There are two things you know about any online attack: Attackers don't want to get caught, and they will lie to cover their tracks.
This makes attribution, or figuring out who is behind a particular malware family or attack campaign, difficult. When you assume the attackers are lying about everything, how do you believe any of the clues you find?
You can't.
In the physical world, it’s easy to identify the perpetrator. Someone hits you, you hit back, or get an authority figure and demand justice. In the online world, things aren’t that clear. Proof can be faked. Evidence can be planted. It is possible to have all the facts and have it point to the wrong person. In the world of online systems, proxies, and spoofed addresses, attribution is notoriously difficult, and even the experts can make mistakes.
The cardinal rule of journalism applies to information security: trust, but verify. Don’t assume. Verify what happened, whether it is attributing an attack to a particular actor, dissecting an disinformation campaign, or tricking users into downgrading their security. At this year's Kaspersky Lab Security Analyst Summit, speakers emphasized that attackers leave behind a trail of evidence, but mixed in with the real ones are the forged clues designed to throw defenders of the trail.
Defenders have to assume everything the attackers say is a lie.
“Attribution is not just difficult, it’s getting impossible,” said Vitaly Kamluk, the director of Kaspersky’s global research and analyst team. “If it continues this way, you will see the industry making a lot of mistakes and people will lose trust.”
Assume everyone is lying, until you know for sure otherwise. And even after that, hedge your bets.
Fake Indicators for Olympic Destroyer
Kamluk was referring to the research his team had released at the conference, which found that the malware which had targeted various systems in South Korea during the 2018 Winter Olympic Games. Olympic Destroyer took the Olympics website offline, preventing ticketholders from printing their tickets, and took down the Wi-Fi network used by reporters. While South Korean authorities have declined to discuss the incident or name any suspects, some researchers have attributed the campaign to North Korea, and its shadowy Lazarus Group. Other researchers claim, with equal vehemance, that the perpetrators must be from China. And yet others who look at Russia.
“We can say with 100 percent confidence that it [North Korea as the culprit] is false. It is not the Lazarus Group,” Kamluk said.
The North Korean connection hinges on the fact that Olympic Destroyer’s data wiping module looks practically identical to the wiper used in the Bluenoroff malware responsible for the massive heist against the Central Bank of Bangladesh last year. Kamluk and his team uncovered some discrepancies, such as the fact that Olympic Destroyer appear to have been developed using Visual Studio 10 while the Bluenoroff malware is a C++ application. The Kaspersky researchers found that the attackers had gone to great lengths to plant false flags. They figured someone would find the overlapping components and draw the most obvious conclusion and point straight to Pyongyang.
“It’s as if a criminal had stolent someone else’s DNA and left them material at a crime scene instead of their own,” Kamluk said.
The lesson here is that attribution, no matter how tempting, has to be handled extremely carefully. Wrong attribution could lead to severe consequences on the international stage, leading to sanctions, and even war. While the motives are still unknown, the nation-state actor behind Olympic Destroyer took steps to sow confusion in the political arena and exert some influence into the geopolitical agenda.
"They wanted this error," Kamluk said. It is very possible that instead of a Russian group pretending to be the North Koreans, this could be some other group pretending to be Russians pretending to be North Korean.
Whenever there is a online breach or an attack, everyone wants to know who did it. Partly morbid curiosity, like the aftermath of a car accident, and partly because it’s human nature to crave punishment. Or retaliation. But relying on just the clues left behind by the attackers is a little tricky, especially when they seem to be engaging in their own disinformation campaign to divert attention.
It's easy enough to spoof IP addresses, modify email headers to make it seem like someone else sent messages, and use stolen personal information to register malicious domains or buy crimeware. Technology exists to mask user identity and hide location. Whoever is behind Olympic Destroyer has shown it is possible to manipulate even more elements and trick the experts. If the security industry is not going to be the boy who cried wolf too many times, it needs to slow down and not worry about doing attribution right out of the gate.
"We’ve always said that attribution in cyberspace is very hard as lots of things can be faked, and Olympic Destroyer is a pretty precise illustration of this,” Kamluk said.
Security Mind Games
Kamluk also described a short experiment where a security employee was tricked into thinking there was something wrong with his computer and weaken his security protections. In this case, a user became extremely frustrated with his computer’s performance, when the poor performance was because a denial-of-service tool was overwhelming the network with junk traffic. The user tried a serious of actions, such as rebooting, before disconecting from the (safer) wired network and using the (more risky) Wi-Fi network. It took less than two hours for the user to downgrade his security in order to get better performance. An attacker could take advantage of user frustration to trick users into lowering defenses, such as turning off the VPN.
The security industry frequently gets described as a cat-and-mouse game, where the attackers and defenders take turns trying to outwit each other. Sometimes, it's not the adversaries laying down false trails or leaving behind misleading information. The defenders do it, too.
At the conference, security expert and former Illinois state senate candidate John Bambenek described how he spent two months talking with the online persona Guccifer 2.0 who had begun leaking documents stolen from the attacks against the Democratic National Committee (DNC) and Democratic Congressional Campaign Committee (DCCC) during the 2016 United States presidential election. Bambenek, who was working for Fidelis Cybersecurity and investigating the DNC and DCCC attacks, told Guccifer 2.0 he was a "Republican operative" and interested in documents that could influence the election.
Bambenek didn't hide his security credentials, as they were easily found in news reports and on his Twitter profile. Guccifer 2.0 didn't look beyond the campaign website, and gave Bambenek some of the documents, which he hasn't dumped anywhere else. It took Guccifer 2.0 two months before he started suspecting he was being set up. Bambenek walked away with documents, which he promptly gave the FBI, and a great story.
Sometimes, it's not the adversaries laying down false trails or leaving behind misleading information. The defenders do it, too.
Wait and see what else happens before jumping to any conclusions. That’s good security advice--no matter what is happening, stop for a moment and assess what you know and what you don’t know. And keep verifying the facts.