Threat Management, Threat Management

Incident attribution: beware of jumping to conclusions 

Threat intelligence

When a major cybersecurity incident happens, it can seem obvious which group was behind it.  

But is it really that obvious? Things aren’t always as they appear and sometimes someone could have planted deliberate false flags. Consider the post-intrusion ransomware attacks carried out by the Pandora, Rook, and Night Sky ransomware groups. Those might have initially appeared as the work of cybercriminals, but it turned out they were cover for cyberespionage activity by Chinese state-sponsored threat groups. 

Or consider the recent denial of service (DoS) attacks on Swedish targets by Anonymous Sudan. Those looked like they were carried out by Sudanese hacktivists protesting the burning of a Quran in Sweden. It turned out that they were the work of pro-Russian groups keen to sabotage Sweden’s application to join NATO. 

There have been several other examples of attacks where early judgements about the group responsible turned out to be mistaken.  

One of the most famous examples was the Olympic Destroyer malware used in the PyeongChang Winter Olympics attack in 2018. This was initially blamed on North Korea. That was in large part thanks to the efforts of Russia’s military intelligence service, the GRU, working to disguise its own responsibility for the attacks. 

The 2015 attack on French television network TV5 Monde was another example. A group calling itself the Cyber Caliphate and boasting links to the Islamic State claimed responsibility. Again, it was the work of a Russian threat group. 

It's often difficult to identity the group responsible for an attack. It certainly isn’t normally as straightforward as pointing the finger at a particular country or ransomware group. But it’s important to get it right, especially when it comes to incident response. Not knowing who was behind an attack can make it harder for organizations that have been attacked to make sure that they have discovered the full extent of the attack. That in turn makes it difficult to ensure they have fully evicted the threat actor responsible from their systems. It leaves them at risk of return visits from the threat actor and ongoing damage to their organizational interests. 

It’s often tempting to form judgements about incidents based on limited information or to make an attribution from just one observed overlap in tooling, but the chances are that it’s wrong. And it’s not a useful approach for detecting future similar attacks either. From a detection standpoint, which group did it is interesting but by itself, it’s not as helpful as knowing how they did it. 

Obviously, on an emotional level, people want to know which group was responsible for hurting them or their business. But accuracy is essential. On a high level, attributions can impact the broader political debate, for example when the FBI points to hostile activity from China or Russia. It’s especially important for law enforcement action against the threat actors.  

When companies like us are ready to attribute an attack, we use a confidence level: high, medium, or even low. Confidence levels follow the definitions from the U.S. Director of National Intelligence and depend on the quality and quantity of corroborating data. They show the likelihood of an attribution being correct – although even a high confidence attribution isn’t guaranteed correct.  

Usually, attribution isn’t reliable without multiple different evidence points. However, many threat groups use the same tools for aspects of their attacks, making some tooling overlaps misleading. It’s especially true for cybercriminals because of the easy availability of commodity malware tools for sale or as a service on underground markets. Hacker-for-hire groups may work for several different customers but use similar tools each time. State-sponsored threat groups from countries such as China are also increasingly turning to commodity malware and other tools to disguise their tracks. Living off the land binaries (lolbins) or frameworks such as Cobalt Strike may not offer many specific clues about who actually uses them. IP addresses are often reused by a series of non-related threat actors. In addition, using last jump infrastructure can make an attack look like it’s coming from one country when it’s actually coming from another. 

Sometimes, there’s potentially a lot of evidence from different sources that all points to a single conclusion. However, that’s often the result of circular reporting. For example, there have been several reports linking the now defunct Conti ransomware operator to the newly active Royal ransomware group, but analysis shows that all those reports point to a single hypothesis from one single source. 

There are no two ways about it: Attribution requires skill and experience. But whether it’s part of helping an organization to recover from a compromise or simply a matter of commenting publicly about a cyber event, it’s always important to get it right. 

Jane Adams, information security research consultant, Secureworks 

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.