Khaleej Times

Is North Korea a cover for rising cyber attacks?

Beijing could be involved but no one wants to ruffle the dragon for fear of reprisals


The US government has officially attributed to North Korea the WannaCry ransomware attack, which encrypted hundreds of thousands of computer drives around the world in May 2017. And yet as with a series of other highly public cyberattack attributions, little evidence for the claim was made public. It’s time for the cybersecurity world to follow the advice of the RAND Corporation and set up an unbiased international consortium that would seek to attribute attacks based on a common set of rules.

“We do not make this allegation lightly,” President Donald Trump’s assistant for homeland security and counterterrorism, Thomas Bossert, wrote in a Wall Street Journal op-ed on Tuesday. “It is based on evidence. We are not alone with our findings, either. Other governments and private companies agree. The United Kingdom attributes the attack to North Korea, and Microsoft traced the attack to cyber affiliates of the North Korean government.”

That may be true, but he doesn’t cite the evidence. Neither did UK Security Minister Ben Wallace and Microsoft President Brad Smith. As usual in such cases some cybersecurity researchers have argued against the attribution. For example, business intelligence firm Flashpoint has suggested, based on the linguistic analysis of language versions of the ransom note that appeared on infected computers’ screens, that the original was written in Chinese, not Korean, suggesting Chinese involvement.

Usually, technical attribution judgments are based on a combination of two factors: similarities with other attacks (the use of similar software or the same attack servers, timestamps on the malware that suggest regular working hours in a certain time zone) and a basic understanding of commercial or geopolitical motive. For example, the 2014 Sony hack was linked to North Korea because some of the code and attack infrastructure was similar to those used in an earlier hack of South Korean banks, and because North Korea had a clear motive — to punish Sony for its intention to release a comedy mocking Kim Jong-un. Similarly, last year’s Democratic National Committee hack has been linked to a Russian “advanced persistent threat,” or hacking organisation, based on the malware, the use of a server that was also involved in an earlier attack on the German parliament, and the alleged group’s target list that maps well onto Russia’s geopolitical interests.
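The “working hours in a certain time zone” indicator mentioned above is simple to reproduce. The example below is added here and is not from the article or any of the firms it names: it takes a set of UTC build timestamps (constructed sample data, chosen to cluster around Korean office hours) and scores every whole-hour UTC offset by how many of the timestamps fall on a Monday-to-Friday 09:00-18:00 local day. It also shows why this indicator alone is weak: adjacent offsets fit almost as well, and a timestamp is trivially forged, which is exactly the manipulation the RAND quote later in the piece warns about.

```python
"""Score candidate UTC offsets by how well malware build timestamps fit local office hours."""
from datetime import datetime, timedelta, timezone

# Constructed sample data (not real malware metadata): build times in UTC,
# deliberately clustered so they fall in 09:00-18:00 local time at UTC+9.
SAMPLE_TIMESTAMPS_UTC = [
    "2017-03-06T00:30:00", "2017-03-06T02:10:00", "2017-03-06T05:45:00",
    "2017-03-07T08:20:00", "2017-03-07T01:05:00", "2017-03-08T06:50:00",
    "2017-03-09T00:10:00", "2017-03-09T04:30:00", "2017-03-10T08:40:00",
    "2017-03-10T03:00:00", "2017-03-13T07:55:00", "2017-03-14T00:20:00",
]

WORK_START, WORK_END = 9, 18  # local office hours: 09:00 inclusive to 18:00 exclusive


def working_hours_fraction(timestamps_utc, utc_offset_hours):
    """Fraction of timestamps that land on a weekday inside office hours under this offset."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    hits = 0
    for ts in timestamps_utc:
        local = datetime.fromisoformat(ts).replace(tzinfo=timezone.utc).astimezone(tz)
        if local.weekday() < 5 and WORK_START <= local.hour < WORK_END:
            hits += 1
    return hits / len(timestamps_utc)


def rank_offsets(timestamps_utc, offsets=range(-12, 15)):
    """Return (offset, fraction) pairs, best fit first; ties broken by lower offset."""
    scored = [(off, working_hours_fraction(timestamps_utc, off)) for off in offsets]
    return sorted(scored, key=lambda pair: (-pair[1], pair[0]))


def best_fit_with_margin(timestamps_utc):
    """Best offset plus how far ahead it is of the runner-up; a small margin means the
    indicator cannot separate neighbouring zones (e.g. UTC+8 China vs UTC+9 Korea)."""
    ranked = rank_offsets(timestamps_utc)
    (best, best_score), (_, second_score) = ranked[0], ranked[1]
    return best, best_score - second_score


if __name__ == "__main__":
    for offset, score in rank_offsets(SAMPLE_TIMESTAMPS_UTC)[:5]:
        print(f"UTC{offset:+d}: {score:.2f} of builds during office hours")
    print("best fit and margin:", best_fit_with_margin(SAMPLE_TIMESTAMPS_UTC))
```

On the constructed data UTC+9 scores 1.00 but UTC+10 still scores 0.83 and UTC+8 0.75, so a dozen timestamps only narrow the field to a region, never to a country.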

In an excellent summary of recent attribution cases and methods, Klaus-Peter Saalbach of Osnabrueck University in Germany argued that impersonating an “advanced persistent threat” for a false-flag operation is a tough proposition. “It is difficult to mimic the attack of an APT even when the malware of the respective hacker group is available on the black market,” Saalbach wrote. “The attacker needs to be aware that the cyber security companies do not present their full knowledge to the public, that the intelligence of [a] state may also know more about the usage and of course the original hacker group knows their malware better than others.”

Still, such an impersonation is all but impossible to rule out. As the RAND Corporation wrote in a report this year: “Sophisticated adversaries that want to avoid attribution will carefully dedicate resources to deploy false indicators and cast suspicion on other parties. For example, the Russian-speaking actor associated with the Cloud Atlas APT used a document written on a native Spanish-speaker’s computer and incorporated Arabic strings, Hindi characters, and rotated IP addresses, probably to complicate attribution. It is conceivable that each of the indicators utilised in attribution could be manipulated in a way to delay or completely avert attribution.”

The temptation for bad actors to go to the trouble is huge, what with the great powers engaged in a cool war, and the tools they use periodically leaking out. WannaCry used a National Security Agency-discovered vulnerability in the Windows operating system. It’s especially difficult to make a meaningful attribution when technical and geopolitical elements don’t quite align. For example, Russia was the country hardest hit by WannaCry, with Ukraine, India and Taiwan also suffering much damage. The last thing North Korea wants to do is hurt Russia, however: It’s the most dovish of the great powers on the North Korean regime. Nor does it have a fight to pick with India or Ukraine.

It’s easy for the US to accuse its adversaries of cyberattacks. Nobody believes the denials and the accusations often serve domestic political purposes. In the case of North Korea, they underscore the Trump administration’s political priorities; in Russia’s case, those of its rivals. Blaming China, with which the US has more of a constructive relationship, is more problematic. Though some in the cybersecurity community have faulted China for the Office of Personnel Management hack, in which the personal data of millions of US government employees were stolen, neither the White House nor the intelligence community has come out with accusations. A group of alleged Chinese hackers was recently indicted for breaching three companies, but no Chinese government involvement was mentioned in the indictment and personal gain was named as the motive.

So all the public has by way of evidence is the educated guesses of cybersecurity firms. There’s a problem with them, though.

Earlier this year, CrowdStrike, the firm responsible for the initial attribution of the DNC hack, was forced to rewrite a report that claimed a Russian hack of a Ukrainian artillery application caused heavy military losses.

It’s not inconceivable that attack attribution can, in extreme cases, mean the difference between war and peace. Even in less extreme ones, it can sully relationships between countries. It’s a serious matter — but it is now the domain of government spokespeople expecting to be taken on trust and cybersecurity companies with their conflicts of interest and failures of execution. In its report, RAND recommends the creation of an independent international body, perhaps financed by top tech companies, that would work out a set of attribution rules and apply them to analysis of high-profile breaches, followed by a peer review process.

Such attribution judgments wouldn’t be 100 per cent reliable, and spies would still hold their non-technical evidence close to the chest, but at least there would be more certainty for the general public that political biases and commercial considerations are accounted for. It’s something to wish for in 2018: High profile breaches will continue, and accurate attribution will be ever more important.
