Threat Intelligence / OSINT / NETSEC / NATSEC

In the wilderness of mirrors - attribution in the context of threat intelligence

One of the most polarizing and imagination-stirring issues in the practice of analyzing hostile activity is attribution, i.e. the attempt to identify the specific entities, organizations or persons responsible for an operation. The interest in "who did it" should come as no surprise, although the analysis of cyber activity often runs in the opposite direction from the investigation of "ordinary" crime. When the police and the prosecutor arrive at the scene of a burglary, the priority is to collect evidence that will allow the perpetrator to be identified and held criminally responsible. If, instead, they adopted the methodology of incident response and threat intelligence teams, they would focus on how the break-in was carried out, how the burglars defeated the security measures, and what locks and alarms would have stopped them. The officers might, for example, say that the lockpicks the burglar used will not work on a given type of lock and recommend replacing it with that model. This difference in goals and approach is, in my opinion, exactly why attribution polarizes the cybersecurity community. On the one hand, the natural need to understand who was behind the activity directed at us is easy to understand; on the other hand, this knowledge has little practical impact on what defenders do, since they apply defensive measures on their own territory and, as a rule, have no tools for imposing consequences on the perpetrators, such as issuing an arrest warrant. The case is quite different for state agencies, or more broadly for states, which can use their arsenal of coercive measures. For them attribution may be of key importance, because it enables actions that hit the perpetrators directly, sometimes end their activity for good, and signal that offensive operations are not worth the potential consequences.
We will return to the usefulness of attribution later; for now, let's look at how it is done.

In the post on using models for threat intelligence analysis, I mentioned the concepts of "threat actor" and "activity group", which relate to how we define our adversaries: whether we focus on the specific people or organizations behind attacks, or on groups of behaviors.

  1. Attribution to a threat actor means an attempt to identify the specific entity responsible for a group's operations, such as a criminal organization or a military unit.
  2. If, instead, we assign an operation to an activity group, we track a repeating pattern of behavior regardless of the identity of those responsible for it.

In common usage, attribution usually means the first sense: we hear about it most often when government agencies or private intelligence firms announce that, for example, China is behind APT10's operations. That is the kind of attribution we will deal with here.

So how can we determine who is behind an operation at all? After all, between the person at the keyboard and the target there are at least several degrees of separation: the operator uses a computer that connects to the Internet through an ISP; from there the operator connects to the C2 server, and that server connects to a chosen host in the victim's infrastructure. And this is only the interactive phase of the operation, when the attacker interacts with the victim's resources. Earlier phases such as reconnaissance or phishing e-mail delivery add even more layers of separation. Several concepts have been developed to systematize the attribution process. One of the first attempts to create a methodology in a scientific article is "Attributing Cyber Attacks" by Thomas Rid and Ben Buchanan. The authors built an extensive model that covers the technical, operational, strategic and communication aspects of an intrusion, divided into many detailed elements describing the entire operation:

The picture is certainly not legible in this form; the original can be found here.

Such a detailed treatment of the attack, covering the methods of gaining access, the modularity of the implants, and even the attackers' behavior after information about the attack is published, certainly gives a very detailed view of the operation, but its granularity can also overwhelm. A much more general model was presented by the US Office of the Director of National Intelligence (ODNI), which lists five main factors to consider:

  1. Tradecraft - all the behaviors and techniques used to carry out the operation. It covers all the methods of action, the TTPs, that characterize the attacker's behavior on the way to the goal. According to ODNI this is the most important element, because behaviors are much harder to change than tools.
  2. Infrastructure - the physical and virtual resources used to deliver capabilities to the victim and to control activity in its environment (Command and Control). ODNI points out the different ways infrastructure is built, such as using cloud service providers or hijacking other organizations' infrastructure, as well as the difference between groups that rotate their infrastructure quickly and those that use the same resources for a long time.
  3. Malware - the tools and implants delivered to victims to achieve goals such as information gathering and device control in the victim's environment. Again, ODNI highlights the difference between groups that use the same tools for a long time and those that change malware quickly between operations.
  4. Intent - the attacker's commitment to specific goals that follow from the context of the operation. The examples given are operations conducted in preparation for a conflict or targeting people inconvenient to a regime.
  5. External sources - analyses by think tanks and threat intelligence teams and press reports that may provide additional information.

In addition, ODNI points to three good practices that help with attribution: looking for human error, exchanging information with other actors, and analytical rigor in assessing evidence. Finally, the guide gives an example table showing the methodology applied to the analysis of competing (mutually exclusive) hypotheses.
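
As an added illustration of that last practice (this is example code, not from the post or from the ODNI guide), the block below scores an attribution question the way an analysis-of-competing-hypotheses table does, following Heuer's ACH rule: rate every piece of evidence against every hypothesis, then prefer the hypothesis with the fewest inconsistencies rather than the one with the most confirmations, because evidence consistent with every hypothesis has no diagnostic value. The hypotheses, evidence items and ratings are constructed for the example and do not describe any real case; the `sensitivity` check, which reports which single evidence item the conclusion hinges on, is a small addition on top of the basic method.

```python
"""Analysis of competing hypotheses (ACH) scoring for an attribution question.

Added example, not code from the original post or the ODNI guide. Each
evidence item is rated against each hypothesis as consistent ("C"),
inconsistent ("I") or not applicable ("N"). Following Heuer's ACH method,
the hypothesis with the FEWEST inconsistencies is preferred; counting
consistent ratings proves little, because evidence that fits every
hypothesis cannot tell them apart.
"""
from typing import Dict, List

CONSISTENT, INCONSISTENT, NOT_APPLICABLE = "C", "I", "N"

# Hypothesis id -> statement. Constructed for the example, not a real case.
HYPOTHESES: Dict[str, str] = {
    "H1": "state-sponsored unit from country A",
    "H2": "financially motivated criminal group",
    "H3": "country B operating under a false flag as country A",
}

# Evidence item -> {hypothesis id: rating}. Constructed, hypothetical ratings.
# Note E3: a deliberate false flag would mimic country A's working hours,
# so the time-zone signal does not speak against H3 at all.
EVIDENCE: Dict[str, Dict[str, str]] = {
    "E1 victims are ministries and armed forces in one region":
        {"H1": "C", "H2": "I", "H3": "C"},
    "E2 no monetization observed (no ransom, no data offered for sale)":
        {"H1": "C", "H2": "I", "H3": "C"},
    "E3 operator activity clusters in the working day of country A's time zone":
        {"H1": "C", "H2": "N", "H3": "N"},
    "E4 C2 domain handle reused by a verifiable person employed in country A":
        {"H1": "C", "H2": "N", "H3": "I"},
    "E5 implant shares code with tooling previously tied to country A":
        {"H1": "C", "H2": "I", "H3": "C"},
    "E6 implant contains strings in country A's language":
        {"H1": "C", "H2": "C", "H3": "C"},
}


def inconsistency_scores(evidence: Dict[str, Dict[str, str]],
                         hypotheses: Dict[str, str]) -> Dict[str, int]:
    """Number of evidence items that contradict each hypothesis (lower is better)."""
    scores = {h: 0 for h in hypotheses}
    for ratings in evidence.values():
        for h in hypotheses:
            if ratings.get(h, NOT_APPLICABLE) == INCONSISTENT:
                scores[h] += 1
    return scores


def non_diagnostic(evidence: Dict[str, Dict[str, str]],
                   hypotheses: Dict[str, str]) -> List[str]:
    """Evidence rated identically against every hypothesis; it separates nothing."""
    return [item for item, ratings in evidence.items()
            if len({ratings.get(h, NOT_APPLICABLE) for h in hypotheses}) == 1]


def leading(evidence: Dict[str, Dict[str, str]],
            hypotheses: Dict[str, str]) -> List[str]:
    """All hypotheses sharing the lowest inconsistency score (ties are kept, not broken)."""
    scores = inconsistency_scores(evidence, hypotheses)
    best = min(scores.values())
    return sorted(h for h, s in scores.items() if s == best)


def sensitivity(evidence: Dict[str, Dict[str, str]],
                hypotheses: Dict[str, str]) -> Dict[str, List[str]]:
    """Evidence items whose removal changes the set of leading hypotheses.

    If discrediting one item (a planted artifact, a wrong OSINT match) flips the
    result, the assessment rests on that item alone and deserves extra scrutiny.
    """
    baseline = leading(evidence, hypotheses)
    flips = {}
    for item in evidence:
        reduced = {k: v for k, v in evidence.items() if k != item}
        new_leaders = leading(reduced, hypotheses)
        if new_leaders != baseline:
            flips[item] = new_leaders
    return flips


if __name__ == "__main__":
    print("inconsistencies:", inconsistency_scores(EVIDENCE, HYPOTHESES))
    print("non-diagnostic :", non_diagnostic(EVIDENCE, HYPOTHESES))
    print("leading        :", leading(EVIDENCE, HYPOTHESES))
    print("hinges on      :", sensitivity(EVIDENCE, HYPOTHESES))
```

On the constructed matrix H1 wins with zero inconsistencies, but `sensitivity` shows that removing E4 leaves H1 and the false-flag hypothesis H3 tied: everything the attacker controls (targeting, tooling, working hours) is equally consistent with a good imitation, and only the operational security slip that ties the handle to a real person separates the two. That is exactly the kind of dependency an analyst should state explicitly in a report.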

In contrast to Rid and Buchanan, ODNI leaves analysts a lot of freedom in describing the individual elements: in the "Q Model", the mode of operation is broken down into elements such as intrusion phases, required skills or methods of covering tracks, whereas ODNI distinguishes only tradecraft, malware and infrastructure, closer to the activity framing used, for example, by the Diamond Model. Finally, the last methodology I want to present comes from Timo Steffens' book "Attribution of Advanced Persistent Threats: How to Identify the Actors Behind Cyber-Espionage". For anyone interested in attribution I definitely recommend it, because it is probably the first study to treat the subject so comprehensively. Steffens' model assumes six elements:

  1. Malware - analysis of the implants and tools used in the attack.
  2. Infrastructure - analysis of how the Command and Control infrastructure is created and maintained, in terms of its "external" footprint such as domain registration data.
  3. Control server - technical analysis of the C2 servers themselves, including data obtained in cooperation with service providers, such as intercepted traffic and images of the servers' disks.
  4. Telemetry - the activity profile, such as working hours, IP addresses and malware families.
  5. Intelligence - data from intelligence activities: acquiring and analyzing OSINT, SIGINT or HUMINT.
  6. Cui bono - the geopolitical and situational context of the activity: assessing operations through the prism of political and economic events and the operating characteristics of entities such as intelligence agencies.

Steffens thus adopts a set of aspects roughly similar to ODNI's. Since "Attribution of Advanced Persistent Threats" is a much more detailed study, it naturally contains far more detail on how to analyze each aspect and which sources to take into account.

These, however, are theoretical models that help us select the right elements for analysis. Now let's see what an attribution combining technical, political and geographic aspects looks like in practice. We will use the ThreatConnect report "CameraShy: Closing the Aperture on China's Unit 78020". The report attributes the activity of the Naikon APT to a unit of the People's Liberation Army, specifically the Second Technical Reconnaissance Bureau of the Chengdu Military Region, and to an officer named Ge Xing. To give an overview of the activity, the report summarizes it in a Diamond Model diagram.

Moving on to the content: in the first chapter ThreatConnect presents the geopolitical aspect of the activity, which we could call cui bono, intent, or, in the Diamond Model, the socio-political axis. The conflict over control of territory in the South China Sea is overlaid on Naikon's targeting profile. Victimology points to attacks on countries in the region such as Vietnam, Singapore, Laos and the Philippines, and the attacked organizations include military and government agencies. The authors then describe the PLA's structure in terms of responsibility for individual regions and point to the unit (designated 78020) which, in their view, matches Naikon's profile because of its functions (computer operations, cryptography, SIGINT, economic analysis) and its regional assignment.

The second chapter presents the technical analysis of the infrastructure that connects Naikon's activity with Unit 78020. Based on the DNS records and IP addresses of the elements used to build the C2 infrastructure, the analysts linked them to the city of Kunming, where Unit 78020 is headquartered.

The infrastructure analysis started from the domain greensky27.vicp[.]net, which was found in at least eight malware samples. Having observed that Naikon used dynamic DNS, the analysts then mapped the IP addresses and ASNs the domain resolved to over time.

In chapter three, the analysts finally show how they established the identity of the officer responsible for building the infrastructure and his links to the Chinese military. Here ThreatConnect clearly goes beyond analysis of incidents and offensive activity and moves into OSINT, extending the investigation with external sources. In Timo Steffens' methodology we are now touching the intelligence element, combining the knowledge gained from observing Naikon's operations with information collected from social networks and sites offering geographic data. The analysts exploited a fairly classic operational security flaw: the lack of separation between private and professional activity. They discovered that "greensky27" is the nickname Ge Xing uses on social networks such as QQ Weibo. Of course, the mere coincidence of the string would not be convincing evidence, so the analysts tied it to the military unit using material he had posted on social media. It was established that he lives in Kunming, attends events organized by the PLA, and is the author of academic publications that list Unit 78020 as his affiliation. Finally, using street-level map imagery, the analysts determined that he parks at the unit's headquarters.

As additional evidence supporting the thesis, ThreatConnect analyzed the telemetry of Naikon's activity, correlating events in Ge Xing's life with the cyber operations: declines in activity coincided with important family events such as the birth of a child, vacations or visits to the family grave. The attribution was also supported by a fairly classic technique, comparing the hours of operational activity with working hours in a given time zone, which pointed to UTC+8, the zone Kunming lies in.
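
The working-hours technique is simple enough to show in code. The block below is an added example, not code from the post or from ThreatConnect: for each candidate UTC offset it converts the activity timestamps to that local time and measures what share of the activity falls Monday to Friday inside an assumed 08:00 to 18:00 working day; the offset with the best fit is the most likely home zone. The sample events are constructed from an assumed UTC+8 operator schedule purely to exercise the code, and the 08:00 to 18:00 window is an assumption an analyst would tune to the suspected country.

```python
"""Infer an operator's likely UTC offset from activity timestamps.

Added example, not code from the original post or from ThreatConnect's
report. For each candidate UTC offset, convert every timestamp to that
local time and measure how much of the activity falls inside a normal
working week. The sample events below are CONSTRUCTED from an assumed
UTC+8 operator schedule purely to exercise the code.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Tuple


def work_week_fraction(events_utc: Iterable[datetime], offset_hours: int,
                       start_hour: int = 8, end_hour: int = 18) -> float:
    """Share of events that land Mon-Fri within [start_hour, end_hour) local time.

    The 08:00-18:00 window is an assumption; adjust it to the suspected country's habits.
    """
    tz = timezone(timedelta(hours=offset_hours))
    total = inside = 0
    for ts in events_utc:
        local = ts.astimezone(tz)
        total += 1
        if local.weekday() < 5 and start_hour <= local.hour < end_hour:
            inside += 1
    return inside / total if total else 0.0


def rank_offsets(events_utc: Iterable[datetime],
                 offsets: Iterable[int] = range(-12, 15)) -> List[Tuple[float, int]]:
    """Candidate (fit, offset) pairs sorted from best to worst fit."""
    events = list(events_utc)
    return sorted(((work_week_fraction(events, o), o) for o in offsets), reverse=True)


def hour_histogram(events_utc: Iterable[datetime], offset_hours: int) -> Dict[int, int]:
    """Events per local hour of day; lets an analyst eyeball the shape of the working day."""
    tz = timezone(timedelta(hours=offset_hours))
    return dict(sorted(Counter(ts.astimezone(tz).hour for ts in events_utc).items()))


def constructed_events() -> List[datetime]:
    """Constructed sample: two working weeks of an assumed UTC+8 operator, stored in UTC."""
    operator_tz = timezone(timedelta(hours=8))  # assumption used only to build the sample
    first_day = datetime(2015, 3, 2, tzinfo=operator_tz)  # a Monday
    # Typical first login, mid-day actions and last activity of the day (local time).
    daily_times = [(8, 15), (9, 30), (11, 0), (14, 0), (16, 0), (17, 45)]
    events = []
    for day_offset in range(14):
        day = first_day + timedelta(days=day_offset)
        if day.weekday() >= 5:  # the assumed operator does not work weekends
            continue
        for hour, minute in daily_times:
            events.append(day.replace(hour=hour, minute=minute).astimezone(timezone.utc))
    return events


if __name__ == "__main__":
    sample = constructed_events()
    for fit, offset in rank_offsets(sample)[:5]:
        print(f"UTC{offset:+d}: {fit:.2f} of activity inside the working week")
    print("local-hour histogram at the best fit:", hour_histogram(sample, rank_offsets(sample)[0][1]))
```

Two caveats a practitioner should keep in mind. First, the score only ever narrows the answer to a band of neighbouring offsets (here UTC+7 and UTC+9 still score 0.83), and UTC+8 covers all of mainland China, so the technique supports a country-level claim, not a city-level one; the report's link to Kunming came from the infrastructure and OSINT work, not from the clock. Second, it assumes the operator keeps office hours in their own zone; a night shift, or interactive sessions relayed through a jump host operated in another country, will skew the histogram, which is why the report also correlated the timeline with dated events in Ge Xing's life rather than relying on timestamps alone.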

Naturally, I encourage you to read the entire report, which describes in detail how the conclusions I have summarized here were reached. But let's return to the attribution methodology and look at which elements the ThreatConnect analysts used:

  1. Malware - yes: analysis of the implants yielded the C2 domain that linked the offensive activity to the conclusions about the infrastructure.
  2. Infrastructure - yes: analysis of the dynamic DNS usage allowed the group's activity to be profiled geographically and a likely location to be proposed.
  3. Control server - no: nothing in the report indicates that the analysts had access to intercepted network traffic, let alone to the servers themselves.
  4. Telemetry - yes: the times and dates of Naikon's activity made it possible to associate Ge Xing with it through analysis of working hours and private life events.
  5. Intelligence - yes: the analysts used OSINT to gather information on the nickname "greensky27", tie it to a specific person, and then find out where he works.
  6. Cui bono - yes: the attribution started by placing Naikon's activity in the context of the situation in the South China Sea, the parties to the disputes there, and the PLA's role in operations in the region.

As we can see, a number of sources and analysis techniques were used to reach the perpetrator and the army unit responsible for the attacks. This is worth emphasizing, because some might argue that the attribution really rested only on linking the string "greensky27" to a person using that nickname on social networks. In fact, for the conclusions to be credible, the entire context of the activity and as many types of analysis as possible have to be taken into account. If I were to venture one critical comment on the report, from an analytical standpoint it may not have been the best choice to start from the geopolitical context of the campaign. That element carries a lot of weight and, compared to the technical analysis of artifacts, leaves a much larger margin of interpretation. As a result, the report can read as a thesis to which the remaining evidence is fitted around the conflict in the South China Sea. The analysts could have started by mapping the infrastructure used in the attacks and, on that basis, pointed to the regional aspect of the operation. I also understand, however, that from the point of view of the report as a publication, presenting the geopolitical aspects in the first chapter places the reader in the broader context of the analysis and makes for a better narrative.

Finally, let's look at the analytical model used. We examined the report through Timo Steffens' methodology, but the basic tool there was the Diamond Model. This should come as no surprise, since one of the model's creators, Andrew Pendergast, works at ThreatConnect. Attribution was carried out by analyzing the activity along the model's axes: the socio-political axis, establishing the context of Naikon's activity, and the technical axis, finding connections between the implants and infrastructure used and a specific person. Let's not forget that the Diamond Model assumes attribution by design: its top vertex is the adversary. Threat intelligence practice does not always require determining it when grouping activity; it is common to create activity groups based on two matching vertices of the diamond. If our needs require it, we can analyze the activity in more depth, down to attribution to specific organizations. One should only bear in mind that while capabilities, infrastructure and victims can be described objectively from technical traces, identifying the adversary will always be a matter of judgment.

The example above was based entirely on the analysis of hostile activity, but let's look at other data sources that may help us.

Let's start with the fairly obvious: acknowledgement of an operation. This may happen when an operation is used as a deterrent, or, less formally, when officials with access to classified details give interviews or speak to the press off the record. In the first category we can cite US Cyber Command, which confirmed that it had carried out an operation against ransomware operators. In the second, in 2016 General James Cartwright admitted lying to the FBI to conceal his role as a source for articles about Stuxnet.

Continuing in this vein, leaks can also be a source, and in recent years a very popular one, with Edward Snowden or WikiLeaks as examples. The Snowden case is especially relevant here because, alongside the leaks about morally questionable practices, the disclosed materials contained information about Canadian and French operations and the activities of TAO, the NSA division responsible for offensive cyber operations.

We must not forget a source inaccessible to ordinary mortals but extremely important: direct access to the attacker's systems obtained through intelligence operations, whether cyber or classic. Often we see a government declare that a particular operation was carried out by a given country, without further details. This was the case with the attack on the 2018 Olympics, when shortly afterwards the US government announced that Russia was responsible. While it is healthy to be skeptical of declarations from government agencies that come without evidence, it should be borne in mind that disclosing the source of information may harm ongoing operations and is not always possible. Sometimes, however, countries take a completely different path and publish in detail how the operators were caught. That is what happened when the Dutch government caught GRU officers conducting an operation against the OPCW and publicly disclosed their identities and the details of the detention. Staying with the capabilities of the Dutch services: in 2018 the press revealed that they had broken into the infrastructure of Russian services and, using cameras in the buildings, watched them at work. This is a great example of access that only government agencies can obtain, and at the same time of why disclosing the details of how that access was obtained would hamper the agencies' work.

Finally, I would like to mention an issue that often fires the imagination and is sometimes used as an argument that attribution is impossible: false flag operations. After all, how can we determine the perpetrator of an attack when they may deliberately leave traces pointing to other groups? This possibility should be taken into account in the analysis, but that is precisely why attribution should rest on multiple pieces of evidence from different sources, making it as hard as possible to replace all the real signs of the intrusion with ones prepared by the attacker. Moreover, impersonating another attacker is not trivial and, because of the additional complexity it adds to the operation, may lead to operational security errors. Take, for example, the attack using the Olympic Destroyer malware, where the developers tried very hard to make it resemble malware used by the Lazarus group, and yet Kaspersky's analysts detected the effort. In summary, attacking under a false flag may make analysts' work harder, but whether the attribution is ultimately made correctly will depend on the skill of the attackers and of the analysts, as in every other case.

As you can see, attribution is a complex issue, but I am far from the defeatism we often see among commentators who claim that in the field of cyber operations nothing is ever known and it is impossible to establish who is responsible. It is a difficult, multi-step process that requires many data sources, often beyond the reach of most teams. Still, the examples of private threat intelligence teams that managed to identify the perpetrators (going back to 2014, when Mandiant published the APT1 report), or the many indictments issued by the US Department of Justice, show how thorough analysis of activity and the merging of data allow the perpetrators to be identified.
