Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

ABTV

12/21/2017
10:35 AM
Larry Loeb
Larry Loeb
Larry Loeb
50%
50%

The Hard Work of Pointing Fingers

Pointing the finger at a perpetrator is difficult. Pointing it at the right perpetrator is even harder. That doesn't stop many organizations from trying.

Joining the initial call by the government of the UK as well as the US, the governments of Australia, Canada, New Zealand and Japan have all said this week that North Korea is behind the activities of the hacking group called Lazarus. This Advanced Persistent Threat (APT) actor has been determined to be behind the WannaCry malware that affected computers that were running Windows.

Microsoft announced the attribution on their blog, saying that they had worked with Facebook to disrupt the malware that the group relied on, as well as cleaning their customers' infected computers and strengthened the defenses inside of Windows to prevent reinfection. Specifics of how they did all of this were not given, but it was reported in a tweet that it had disrupted accounts that were being used by the group.

Microsoft also said that, "We are pleased to see these governments making this strong statement of attribution. If the rising tide of nation-state attacks on civilians is to be stopped, governments must be prepared to call out the countries that launch them."

This is something that sounds great as a ringing statement, calling on governments to protect innocents from n'er-do-wells preying on them. But knowing who the actual threat actor is can be very complex in execution, and not always simple.

In fact, part of the threat actor game is to disguise who is the actual threat actor. Part of the Vault series of leaks included a tool that automated that kind of thing. Attribution requires judgements be made by people about the code that is eventually discovered and those judgements may be inaccurate or ill-informed.

An attribution chorus
In this case, Kaspersky Lab, Symantec and BAE Systems all called out Lazarus (and hence North Korea) as the source just after WannaCry made its appearance. The exact data used by them to do this has not been publicly released. But the recent fingerpointing by the governments against North Korea is given additional credibility because the claim has some factual basis; these technical firms and their specialists made their call early and in unison.

The point for the rest of us here is that attribution of who wrote what code can be deeply flawed. It may be that a villain of some stripe may be an easy target for attribution of an attack. That doesn't mean that particular bad guy actually did it. Simple and quick reactions can be most misleading, unless backed up by hard data.

When governments get involved in making attributions like this, skepticism must be invoked. The governments will need to prove their accusations, not just make them. Politicization of cybersecurity will neither solve the problem, nor provide a defense. In this particular case, the attributions seem to be based on data rather than desire. But there is no guarantee that the next situation will be as fact-based. It is up to the community to require data be shown in such an attribution so that it cannot be used to just serve political ambitions.

Related posts:

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Enterprise Cybersecurity Plans in a Post-Pandemic World
Download the Enterprise Cybersecurity Plans in a Post-Pandemic World report to understand how security leaders are maintaining pace with pandemic-related challenges, and where there is room for improvement.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-20037
PUBLISHED: 2021-09-21
SonicWall Global VPN Client 4.10.5 installer (32-bit and 64-bit) incorrect default file permission vulnerability leads to privilege escalation which potentially allows command execution in the host operating system. This vulnerability impacts GVC 4.10.5 installer and earlier.
CVE-2021-39229
PUBLISHED: 2021-09-20
Apprise is an open source library which allows you to send a notification to almost all of the most popular notification services available. In affected versions users who use Apprise granting them access to the IFTTT plugin (which just comes out of the box) are subject to a denial of service attack...
CVE-2021-41083
PUBLISHED: 2021-09-20
Dada Mail is a web-based e-mail list management system. In affected versions a bad actor could give someone a carefully crafted web page via email, SMS, etc, that - when visited, allows them control of the list control panel as if the bad actor was logged in themselves. This includes changing any ma...
CVE-2021-34650
PUBLISHED: 2021-09-20
The eID Easy WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the error parameter found in the ~/admin.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 4.6.
CVE-2021-41082
PUBLISHED: 2021-09-20
Discourse is a platform for community discussion. In affected versions any private message that includes a group had its title and participating user exposed to users that do not have access to the private messages. However, access control for the private messages was not compromised as users were n...