More on Attribution


There’s another nice example of attribution in a recent piece by Brian Krebs [krebsonsecurity], “Who is Anna-Senpai, the Mirai Worm Author?” I’m not going to walk through it in detail, because Krebs has already done that very well.

It’s a good example of how to do attribution of an attack; the $30+billion/year US intelligence community should be able to do as good a job as a blogger like Krebs, don’t you think?

I’m starting to sound like a broken record, but I guess that’s how you make a point. In a piece on attribution I wrote back in 2015 [Tenable], I observed:

To accurately establish attribution, you need evidence and understanding:

  • Evidence linking the presumed attacker to the attack
  • An understanding of the attacker’s actions, supporting that evidence
  • Evidence collected from other systems that matches the understanding of the attacker’s actions
  • An understanding of the sequence of events during the attack, matching the evidence

Krebs’ analysis has all those elements. Briefly, he takes the attackers’ dump of the Mirai source, reconstructs the evolution of the software, matches its use to the attack his site experienced, demonstrates how the attacks matched the software, and finally reaches back to identify the authors and obtain a confession. There are a lot of moving parts, and Krebs explains how they all fit together and make his case.

Compare that to “it was Russians, trust us!”

Krebs’ analysis is a good example of how intelligence is done (ironic, huh?): he’s connected a lot of dots, starting with one – the release of the Mirai source – and building from that. Like most detective stories, you can look at it and think, “if not for having that fact, you wouldn’t be able to make it work!” That’s how intelligence is done, except that we seldom remember that if you haven’t got a particular fact there are probably other facts that can be applied to the picture, until it comes clear. It takes patience. Sometimes the missing pieces don’t come for a long time, until the bodies are buried, like the attribution of FBI Associate Director Mark Felt as “Deep Throat”. Sometimes the pieces never appear at all, and we’re left with an enduring mystery, like the identity of Jack the Ripper.

Another good example of attribution coming together is the report Kaspersky Lab did on the “Equation Group” hacking tools, “Equation Group: Questions and Answers” [kaspersky]. Kaspersky’s analysis was careful not to say “It was NSA!” because, honestly, they had a compelling case but it was not conclusive. They mapped the many variations and techniques, including shared code and exploits that were not known in the wild, into an evolutionary tree of connected tools. Their conclusion was that the group was well-funded and almost certainly state-sponsored, because of the targets that were compromised – and, of course, there was the connection to Stuxnet, which required a high level of knowledge of the target, Iran’s nuclear enrichment facility at Natanz. Once it leaked that the US was behind Stuxnet, most of us accepted that the “Equation Group” was the NSA’s Tailored Access Operations (TAO). Now, however, there’s solid attribution thanks to another piece being dropped by the “Shadow Brokers” – the tool-chain they gave away had components that matched items on some of the slides Edward Snowden disclosed about TAO’s tools, and parts of that tool-chain belonged to the family of tools Kaspersky attributed to “Equation Group.” It’s a huge amount of material to wade through – I highly recommend the Kaspersky report – but I would consider it conclusive attribution that Stuxnet, “Equation Group”, Flame, etc., are the US National Security Agency’s TAO.


The interesting question that remains is whether the “Shadow Brokers” were a Russian op, deliberately hanging the entire “Equation Group” mess around the US’ neck. That actually is the level of cleverness I’d expect from them, not the trivial DNC hacks. But we may never know.

Thanks for showing the FBI, CIA, and NSA how attribution should be done, Brian! That was a really impressive piece of work!


I had my own attribution for Stuxnet before James Cartwright leaked that it was a US effort. Since Stuxnet was using a variant of the Aurora generator-cycling attack, which was developed at Idaho National Laboratory a few years before, I asked myself how the attackers were able to test their code. I knew Aurora required intimate knowledge about the properties of the system being attacked, and I know that gas centrifuges are complicated wee beasties – so: who’d have Pakistani P-1 centrifuges to test against? Well, before Stuxnet whacked Natanz in 2010, Libya had stood down its nuclear enrichment program – which included some P-1s they had bought through the AQ Khan network. Where did the Libyan P-1s wind up? Oak Ridge, TN. It’s too circumstantial, but I thought it was interesting.

My own theory about the identity of Jack the Ripper is based on about as much evidence as Alan Moore’s, Patricia Cornwell’s, and others’: I think Springheel Jack was some insignificant psychopath who just didn’t get caught. Imagine if BTK Killer Dennis Rader had been hit by a bus and killed, without making the mistake that allowed him to get caught. My theory about Jack is that one night he went out to hunt, got coshed on the back of the head by a footpad, and he and his knife and the answer to the mystery wound up in a ditch. Or perhaps he suffered a heart attack and wound up face down in his soup. Maybe he choked on a chicken bone. Why imagine something complicated?

Comments

  1. A Lurker from Mexico says

    There’s something that’s been bothering me. Are your politicians allowed to make accusations (particularly accusations that affect your foreign policy), before attribution has been properly established? In the election chaos, there were a million topics and near weekly scandals, so this fell into the back of my mind for a while. The Democrats have been yelling about Russia for quite a while, in a way that really doesn’t add up.

    “We know that Russian intelligence services, which are part of the Russian government, which is under the firm control of Vladimir Putin, hacked into the DNC. We know that they arranged for a lot of those emails to be released,” Clinton said in an interview with Fox News aired on 31 July.

    http://www.ibtimes.co.uk/clinton-us-should-use-military-response-fight-cyberattacks-russia-china-1579187

    That’s the earliest mention of “Russian hackers” I could find (I didn’t spend much time looking, admittedly). Hillary Clinton called it on July 31st, though she may have talked about it even earlier. The statement by the “17 intelligence agencies” was made on October 7.
    -On what grounds was she making that accusation, then?
    -Does the DNC somehow have better investigation capabilities than the “17 intelligence agencies”?
    -So much so that their presidential candidate can confidently make such inflammatory comments about a foreign nuclear nation more than two months before the intelligence agencies had finished their investigation and announced their conclusion?
    -Isn’t it insanely reckless for the supposed “calm and professional” Hillary Clinton to instigate further conflict with Russia over a crime that hadn’t been investigated through the proper channels yet?

    A pretty publicized accusation was made quite long before an official case could be built by your intelligence community. One would imagine that the standard procedure is done exactly the other way around, so that the press coverage and public outrage would not interfere with the investigation.

    The actual order of events makes it reasonable to assume that the entire investigation could just be an attempt to give respectability to the desperate narrative of a failing campaign.
    This without even getting into the lack of evidence, the dishonest reporting, the lack of independent sources, and the CIA’s dismal record on literally everything. Factors which really don’t give the investigation (or the conclusion they reached) much credibility to begin with.

  2. sonofrojblake says

    Two minor points of pedantry:

    That’s how intelligence is done, except that we seldom don’t remember that if you haven’t got a particular fact

    Eh?

    And: Springheeled Jack != Jack the Ripper. The one was an urban legend, the other was very real.
    ——————————-
    One of the things Trump has been criticised for has been his open conflict with the intelligence community. I have to say, in the light of recent posts on this subject, I’m approaching the disturbing conclusion that Trump might be in the right on this one. Say it ain’t so.

  3. Marcus Ranum says

    Shiv@#3:
    We demand time travel!

    Well, it’s forward time travel, which you can do at the usual rate of 60 seconds / minute by taking a lengthy nap. Since 2105 is a ways out, make sure you don’t do your forward travel in someplace near sea-level, so you don’t wake up and find yourself under water thanks to ice cap melt.

  4. Marcus Ranum says

    sonofrojblake@#2:
    And: Springheeled Jack != Jack the Ripper. The one was an urban legend, the other was very real.

    I did not know that!!!! (knowledge updated)

    SPOILER (about “The ruling class” 1972 film)
    I am pretty sure I know where the error crept into my mind!!! If you watch “The Ruling Class” at 1:54 there’s the scene where O’Toole describes himself as various Jacks, including Red Jack, Springheel Jack, Jack the Ripper. Since I had never encountered Springheel Jack anywhere else, I simply accepted that as knowledge. This was in my mind because I recently re-watched that wonderful movie. I always find it fascinating when I can identify how a mistake became part of my accepted body of knowledge – and the process of correcting the mistake has an odd feeling to it; it’s a very deliberate sense of overwriting something.

  5. Marcus Ranum says

    A Lurker from mexico@#1:
    There’s something that’s been bothering me. Are your politicians allowed to make accusations (particularly accusations that affect your foreign policy), before attribution has been properly established?

    That has been bothering me, too. For some time. The short form is: yes. It’s one of the reasons that Congress is supposed to approve wars – a control which they have notoriously been shirking since WWII. So you can have something like the Gulf of Tonkin Resolution, which committed the US to Vietnam based on the president’s mis-attributing an attack (which we now know to have been not just a “misattribution” but an outright falsehood). We also saw Obama nearly pushed into Syria based on the presumption that sarin gas attacks were being launched by Syria – which is still contested. The upshot appears to be that if the president decides to accuse another country of hacking, they can start a war over it and nobody’ll do anything but salute. That is why I have been yelling about this issue for the last 10+ years…

    On what grounds was she making that accusation, then?

    Absolutely unknown.

    As a candidate, I don’t see any reason why the intelligence agencies would have provided her any sort of evidence, even classified, so I would assume she pulled that “fact” out of her back pocket the same way that everyone else has been doing it. Nice, huh?

    Does the DNC somehow have better investigation capabilities than the “17 intelligence agencies”?

    They should have minimal investigation capabilities, but … I doubt it. They appear to be boneheads about security.

    -Isn’t it insanely reckless for the supposed “calm and professional” Hillary Clinton to instigate further conflict with Russia over a crime that hadn’t been investigated through the proper channels yet?

    Yes. In Marcus-land the way this would have been handled would be: if the intelligence agencies had solid evidence linking the attacks to a state actor, they would have presented it with at least the level of thoroughness that Kaspersky’s team, or Krebs, did. Proper channels would be for the agencies to brief the executive and request permission to publish their findings. Of course that didn’t happen because of the new Washington love of secrecy for its own sake.

    One would imagine that the standard procedure is done exactly the other way around, so that the press coverage and public outrage would not interfere with the investigation.

    One would imagine that, but then one would be disappointed.
    The FBI, which – as part of the Department of Justice – is familiar with the process of presenting a criminal case and evidence, understands that one does not interfere with an investigation in progress, and how to present a case. Presumably, the FBI could have/should have led the presentation of the case. Except that would mean that the intelligence community would have to work with the FBI, which will not happen. The FBI and intelligence community have been at various degrees of war since the founding of the CIA.

    Factors which really don’t give the investigation (or the conclusion they reached) much credibility to begin with.

    If they had any good evidence they could still present it and let the security community sift through it and form its own conclusion. That’d be how I’d do it. But I believe government should be open and the US government does not.

  6. A Lurker from Mexico says

    Marcus Ranum @7
    This is why people turn to religion and woo. Real life is fucking dumb.

    By the way. The alleged liberal media is now goading Trump into putting American troops on the Russian border.
    https://youtu.be/uHX031UoCXA?t=11m30s

    What a development! The democratic establishment and their goons are pushing for a direct confrontation with Russia!
    I mean, it’s not like I’ve been yelling about this for the last 6 months. I just hoped that the chances of this happening would die alongside Hillary Clinton’s career.

  7. Marcus Ranum says

    A Lurker from Mexico@#8:
    The alleged liberal media is now goading Trump into putting American troops on the Russian border.

    It’s probably the pentagon pursuing its own agenda and leaking bits of it to the lapdog media, to be honest.

    If you want a depressing read, try “Obama’s Wars”. Woodward makes a good case that the military do what they want, within very wide parameters, and the president has some control, but not much. It would not be unlike the Pentagon to “continue with planned deployments” or “extended maneuvers” without the president intervening. As long as the president hadn’t specifically ordered them not to, they might engage in provocation and pass the buck around as to who actually authorized it (in which case it would turn out to be Donald Rumsfeld, years ago, and they only just now got around to it).

    There’s an account in “Obama’s Wars” of when Obama was approached by the pentagon wanting “the surge” – 30,000 troops or 100,000 troops. Obama said “I want a draw-down plan” and the pentagon came back with another “surge” plan. This kept going on until the pentagon came back with a “draw down plan” that was the “surge” – and Obama went along with it.

    It would not be unlike the military to go on planned maneuvers as a provocation, to create a situation for the president to have to deal with. You can look back through the news and find plenty of occasions when the military have gone around the president and socialized ideas with the media. Probably the best book on this topic is “The Operators” by Michael Hastings. It’s terrifying to see how loose the cannons are.

  8. Holms says

    #8
    I seem to recall you opposing Hillary and supporting Trump, because (my paraphrase of your position) ‘at least he isn’t a warhawk!’ Too bad about all of those tinpot dictator tendencies he displayed along the way.

  9. A Lurker from Mexico says

    @10
    I opposed both, not being quite sure who was the lesser evil. By the end of it I believed (and mentioned) that for all her bullshit Hillary was the lesser evil, as she could be reasoned with to let go of her most harmful policies. I was wrong, she’s too fucking arrogant to be reasoned with, too fucking authoritarian to be pressured. Turns out, HE was the lesser evil, although not by much.

    So you have Democrats and Democrat-leaning journalists pushing Trump to increase tensions with Russia. How the fuck is he the war hawk in this situation and what on earth prompted your random-ass comment?