How can a government, or a company, determine who launched a cyber attack? Attribution becomes even more difficult when the attackers disguise themselves as others. The Cipher Brief asked Hank Thomas, a partner and Chief Operating Officer at Strategic Cyber Ventures, what so-called false flags in cyberspace look like and what investigators need to break through the attackers’ deception.
The Cipher Brief: How do victims of a cyber attack find out who was behind it?
Hank Thomas: Unfortunately, in many cases it simply isn’t done. Most cybersecurity shops have determined that it is too resource-intensive and the return on investment in attempting to do so is too low. However, increasingly sophisticated security programs are incorporating multi-source cyber intelligence programs in support of their cyber defense efforts. Often, they outsource some of their efforts to managed services and participate in various information-sharing programs to help them do better malware analysis to attribute cyber fingerprints to the human actors behind them. If you put some focus on the shooter and not just the cyber bullet, you can often better prepare for the next attack.
TCB: What are false flag operations and why might an adversary conduct them in the virtual domain?
HT: The origin of the name comes from naval forces that flew false flags to fool their targets to get close enough to quickly overtake them, raid them, or annihilate them. In cyberspace, actors can pretend to be someone else via social engineering to gain access to your network. I consider spear phishing to be a form of a false flag operation. The next step is to look enough like someone else while they are colonizing or raiding your network to provide just enough plausible deniability, should their unwanted presence be discovered.
TCB: How might actors go about misdirecting attribution through false flags? Could you provide examples?
HT: Iranian hackers often use Arabic when planning and conducting attacks on U.S. banks. It wasn’t until we had multiple sources of intelligence, including linguists analyzing bank attack information, that we developed valuable intelligence that clearly showed an Iranian cyber operator using Arabic with hints of Persian Farsi influence. At that point we could tie the attacks back to Iran.
It was evident that the suspected Iranian actors were tied to specific time windows of operation. Through deep web sources of intelligence-gathering, there was significant chatter from various actors about the events in question. Those actors were known to be in Tehran. The geographic locations discussed and the other conversational elements suggested with a high degree of probability that they were students at a university in Tehran. Further analysis pointed to the operating windows associated with the average student, including no activity on Shia religious or school holidays.
Since this was mostly a denial-of-service attack, not much electronic fingerprint evidence was able to be collected. But in situations where the attack goes beyond denial of service, malware and other evidence can add to your ability to confidently attribute an attack to an individual, organization or nation state. Multi-source intelligence, called all-source intelligence in the military, is designed to give military operators confidence that they know who, what, when, where, why, and how.
TCB: Is it common for a nation-state hacker to intentionally obfuscate its cyber campaign so that forensic investigators believe it is the work of a different actor? Or are actors like Russia, China, Iran, and North Korea unconcerned their operations can be traced back to them?
HT: Different state actors have used different tactics, techniques, and procedures to obfuscate their cyber campaigns. In many cases a state’s ability to conduct attribution depends on where it fits in its cyber hierarchy. Is the state considered an A or a B team? In other situations, the use of sophisticated tradecraft to obfuscate cyber attack campaigns can be tied to the overall sophistication and experience of the nation’s intelligence service. Let’s say the Russians have been at this espionage game far longer than the Chinese. But the Chinese are learning from their mistakes and are beginning to understand that they can’t just kick in the front door and raid your house with virtual Chinese military uniforms on. They should follow the Russian military’s lead in Ukraine and at a minimum take their patches off before they attack you.
TCB: Is a level of certainty in attribution impossible? Are private companies that attempt to determine the source of an attack through forensic investigation less likely to succeed than the government, which may have other intelligence as part of the attribution process?
HT: Experienced teams that have tracked the same threat actors tied to certain criminal syndicates or nation states can tie cyber-attributable evidence to new attacks. But intelligence must either drive your cyber operations or be actively integrated into your daily process. Often your best source of intelligence is the data off your network, if you have the analytics in place to tie evidence together. A hunt team that actively deploys user entity behavior analytics and deceptive technology to trap and collect intelligence on cyber intruders, unbeknownst to them, is a must.
TCB: Are false flags a significant problem in attributing cyber attacks or are they more of a nuisance?
HT: False flag operations are increasing in sophistication and are a major problem in interactions with cyber adversaries – especially in a democracy like the U.S., where the credibility and level of evidence must be high to retaliate or convict someone. Sometimes a warm gun is not good enough. It must be smoking. False flags also lead analytic teams down the wrong path, wasting valuable time, resources, and effort. They make people want to get out of the difficult cyber attribution business even more.