The Usual Suspects: Faith-based attribution and its effects on the security community

Published: October 21, 2016

The “problem of attribution” in the context of cyber attacks is not a new one, but it receives a relatively small share of coverage. When a high-profile breach is attributed to nation-state actors, the focus is usually on the attackers’ presumed motivations and on the implications of the attack. While this is a worthwhile topic, the attribution of the attack itself is equally important, and arguably more so.

After all, attribution forms the basic assumption underlying any discussion of why an attack occurred and what it portends. When this is applied to a state-sponsored attack, this ceases to be a matter of idle speculation and becomes one of national security or foreign policy – as evidenced by the following quote:

“We know that Russian intelligence services hacked into the DNC and we know that they arranged for a lot of those emails to be released and we know that Donald Trump has shown a very troubling willingness to back up Putin, to support Putin.”

This strangely authoritative statement by former Secretary of State and presidential candidate Hillary Clinton was made in the wake of the DNC emails published by WikiLeaks in July of this year.

Nation-State Actors

A number of authoritative statements of attribution have been made by reputable infosec firms such as CrowdStrike and FireEye. FireEye, in particular, attributed the attack to APT28, a group it profiled in a comprehensive 2014 report. That report states that various other targets were identified but were left out because they are “not particularly indicative of a specific sponsor’s interests.” Other firms have identified a number of unrelated targets, such as web services, energy companies and telecommunications providers.

Besides a few relatively inconclusive indicators, such as Russian language settings in malware samples, the profile of APT28 constructed in that original report relies largely on circumstantial evidence, such as the targeting of Eastern European (including Georgian) government authorities. Language settings, compile timestamps and similar build metadata are set by whoever built the binary and can be chosen or edited at will, so at best they show what the author wanted an analyst to see. The deeper problem is that, as we have already established, the report explicitly disregards targets that do not seem to indicate nation-state sponsorship. From the outset, the question being asked is not “who did this?” but “which nation-state did this?”, and framing the question that way produces an obvious, though not necessarily correct, answer.

While attacks on Georgia, Eastern Europe and NATO look damning when presented together, the report discards data points that do not fit that narrative. This becomes more troubling in light of the fact that Mandiant (a firm owned by FireEye) asserts of the DNC hack that “the malware and associated servers are consistent with those previously used by APT 28”. If the evidence for APT28 being a Russian state-sponsored actor amounts to a few pieces of easily falsified metadata plus circumstantial and inconclusive evidence, there is nowhere near enough confidence to support statements like Secretary Clinton’s.

A Convenient Scapegoat

Unfortunately, any successful attack on a large organisation has political ramifications. The “nation-state” actor makes an ideal bogeyman: vaguely defined, foreign and highly capable. Recent events have brought this to light, with Yahoo! claiming nation-state involvement in a breach in which data from at least 500 million user accounts was leaked.

Echoing JP Morgan in 2014, such a claim deflects blame from the company responsible, since the geopolitical ramifications and technical capability of a state-sponsored attack overshadow the responsibility a company has to protect user data. In Yahoo!’s case the claim was contradicted, however, by an investigation by InfoArmor, which concluded that the original breach was criminal in motivation after finding the Yahoo! data being sold across various dark web marketplaces.

[Figure: The Yahoo! breach, thought to total 500 million records or more, was found being sold in small pieces on marketplaces such as TRDeal.]

The financial pressure to blame an attack on foreign governments is not entirely on the shoulders of the victims, however. This year, FireEye cut its full-year revenue forecast by about $70 million, and the reason, according to IBTimes UK, is that attacks from China are on the decline.

None of this necessarily means that the forensic evidence left behind in a cyber attack is being deliberately mishandled, or even creatively interpreted. It does establish, however, that there are circumstances in which it is in a company’s interest to blame a nation-state actor for an attack, whether or not one was actually involved.

The Burden of Proof

The underlying problem is a lack of accountability: an attribution claim might be made with strong confidence based on closed-source intelligence, but this does not change the fact that the information available to the community is inconclusive. The community as a whole can only work with the information that is available; if we are asked to accept that Russia hacked the DNC on the basis of public intelligence of dubious conclusiveness and private intelligence that is unavailable for public review, the result is a faith-based process without accountability or transparency. Attribution claims are inherently difficult to disprove for the same reasons they are difficult to prove, and once such a claim is made by a reputable organisation, that organisation is not held responsible for how the media interprets it.

Even reputable companies such as FireEye are not infallible; the $81 million Bangladesh Bank heist earlier this year is proof of this. Initially attributed to North Korea because of similarities to the 2014 Sony breach, the incident has since been linked by some reports to Eastern European gangs associated with Dridex. Attribution to a specific nation-state can easily be made by drawing parallels to previous attacks, but what do you do when an attack contains identifying characteristics of two separate threat actors? Pick one? Conclude there were two different breaches? Or provide detailed analysis with responsible terminology?

This question is easily answered when you consider the possibility that there is significant cooperation between these actors, but that is an inconvenient assessment, because it muddies the waters of attribution. If tools and software related both to the Dridex gang and to North Korean actors appear in the same attack, attributing either of those actors becomes more difficult in the future, and any previous attribution to either group is called into question.

Attribution is very much an art, and one that necessitates an unfortunate amount of guesswork. The impossibility of conclusively attributing an attack to a specific actor – or, in some cases, even identifying specific actors – does not mean that we should not attempt to correlate the information about attacks with each other. But it is important to only state as truth what is known to be true; discarding inconvenient data as ‘anomalous’ in nature is not only counter-productive, but dangerous. It can lead to a “house of cards” effect: if the initial assumptions are flawed, then each layer built on them is undermined.

We can counteract this simply by communicating and sharing our analyses: as much, as frequently and as efficiently as possible. Guesswork and speculation should be accepted, but also challenged and qualified at every opportunity. The narrative that arises from this discourse will be richer, more nuanced and ultimately more valuable to the intelligence community. Only by cultivating accountability can we replace black-box reporting with informed, critical analysis.
