There’s another nice example of attribution, in a recent piece by Brian Krebs [krebsonsecurity] “Who is Anna-Senpai the Mirai Worm Author?” I’m not going to walk through it in detail, because Krebs has already done that very well.
It’s a good example of how to do attribution of an attack; the $30+ billion/year US intelligence community should be able to do as good a job as a blogger like Krebs, don’t you think?
I’m starting to sound like a broken record, but I guess that’s how you make a point. In a piece on attribution I wrote back in 2015 [Tenable], I observed:
To accurately establish attribution, you need evidence and understanding:
- Evidence linking the presumed attacker to the attack
- An understanding of the attacker’s actions, supporting that evidence
- Evidence collected from other systems that matches the understanding of the attacker’s actions
- An understanding of the sequence of events during the attack, matching the evidence
Krebs’ analysis has all those elements. Briefly, he takes the attackers’ dump of the Mirai source, reconstructs the evolution of the software, matches its use to the attack his site experienced, shows how those attacks matched the software, and finally reaches back to identify the authors and obtain a confession. There are a lot of moving parts, and Krebs explains how they all fit together and make his case.
Compare that to “it was Russians, trust us!”
Krebs’ analysis is a good example of how intelligence is done (ironic, huh?): he’s connected a lot of dots, starting with one – the release of the Mirai source – and building from that. Like most detective stories, you can look at it and think, “if not for having that fact, you wouldn’t be able to make it work!” That’s how intelligence is done, except that we seldom remember that if you haven’t got a particular fact there are probably other facts that can be applied to the picture, until it comes clear. It takes patience. Sometimes the missing pieces don’t come for a long time, until the bodies are buried, like the attribution of “Deep Throat” to Assistant Director of the FBI Mark Felt. Sometimes the pieces never appear at all, and we’re left with an enduring mystery, like the identity of Jack the Ripper.
Another good example of attribution coming together is the report Kaspersky Labs did on the “Equation Group” hacking tools, “Equation Group Questions and Answers” [kaspersky]. Kaspersky’s analysis was careful not to say “It was NSA!” because, honestly, they had a compelling case but it was not conclusive. They mapped the many variations and techniques, including shared code and exploits that were not known in the wild, into an evolutionary tree of connected tools. Their conclusion was that it was well-funded and almost certainly state-sponsored because of the targets that were compromised – and, of course, there was the connection to Stuxnet, which required a high level of knowledge of the target, Iran’s nuclear enrichment facility at Natanz. When the US admitted it was behind Stuxnet, most of us accepted that the “Equation Group” was the NSA’s Tailored Access Operations (TAO).
Now, however, there’s solid attribution thanks to another piece being dropped by the “Shadow Brokers” – the tool-chain they gave away had components that matched items on some of the slides Edward Snowden disclosed about TAO’s tools, and parts of that tool-chain belonged to the family of tools Kaspersky attributed to “Equation Group.” It’s a huge amount of material to wade through – I highly recommend the Kaspersky report – but I would consider it to be conclusive attribution that Stuxnet, “Equation Group”, Flame, etc., are the US National Security Agency’s TAO.
The interesting question that remains is whether the “Shadow Brokers” were a Russian op, deliberately hanging the entire “Equation Group” mess around the US’ neck. That actually is the level of cleverness I’d expect from them, not the trivial DNC hacks. But we may never know.
Thanks for showing the FBI, CIA, and NSA how attribution should be done, Brian! That was a really impressive piece of work!
I had my own attribution for Stuxnet before James Cartwright leaked that it was a US effort. Since Stuxnet was using a variant of the Aurora generator-cycling attack, which was developed at Idaho National Labs a few years before, I asked myself how the attackers were able to test their code. I knew Aurora required intimate knowledge about the properties of the system being used, and I know that gas centrifuges are complicated wee beasties – so: who’d have Pakistani-made RP1 centrifuges to test against? Well, before Stuxnet whacked Natanz in 2010, Libya had stood down its nuclear enrichment program – which included some RP1s they had bought through the AQ Khan network. Where did the Libyan RP1s wind up? Oak Ridge, TN. It’s too circumstantial, but I thought it was interesting.
My own theory about the identity of Jack the Ripper is based on about as much evidence as Alan Moore’s, Patricia Cornwell’s, and others’: I think Springheel Jack was some insignificant psychopath who just didn’t get caught. Imagine if BTK Killer Dennis Rader had been hit by a bus and killed, without making the mistake that allowed him to get caught. My theory about Jack is that one night he went out to hunt, got coshed on the back of the head by a footpad, and he and his knife and the answer to the mystery wound up in a ditch. Or perhaps he suffered a heart attack and wound up face down in his soup. Maybe he choked on a chicken bone. Why imagine something complicated?