False Flags and Mis-Direction in Hacker Attribution

Dangers of False Flags and Hacking Attribution

On October 7, 2016 the U.S. government officially called out Russia and accused it of involvement in cyber attacks against American political organizations. Two days prior, at the Virus Bulletin (VB) Conference, Kaspersky Lab researchers presented a paper on the problems of attribution: "Wave Your False Flags! Deception Tactics Muddying Attribution in Targeted Attacks".

Cyber attack attribution has long been a thorny problem. It is difficult to develop norms of international cyber behavior if attackers can hide behind plausible deniability. Microsoft recently proposed an independent international committee of experts to ascribe responsibility. The Kaspersky paper, however, questions whether absolute attribution is even possible.

The paper, written by researchers Brian Bartholomew and Juan Andres Guerrero-Saade, seeks to "prove a cautionary tale". At a time when the Obama administration warns Russia that "We will take action to protect our interests, including in cyberspace, and we will do so at a time and place of our choosing," Kaspersky Lab warns that misattribution can have a heavy cost.

To be clear, Kaspersky is not saying that America is wrong in blaming Russia -- it is simply saying that attribution is difficult. Like all conference papers, this one was written months ago; its timing now is purely coincidental. Indeed, in a separate conversation, Guerrero-Saade told SecurityWeek that if any organizations are equipped to accurately attribute attacks, it is the large national signals intelligence agencies; that is, governments, because they have access to a much wider range of communications than is available to researchers and private research companies.

The paper (PDF) first discusses the means by which researchers seek to identify perpetrators. These range from the infrastructure and backend connections used, through the toolkits (including compile timestamps, reuse of existing code, language clues, and even passwords re-used within the attack), to motivation (who is being targeted). Such indicators make attribution of attacks to specific attack groups relatively easy. The real difficulty comes in attributing those groups to geopolitical regions and/or nation-state sponsors.

The paper discusses examples of this difficulty, including Cloud Atlas and Turla. Of particular interest, however, are Sofacy, TigerMilk and Wild Neutron.

Sofacy is also known as APT28, Pawn Storm, Tsar Team, and Fancy Bear. Two years ago, FireEye linked APT28 to Russia. In October 2016, Crowdstrike linked the DNC hacks to Fancy Bear, and therefore Russia.

While Sofacy, APT28 and Fancy Bear are different names for the same group, Kaspersky believes that a number of 'separate' groups are also Sofacy. One of these is CyberCaliphate. CyberCaliphate first appeared at the end of 2014, when it took control of the Albuquerque Journal's mobile application and broadcast propaganda; it followed this in January 2015 by seizing control of the United States Central Command (USCENTCOM) Twitter and YouTube accounts. The world believed that a new pro-ISIS hacking group had arrived.

When French TV station TV5Monde was hacked and almost destroyed in April 2015, CyberCaliphate claimed responsibility. Since the group had an established presence, this was at first accepted as the likely explanation. A few months later FireEye found that an IP address associated with Sofacy had been used, and blame switched from CyberCaliphate to Sofacy (and, by implication, Russia). Kaspersky believes, however, that CyberCaliphate and Sofacy are the same group.

"It is believed," write Guerrero-Saade and Bartholomew, "that CyberCaliphate was created to provide the Sofacy actors a way to conduct psychological operations against certain targets of interest while providing a level of plausible deniability." Given that Russia has sided with the Syrian government against ISIS, equating CyberCaliphate with Russia is far from an automatic assumption.

In fact, Kaspersky also links the CyberBerkut and Yemen Cyber Army groups to Sofacy. The unspoken danger is that if the identity of one hacking group can be misrepresented as a false flag, then so could that of any hacking group.

TigerMilk is not so well known. Its inclusion here is based on one surprising fact: its samples are signed with the same digital certificate as the one used in the Stuxnet attack against Iran. "As such," says the paper, "the only imaginable value of signing these samples with this particular certificate is to fool incident responders and researchers into casting blame on the notorious Stuxnet team for an attack on Peruvian military and government institutions."
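To make concrete why the indicator categories listed earlier (infrastructure, toolkit artefacts, targeting) should not be weighed equally, here is an added example, not code from the article or the Kaspersky paper, of a small attribution-scoring rule that only attributes a sample to a group when a hard-to-plant category overlaps. The group profiles, certificate thumbprints, C2 hostnames and the TigerMilk-like sample are all constructed placeholders, and the forgeability flags are assumptions for illustration.

```python
# Added example (not from the article or paper): score indicator overlap
# while discounting categories an adversary can plant as a false flag.

# Assumed forgeability per indicator category (constructed, not measured).
FORGEABLE = {
    "cert_thumbprint": True,    # stolen/reused signing cert (TigerMilk case)
    "timestamp_tz": True,       # compile timestamps are trivially rewritten
    "language_strings": True,   # language artefacts can be planted
    "reused_password": True,    # a string copied from a leaked sample
    "infrastructure": False,    # C2 overlap needs real operational reuse
    "targeting": False,         # victimology is hard to fake convincingly
}

# Constructed group profiles with placeholder values (no real IoCs).
KNOWN_GROUPS = {
    "GroupA": {
        "cert_thumbprint": {"CERT-PLACEHOLDER-A"},
        "infrastructure": {"c2-a.example", "c2-b.example"},
        "targeting": {"energy", "nuclear"},
    },
    "GroupB": {
        "infrastructure": {"c2-c.example"},
        "targeting": {"military", "government"},
        "language_strings": {"lang-B"},
    },
}

# Constructed sample: carries GroupA's cert but GroupB-style targeting.
TIGERMILK_LIKE = {
    "cert_thumbprint": {"CERT-PLACEHOLDER-A"},
    "targeting": {"military", "government"},
    "infrastructure": {"c2-x.example"},
}

def score(sample, groups=KNOWN_GROUPS):
    """Return {group: (strong_hits, weak_hits, verdict)} for one sample."""
    out = {}
    for name, profile in groups.items():
        strong = weak = 0
        for cat, values in sample.items():
            if values & profile.get(cat, set()):
                if FORGEABLE[cat]:
                    weak += 1      # overlap only on a plantable indicator
                else:
                    strong += 1    # overlap on operational/victimology data
        if strong:
            verdict = "attributed"
        elif weak:
            verdict = "possible-false-flag"
        else:
            verdict = "no-match"
        out[name] = (strong, weak, verdict)
    return out
```

Run against the constructed sample, the certificate match alone yields "possible-false-flag" for GroupA, while the targeting overlap attributes the sample to GroupB.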

Wild Neutron is a group surrounded by mystery -- nobody knows who it is. This is because of a widely differing range of targets and a "hodgepodge of indicators". One suggestion is that it is a highly competent mercenary group that attacks to order. This raises a completely different attribution complexity: state sponsors could employ mercenary hacking groups to obscure their own involvement.

The stated purpose of this paper is not to deny the possibility of accurate attribution, but to describe the difficulties and dangers in doing so.

"In place of a summary conclusion," say the authors, "we instead leave open questions in need of deeper reflection, on the part of both producers and consumers of threat intelligence, to serve as our final takeaways in furthering a much needed conversation."

Those questions are: What is solid attribution? What is actually needed? Who can really do attribution? And who are you hacking back?

Related: Microsoft Proposes Independent Body to Attribute Cyber Attacks

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.