Header graphic for print
Steptoe Cyberblog

Good News for Cybersecurity and Attribution?

Posted in Cybersecurity and Cyberwar, Data Breach, Security Programs & Policies

How should the US respond to massive state-sponsored cyberespionage? Right now, policymakers are intent on improving network security, perhaps by pressing the private sector to improve its security, or by waiving outmoded privacy rules that prevent rapid sharing of information about attackers’ tactics and tools.

This would improve our network security, but not enough to alter our strategic position – which is bad and getting worse. The hard fact is that we can’t defend our way out of the current security crisis, any more than we can end street crime by requiring pedestrians to wear better and better body armor.

That’s why I’ve been calling for a renewed strategic focus on catching attackers and punishing them. It works for street crime. It even works for nation states. So why hasn’t catching and punishing rulebreakers worked in the realm of network attacks? Mostly because our intelligence community insists that attribution is just too hard.

I think that’s wrong, and here’s why.

My theory is simple: The same human flaws that expose our networks to attack will compromise our attackers’ anonymity. Or, as I put it in speeches,

“The bad news is that our security sucks. The good news is that their security sucks too.”

In this post, I’d like to go beyond theory to show how hackers’ human frailties and errors make attribution easier. I’ll start with a groundbreaking investigation by Nart Villeneuve and a team from Trend Micro. The team was the first to identify a hacker taking part in the vast China-based campaigns to steal the secrets of military and aerospace companies as well as Tibetan activists. This particular network campaign, dubbed “Luckycat” by researchers, followed familiar lines: careful social engineering of emails to lure the target into opening a poisoned attachment or link, followed by rapid compromise of the target’s computer, lateral privilege escalation to compromise the entire network, and a leisurely, months-long strip-mining of the network for information. Dozens of similar campaigns have been spotted in recent years, almost all of them aimed at targets of interest to the Chinese government. But because the attackers use Internet cut-outs – intermediate command-and-control computers and domains located around the world – it has been hard to follow them home.

That’s still true, but it turns out that the attackers are only human. They make mistakes when they’re in a hurry or overconfident. They leave bits of code behind on abandoned command-and-control computers. They reuse passwords and email addresses and computers.

The Trend Micro investigators exploited these errors, tying one of the command-and-control domains to an email address and then to a QQ address. (QQ is China’s enormously popular instant messaging system. Owned by Chinese Internet giant Tencent, it has nearly as many users as Facebook — 711 million in September 2011, when Facebook had 750 million.)

That QQ address in turn was tied to two online nicknames, “dang0102” and “scuhkr,” whose users had posted in a notorious Chinese hacker forum and had “recruited others to join a research project on network attack and defense at the Information Security Institute of the Sichuan University.”

The University and its “information security” institute has several ties to the hackers; indeed, the nickname “scuhkr” looks like a tribute to SiChuan University, whose internet domain is scu.edu.cn. The investigators identified a second attacker as someone who, they concluded, “also worked and studied at the Information Security Institute of the Si Chuan University and has published several articles related to “fuzzing” vulnerabilities in 2006.”

Exploiting other mistakes made by the intruder, the investigators found that the Luckycat malware had first been road-tested on a Chinese version of Windows XP. Finally, they were able to establish that tools and tactics used in the Luckycat campaign overlapped with those used in the notorious Shadownet campaign against the Dalai Lama.

That wasn’t the end of Luckycat’s unraveling. The New York Times was able to put a name to scuhkr:

“The owner of the alias, according to online records, is Gu Kaiyuan, a former graduate student at Sichuan University, in Chengdu, China, which receives government financing for its research in computer network defense….The researchers did not link the attacks directly to government-employed hackers. But security experts and other researchers say the techniques and the victims point to a state-sponsored campaign.”

The Times actually spoke to Gu, who knew enough about the Western press to declare “I have nothing to say.” (A few days later, Gu would claim that the nicknames found by the investigators were used by two different people and deny that he was the hacker. Tencent and the university similarly denied any knowledge of the attacks.)

This report is entertaining in many ways. And not just the part where we imagine Gu’s face when the New York Times gets him on the line. The investigators deserve great credit for their imaginative and determined exploitation of the digital clues that scuhkr left behind.

That said, there’s nothing inimitable about what they did. Scuhkr’s lapses are typical of an intelligence operative in a hurry and not expecting much scrutiny. It takes stern discipline never to reuse email addresses, nicknames, domains, and command-and-control machines. Inevitably, some attackers will fail to observe perfect discipline. And those lapses will be increasingly costly because identifying data is proliferating everywhere; both the Trend Micro researchers and the New York Times used pre-existing databases to crime-scene data to real-world identities.

At last, it looks as though one aspect of computer technology is going to favor the defense. More and more data is being collected about network activities, making it harder for attackers to completely cover their tracks. At the same time, more data is being collected about perfectly innocent activities, and this information, like the university jobs forum used by the New York Times, can provide the crucial link that allows us to locate hackers in the real world.

Investigations like these are leading indicators of a trend that will make attribution easier over time. “Well, why not?” data will only increase, and attackers will find it harder to avoid leaving bits of it behind. At the same time, open source databases tied to the real world are also growing rapidly. Big data tools will make it easier to search and find connections among these vast and mostly open networks. As a result, more and more attackers are someday going to find themselves in the shoes of Gu Kaiyuan.

That day can’t come fast enough, and US policymakers should be doing all they can to bring it about. The defensive security tools used by government and private networks should put a premium on forcing network users to leave lots of information in immutable logs as they move through the network. Law enforcement agencies should be collecting and sharing everything about the tactics, tools, and data lapses of network intruders. And intelligence agencies should be building their own storehouses of identifying information so they can eventually link foreign hackers to particular intrusions.

Of course, attribution is only half the answer. It won’t deter attacks unless it leads to retribution. But that’s a post for another day …