As with almost every global incident, attribution is difficult. Justified by inference and sometimes coloured by geopolitics, attribution is something security experts rarely agree on, whatever the incident.
And yet the clamour for attribution continues to grow louder with every incident. Much to the discomfort of the malware analysts, whodunnit, as much as what happened, is becoming the story.
This shift is important. In the old days, attribution was simple – there wasn’t any. Malware was the work of bad people and what mattered was countering it.
The moment this changed can probably be traced to Google’s early 2010 disclosure of what came to be known as the Aurora cyberattack. As omertà caved, a mostly new generation of security vendors seized their marketing chance and named victims, overwhelmingly big US corporates.
People were astonished. What kind of attackers could get past the well-resourced defenders with such ease?
In Aurora’s case, the finger was pointed at Chinese Army unit PLA 61398, aka Comment Crew or Comment Panda. Cybercrime was suddenly being traced to buildings with a street address. It was being done by real people, not by mysterious young men in hoodies.
As new groups were uncovered, a problem emerged. Because vendors discovered them independently, each group might have more than one name. The answer was a system of numbers.
PLA 61398 became APT1 (Advanced Persistent Threat 1) because it appeared to be the oldest. Today, using Mitre’s US government-backed Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) model, more than two dozen groups have APT numbers linking their pseudonyms to a single actor and timeline.
Fancy Bear, the group accused of being behind the 2016 email hack of the US Democratic National Congress, is APT28, while Cozy Bear is APT29. Similarly, Gothic Panda is APT3, and Dynamite Panda is APT18.
Notice, however, that while APT numbers express a group’s significance, names such as Panda and Bear indicate not only country of origin (China and Russia, respectively) but the perceived likelihood of government backing.
APT groups that can’t conclusively be tied to a country are now often simply described with the prefix Threat Group (TG) followed by a number while criminal entities just get names. Recently, new nicknames have appeared such as Stealth Falcon (UAE) and Kitten (Iran), and so the coded nomenclature expands.
Not all vendors indulge this trend – some make a point of not doing so – but the mere fact that it exists at all is telling. It’s attribution with a nudge and a wink.
It could be that the gradual shift to finger-pointing reflects the reality of a world in which some nations are mucking about more with cyber-shenanigans than others. Or perhaps everyone’s at it in different ways but some are just better at hiding their origins.
Undoubtedly, long-cherished reservations about apportioning blame carefully are eroding fast. That could have negative consequences down the road, because it will be open to manipulation designed to shift blame, assuming that’s not already happening. Attribution could end up like a 21st century Jeux Sans Frontières with no laughs – or winners.