Who really hacked that? Attribution of cyber attacks.

News agencies are full of headlines in which state-backed hacker groups are presented as the originators of attacks. Usually we are handed a conclusion as indisputable truth, and it rests on a minimal set of facts: someone left comments in a script in Russian, or someone used code that "everyone knows" is Chinese. Is it always that obvious?

The attribution problem is the problem of identifying the source of a cyberattack. It is complicated and challenging because nobody physically observes the attacker using digital tools; the analysis rests on the traces left behind and on indirect evidence.

Even in a perfect scenario where all the facts are known, attribution is far from an exact science. Different companies use their own methods. Here are some standard attribution criteria:

  1. Geographic zone of the IP addresses used in the attack
  2. Comments in the code or script
  3. The programmer's "handwriting" (coding style)
  4. The language style of the texts involved
  5. Analysis of darknet forums, and so on

Different experts may come to contradictory conclusions, even if they use the same data and metrics. But this is part of the nature of such research.

The bigger problem is when someone picks 2 criteria out of, for example, the 50 defined in the "Q attribution model" and shouts that they know who is behind the incident. Now you know that such a claim does not hold up.
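To make the criteria list and the "2 out of 50" point concrete, here is an added example, not code from the post or from any published attribution model. It treats each criterion as an evidence indicator with an analyst-chosen weight, scores competing actor hypotheses, and labels the result with a confidence that depends both on how much of a hypothetical 50-criterion model was examined and on how clearly the leader beats the runner-up. The weights, thresholds, actor names and evidence lines are all constructed assumptions; it also shows, as the post says, that two analysts weighting the same evidence differently can reach opposite verdicts.

```python
from dataclasses import dataclass

# Size of the hypothetical attribution model (the post's example of 50 criteria).
MODEL_SIZE = 50

# Assumed weights: how much one analyst trusts each criterion type. Illustrative
# numbers, not taken from the post or any real model.
ANALYST_ONE = {
    "ip_geolocation": 0.5,          # easy to disguise with proxies, so low trust
    "code_comment_language": 0.6,   # trivially planted, so low trust
    "coding_style": 1.0,
    "language_style": 0.8,
    "darknet_forum_chatter": 1.2,
}
# A second analyst who trusts the "obvious" signals more (also an assumption).
ANALYST_TWO = {
    "ip_geolocation": 2.0,
    "code_comment_language": 1.5,
    "coding_style": 0.5,
    "language_style": 0.5,
    "darknet_forum_chatter": 0.5,
}


@dataclass(frozen=True)
class Indicator:
    kind: str        # which criterion produced this piece of evidence
    points_to: str   # the actor hypothesis it supports
    note: str = ""   # free-text justification for the analyst


def score_hypotheses(indicators, weights):
    """Sum the weight of every indicator into the hypothesis it supports."""
    scores = {}
    for ind in indicators:
        weight = weights.get(ind.kind, 0.0)   # unknown criterion types count for nothing
        scores[ind.points_to] = scores.get(ind.points_to, 0.0) + weight
    return scores


def assess(indicators, weights, model_size=MODEL_SIZE):
    """Rank hypotheses and attach a confidence label.

    Confidence depends on coverage (share of the model's criteria actually
    examined) and margin (lead of the top hypothesis over the runner-up).
    The thresholds below are assumptions chosen for illustration.
    """
    scores = score_hypotheses(indicators, weights)
    if not scores:
        return {"verdict": None, "confidence": "none", "coverage": 0.0,
                "margin": 0.0, "scores": {}}
    ranked = sorted(scores.items(), key=lambda kv: kv[1], reverse=True)
    verdict, top = ranked[0]
    runner_up = ranked[1][1] if len(ranked) > 1 else 0.0
    margin = top - runner_up
    coverage = len({ind.kind for ind in indicators}) / model_size
    if coverage < 0.25 or margin < 0.5:
        confidence = "low"
    elif coverage < 0.5 or margin < 1.5:
        confidence = "medium"
    else:
        confidence = "high"
    return {"verdict": verdict, "confidence": confidence, "coverage": coverage,
            "margin": margin, "scores": scores}


# Constructed evidence for a fictional incident (not a real case).
CHERRY_PICKED = [
    Indicator("ip_geolocation", "Actor-A", "C2 address geolocates to country A"),
    Indicator("code_comment_language", "Actor-A", "script comments in country A's language"),
]
FULL_SET = CHERRY_PICKED + [
    Indicator("coding_style", "Actor-B", "build chain and naming match Actor-B's older tools"),
    Indicator("language_style", "Actor-B", "phishing text grammar matches Actor-B's campaigns"),
    Indicator("darknet_forum_chatter", "Actor-B", "tooling advertised on a forum tied to Actor-B"),
]

if __name__ == "__main__":
    cases = [
        ("2 of 50 criteria, analyst one", CHERRY_PICKED, ANALYST_ONE, MODEL_SIZE),
        ("5 of 50 criteria, analyst one", FULL_SET, ANALYST_ONE, MODEL_SIZE),
        ("5 of 50 criteria, analyst two", FULL_SET, ANALYST_TWO, MODEL_SIZE),
        ("all 5 criteria of a 5-item model", FULL_SET, ANALYST_ONE, 5),
    ]
    for label, evidence, weights, size in cases:
        result = assess(evidence, weights, model_size=size)
        print(f"{label}: verdict={result['verdict']} confidence={result['confidence']} "
              f"coverage={result['coverage']:.2f} margin={result['margin']:.2f}")
```

Running the script shows the two cherry-picked indicators producing "Actor-A" at low confidence (4% coverage), the same five indicators pointing to Actor-B under the first analyst's weights and to Actor-A under the second's, and the confidence label rising only when the evidence covers most of the model and the margin is clear.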

Keep in mind that attribution is subjective by nature and has turned into a complex blend of psychology and technology. Just have a look at the "Q attribution model" if you have any doubts about that.

Follow me on LinkedIn, Twitter, Telegram and www.abocharnikov.com.
