbers) but also their emails.[20] The group also gained access to classified government documents, including historical correspondence with other foreign governments dating back to 1980.[21] To ensure widespread release, the Yemen Cyber Army disclosed these sensitive documents in conjunction with WikiLeaks.[22]

However, even early analysis raised questions about the origin of the attack, with some security researchers hypothesizing Iranian involvement, primarily based on the perceived gap in capability between Iran and the nascent Yemeni program.[23] Additionally, after the attack a representative of the Yemen Cyber Army published a post on Pastebin taking credit for the event and identifying the group as the “Cutting Sword of Justice.”[24] Interestingly, the cybersecurity and open-source analysis firm Recorded Future noted that this phrase had previously been used only in conjunction with the 2012 attack against Saudi Aramco (also known as Shamoon), during which Iranian hackers destroyed 30,000 computers with a malicious wiper.[25] Following the attack, sensitive Ministry of Foreign Affairs documents were also published to QuickLeak.ir, a website used primarily by Iranian hackers. Finally, the exploits of the Yemen Cyber Army were consistently reported first by an Iranian media outlet, Fars News Agency, leading some to speculate that the outlet had insider knowledge.[26]
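Both the TV5MONDE and the Yemen Cyber Army cases turn on the same analytic move: weigh the artifacts left behind (hosting netblock, name servers, registrar, reused phrases, leak venue, targeting) against what is already known about candidate actors, and refuse to name anyone when the overlap is thin. The following Python script is an added example of that scoring, not the analysis performed by FireEye or Recorded Future; every address, name, profile and weight in it is constructed for illustration (IP addresses are drawn from the RFC 5737 documentation ranges, and “cluster-R” and “cluster-I” are placeholders for a cluster with Russian-linked history and one with Iranian-linked history).

```python
"""Weighted artifact-overlap scoring for a claimed attacker identity.

Added example, not the analysis performed by FireEye or Recorded Future. All
indicators are constructed: IP addresses come from the RFC 5737 documentation
ranges, names and weights are invented, and the two profiles are placeholders.
The weights encode one analyst judgement: infrastructure and distinctive
strings are harder to fake or avoid than a registrar shared by many.
"""
from __future__ import annotations

import ipaddress

WEIGHTS = {
    "ip_block": 3.0,    # same netblock as prior campaigns
    "nameserver": 1.5,  # same DNS infrastructure
    "registrar": 1.0,   # weak on its own: registrars are shared by many actors
    "string": 2.0,      # distinctive phrase or moniker reused from past activity
    "leak_site": 2.0,   # publication venue tied to a known community
    "ttp": 1.0,         # behavioural overlap (targeting, tooling)
}

KNOWN_ACTORS = {  # constructed profiles
    "cluster-R": {
        "ip_block": {"198.51.100.0/24"},
        "nameserver": {"ns1.host-r.example"},
        "registrar": {"registrar-alpha"},
        "ttp": {"spearphish-journalists", "custom-device-wiper"},
    },
    "cluster-I": {
        "ip_block": {"203.0.113.0/24"},
        "registrar": {"registrar-alpha"},
        "string": {"cutting sword of justice"},
        "leak_site": {"leak.example-ir"},
        "ttp": {"pastebin-claim", "destructive-wiper"},
    },
}

# Observations modelled loosely on the two cases above (all values invented).
CLAIMED_CALIPHATE = {
    "ip": {"198.51.100.37"},
    "nameserver": {"ns1.host-r.example"},
    "registrar": {"registrar-alpha"},
    "ttp": {"spearphish-journalists"},
}
CLAIMED_YEMEN = {
    "string": {"cutting sword of justice"},
    "leak_site": {"leak.example-ir"},
    "ttp": {"pastebin-claim"},
}
# A weak case: only a registrar in common, which most actors share.
REGISTRAR_ONLY = {"registrar": {"registrar-alpha"}}


def overlaps(observed: dict, profile: dict) -> list[tuple[str, str]]:
    """Return (indicator_type, matched_value) pairs shared by an observation and a profile."""
    hits = []
    for ip in observed.get("ip", set()):
        addr = ipaddress.ip_address(ip)
        for block in profile.get("ip_block", set()):
            if addr in ipaddress.ip_network(block):
                hits.append(("ip_block", block))
    for kind in ("nameserver", "registrar", "string", "leak_site", "ttp"):
        for value in sorted(set(observed.get(kind, set())) & set(profile.get(kind, set()))):
            hits.append((kind, value))
    return hits


def rank(observed: dict, profiles=KNOWN_ACTORS, weights=WEIGHTS):
    """Score every profile; returns [(actor, score, hits)] best first."""
    scored = []
    for name, profile in profiles.items():
        hits = overlaps(observed, profile)
        scored.append((name, sum(weights[k] for k, _ in hits), hits))
    scored.sort(key=lambda r: r[1], reverse=True)
    return scored


def assess(observed: dict, profiles=KNOWN_ACTORS, weights=WEIGHTS,
           min_score: float = 3.0, min_margin: float = 2.0):
    """Name a candidate only when the evidence is both strong and clearly
    separated from the runner-up; otherwise say so explicitly."""
    ranked = rank(observed, profiles, weights)
    best = ranked[0]
    runner_up = ranked[1][1] if len(ranked) > 1 else 0.0
    if best[1] < min_score:
        return "insufficient", ranked
    if best[1] - runner_up < min_margin:
        return "ambiguous", ranked
    return best[0], ranked


if __name__ == "__main__":
    for label, obs in (("caliphate", CLAIMED_CALIPHATE), ("yemen", CLAIMED_YEMEN), ("weak", REGISTRAR_ONLY)):
        verdict, ranked = assess(obs)
        print(label, "->", verdict, [(n, s) for n, s, _ in ranked])
```

The weights are the analyst’s judgment, and the third observation shows why they matter: a registrar in common is worth little on its own, so the function returns “insufficient” rather than a name. The same scoring also has a blind spot that the Turla case study below makes concrete: an actor who hijacks or buys another group’s infrastructure inherits that group’s netblock and name-server overlap, so infrastructure hits should be checked against timing before they are treated as identity.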

Case Study: NotPetya Ransomware Attack

On June 27, 2017, the day before Ukraine’s Constitution Day, a ransomware campaign devastated multiple industries throughout the country. The ransomware was distributed through a supply chain attack in which a third-party software supplier was compromised and a malicious update was pushed to all of its users.[27][28] Infected computers then displayed text stating that their files had been encrypted and that unlocking them required payment of $300 worth of Bitcoin.[29]

Attackers targeted MeDoc, a Ukrainian supplier of tax-accounting software, and manipulated its update mechanism to distribute the malware initially. Because MeDoc’s user base is located primarily in Ukraine, the software served as a natural infection vector for attackers seeking to maximize damage in that country. Although infections ultimately spread globally, the majority of activity remained in Ukraine.

Although the attack initially appeared to be a criminal ransomware campaign, security researchers soon questioned that assessment. A thorough review of the malware revealed that although it shared large portions of code with the Petya ransomware sold on criminal forums and marketplaces, significant alterations had been made. For example, the new variant used the EternalBlue exploit for propagation within networks, a departure from the original Petya.[30]

Additionally, the attackers did not appear to be financially motivated and failed to maintain working infrastructure for collecting payment from their victims. For example, the email account the attackers created to receive payment confirmations was shut down by the email provider, and no attempt was made to create a new one.[31] Ultimately, payments made by victims raised just over $10,000,[32] a relatively small amount given the number of computers infected globally.

Case Study: 2019 Co-option of APT34 Toolkit

In June 2019, the U.S. cybersecurity firm Symantec published findings that, as early as November 2017, the APT group Turla[33] had compromised command-and-control (C2) infrastructure owned by APT34.[34][35] Turla then used this APT34 C2 infrastructure to drop its own malware on victim systems that had already been infected with APT34 malware. The first instance of co-opted C2 being used for re-infection occurred in January 2018.[36] Turla continued to take advantage of this infrastructure to infect additional victims over the following 18 months.[37] Analysis of Turla’s activity indicates that it attempted to infect victims in as many as 35 countries, mostly in the Middle East, and succeeded in 20 of them.[38]
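One way to catch the pattern Symantec described, as an added example rather than Symantec’s own method: walk beacon logs per C2 address, note the first-seen time of each malware family on it, and flag any later family that shows up on hosts the earlier family already held. The log lines, hostnames, addresses (RFC 5737 ranges) and the family names ToolkitB and ToolkitT below are constructed for the example.

```python
"""Spotting a second tool family on another actor's C2 (added example).

Not Symantec's method; a minimal illustration over constructed beacon-log
lines. IPs are from RFC 5737 documentation ranges; the family names
ToolkitB / ToolkitT and the hostnames are invented.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime

LINE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) c2=(?P<c2>\S+) family=(?P<family>\S+)$")

SAMPLE_LOG = """\
2017-11-03T08:12:00Z host=victim-1 c2=203.0.113.10 family=ToolkitB
2017-12-19T14:30:00Z host=victim-2 c2=203.0.113.10 family=ToolkitB
2018-01-22T09:05:00Z host=victim-1 c2=203.0.113.10 family=ToolkitT
2018-02-02T11:41:00Z host=victim-3 c2=198.51.100.7 family=ToolkitT
2018-03-15T16:20:00Z host=victim-2 c2=203.0.113.10 family=ToolkitT
garbage line that should be skipped
"""


def parse(log: str) -> list[dict]:
    """Parse beacon lines; malformed lines are skipped rather than aborting the run."""
    events = []
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append({"ts": ts, "host": m["host"], "c2": m["c2"], "family": m["family"]})
    return sorted(events, key=lambda e: e["ts"])


def families_by_c2(events: list[dict]) -> dict:
    """c2 -> family -> {'first': first-seen datetime, 'hosts': set of victims}."""
    table = defaultdict(dict)
    for e in events:
        entry = table[e["c2"]].setdefault(e["family"], {"first": e["ts"], "hosts": set()})
        entry["first"] = min(entry["first"], e["ts"])
        entry["hosts"].add(e["host"])
    return table


def find_shared_c2(events: list[dict], min_gap_days: int = 30) -> list[dict]:
    """Flag C2 addresses where a second family appears well after the first and
    on hosts the first family already held: the signature of a borrowed foothold.
    Each later family is compared against the earliest family seen on that C2."""
    findings = []
    for c2, fams in families_by_c2(events).items():
        if len(fams) < 2:
            continue
        ordered = sorted(fams.items(), key=lambda kv: kv[1]["first"])
        earlier_name, earlier = ordered[0]
        for later_name, later in ordered[1:]:
            gap = (later["first"] - earlier["first"]).days
            shared_hosts = sorted(earlier["hosts"] & later["hosts"])
            if gap >= min_gap_days and shared_hosts:
                verdict = (f"possible co-option or handover; do not attribute {later_name} "
                           f"to the operator of {earlier_name} without corroboration")
            else:
                verdict = "shared infrastructure; inconclusive"
            findings.append({"c2": c2, "earlier": earlier_name, "later": later_name,
                             "gap_days": gap, "reinfected_hosts": shared_hosts,
                             "verdict": verdict})
    return findings


def analyse(log: str = SAMPLE_LOG) -> list[dict]:
    return find_shared_c2(parse(log))


if __name__ == "__main__":
    for finding in analyse():
        print(finding)
```

The verdict deliberately stops short of naming an owner for the later family. Seen in isolation, ToolkitT beaconing to 203.0.113.10 would score as a strong infrastructure overlap with whoever ran ToolkitB; only the timeline and the victim overlap reveal that the infrastructure may have changed hands.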

The success of this operation, like that of the actors in the previous case studies, emphasizes the importance of reviewing every cyberattack artifact with a discerning analytic eye: an artifact that points to a known actor may have been borrowed, purchased, or deliberately planted.

Today individuals, organizations, and governments continue to experience a barrage of cyberattacks that challenge existing defensive postures. For many, defensive investments alone are not enough to repel these attacks. However, deterrence by punishment is possible only where the perpetrator of a cyberattack is identified, and identified quickly. Cyber weapons, by their very nature, can be reproduced perfectly through the copying or theft of their code, whereas chemical or biological weapons can at best be imitated. Ultimately, analysts attempting to answer questions of attribution will have to come to terms with lower-confidence assessments, at least for the near future.

[1] Reuters, “Cyber Security Market Size 2019, Share, Segments, Global Industry Overview, Trends, Growth, Regional Analysis and Forecasts 2026,” August 8, 2019, https://www.reuters.com/brandfeatures/venture-capital/article?id=141321.

[2] Glenn Herald Snyder, Deterrence and Defense, (Princeton: Princeton University Press, 1961).

[3] David M. Goldschlag et al. “Hiding Routing Information,” in Information Hiding, R. Anderson, ed., LNCS vol. 1174, Springer-Verlag, 1996, pp. 137-150.

[4] Ian Goldberg, “Privacy Enhancing Technologies for the Internet III: Ten Years Later,” in Digital Privacy: Theory, Technologies, and Practices, Alessandro Acquisti et al., editors, (New York: Auerbach Publications, December 2007).

[5] Rebecca K.C. Hersman and William Pittinos, “Restoring Restraint: Enforcing Accountability for Users of Chemical Weapons,” in CSIS International Security Program, June 2018, https://csis-prod.s3.amazonaws.com/s3fs-public/publication/180607_Hersman_RestoringRestraint_Web.pdf?vzlG2wFfZBmfAKs1yB1PmnAQD4EZBBSj.

[6] Ibid.

[7] NATO, “Brussels Summit Declaration: Issued by the Heads of State and Government participating in the meeting of the North Atlantic Council in Brussels 11-12 July 2018,” Press Release (2018) 074, 11 Jul. 2018, https://www.nato.int/cps/uk/natohq/official_texts_156624.htm.

[8] Laura Brent, “NATO’s Role in Cyberspace: Cyberspace as a Domain of Operations,” in the Three Swords Magazine, v. 34, 2019, pp. 56-59.

[9] Gordon Corera, “How France’s TV5 was almost destroyed by ‘Russian hackers’,” BBC News, October 10, 2016, https://www.bbc.com/news/technology-37590375.

[10] Ibid.

[11] Ibid.

[12] According to MITRE, alternative names for APT28 include SNAKEMACKEREL, Swallowtail, Group 74, Sednit, Sofacy, Pawn Storm, Fancy Bear, STRONTIUM, Tsar Team, Threat Group-4127, and TG-4127.

[13] Robert Mueller, “Indictment – United States of America vs. Viktor Borisovich Netyksho et al.,” Department of Justice, July 13, 2018, https://www.justice.gov/file/1080281/download.

[14] Sheera Frenkel, “Experts Say Russians May Have Posed As ISIS to Hack French TV Channel,” BuzzFeed News, June 9, 2015, https://www.buzzfeednews.com/article/sheerafrenkel/experts-say-russians-may-have-posed-as-isis-to-hack-french-t#.rbO51WDnKm.

[15] Ibid.

[16] Pierluigi Paganini, “FireEye claims Russian APT28 hacked France’s TV5Monde Channel,” Security Affairs, June 10, 2015, https://securityaffairs.co/wordpress/37710/hacking/apt28-hacked-tv5monde.html.

[17] Ibid.

[18] “Yemen Cyber Army Hack Pro-Saudi Website, Warn Readers to Support Houthi Revolution,” Jerusalem Post, April 14, 2015, https://www.jpost.com/Israel-News/Yemen-Cyber-Army-hack-Pro-Saudi-website-warn-readers-to-support-Houthi-revolution-398018.

[19] Ibid.

[20] “Yemeni group hacks 3,000 Saudi government computers to reveal top secret docs – report,” Russia Today, May 22, 2015, https://www.rt.com/news/261073-yemen-cyber-hack-saudi/.

[21] Ibid.

[22] Lorenzo Franceschi-Bicchierai, “There’s Evidence the ‘Yemen Cyber Army’ Is Actually Iranian: Researchers uncover clues that indicate the new hacking group has links to Iran,” Vice, June 26, 2015, https://www.vice.com/en_us/article/wnj9gq/theres-evidence-the-yemen-cyber-army-is-actually-iranian.

[23] Ibid.

[24] Ibid.

[25] Ibid.

[26] Ibid.

[27] Thomas Brewster, “Is This Ukrainian Company The Source Of The ‘NotPetya’ Ransomware Explosion?” Forbes, June 27, 2017, https://www.forbes.com/sites/thomasbrewster/2017/06/27/medoc-firm-blamed-for-ransomware-outbreak/#5af6166573c8.

[28] Ellen Nakashima, “Russian military was behind ‘NotPetya’ cyberattack in Ukraine, CIA concludes,” Washington Post, Jan. 12, 2018, https://www.washingtonpost.com/world/national-security/russian-military-was-behind-notpetya-cyberattack-in-ukraine-cia-concludes/2018/01/12/048d8506-f7ca-11e7-b34a-b85626af34ef_story.html.

[29] Ibid.

[30] Kaspersky Lab, “New Petya / NotPetya / ExPetr ransomware outbreak,” June 27, 2017, https://usa.kaspersky.com/blog/new-ransomware-epidemics/11710/.

[31] Iain Thomson, “Everything you need to know about the Petya, er, NotPetya nasty trashing PCs worldwide: This isn’t ransomware – it’s merry chaos,” The Register, June 28, 2017, https://www.theregister.co.uk/2017/06/28/petya_notpetya_ransomware/.

[32] Bill Chappell, “’Petya’ Ransomware Hits At Least 65 Countries; Microsoft Traces It to Tax Software,” NPR, June 28, 2017, https://www.npr.org/sections/thetwo-way/2017/06/28/534679950/petya-ransomware-hits-at-least-65-countries-microsoft-traces-it-to-tax-software.

[33] According to MITRE, Turla is a Russia-based advanced persistent threat that has been active since 2004. Group activity is also tracked under the names Waterbug

[34] According to MITRE, APT34 is a suspected Iranian threat group that has been active since at least 2014. It is also known as OilRig and Helix Kitten.

[35] Catalin Cimpanu, “Russian APT hacked Iranian APT’s infrastructure back in 2017: Turla APT hacked Iran’s APT34 group and used its C&C servers to re-infect APT34 victims with its own malware,” ZDNet, June 20, 2019, https://www.zdnet.com/article/russian-apt-hacked-iranian-apts-infrastructure-back-in-2017/.

[36] Ibid.

[37] Charlie Osborne, “Russian APT Turla targets 35 countries on the back of Iranian infrastructure: The state-backed group’s hacking activities are more widespread than previously thought,” ZDNet, October 21, 2019, https://www.zdnet.com/article/russian-apt-turla-targets-35-countries-on-the-back-of-iranian-infrastructure/.

[38] Ibid.