Whodunit? In cybercrime, attribution is not easy

The U.S. government’s announcement that North Korea was behind the hack of Sony Pictures Entertainment reignited the debate on how accurate cyber attribution can be


But he agrees that the Sony attribution, coming only days after the intrusion was discovered, was “highly suspicious.”

And critics like McGraw don’t buy the argument that government has much better access to cyber intelligence than the private sector. “That’s just BS,” he said, noting past U.S. intelligence failures like the claim of weapons of mass destruction in Iraq. “Everybody likes to pretend they’re more important than they really are,” he said.

Rogers, writing on his personal blog, also remained skeptical, noting that leaked information from U.S. intelligence agencies claimed evidence had been gathered from North Korean networks that had been compromised by multiple parties.

“It’s hard to say that anything coming from a machine that’s been ‘hacked to pieces’ by multiple parties can definitively be attributed to anyone,” he wrote.

And recent revelations have given more ammunition to the skeptics.


Jeffrey Carr, president and CEO, Taia Global

Carr’s firm, Taia Global, announced just a week ago in a paper titled, “The Sony Breach: From Russia, No Love,” that it had credible evidence that a team of Russian hackers had not only gained access to SPE in late 2014, but were still inside the company’s network.

Taia said it was possible that the Russian attack was separate from the North Korean one, or that North Korea was telling the truth when it denied the attack and “that other hackers did, and at least one or more of those that did were Russian.”

Taia relied on what it called, “a trusted Russian contact,” a black-hat hacker who uses the alias “Yama Tough,” who had served time in U.S. prison for cyber crimes and was deported to Russia upon his release.

Yama Tough made contact with a person he said was a member of the team that hacked SPE, and provided Taia with documents and emails different from those that had already been made public – one of them dated as late as Jan. 23.

That, the Taia report said, means SPE, “is still in a state of breach … Yama Tough’s Russian source appears to have at-will access to the company.”

Carr, asked if his firm’s report undermines his assertion that good attribution is next to impossible, said it was the human element that clinched it.

“When someone knocks on your door and hands you an envelope, assuming that you aren't blind, attribution is pretty easy,” he said, adding that while he didn’t trust Yama Tough in the beginning, “over time he has earned my trust by delivering lots of solid data to me.”

Stewart, in a brief email interview, said the Taia revelation is, “interesting but doesn't draw the North Korea attribution into question.”

Whatever the level of attribution accuracy, experts say it is well worth continuing to try to get it right. Harding said while the U.S. cannot prosecute state-sponsored hackers in China for espionage, it should affect the relationship between the two countries.

“It is almost impossible to quantify the amount of intellectual property stolen from U.S. servers,” he said. “It is on a scale that defies belief.”

Copyright © 2015 IDG Communications, Inc.
