Our experts' unique discoveries, observations, and opinions on what’s trending today in Business Risk Intelligence and the Deep & Dark Web.

Blog > Cybercrime > Attribution is [not] Broken

Attribution is [not] Broken


Everyone has his or her little window into Pretty Pink Panda #53, which someone else calls Lucky Leprechaun 98, which is really Red Leader, but only if you have a secret handshake to know that name, then it’s RL, because clearances.

Attribution is broken. It has always been broken. And will always will be broken.

Attribution 1

Yeah, I said it. And here’s why.

If you consider the recent Wikileaks release of CIA information, the public reaction was overwhelming, and almost nonsensical. And yet another proof point in the challenge of attribution. You’re trying to tell me that because the CIA can use foreign malware…years of hacks, posts, and campaigns tied back to infrastructure really wasn’t caused by ? Just because it could be?

This is one of the biggest revelations of the CIA leaks. The current implications are devastating to the security industry that works with attribution daily, as this little piece of information discredits any current malware investigation, including U.S. Presidential elections. Is China Russia, or is Russia the new Brazil, but only on Tuesdays with chicken curry and rice? But what about APT28 being Wekby being slippery panda mixed with cyber APT threat cloud synergies and a North Korean kitten? Everything that we know about malware and attribution is wrong: what is real, what is not, and what is fantasy? Everything that we know is now wrong. Or right. Or somewhere between alive and dead, but neither at the same time. That poor cat.

Regardless of what you call something, our conclusions are drawn from the evidence at hand, and decisions are made based on said evidence (or better known as “intelligence”). If someone else is looking at the same threat group, work with them to see if their conclusions match your conclusions. And so on, and so forth, until a conclusion as a whole can be made. And while, again as an example, the CIA may have the ability to steal malware from a system and use it, the malware was still there. The money was still wired. Russian criminals are still behind Locky and Dridex, regardless of if, say, the CIA can send a wave or three of spam from their botnet. Cybercrime is still there, and the same people who say attribution isn’t completely broken also may scream “deception campaign” to say APT28 is really China. Or Canada. Or Equation Group and Hungarian collaboration.

Attribution 2

Sure, this leak dealt a massive blow to the security of the United States and allies, as current capabilities are now out in the open for both friends and enemies to see. Some of the revelations include the abilities to crack cell phones, computers, TV’s, and your mother’s toaster.

But it gets much worse. The CIA has the ability to hack every device in the known universe. From the leaked documents, the CIA collaborates with the NSA, FBI, and GCHQ on different projects. So now wherever you are, the government can find you, regardless of whether you’re on Android or an iPhone. Brush off that armadillo helmet, because they are coming after us.

Attribution 3

While some may see the CIA leaks as something groundbreaking, there is nothing new in them. Spies have to spy, and that’s the definition of well…spying. Some say attribution isn’t broken, while others will use the CIA as an example to muddy the waters and discredit analysts. But as we know, the CIA isn’t made of perfect 1337 hax0rs, because they were hacked and lost all their secrets. How’s that for muddy waters?

We’re all doomed! Before you put your hat on the hanger and close up shop because attribution is broken, let’s take a step back and look at the numbers. Just like hips, numbers don’t lie.

By definition, a hacker is someone who is beyond proficient with a computer and able to handle many things and aspects of a computer. Nielsen Norman Group published a great study at the end of 2016, detailing the proficiency of computer users across 33 countries. Of those studied, only 5% showed skills proficient enough to solve problems with computers. Hackers are an even smaller set of this, but we’ll use 5% (my point will still be made).

The federal government currently employs 2.79 million people. Let’s assume that 5% is our CIA / FBI / NSA hacker type, who are our 400 pound hackers living on destruction, binary, and Mountain Dew.

2,790,000 * 5% == 139,500 HoD (hackers of destruction)

Since every hacker is hacking everybody everywhere, let’s look at the current populace of the globe. Currently, we have 7.4 billion people on this dustball we call Earth.

7.4 billion / 139,500 HoD = 53,046 VICTIMS PER HACKER

As someone who previously worked incident response for a company of 40,000 users, our main concern was to protect the organization from attacks rather than watch Sally Smith in accounting download brownie recipes when she should have been working. Our team consisted of 20+ analysts, 20+ engineers, plus dozens of local and field support technicians in order to maintain security and monitor for attacks on a daily basis. It takes time and effort to deploy networks and maintain them, and what happens when one of those go out? To put this into layman terms, it’s impossible for one person to watch and actively monitor 53,000 people.

Mathematically, you are not a special unicorn, and the government really doesn’t care about you. Attribution is hard enough as it is, regardless of what government agencies can or can’t do. Just because one of these organizations can use malware, it doesn’t mean that all analysis should be thrown out the window. We can continue to sensationalize and freak out that the CIA / NSA / GCHQ / 400 pound hackers can pretend to be someone else, or we can all go back to defending our networks and tracking the threats that are coming at us, because those threats and attacks are what really matters.

Attribution 4

About the author: Ronnie Tokazowski

Ronnie Tokazowski is a Senior Malware Analyst at Flashpoint who specializes in APT, crimeware, and cryptanalysis. When he’s not cooking, he’s reversing new strains of malware and breaking different malware protocols in order to understand how they work.