Developing attribution documentation for cyber-related attacks means reviewing all available information, from collected digital evidence to any other pertinent facts found. While the topic is broad in nature, we will review a cyber attack that appeared to be perpetrated from allied countries and third-world countries but, after further investigation, was found to be a state-sponsored attempt. We will look at the attribution of the attack and how that attribution was clarified.
Think of attribution as a playground fight, where a teacher breaks up two students and asks both those involved and the witnesses, “Who started this?” That is our very first attempt at attribution. When looking at attributions, we begin by looking at Advanced Persistent Threats (APTs): their scale and resources are assessed, and then the best incident response is determined and correlated with possible previous or known attacks. Identifying and knowing the malicious users behind any attack is important, as is understanding whether it is a teenager simply proving his or her capability or a nation state proving its superiority.
Whether it is a single person angry about not getting the job they wanted, like Todd Gori, who was sentenced to 37 months in prison for threatening a cyber attack against a healthcare software company, or Kamyar Jahanrakhshan of Seattle, charged with extortion, such individuals can and will become attack vectors to be exploited. Regardless of the medium, cyber extortion will remain a persistent threat as long as cybercriminals find it lucrative. However, cybercriminals don’t usually demand employment at the company they attack. Earlier this year, Kamyar Jahanrakhshan, of Seattle, was charged with extortion after the FBI claimed he launched a cyber attack against Leagle[.]com and several other media companies after the companies refused to remove links to court documents involving him from their sites.
In the attack on Estonia, not enough data was collected, so it can only be summarized that the apparent source location was only one part of the attack. When looking at different groups, possible motives are also deemed necessary evidence, whether the cause is a nation state’s or a personal one. Looking at the offending users, it also appears that private citizens were involved, which only makes their actions even more difficult to prove. Any nation attacked by such a group would need to prove that the private citizens received direct instructions from the nation state, not to mention account for the sophisticated malware that was used in the attack. Looking at the NSA documentation released to the public, the attack itself was treated as espionage, not as an act of war. Currently, neither the United States nor nations abroad have a legal definition of an act of war in regard to cyber attacks, or of the potential use of force in reaction. The attacks lasted months and targeted public infrastructure, with severe effects on both government and civilian daily life. Malicious users were using servers in numerous countries to perpetrate the attacks, making it increasingly difficult to gather evidence.
This was the first instance in which a nation was attacked on this scale. Security researchers even believed it to be a testing ground or precursor to the attack on the Democratic National Committee by a hacker known as Guccifer 2.0. United States investigators identified Guccifer 2.0 as a particular GRU officer working out of the agency’s headquarters on Grizodubovoy Street in Moscow. Guccifer 2.0 previously claimed responsibility for high-profile hacks of political entities, including the Democratic National Committee (DNC) and the Democratic Congressional Campaign Committee (DCCC).
However, again, since the majority of the evidence is never released or evaluated by a neutral third party, we can only summarize what the government tells us and what security researchers gather through open source intelligence methods.
Numerous factors must be considered when looking at possible nation state cyber attacks: the physical effects and severity of such attacks, possible proliferation, validity, and directness. A botnet was seen and monitored; however, no physical damage was involved, and no evidence from the malware reflects that the power plant in the United States was the intended target. The vulnerabilities exploited did not align with what the malware was capable of doing. Following the path the attack took, examining the infrastructure of the other, smaller countries that was used to route the attack is warranted, and those countries should have no reason not to comply since they are United States allies. Doing so allows a proper response toward Estonia, and shows how to protect other smaller nations in the future when such an attack happens.
When nation states attribute an attack to a particular group or another country, some of their evidence is often left out of public view for reasons of national security. The United Kingdom’s decision to publicly attribute this incident is significant, as the UK has previously stated that it and its allies will not tolerate malicious cyber activity. The Russian press secretary responded, stating that they “categorically reject such accusations, we consider them to be unsubstantiated, groundless, and, in fact, it’s nothing more than the continuation of such a Russophobic campaign, which is not based on any evidence.” The United States government does not often attribute cyber activity, but when it does so officially, it usually does so with a range of credible information beyond technical intelligence. Additionally, it is not unusual for North Korea to issue harsh rhetoric in response to statements by Washington and/or Seoul. Kremlin-sponsored cyber actors APT28 (or Fancy Bear, named by Symantec) were publicly accused of US election meddling and critical infrastructure targeting in sanctions issued last week by the Department of Treasury. While the US, UK, and others have publicly accused the Kremlin of such activities, there is no indication that the Russian government intends to slow down or halt these campaigns, as they have been wildly successful in advancing Russia’s interests globally. It is attributions like these, developed and analyzed only by governments, that leave numerous security researchers baffled that the evidence is not at the very least allowed to be analyzed by a third party for verification.
Because of these unchecked methods of attribution, companies are hurt drastically as well. For instance, consider Huawei and ZTE… Concerns about Huawei and ZTE are not new. A 2012 House Intelligence Committee report identified both companies as a national security threat, encouraging private companies to consider the long-term security risks of doing business with either Huawei or ZTE. Even the applications we download on our phones have the capacity to be exploited, both for state-sponsored attacks and by private citizens. Anyone can submit applications to the stores for anyone to download without any oversight. Notoriously, the Google Play Store is plagued with applications that can be leveraged for attacks, without anyone knowing who uploaded the applications for public consumption.
While most of the apps appear in the Google Play Store, it was noted that some were on Apple’s App Store as well. Analyst Comment: This revelation is the latest in an ongoing conspiracy theory that tech giants (like Facebook) secretly listen in on conversations in order to offer up relevant ads. Whether the conspiracy is true or not, security researchers encourage all users to regularly audit the privacy settings on their mobile devices and the apps on those devices.
The data a company collects on its users can also be seen as information that contributes to attribution evidence. Take Strava, for instance, a fitness social network that allows the sharing of running routes and times. To the everyday user this is great, because you can find new routes from friends. From a military perspective, however, a nation state could see military layouts based on heat maps. The greatest risk factor introduced by the Strava global heat map is that military and diplomatic users in high-danger zones do not have anonymized data. Strava’s platform aggregates over a billion activities that can be exploited by malicious actors to gain tactical information such as the geolocation and route timetables of high-value assets. While this kind of data may not seem serious to the everyday user, to a nation state it is another data point that can help identify the best area to target in order to cripple lesser or stronger nation states.
The Global Commission on the Stability of Cyberspace (GCSC) is currently working on two things: a definition of an online non-aggression pact, and a definition of what should not be attacked in a cyberwar. The group recently agreed on the wording “public core of the internet” to describe the online resources that should be out of bounds for state-conducted cyber attacks.
Numerous experts believe and agree that cyberspace does not need its own governing body of law: “application of international law to cyber activities is accordingly a matter of identifying the relevant legal principles that bear on the person, place, object, or type of activity in question” (Schmitt, Michael N.). While no single government can measure how a society could be made free from cyber attacks, nations can invest more in preventive measures and in the resources associated with their protection. However, it is also important that any laws be responsive to current trends in technology and not become severely outdated.