Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

ABTV

// // //
12/21/2017
10:35 AM
Larry Loeb
Larry Loeb
Larry Loeb

The Hard Work of Pointing Fingers

Pointing the finger at a perpetrator is difficult. Pointing it at the right perpetrator is even harder. That doesn't stop many organizations from trying.

Joining the initial call by the government of the UK as well as the US, the governments of Australia, Canada, New Zealand and Japan have all said this week that North Korea is behind the activities of the hacking group called Lazarus. This Advanced Persistent Threat (APT) actor has been determined to be behind the WannaCry malware that affected computers that were running Windows.

Microsoft announced the attribution on their blog, saying that they had worked with Facebook to disrupt the malware that the group relied on, as well as cleaning their customers' infected computers and strengthened the defenses inside of Windows to prevent reinfection. Specifics of how they did all of this were not given, but it was reported in a tweet that it had disrupted accounts that were being used by the group.

Microsoft also said that, "We are pleased to see these governments making this strong statement of attribution. If the rising tide of nation-state attacks on civilians is to be stopped, governments must be prepared to call out the countries that launch them."

This is something that sounds great as a ringing statement, calling on governments to protect innocents from n'er-do-wells preying on them. But knowing who the actual threat actor is can be very complex in execution, and not always simple.

In fact, part of the threat actor game is to disguise who is the actual threat actor. Part of the Vault series of leaks included a tool that automated that kind of thing. Attribution requires judgements be made by people about the code that is eventually discovered and those judgements may be inaccurate or ill-informed.

An attribution chorus
In this case, Kaspersky Lab, Symantec and BAE Systems all called out Lazarus (and hence North Korea) as the source just after WannaCry made its appearance. The exact data used by them to do this has not been publicly released. But the recent fingerpointing by the governments against North Korea is given additional credibility because the claim has some factual basis; these technical firms and their specialists made their call early and in unison.

The point for the rest of us here is that attribution of who wrote what code can be deeply flawed. It may be that a villain of some stripe may be an easy target for attribution of an attack. That doesn't mean that particular bad guy actually did it. Simple and quick reactions can be most misleading, unless backed up by hard data.

When governments get involved in making attributions like this, skepticism must be invoked. The governments will need to prove their accusations, not just make them. Politicization of cybersecurity will neither solve the problem, nor provide a defense. In this particular case, the attributions seem to be based on data rather than desire. But there is no guarantee that the next situation will be as fact-based. It is up to the community to require data be shown in such an attribution so that it cannot be used to just serve political ambitions.

Related posts:

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Improving Enterprise Cybersecurity With XDR
Enterprises are looking at eXtended Detection and Response technologies to improve their abilities to detect, and respond to, threats. While endpoint detection and response is not new to enterprise security, organizations have to improve network visibility, expand data collection and expand threat hunting capabilites if they want their XDR deployments to succeed. This issue of Tech Insights also includes: a market overview for XDR from Omdia, questions to ask before deploying XDR, and an XDR primer.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-26054
PUBLISHED: 2022-07-04
Operation restriction bypass vulnerability in Link of Cybozu Garoon 4.0.0 to 5.5.1 allows a remote authenticated attacker to alter the data of Link.
CVE-2022-26368
PUBLISHED: 2022-07-04
Browse restriction bypass and operation restriction bypass vulnerability in Cabinet of Cybozu Garoon 4.0.0 to 5.5.1 allows a remote authenticated attacker to alter and/or obtain the data of Cabinet.
CVE-2022-27627
PUBLISHED: 2022-07-04
Cross-site scripting vulnerability in Organization's Information of Cybozu Garoon 4.10.2 to 5.5.1 allows a remote attacker to execute an arbitrary script on the logged-in user's web browser.
CVE-2022-27661
PUBLISHED: 2022-07-04
Operation restriction bypass vulnerability in Workflow of Cybozu Garoon 4.0.0 to 5.5.1 allows a remote authenticated attacker to alter the data of Workflow.
CVE-2022-27803
PUBLISHED: 2022-07-04
Improper input validation vulnerability in Space of Cybozu Garoon 4.0.0 to 5.5.1 allows a remote authenticated attacker to alter the data of Space.