On Attribution

Another day, another breach. Following each breach is a game of cyber who-dun-it. Shortly after someone makes a claim, someone else will make an opposing claim or introduce doubt to the original claim as a kind of attributional-well-actually. Some folks were recently discussing exploits, malware, infrastructure, et cetera, et cetera, and how any of those things could be repurposed which introduces doubt to claims of attributions. In the abstract this concept is true. In many cases, it is not. This essay discusses why attribution is hard, then why it is messy, and finally why attribution is actually easy, it just takes a while to build the case.

Why Is Attribution Hard?


Sure, there is limited evidence, high-techness and high-tech chicanery, and a jurisdictional mess of international borders, but when it all comes down to the root-cause of why attribution is hard, it is because of people. This is why so many technical experts want to hack-back. Then they have removed the people, and people are hard.

Who are these people making things hard?

Classical Intel analysts for whom attribution is often an inductive mix of world politics, national strategies, intentions and historical precedent. For the other two parties, these sorts of claims are less understandable than foreign languages.

Traditional computer scientists for whom everything must be explained by the code and systems artifacts left behind. If there is a gap in the evidence, then there is no way to tell what has occurred and we mustn’t guess.

Traditional law enforcement who will look for as much direct evidence following from one item to the next, but being the most reasonable of the humans at hand, the most likely explanation is good enough.

So we have a group of people trained to follow a byzantine rule set which moves at the speed of molasses, working with a group of people using the most precise definitions of words to bypass that byzantine rule set, interacting with a group of people focused on breaking the rules imposed by a finite state machine that operates at the speed of light. Of course everything will work out.

Why Attribution is messy?

I recently read something (that I’ve since lost :-( ) that alluded to attribution in Disorganized CyberCrime being harder than APT-attribution. There seems to be a common misconception that APT-Nation State-Very Organized malicious actor groups are characterized by an entire offensive activity performed by one cohesive organization. That is, one group:

· registers the domains

· stands up and administers the hop point / proxy / drop point infrastructure

· authors the toolkit

· creates any necessary exploits

· performs hands-on-keyboard exploitation

Meanwhile in Disorganized Cybercrime the concept of attribution is messier, such as:

· A mail service provider sends emails with links to an exploit kit

· A scan & exploit actor sells access to RDPs (compromised remotely accessible hosts)

· The exploit kit operator purchases access to these RDPs, and sells installations of a second operator’s malware.

· The second operator purchases Bulletproof hosting services for their C2 from someone like Abdullah hosts.

· That second operator also purchased the H1N1Loader from Phobos to load additional malware and gather credentials, not limited to financial credentials.

· The second operator then sells the gathered financial credentials to a carder, who monetizes the financial credentials through fraudulent purchases, reselling items, and transferring a portion of the proceeds via Western Union.

Only in real life, the APT-Nation State actor groups are actually much more similar to the Disorganized Cybercriminals than many would like to admit. Nation State operations may have:

· a group building and providing tools, like a “digital quartermaster”

· a group that is discovering and packaging exploits or acquiring those exploits via 3rd parties (including simply copy+pasta from open source toolkits like metasploit, leaks of exploits like HackingTeams, and stealing from the cybercriminals, because honestly, some of those folks are throwing some kick-ass sploits).

· Another group is registering domains, and administrating hop-infrastructure which results in multiple hands-on-keyboard operator groups using the same IP address for C2s and exfil drop points.

· The hands-on-keyboard actors will operate within the target.

Why is Attribution Easy?

Really, it is.

Follow the evidence. It’s that simple. Just follow the evidence and (ok, the hard part) give it time. When following the evidence, you will run into many dead ends. All evidence in the computer realm is volatile. It will age out. Evidence will be missing.

Example: Just because you see Dridex and the Equation Groups tools in a compromised org, doesn’t mean they are both used by the same actor. On the other hand if you can follow the c_time of Dridex with an RDP session to a 2nd host, where the Equation Groups tools are installed directly afterwards and a registry key is created for persistence. Then you can say the Equation Group had their tools installed through the Dridex botnet. But if the Equation Group and the Dridex group are both found inside a target org, even if they are using the same IP address for C2, it’s not enough evidence to say the Equation Group uses Dridex.

In the end, no matter what the malicious actors try to do, there is ALWAYS a tell, and eventually either they will mess up some little tiny bit of op-sec which lets you know who they are or you will eventually back-trace them up the spider web of hop points to their home. Always. Sometimes it takes dealing with the same actor 5 times, other times it is 100. Frequently it takes a bit of a long arduous investigation into the history of that actor, to a time when they had learned a bit less than they know now. But they always will make, or always have made a mistake.

To someone unfamiliar with computer intrusion actor work, and unfamiliar with performing technical attribution, this seems strange. Indeed, here be dragons.

There are countless ways you can misstep and screw up here. There are definitely terrible things used as attributional cues out there (e.g. single-byte XOR keys, people asking for folks to comment on the look-and-feel of the decompiled code when the only thing that’s usually indicative of is the compiler options). In hindsight when these things are explained it seems so easy. “oh an IP address gave the actors away” or “oh the malware had a digital fingerprint left in it”, only that specific IP address is probably strange in a way that can only be discerned by someone who spent hours looking at each one of millions of IP addresses, and that fingerprint is weird in ways only visible to a person who has been up all night staring at code while writing it, analyzing it, and decompiling it.

Sometimes the tell is related to the infrastructure operators. Other times it’s something in the loading of the exploit that’s unique. Or the way they structure the C2 channel. But the thing that is almost always the most telling, is the hands-on-keyboard operations. Whether it’s the way they setup passphrases, the order of hosts they compromise once inside, overall, it’s essentially the playbook. That playbook or muscle-memory has a look and feel that you come to recognize. Like the actor whose tools always go out in Monday & Thursday phishing runs, uses the net and sc tools, and moves from an initial host to the OWA server to a webserver for dropping a web shell. Only this week their tools were sent out on a Tuesday phishing run and when they landed on the host they popped an RDP connection, opened iexplore.exe, and browsed to the bookmark for the Sharepoint server. At that point we know we have a new member added to our cast of players.

The above conditions are also why people who don’t have a direct or at least 2nd hand touch to the intrusion evidence, are so frequently incorrect in attributing the activity.

Finally, someone much wiser than I am once told me:

The goal of intelligence work is to be less wrong than the next person.

Going back to our people described earlier in our post, we use those pedantic definitions and estimative terms to describe what we have found in a tangled web of words that make it hard to be wrong. Until a reporter re-writes things in the most sensational story of our time made possible by 4-zero-days and the most sophisticated malware ever seen, meanwhile the malware only downloaded and executed a 2nd executable via an HTTPS connection and was packed with vmprotect…

Will this hold up in a U.S. court of law?
Absolutely not.

Although your dreams of testifying about technical wizardry where evidence followed chain of custody rules and investigation was performed by C* G* certified peoples probably won’t either. A jury composed of average people is going to doubt nearly every piece of technical wizardry introduced. You may as well replace the word forensicate with magic. This is also why many indictments rely upon chat and email transcripts gathered after collecting digital evidence.

Like what you read? Give Aaron Shelmire a round of applause.

From a quick cheer to a standing ovation, clap to show how much you enjoyed this story.