Cybersecurity and Attribution — Good News At Last?

No, we’re not suddenly turning into the Huffington Post.  But trust me, this photo is directly relevant to the topic at hand:  How the US should respond to massive state-sponsored cyberespionage.

Right now, policymakers are intent on improving network security, perhaps by pressing the private sector to improve its security, or by waiving outmoded privacy rules that prevent rapid sharing of information about attackers’ tactics and tools.

Those things would improve our network security, but not enough to change our strategic position – which is bad and getting worse.  The hard fact is that we can’t defend our way out of the current security crisis, any more than we can end street crime by requiring pedestrians to wear better and better body armor.

That’s why I’ve been urging a renewed strategic focus on catching attackers and punishing them.  Catching and punishing rulebreakers works for street crime.  It even works for nation states.  So why hasn’t it worked in the realm of network attacks?  Mostly because our intelligence community insists that attribution is just too hard.

I think that’s wrong, and I’ll spend this post explaining why.

My theory is simple: The same human flaws that expose our networks to attack will compromise our attackers’ anonymity. Or, as I put it in speeches, “The bad news is that our security sucks.  The good news is that their security sucks too.”

luckycatIn this post, I’d like to go beyond theory to show how hackers’ human frailties and errors make attribution easier. I’ll start with a groundbreaking investigation by  Nart Villeneuve and a team from Trend Micro. The team was the first to identify by name a hacker taking part in the vast China-based campaigns to steal the secrets of military and aerospace companies as well as Tibetan activists. This particular network campaign, dubbed “Luckycat” by researchers, followed familiar lines: careful social engineering of emails to lure the target into opening a poisoned attachment or link, followed by rapid compromise of the target’s computer, lateral privilege escalation to compromise the entire network, and a  leisurely, months-long strip-mining of the network for information. Dozens of campaigns like this have been spotted in recent years, almost all of them aimed at targets of interest to the Chinese government. But because the attackers use Internet cut-outs – intermediate command-and-control computers and domains located around the world – it has been hard to follow them home.

That’s still true, but it turns out that the attackers are only human.  They make mistakes when they’re in a hurry or overconfident.  They leave bits of code behind on abandoned command-and-control computers. They reuse passwords and email addresses and computers.

The Trend Micro investigators exploited these errors, tying one of the command-and-control domains to an email address and then to a QQ address. (QQ is China’s enormously popular instant messaging system. Owned by Chinese Internet giant Tencent, it has nearly as many users as Facebook — 711 million in September 2011, when Facebook had 750 million.)

That QQ address in turn was tied to two online nicknames, “dang0102” and “scuhkr,” whose users had posted in a notorious Chinese hacker forum and had “recruited others to join a research project on network attack and defense at the Information Security Institute of the Sichuan University.”

The University and its “information security” institute has several ties to the hackers; indeed, the nickname “scuhkr” looks like a tribute to SiChuan University, whose internet domain is The investigators identified a second attacker who, they concluded, “also worked and studied at the Information Security Institute of the Si Chuan University and has published several articles related to “fuzzing” vulnerabilities in 2006.”

Exploiting other mistakes made by the intruder, the investigators found that the Luckycat malware had first been road-tested on a Chinese version of Windows XP. Finally, they were able to establish that tools and tactics used in the Luckycat campaign overlapped with those used in the notorious Shadownet campaign against the Dalai Lama.

That wasn’t the end of Luckycat’s unraveling.  The New York Times was able to put a name to scuhkr

“The owner of the alias, according to online records, is Gu Kaiyuan, a former graduate student at Sichuan University, in Chengdu, China, which receives government financing for its research in computer network defense.

Mr. Gu is now apparently an employee at Tencent, China’s leading Internet portal company, also according to online records. According to the report, he may have recruited students to work on the university’s research involving computer attacks and defense.

The researchers did not link the attacks directly to government-employed hackers. But security experts and other researchers say the techniques and the victims point to a state-sponsored campaign.”

The Times actually spoke to Gu, who knew enough about the Western press to declare  “I have nothing to say.” (A few days later, Gu would claim that the nicknames found by the investigators were used by two different people and deny that he was the hacker.  Tencent and the university similarly denied any knowledge of the attacks.)

This report is entertaining in many ways. And not just the part where we imagine Gu’s face when the New York Times gets him on the line. The investigators deserve great credit for their imaginative and determined exploitation of the digital clues that scuhkr left behind.

That said, there’s nothing inimitable about what they did.  Scuhkr’s lapses are typical of an intelligence operative in a hurry and not expecting much scrutiny.  It takes stern discipline never to reuse email addresses, nicknames, domains, and command-and-control machines. Inevitably, some attackers will fail to observe perfect discipline.  And those lapses will be increasingly costly because identifying data is proliferating everywhere; both the Trend Micro researchers and the New York Times used pre-existing databases to crime-scene data to real-world identities.

At last, it looks as though one aspect of computer technology is going to favor the defense. More and more data is being collected about network activities, making it harder for attackers to completely cover their tracks. At the same time, more data is being collected about perfectly innocent activities, and this information, like the university jobs forum used by the New York Times, can provide the crucial link that allows us to locate hackers in the real world.

That’s where the picture at the top of the story comes in. It’s a visual taunt posted by an Anonymous hacker after he had stolen and disclosed personal data from several US law enforcement agencies.  (Roughly translated, the sign says, “Pwned by Wormer and CabinCrew, Love You Bitches!”) The photo was taken in a suburb of Sydney Melbourne with an iPhone. We know that because Apple routinely buries GPS coordinates in each photo it takes, because … well, why not, when bits are free?

So when the FBI was assigned to track down the attacker, it used the coordinates to find the subject of the photo.  Open source map data, plus postings on Twitter and Facebook, led the FBI to an Australian woman. Her boyfriend turned out to be Higinio Ochoa, a Texas programmer whom the FBI promptly arrested.  The courts agreed that it was, er, a righteous bust; Ochoa has been sentenced to 27 months in federal prison for his hacking.

These investigations — Luckycat and Ochoa — are leading indicators of a trend that will make attribution easier over time.  Accretion of “well, why not?” data will only increase, and attackers will find it harder to avoid leaving bits of it behind.  At the same time, open source databases tied to the real world are also growing rapidly.  Big data tools will make it easier to search and find connections among these vast and mostly open networks. As a result, more and more attackers are someday going to find themselves in the shoes of Higinio Ochoa and Gu Kaiyuan.

That day can’t come fast enough, and US policymakers should be doing all they can to bring it about.  The defensive security tools used by government and private networks should put a premium on forcing network users to leave lots of information in immutable logs as they move through the network. Law enforcement agencies should put be collecting and sharing everything about the tactics, tools, and data lapses of network intruders. And intelligence agencies should be building their own storehouses of identifying information so they can eventually link foreign hackers to particular intrusions.

Of course, attribution is only half the answer.  It won’t deter attacks unless it leads to retribution. But that’s a post for another day …

PHOTO CREDITS: iStockPhoto; Gizmodo; Wikipedia

UPDATE: Corrected photo subject’s home town.  Thanks, Zack.

Powered by WordPress. Designed by Woo Themes