Concerning Attribution of Hacking

Organizations are getting hacked left and right these days, and that’s just what’s in the news. Naturally most organizations and people that get hacked either don’t know it or don’t want to tell anybody. It should be no surprise to anyone that the DNC’s emails got leaked. As is depressingly routine though, the news coverage is both sensationalist and lacking in depth. In this case I’m specifically referring to all of the media saying that the Russians did this with big pictures of Dr. Evil Vladimir Putin to go along with them.

Maybe they have sweet refrigerator magnets like me

I’m not saying that some Russian people didn’t do it, but I really feel like the reporting on the matter is irresponsible. Here’s why:

Attribution of hacks to individuals or nation-states is hard. It’s very hard for many reasons, not the least of which is that techniques, tools, attacks and compromised machines are shared. Someone in Bolivia may be using a Russian tool from an already trojaned host in China, connecting through a Romanian proxy. In the past many attributions have been made on extremely flimsy evidence, like seeing some Russian strings in a file and then saying it is the work of Kremlin-sponsored hackers. Or traffic coming from a Chinese IP, therefore it’s the CPC (e.g.: Norse-style attack maps). Or a machine that has been compromised by a trojan believed to be used by a couple of people in Russia, even though others could be using the machine or the trojan.

My point being that there should be some basic level of skepticism from the public and reporters when attributing hacks at all, and maybe even more when connecting them to nation-state sponsored hacking. The Economist very recently said regarding hacking financial institutions:

the limited number of actors thought to have the capabilities to pull off something like this are tied to nation-states

I’m definitely no expert on financial information security, but I doubt the basic premise here that hacking techniques or tools can exist only in the hands of nation-states. Anything can be copied, especially an attack that’s been used before. Suppose a nation-state has a super sweet 0-day and trojan kit or whatever. Once they use it, it’s fair game for other people to replicate and use themselves. Case in point: Stuxnet, the SCADA attack that wrecked Iranian nuclear enrichment centrifuges. It is suspected to have been developed by the Israeli and American governments using highly specialized knowledge. Cool. But now a detailed analysis of it is on the internet for anyone to read and copy if they want. So even if a lot of work is put into development by a nation-state, others can copy it. And in most cases a person with a lot of time on their hands and a computer could do the same research and development if so inclined.

Now regarding the DNC hacking, all news articles eventually point back to a single press release by one guy at CrowdStrike that says the attack was done by “COZY BEAR and FANCY BEAR,” whom they know to be sophisticated Russian operatives. This is a pretty important assertion, and if it is to be printed everywhere with scary pictures of Putin and likely lead to diplomatic responses, I would expect more evidence behind it than essentially taking their word for it. Again, I’m not saying I don’t believe them, but not being properly skeptical about such assertions and considering plausible alternatives could lead to very serious consequences that it would be in everyone’s best interest to avoid.

We have identified no collaboration between the two actors, or even an awareness of one by the other. Instead, we observed the two Russian espionage groups compromise the same systems and engage separately in the theft of identical credentials. While you would virtually never see Western intelligence agencies going after the same target without de-confliction for fear of compromising each other’s operations, in Russia this is not an uncommon scenario. “Putin’s Hydra: Inside Russia’s Intelligence Services”

To me this says that people with no connection to each other are using the same tools to compromise the same systems. Why must it be only these two attackers? How do you know it’s them? If there are detailed reports on the tools, techniques and traces of these attacks how hard would it be for someone else to make it appear to be the work of Russians?

These are important questions because there are debates now on how to respond to hacks (or “cyberattacks” in the somewhat anachronistic terminology of the U.S. government), possibly with military force. In the past high-level American diplomats have warned China about their cybertanks rolling over our cyberservers or whatever the hell they imagine is going on. China denies any such attempts. Maybe China attacked us, maybe not? Let’s be as certain as we can before rushing to any conclusions about who attacked a computer through the internet, and who “sponsored” them. I don’t really know what sponsorship a hacker needs other than a few cases of monster, some pizzas and a laptop.


Typical Kremlin-sponsored nation-state operative workstation


There are definitely some points to mention that do back up the assertions from CrowdStrike. Dell SecureWorks supposedly verified independently that it was Russians. In the press release it certainly does sound like CrowdStrike knows what they’re talking about and has been following these guys for a while. I’m sure they have lots more information than they’ve released and know a lot more than I do. I just have a problem taking their word for it about attributing it to the Russian Federation government when such attribution seems extremely problematic and pretty much impossible to confirm unless you actually arrest them and look at their computers and network traffic. Of course if we could track them down to that point, it would mean that they were shitty hackers and the work they did could have been done by any other shitty hacker just as easily. And if these shady Russkiis have been at it for so long and are so well known, what’s to stop China or Venezuela or Iran from sponsoring hackers to imitate the Russians’ attacks to stir up some diplomatic incidents and nationalist fervor?

Oh also, the person who hacked the DNC started a blog and said they were responsible and it wasn’t Russians and laughed at CrowdStrike’s incompetence:

Worldwide known cyber security company CrowdStrike announced that the Democratic National Committee (DNC) servers had been hacked by “sophisticated” hacker groups.

I’m very pleased the company appreciated my skills so highly))) But in fact, it was easy, very easy.

Guccifer may have been the first one who penetrated Hillary Clinton’s and other Democrats’ mail servers. But he certainly wasn’t the last. No wonder any other hacker could easily get access to the DNC’s servers.

Shame on CrowdStrike: Do you think I’ve been in the DNC’s networks for almost a year and saved only 2 documents? Do you really believe it?

So there’s that. CrowdStrike posted an update responding to Guccifer 2.0:

June 15, 2016 UPDATE:

CrowdStrike stands fully by its analysis and findings identifying two separate Russian intelligence-affiliated adversaries present in the DNC network in May 2016. On June 15, 2016, a blog post appeared on a WordPress site, authored by an individual using the moniker Guccifer 2.0, claiming credit for breaching the Democratic National Committee. This blog post presents documents alleged to have originated from the DNC.

Whether or not this posting is part of a Russian Intelligence disinformation campaign, we are exploring the documents’ authenticity and origin. Regardless, these claims do nothing to lessen our findings relating to the Russian government’s involvement, portions of which we have documented for the public and the greater security community.

Now I’m not an information security professional and I’m not claiming to know more than CrowdStrike or American diplomats or anything like that. I’m just a software engineer who tries to keep up on security issues so that I can better protect my systems and applications. All I’m saying is that hard questions should be asked when attempting to attribute a hack to a particular person, group or nation-state before plastering the news with headlines like “Why Would Vladimir Putin Want To Leak The DNC Emails?”
