It is becoming more and more urgent to make progress in improving the accuracy of attribution – identifying who is behind a malware attack. Ever since Stuxnet proved that malware can be an effective weapon of war capable of destroying physical assets, the need to accurately attribute malware is apparent.
Currently, information on who launched a particular malware attack is obtained from analysis of the malware binary, analysis of the target, analysis of attacker behaviour (both before and after gaining access), and infiltration. Kim Zetter, in her book Countdown to Zero Day, provides an excellent detailed account of how Stuxnet was attributed to US and Israeli agencies through code analysis carried out mainly by Symantec. In similar fashion, Regin was attributed to the UK, partly through code analysis which identified code components named “Hopscotch” and “Legspin”. The FBI attributed the recent Sony attack to North Korea because the NSA had inside information obtained through infiltrating North Korean systems.
However, attribution through code analysis can be easily overcome through careful programming. The challenge is asymmetrical: it is far easier for a hacker to obscure indicators than for the analyst to recover meaningful information from them. Code analysis is also susceptible to bluff and double-bluff. It is easy for a nation-state to point the finger at another nation by inserting false indicators into the code. For example, a Russian nation-state hacker could name elements of his code “Hopscotch” or “Legspin” in order to mislead attribution analysts. Regin attribution relied on a lot more than those names, but this serves as an illustration. A nation-state could go one step further, with the double-bluff, and leave blatantly obvious indicators pointing toward itself, in order to fool analysts into thinking another nation is trying to pin the blame on it. If carefully crafted, it would be very difficult or impossible to distinguish between a legitimate attribution indicator, a bluff, and a double-bluff.
The announcement by the FBI attributing the recent Sony hack to North Korea was greeted with such suspicion by the general information security community that US authorities felt they needed to leak classified information to prove it. Many had previously labelled Edward Snowden a traitor for leaking classified information.
A little research has been done to improve attribution techniques. VX Research focussed on analysis of DNS-IP pairs maintained by attackers, and on the information available in the whois register when the DNS domain names were registered. Greg Hoglund looked at methods of developing fingerprints from forensic toolmarks in the code which are unique to the developer and his/her development environment; it is an attempt to identify a sort of digital DNA. Other researchers (here and here) have focussed on this area as well. The technique, known as TTP – Tactics, Techniques and Procedures – attempts to develop a fingerprint of the hacker. These methods, which are unlikely to reveal the exact identity of the hacker, go some way to establishing whether a particular attack is linked to others.
Some have suggested that because attribution is too difficult we should stop even attempting it. My view is that, as malware is now a potential cyber weapon which can cause physical damage in a similar way to dropping bombs or launching missiles, accurate attribution is more vital than ever. For enterprises, attribution allows defenders to identify potential threat actors and to develop appropriate response strategies accordingly. Attribution is therefore very important for nation states as well as for enterprises protecting against industrial espionage and sabotage. This is an area which requires a great deal more research and creative input.