Who hacked you?

In cybersecurity, attribution helps understand attacks, plan defenses


Knowing who is behind a cyber attack is a priority for law-enforcement and other government agencies, but experts say private businesses should instead focus on defending their networks.

When investigators began dissecting a cyberattack that infiltrated U.S. and European power companies, they found something curious: strings of code with words in both Russian and French.

But this wasn’t some sloppy mistake by shadowy hackers — in fact, the experts concluded, the attackers probably coded in two languages on purpose.

Planting false clues, a technique known as a false flag, is one of the many ways hackers can conceal their identities. They also disguise their source IP addresses by routing traffic through proxies and compromised hosts, switch toolkits between campaigns and use other techniques to confuse the analysts who are trying to track their tradecraft. All that makes attribution, the act of identifying who is behind a hack, a complex and costly affair.

But knowing who is behind a hack is useful in defending against the next wave. And it is something the United States is doing more aggressively, Homeland Security Secretary Kirstjen Nielsen said in a keynote address at the National Cybersecurity Summit in 2018.

"Our adversaries have the capability to destroy. So we cannot afford to bide time as they prep the battlefield and identify our hidden digital evacuation routes or try to outmaneuver us. We must act now," she said. "That starts with calling out the offenders. Whether it is the North Koreans or the Russians, we are identifying countries that have compromised our systems or have unleashed destructive malware."

In late 2017, the U.S. government formally identified hackers from North Korea as the perpetrators of WannaCry, a cyberattack that locked up computers around the world and held their contents ransom. Identifying the attackers should sound an alarm for companies everywhere, said Michael Daly, Raytheon's chief technology officer for cybersecurity and special missions.

"The message for any company doing business on the internet is that North Korea sees you as a target," he said. "So do other rogue nation-states, and so do transnational crime organizations. For them, ransomware is an irresistible crime."

While identifying attackers is useful to the private sector, the act of doing the identification itself is best left to military and intelligence agencies, experts say. Commercial information-security specialists should focus their resources on protecting whatever it is the hackers might be out to get.

"All you know is, you're being attacked and will be again tomorrow," said Carl Leonard, a principal security analyst for Forcepoint, a commercial cybersecurity company jointly owned by Raytheon. "If you cannot afford to spend the resources finding out who has done it and instead can put them into fending them off or defending yourself, you’re probably better off doing that."

In other words, it’s law enforcement’s job to hold hackers responsible and a company’s job to protect itself. Cybersecurity consulting firms such as Raytheon and Forcepoint can help businesses that have been hacked determine when they can handle a hack internally, and when to contact authorities.

Many cybersecurity breaches stem from the actions of an authorized user on a network, whether malicious or merely careless, or what’s known as “insider threat.” Knowing whether those actions were deliberate can help determine whether a hack is strictly an internal problem or a matter for law enforcement.

Part of that decision is determining intent. When an employee attacks a company on purpose, attribution would matter, and the company would likely want to contact the authorities. When an employee lets malware into the network by mistake – clicking on a malicious attachment in an otherwise normal-looking email, for example – the company might handle that with follow-up cybersecurity training.

And when an employee’s network credentials are stolen, which would allow hackers to assume that person’s identity and exploit their access to information, attribution is especially important, Leonard said.

"If you see Bob in accounting is taking upcoming quarterly financial results he could use to give to competitors or for insider stock trading, is it really him? Bob's been an excellent employee, years of great service, and there’s no indication that he’s suddenly gone rogue," Leonard said. "If it’s an insider situation, it’s vital to know whose credentials are being used. But then, do you really know if it’s that person doing it?"

While commercial companies may or may not need to know who’s behind an attack, government, military and intelligence agencies almost certainly do. Yet even when they can attribute an attack successfully, a different problem arises — whether to take action, or leave it alone and continue to collect information. Ever since the 2014 Sony attack, the U.S. has been publicly attributing attacks more than it had previously, said Bill Leigher, a retired U.S. Navy rear admiral who now leads Raytheon's government cybersecurity programs. 

"The behavior we've seen since tells us that it has a deterrent effect," he said in an interview with Military Embedded Systems. "Releasing attribution facts as a policy is aggressive because it sends the message: ‘We know you’re out there and are going to call you out on it every time – you’re not as good as you thought.’"

Published On: 01/22/2018
Last Updated: 10/14/2019