Strife

The Academic Blog of the Department of War Studies, King's College London

hacking

Strife Series on Cyberwarfare and State Perspectives, Part II – Deception in Cyberspace: Nation States and False Flag operations

July 19, 2018 by Amy Ertan

Examining the use and effects of false flags in nation state cyberattacks, and how geopolitical analysis may add value to attribution efforts.

By Amy Ertan

Credit Image: sangoiri (123RF)


‘The Problem of Attribution’

The problems with cyber attribution form a labyrinth that continues to trouble all those involved in cyber defence and wider security. Determining what has taken place, to whom and by whom is a process that lacks repeatability and often any clear solution. Nonetheless, the value of attribution makes it an indispensable exercise on which to concentrate resources. Without the ability to tie a cyber-attack to an individual, group or nation state, there can be no political or legal enforcement of regulation or counter-action. This represents a huge limitation on international relations, where cyber activity continues to grow, influencing diplomacy and conflict. What some may consider a technical investigation has, therefore, shown itself to be a major geopolitical problem. As Thomas Rid summarises, ‘attribution is what states make of it’.

Introducing False Flags

Attacks involving nation state actors present unique challenges that further complicate attribution attempts. Amongst other factors, the use of ‘false flags’, where an attacker pretends to be someone other than themselves, is a tactic to ‘frame’ other threat actors. A false flag operation could be as simple as malicious ‘marketing’: inserting imagery that appears to show another threat actor claiming responsibility. It could also be as simple as inserting other languages into payload headers or malware. From 2012, Iranian hackers used Arabic rather than Farsi when attacking US banks, while the suspected North Korean state-sponsored Lazarus Group is known for attempting language imitation. As well as enabling attackers to avoid detection, false flags may be used as a form of manipulation, directing the victim’s attention towards third-party actors who may then be targeted in turn. Should investigators fail to realise that false flags are not genuine hints, they may incorrectly attribute an attack, which may extend to misdirected retribution.

Nation State Case Study: Russia

False flag operations are not a new aspect of Russian military strategy. The justification for deception can be explored through Russian military doctrines such as ‘provokatsiya’ (‘provocation’), whereby agents act surreptitiously to cause secret political effects, helping Moscow whilst damaging Moscow’s enemies. A further doctrine, ‘maskirovka’, specifically concerns deceiving victims while also hiding the true intent of operations, complementing the ‘konspiritsiya’ (‘conspiracy’) doctrine and Russian espionage tradecraft. Given that these themes were displayed most obviously through and beyond the Cold War period, it is perhaps unsurprising that intelligence tactics have led to cyber false flags acting as ‘the Kremlin’s hidden cyber hand’. These tactics assist in furthering Russian geopolitical goals, typically through attacks against Western governments. Interference in elections is a clear example, with French and US elections compromised by suspected Russian actors. Similarly, the NotPetya attacks, which the US, UK, Canada, Australia and New Zealand publicly attributed to Russia, may be understood as part of a wider Russian state disregard for Ukrainian sovereignty.

In 2015, ‘Cyber Caliphate’ jihadist propaganda flooded TV5Monde’s social media during a destructive cyberattack, an act ultimately traced back to the Russia-based ‘Fancy Bear’, a group with links to Russian military intelligence. The flag was relatively simple: creating a fake online persona, a tactic mirrored by separate Russian threat actors with the ‘Guccifer 2.0’ persona in the 2016 DNC hack. These examples highlight a few of the Russian threat actors using false flags, alongside DC Leaks and the Shadow Brokers.

During the 2018 Winter Olympics, Olympics IT systems were temporarily disabled, with WiFi, monitors and the Olympics website unavailable. Analysts concluded that Russian actors used North Korean IP addresses and attempted to forge malware used by the Lazarus Group, a flag uncovered because of an error in the forged header. Analysts looked beyond the technical information to argue that the attack was designed to gain attention, where the perpetrators ‘wanted to be discovered… as Lazarus Group’, concluding that this attack was likely ‘setting the stage’ for further campaigns. Russia’s actions were assumed to be linked with its enforced non-participation in the event, alongside wider geopolitical tensions.

A Strategic Approach

Attribution capabilities are currently highly asymmetric, with only a handful of states thought to be capable of attributing cyberattacks with high confidence. Given the typical characteristics of false flag indicators, technical analysis is necessary but not sufficient when attempting attribution, for three reasons. Firstly, relying on attackers making errors in order to determine whether evidence is a false flag is unreliable. Errors such as poor language translation are unlikely to be repeated frequently in the long term, given the capabilities of nation states dedicated to achieving cyber goals. Secondly, nation states and state-sponsored groups represent the most able threat actors. As offensive actors, states will often have multiple cyber units, alongside distributed command-and-control servers and the resources to continually update sophisticated evasion techniques. This is expected to make them considerably harder to detect and attribute than their less skilled, purely criminal counterparts. Finally, the technical indicators of compromise for a cyber incident are often identical whether or not the event was a malicious cyberattack. Technical analysis, even if conducted by the most sophisticated and capable of actors, may not reveal information that proves to be actionable intelligence.

To understand false flag operations driven by nation-state actors, one must understand the context in which the attack took place. Professor Thomas Wingfield argues that ‘strategic attribution – fusing all sources of intelligence on a potential threat – allows a much higher level of confidence and more options … strategic attribution begins and ends with geopolitical analysis.’ Geopolitical threat profiling and strategic intelligence functions therefore become entwined with the technical attribution operation.
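The scoring model below is an added worked example, not code from the article or its author. It makes the section's argument concrete: counting indicators treats four trivially planted clues (foreign-language strings, geolocated IP addresses, a copied file header, a convenient compile time) as four independent votes, whereas weighting each indicator by how hard it is to forge lets one costly piece of evidence outweigh them, and lets contextual (geopolitical) evidence enter the same calculation. It also flags the warning sign seen in the Olympics case: an actor implicated only by cheap, mutually agreeing indicators. The actor labels, the sample indicators and the forgeability values are constructed assumptions for illustration and are not findings about any real incident; the `log(1/forgeability)` weighting is a simple heuristic, not a calibrated Bayesian model.

```python
"""Illustrative attribution scoring: weighting indicators by how hard they are to forge.

Added example, not from the Strife article. All indicators, actor labels and
forgeability values below are constructed for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass
from math import exp, log


@dataclass(frozen=True)
class Indicator:
    description: str
    implicates: str       # the actor a naive reading of the indicator points to
    forgeability: float   # assumed chance an impostor could plant it: 1.0 = trivial, near 0 = near impossible
    source: str = "technical"  # "technical" or "contextual" (geopolitical analysis)


def evidence_weight(ind: Indicator) -> float:
    """Weight of one indicator in natural-log units: log(1/forgeability).

    A trivially forgeable indicator (forgeability 1.0) carries no weight at all;
    the harder an indicator is to fake, the more it counts. Heuristic, not calibrated.
    """
    f = min(max(ind.forgeability, 1e-3), 1.0)  # clamp: avoids log(0) and negative weights
    return log(1.0 / f)


def naive_count(indicators):
    """The 'count the clues' approach: every indicator is one vote, however cheap."""
    votes = defaultdict(int)
    for ind in indicators:
        votes[ind.implicates] += 1
    return dict(votes)


def weighted_scores(indicators):
    """Sum of evidence weights per candidate actor."""
    scores = defaultdict(float)
    for ind in indicators:
        scores[ind.implicates] += evidence_weight(ind)
    return dict(scores)


def posterior(scores):
    """Normalise summed log-weights into a share per actor (softmax over the candidates)."""
    z = sum(exp(s) for s in scores.values())
    return {actor: exp(s) / z for actor, s in scores.items()}


def cheap_consensus(indicators, threshold=0.75):
    """Actors implicated only by easily forged indicators (forgeability >= threshold).

    A stack of cheap indicators that all agree, with no costly corroboration, looks
    more like a planted narrative than an accident and deserves a second look.
    """
    by_actor = defaultdict(list)
    for ind in indicators:
        by_actor[ind.implicates].append(ind.forgeability)
    return sorted(a for a, fs in by_actor.items() if all(f >= threshold for f in fs))


def most_likely(scores):
    """Actor with the highest score or vote count."""
    return max(scores, key=scores.get)


# Constructed sample evidence, loosely shaped like the Olympics incident in the article.
SAMPLE = [
    Indicator("Korean-language strings in the malware's resource section", "Lazarus Group", 0.9),
    Indicator("Attacker source IPs geolocate to North Korea", "Lazarus Group", 0.9),
    Indicator("File header byte-for-byte identical to a known Lazarus sample", "Lazarus Group", 0.8),
    Indicator("Compile timestamps fall within Pyongyang working hours", "Lazarus Group", 0.95),
    Indicator("Command-and-control server reused from a campaign already attributed to a Russian state actor",
              "Russian state actor", 0.2),
    Indicator("Targeting fits a motive: the state excluded from the event",
              "Russian state actor", 0.5, source="contextual"),
]


if __name__ == "__main__":
    votes = naive_count(SAMPLE)
    scores = weighted_scores(SAMPLE)
    print("naive votes:  ", votes, "->", most_likely(votes))
    print("weighted:     ", {a: round(s, 2) for a, s in scores.items()}, "->", most_likely(scores))
    print("posterior:    ", {a: round(p, 2) for a, p in posterior(scores).items()})
    print("cheap consensus (false-flag warning):", cheap_consensus(SAMPLE))
```

On the constructed sample the naive count names the framed actor (four votes to two), while the weighted score favours the actor behind the single hard-to-forge infrastructure overlap, and `cheap_consensus` singles out the framed actor as the one supported by nothing but forgeable indicators. The point is not the specific numbers, which are assumptions, but that an analyst has to decide how much each indicator costs an adversary to fake before adding it to the pile.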


Concluding Thoughts

As Symantec security analyst Vikram Thakur neatly summarises, ‘We think the future is going to get even more complicated with actors relying more and more on false flags… throwing another group [under] the bus from an attribution standpoint.’ False flags are a tool for nation states. Not only can they deceive, misdirecting attention from an attack, but they can change agendas, create imaginary threats, or be used to communicate between states who can detect subtle flags (versus those who cannot). It is a task that matters - NATO CCDCOE stressed that without sufficient attribution, there cannot be official consequences. Getting to grips with the challenges and counter-approaches to an attack is a task that will weigh heavily in the context of rising geopolitical tensions observable today across the globe.


Amy Ertan is a PhD researcher within the Centre for Cyber Security at Royal Holloway, University of London. Amy previously studied Philosophy, Politics and Economics at the University of Oxford, where she first developed an interest in international security. Amy was part of the winning team in Atlantic Council’s international relations / cyber security 9/12 competition, and was also awarded Cyber Security Student of the Year at the 2018 SC Media Awards. Her main research interests continue to focus on international relations and cyber-warfare, as well as emerging cyber security threats relating to artificial intelligence.


Image Source: https://www.123rf.com/photo_67396671_russia-spying-on-america-russian-hackers-threaten-us-computer-networks.html

Filed Under: Blog Article Tagged With: Cyber Security, hacking, Russia, Strife series, USA

Cyber risks to governance, Part II – The Attribution Game: the challenges and opportunities of cyber attribution in policymaking

August 28, 2015 by Strife Staff

By Yuji Develle and Jackson Webster:


In an era of Snowden, Wikileaks, the Dark Web and data breaches, there have never been so many cyber risks associated with governance. This article is the second of a three-part Strife series examining three diverse aspects of cyber risks to governance. Last week Andreas Haggman began by looking at the online marketplace Silk Road and its transformation of online markets. This week, Yuji Develle and Jackson Webster examine cyber attribution in policymaking, and finally Strife Editor Christy Quinn will examine the implications of hyper-connectivity.

‘Human lives and the security of the state may depend on ascribing agency to an agent. In the context of computer network intrusions, attribution is commonly seen as one of the most intractable technical problems… as dependent mainly on available forensic evidence.’ ‘Attributing Cyber Attacks’, Prof. Thomas Rid & Ben Buchanan

The question of “Who-done-it?” dominates all efforts from the crime scene to the court of law; a case can only be considered solved when the culprit of the crime has been identified and convicted. In the era of DNA identification and video monitoring, this strict guilty-versus-innocent divide poses little issue in the physical realm where an excellent standard of criminal investigations can be observed in most developed countries.

This vision is nevertheless out of touch with the reality of the attribution process in cyberspace. While forensic evidence can be acquired – ‘Indicators of Compromise’ (IP addresses, domain names, etc.) and unique attack signatures (patterns of behaviour, malware utilised, etc.) – it is extremely difficult for experts to identify any one set of culprits without significant risk. High-potential cyber attacks are typically designed to cloak the identities of their designers and are often founded on preventing the target from realising the true extent of the damage incurred until it is too late, often resulting in the infection of IT networks without visible effect for months after the network intrusions were made. This lag allows infections to blend into the crowd of Internet traffic before the attack by displaying routinely innocent patterns of behaviour. For example, cyber security firm FireEye’s investigation of Operation Poisoned Hurricane in 2014 detailed how malware tried to infiltrate the networks of several Asia-based internet service providers and other private businesses by disguising itself as routine internet traffic with genuine digital certificates. As the extent of damage from cyber-attacks is unknown, hidden or unforeseen, ‘digital crime scenes’ cannot be investigated in the same vacuum that forensic experts enjoy in the tangible sphere.

The issues of attribution are both what makes cyber such an enticing realm for would-be attackers and such a problematic issue for statesmen. Extending the issues previously detailed into the context of International Relations, it’s easy to see how incorrect attribution can cause a cascade of undue escalation and insult by the accusing party. Tracing a given attack to a server or network of servers within a state does not clearly implicate that state’s government itself as a perpetrator nor does it assume that state is passively complicit or even aware of the attacks being launched. Individuals and small groups are perfectly capable of launching major cyber attacks, as the computer is the ultimate force multiplier, and IP addresses can be easily ‘spoofed’, or bounced endlessly around the globe through proxies to confuse solid attribution.

Many policymakers may be willing to make logical jumps in the attribution process due to its inherent lack of clarity. The lack of certainty surrounding cyber attack attribution allows statesmen to blame geopolitical adversaries for the attacks. No one is standing in the room pointing a smoking gun at the targeted computer. Furthermore, ‘militant’ cyber actors are not necessarily associated with a state, and governments can easily distance themselves from inconveniently uncovered hacking groups they covertly support. For example, were an attack akin to the Shamoon Attacks perpetrated by the Shia-affiliated ‘Cutting Sword of Justice’ on the Saudi state oil firm Aramco in 2012 to happen again, Iran would inevitably be blamed for tacit complicity if not direct involvement, regardless of its actual agency in the attacks themselves. Attribution in this circumstance is not concerned with technical evidence of guilt, but rather with the Saudi government’s foreign policy narrative that Iran is behind all seditious actions in the region, from chemical weapons in Syria to Shi’ite militia atrocities in Iraq, to the Houthi movement in the Yemen.

On the other hand, intentional misattribution, in the form of scapegoating non-state actors, presents a convenient tool for statesmen in some circumstances. Offence is at a massive advantage in cyber. When securing a network from attack, one must ensure the constant safety of every single system on the defended network. When an attacker attempts to access a target network, only one server or device must be compromised to gain access. The logical threshold for the use of force in cyberspace is thus low. This incentive towards offensive action is amplified by the fact that statesmen can easily pass off responsibility and liability onto non-state actors, such as so-called ‘hacktivists’, from which they can disassociate state intelligence agencies and militaries. ‘Hacktivists’ represent both an easy scapegoat for aggressor states and a convenient culprit for victim states because, as a WIRED article pointed out last year, ‘[hacktivists’] geopolitical interests and motives often jibe with a state’s interests.’ Cyber is not simply a revolutionary gimmick to be dealt with by niche experts and private corporations. Just as the airplane quickly went from being invented to being a crucial part of national defence, commerce, and transportation, states are already realising that the political utility the Internet provides is now central to the execution of policy. Cyber is both damaging and useful to states’ national interests, but it cannot be ignored, as its uses and effects are clearly set to increase, not decrease.

The unconvincing inaccuracy of cyber attribution has also led to a growing mistrust of the public sector. Some corporate actors have even sought help from private contractors which hire ex-hackers to conduct retaliatory attacks on behalf of those companies. The lack of confidence in the state’s ability to perform its most basic security duties is a threat to the very raison d’être of law enforcement. This phenomenon reduces the state’s ability to control its response in the face of potentially politically damaging cyber attacks. Furthermore, as Thomas Rid observes, states are better placed when it comes to conducting investigations, as they, unlike private companies, often have the mandate to collect from a wider scope of information, covertly or otherwise. The outsourcing of cyber-security dulls down the credibility and efficiency of a state’s response to cyber-attacks.

Ultimately, attribution is what the actor makes of it. Avoiding ‘attribution fixation’, the obsession with ascribing agency to an actor, will be essential to how successfully governments and companies can use cyberspace as a means to their ends. It can be a tool for geo-political advancement, a technical obstacle to overcome, or a damaging libel risk for states with active domestic hacking communities. Cyberspace cannot be viewed as a problem, nor as a solution. It is an operational space like any other, though currently popularly misunderstood and lacking the regulations and norms of kinetic battle spaces.

Yuji Develle is a French and Japanese student reading a B.A. (Hons) in War Studies with a strong interest in Cybersecurity and a Russia & CIS regional specialisation.

Jackson Webster, a native of Manhattan Beach, California, is currently studying at the King’s College London Department of War Studies reading a degree in International Relations with a specialisation in the politics of the Middle East and a strong interest in multilateral security practices.

Filed Under: Blog Article Tagged With: cyber, Cyber Security, Cybersecurity, hacking

Licensed under Creative Commons (Attribution, Non-Commercial, No Derivatives) | Proudly powered by Wordpress & the Genesis Framework