The Hard Work of Pointing Fingers

Joining the initial call by the government of the UK as well as the US, the governments of Australia, Canada, New Zealand and Japan have all said this week that North Korea is behind the activities of the hacking group called Lazarus. This Advanced Persistent Threat (APT) actor has been determined to be behind the WannaCry malware that affected computers that were running Windows.

Microsoft announced the attribution on their blog, saying that they had worked with Facebook to disrupt the malware that the group relied on, as well as cleaning their customers' infected computers and strengthened the defenses inside of Windows to prevent reinfection. Specifics of how they did all of this were not given, but it was reported in a tweet that it had disrupted accounts that were being used by the group.

Microsoft also said that, "We are pleased to see these governments making this strong statement of attribution. If the rising tide of nation-state attacks on civilians is to be stopped, governments must be prepared to call out the countries that launch them."

This is something that sounds great as a ringing statement, calling on governments to protect innocents from n'er-do-wells preying on them. But knowing who the actual threat actor is can be very complex in execution, and not always simple.

In fact, part of the threat actor game is to disguise who is the actual threat actor. Part of the Vault series of leaks included a tool that automated that kind of thing. Attribution requires judgements be made by people about the code that is eventually discovered and those judgements may be inaccurate or ill-informed.

An attribution chorus
In this case, Kaspersky Lab, Symantec and BAE Systems all called out Lazarus (and hence North Korea) as the source just after WannaCry made its appearance. The exact data used by them to do this has not been publicly released. But the recent fingerpointing by the governments against North Korea is given additional credibility because the claim has some factual basis; these technical firms and their specialists made their call early and in unison.

The point for the rest of us here is that attribution of who wrote what code can be deeply flawed. It may be that a villain of some stripe may be an easy target for attribution of an attack. That doesn't mean that particular bad guy actually did it. Simple and quick reactions can be most misleading, unless backed up by hard data.

When governments get involved in making attributions like this, skepticism must be invoked. The governments will need to prove their accusations, not just make them. Politicization of cybersecurity will neither solve the problem, nor provide a defense. In this particular case, the attributions seem to be based on data rather than desire. But there is no guarantee that the next situation will be as fact-based. It is up to the community to require data be shown in such an attribution so that it cannot be used to just serve political ambitions.

Related posts:

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.