“We see the state fingerprints on this hack” has been a relatively common phrase in news articles over the past months, but what does it really mean? 

Computer security professionals use a variety of criteria to decide whether a nation may be behind any particular malicious cyber incident. Of course, different analysts may use different criteria or weigh evidence differently, but a few themes tend to be consistent. Below are some of these criteria, illustrated with references to recent incidents.

Claim of Responsibility: Very frequently, a hacker group will proudly announce they were behind a particular incident. For example, currently the group Lulz Security is happily boasting on their webpage and Twitter about their hacked targets in the governments of the United States and United Kingdom as well as commercial sites. Nations have rarely taken credit for any attacks, though recently MI6 purportedly intruded into an online journal for extremists to replace a bomb-making recipe with one for cupcakes.

Can the Information be Easily Sold: Often, information stolen in a malicious cyber incident can easily be used by the intruder to fraudulently obtain goods, or sold onward on the black market, where bulk prices for credit card numbers can be as low as 7 cents each. Such information is said to be easily “monetized” and these incidents are a hallmark of criminal or hacking gangs. Recent incidents of this kind include the intrusion into Citi which captured “the names, account numbers, e-mail addresses and transaction histories of more than 200,000 Citi customers.”

Some intrusions don’t go after information so easily monetized, however. The recent incident at the IMF, for example, apparently targeted internal emails and documents. IMF documents must be extremely difficult to fence. Accordingly, investigators are likely to be suspicious of national intelligence services, which would be far more interested in internal IMF discussions than most hacking groups. An example of a recent intrusion that is an even stronger candidate for “nation-state fingerprints” is the intrusion into 150 computers at the French finance ministry “in an attempt to steal documents relating to the country’s presidency of the G20 Summit” in February 2011. Likewise, intrusions into Google’s Gmail service targeted “the private e-mail accounts of hundreds of senior officials, military types and journalists from America and Asian countries, chiefly South Korea.” None of this information is easily monetized, making it more likely – but not certain – a nation might have been behind the incident somewhere. 

These incidents are considered to possibly have state fingerprints, as they go beyond a mere denial of service or webpage defacement (see next item) of a government site. This is an extremely important distinction as “hacking .mil and .gov networks is still considered a rite of passage in the computer underground,” according to one old-school hacker.

Triviality or Sophistication: This is the trickiest category, as many incidents are thought to be so sophisticated that only states could plan and execute them, only to find afterwards it was high school students. The incidents least likely to have a state behind them are those by groups like Lulz Security. For example, their denial of service attacks against online gaming sites are clearly trivial, intended to be taken with a twinge of humor (though usually bawdy and juvenile).

On the other end of the spectrum is Stuxnet, which took patience and sophistication (as well as going after a non-monetizable target). In between are incidents that are hard to categorize. For example, anyone can rent a “botnet” to conduct extremely large denial of service attacks, and “spearphishing” attacks can use social media to craft extremely well-targeted emails with poison attachments, giving the adversary a toehold into target systems. Even the Holy Grail of hacking, “zero day exploits” (such as those used against RSA), which are unknown to the maker of the software itself and to defenders, are discovered and sold within the hacker community. In some instances, a zero day exploit from an individual hacker might be immediately utilized by a nation state that also has access to it, further complicating attribution efforts.

Accordingly, any claim by the media, a target nation or company, or security researchers that relies solely on the purported sophistication of the incident needs to be examined skeptically.

Together, these elements of analysis help security researchers, intelligence analysts, and others to determine the attribution of an attack and if a nation might somehow be behind the incident, either directly (at the keyboard) or indirectly (purchasing or otherwise getting a hold of the illegal take).

Researchers and officials have recently been blaming China for many incidents, such as the intrusions into Google and the French finance ministry. This is at least in part because the information was not easily monetizable, the targets were state-related, and there is moderate sophistication. Moreover, enough information on some of the intrusions, such as against Google, has become public to allow independent researchers to reach their own conclusions.

Other purported state-directed attacks, such as those that South Korea blames on North Korea, lack many of these elements: they are unsophisticated denial of service, defacement, or simple intrusions, often against commercial targets. Accordingly, these claims are met with skepticism by many researchers, especially as detailed information is rarely made available to independent researchers.

To see how this affects researchers investigating actual incidents, the best open-source work is perhaps that by the Information Warfare Monitor, “a public-private venture between two Canadian institutions: the Citizen Lab at the Munk School of Global Affairs, University of Toronto and The SecDev Group.” In their cyber whodunit reports on “GhostNet” and “Shadows in the Cloud”, they use criteria like those above to show, step by step, why these incidents have nation-state (likely Chinese) fingerprints. In another report, on “Koobface”, the researchers use these kinds of criteria but the result uncovers not a state, but a criminal gang. For those interested in a more detailed examination of this process, see the book Cyber Adversary Characterization.

Cyberspace is not that different from the physical world. If your wallet is swiped while in the park, it is likely a criminal act, perpetrated by a petty criminal. The same holds true in cyberspace, where even sophisticated and large-scale incidents are very unlikely to have a state behind them. However, states are active, and hopefully the criteria in this blog will give a start to unraveling the confusing headlines.

Jason Healey is the Director of the Cyber Statecraft Initiative at the Atlantic Council of the United States. You can follow his comments on cyber issues on Twitter, @Jason_Healey.
