Attribution Games: Don't Rush to BlameExperts Decry Attempts to Rapidly Attribute Winter Olympics Hacking
Periodic reminder: Attributing cyberattacks is incredibly difficult, often involves underlying motivations and does little, if anything, to help targeted organizations defend themselves against all potential adversaries, be they intelligence agencies, cybercrime gangs or bored teenagers.
Nevertheless, some cybersecurity pundits have been quick to suggest that the Friday online attack against the opening ceremonies of the Olympic Winter Games in South Korea were most likely carried out by Russia because some of its athletes have been banned from the games on account of doping violations. The attack disrupted the Pyeongchang 2018 website as well as WiFi in the stadium where the opening ceremony was held (see Hackers Win Olympic Gold Medal for Disruption).
"In the first days and likely first weeks after a cyberattack occurs and it becomes public - it is absolutely irresponsible to jump to attribution."
South Korean officials have historically been all too ready to blame every online attack against them on North Korean hackers. But the Winter Olympics organizers have pointedly not blamed anyone.
"We can confirm that the technology issues experienced on Friday night were caused by a cyberattack," the Pyeongchang 2018 Organizing Committee says in a statement to Information Security Media Group.
"The situation was quickly dealt with and as result, all systems have remained stable and no competitions were ever affected. They continue to run smoothly," it adds. "We are still investigating, and the team is continuing to work to ensure the systems remain robust. You will understand that maintaining secure operations is our focus, and in line with best practices for cybersecurity, we will not comment further on this incident."
On Monday, information security researchers at Cisco Talos published an analysis of wiper malware designed to render PCs unbootable, which they suspect was used in the Friday attack.
"Disruption is the clear objective in this type of attack and it leaves us confident in thinking that the actors behind this were after embarrassment of the Olympic committee during the opening ceremony," Talos security researchers Warren Mercer and Paul Rascagnères report. "The samples analyzed appear to perform only destructive functionality. There does not appear to be any exfiltration of data."
At no point, however, did the researchers suggest who might have written or deployed the malware.
Others, however, quickly rushed to fill the gap. Cybersecurity firm Crowdstrike issued a report saying that it had tied credential-gathering attacks last November and December "against an entity operating in the international sporting sector" to the hacking group known as Fancy Bear. But it presented no evidence that the online attack against the Winter Olympics was launched by that group.
Fancy Bear is the company's name for a group of APT attackers - also known as APT28, Group 74, Pawn Storm, Sofacy, Strontium and Tsar Team - with apparent ties to Russia's GRU military intelligence unit (see Hackers Dump US Olympic Athletes' Drug-Testing Results).
Crowdstrike wasn't alone in guessing that the Russians did it. "We have anticipated an attack of some nature on the events for quite a while, particularly by a Russian actor," John Hultquist, direct of analysis at FireEye's intelligence analysis team, tells the Hill news website. "Actors like APT28 have unceasingly harassed organizations associated with the games and the Russians have been increasingly willing to leverage destructive and disruptive attacks."
Rush to Attribute Is 'Irresponsible'
But some information security experts caution that attempting to attribute the attacks in a hurry is irresponsible (see Ransomware Report: Is China Attribution Merely Hype?).
"In the first days and likely first weeks after a cyberattack occurs and it becomes public - it is absolutely irresponsible to jump to attribution," tweets Robert M. Lee, CEO of the industrial cybersecurity company Dragos.
Attribution is entirely complex intelligence analysis of an ambiguous situation. It is NOT malware analysis. Code and tradecraft similarities are sometimes of the least important elements.— Robert M. Lee (@RobertMLee) February 12, 2018
Motive Is for Suckers
It's always easy to guess why someone might have wanted to hack someone else.
But motive doesn't count for much - if anything - unless you're Agatha Christie or an intelligence agency, says the operational security expert known as the Grugq in reference to "the speculation about the Olympic hack" and supposedly the "only big player with motive" being Russia.
"In police work, detectives don't really care about motive. Just how the evidence links the perp to the crime," he tweets. "That said, it was China."
Here's "Homocide" on the crucial elements of an investigation in the real world. pic.twitter.com/D8p9lPYfFj— the grugq (@thegrugq) February 13, 2018
Early attribution reports are notoriously spotty. In the United States, hacks of government agencies are inevitably believed to be the work of the Chinese. If a bank gets hacked, it was the Russians (see US Power Grid: The Russians are Hacking! (Or Not)).
After uncovering network intrusions in 2014, for example, Bloomberg reported that JPMorgan Chase was eyeing Russian hackers, in what would obviously have been Moscow-ordered reprisals for U.S. government sanctions over Ukraine.
In fact, the culprits were two Israeli men living in Florida, plus an American accomplice who spent much of his time in Moscow and Tel Aviv, as part of an alleged pump-and-dump stock scheme, the Justice Department later alleged.
Russians Denied They Would Be Coming
The propensity to blame Russia for sports-related hacking is such a well-worn script that on Feb. 7, two days before the Winter Olympics opening ceremony, Russia's foreign ministry released a statement condemning anyone who might suggest that Russian-aligned hackers might later attempt to disrupt the event.
"We know that Western media are planning pseudo-investigations on the theme of 'Russian fingerprints' in hacking attacks on information resources related to the hosting of the Winter Olympic Games in the Republic of Korea," Russia's foreign ministry said in a lengthy statement. "Of course, no evidence will be presented to the world."
Security Defenders: Stay Frosty
The world may never really know whodunnit. Information security veteran Jeffrey Carr has long cautioned that behind every attribution, there's some type of motivation: a vendor trying to sell a service, lawmakers pushing a political agenda or a breached organization trying to deflect blame for its information security shortcomings.
For any organization that has suffered a breach, unless you're an intelligence agency, never waste time worrying "who did it," says breach prevention and response expert Alan Brill of corporate investigations and risk consulting firm Kroll. Instead, he says, identify the mechanics of the intrusion, contain the damage and guard against repeat incidents.
And when you're not doing that, take some time off and enjoy watching the Winter Olympics.