Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

ABTV

12/21/2017
10:35 AM
Larry Loeb
Larry Loeb
Larry Loeb
50%
50%

The Hard Work of Pointing Fingers

Pointing the finger at a perpetrator is difficult. Pointing it at the right perpetrator is even harder. That doesn't stop many organizations from trying.

Joining the initial call by the government of the UK as well as the US, the governments of Australia, Canada, New Zealand and Japan have all said this week that North Korea is behind the activities of the hacking group called Lazarus. This Advanced Persistent Threat (APT) actor has been determined to be behind the WannaCry malware that affected computers that were running Windows.

Microsoft announced the attribution on their blog, saying that they had worked with Facebook to disrupt the malware that the group relied on, as well as cleaning their customers' infected computers and strengthened the defenses inside of Windows to prevent reinfection. Specifics of how they did all of this were not given, but it was reported in a tweet that it had disrupted accounts that were being used by the group.

Microsoft also said that, "We are pleased to see these governments making this strong statement of attribution. If the rising tide of nation-state attacks on civilians is to be stopped, governments must be prepared to call out the countries that launch them."

This is something that sounds great as a ringing statement, calling on governments to protect innocents from n'er-do-wells preying on them. But knowing who the actual threat actor is can be very complex in execution, and not always simple.

In fact, part of the threat actor game is to disguise who is the actual threat actor. Part of the Vault series of leaks included a tool that automated that kind of thing. Attribution requires judgements be made by people about the code that is eventually discovered and those judgements may be inaccurate or ill-informed.

An attribution chorus
In this case, Kaspersky Lab, Symantec and BAE Systems all called out Lazarus (and hence North Korea) as the source just after WannaCry made its appearance. The exact data used by them to do this has not been publicly released. But the recent fingerpointing by the governments against North Korea is given additional credibility because the claim has some factual basis; these technical firms and their specialists made their call early and in unison.

The point for the rest of us here is that attribution of who wrote what code can be deeply flawed. It may be that a villain of some stripe may be an easy target for attribution of an attack. That doesn't mean that particular bad guy actually did it. Simple and quick reactions can be most misleading, unless backed up by hard data.

When governments get involved in making attributions like this, skepticism must be invoked. The governments will need to prove their accusations, not just make them. Politicization of cybersecurity will neither solve the problem, nor provide a defense. In this particular case, the attributions seem to be based on data rather than desire. But there is no guarantee that the next situation will be as fact-based. It is up to the community to require data be shown in such an attribution so that it cannot be used to just serve political ambitions.

Related posts:

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
News
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
News
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-25382
PUBLISHED: 2021-04-23
An improper authorization of using debugging command in Secure Folder prior to SMR Oct-2020 Release 1 allows unauthorized access to contents in Secure Folder via debugging command.
CVE-2021-26291
PUBLISHED: 2021-04-23
Apache Maven will follow repositories that are defined in a dependency’s Project Object Model (pom) which may be surprising to some users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be t...
CVE-2021-31607
PUBLISHED: 2021-04-23
In SaltStack Salt 2016.9 through 3002.6, a command injection vulnerability exists in the snapper module that allows for local privilege escalation on a minion. The attack requires that a file is created with a pathname that is backed up by snapper, and that the master calls the snapper.diff function...
CVE-2021-31597
PUBLISHED: 2021-04-23
The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.
CVE-2021-2296
PUBLISHED: 2021-04-22
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.20. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromi...