EyePyramid and a Lesson on the Perils of Attribution
In the past weeks, the information-stealing malware EyePyramid made headlines after it was used to steal 87GB of sensitive data from government offices, private companies and public organizations. More than 100 email domains and 18,000 email accounts were targeted, including those of high-profile victims in Italy, the U.S., Japan and Europe.
The natural assumption for many would be that EyePyramid was a state-sponsored cyberespionage campaign. It wasn’t. It was ultimately attributed to a brother-sister team who used the malware for profit.
Playing Whodunit is Hard
If there’s anything EyePyramid can valuably teach us, it’s that playing whodunit is hard. Attribution is one of the most complicated aspects of cybersecurity, partly because of the Internet’s underlying architecture and the many ways perpetrators can cover their tracks.
While we can attribute cyberattacks to certain threat actors, most threat researchers and information security professionals are cautious and often avoid attributing them to a specific person, group, or country. Doing so is fraught with slippery slopes. For instance, artifacts found in malicious code are a common source of forensic evidence available to the security community. Unfortunately, malicious code cannot reliably identify its authors, since it may simply have been bought in the underground. Nor does it reliably give away its operators, who have many anonymizing and spoofing toolkits and techniques at their disposal. Even the victims, the objectives, or the operation the code was employed in are difficult to determine.
Even attributing incidents based on the nature of the stolen information is shaped by political, economic, and sociological influences. As much as possible, we attribute activity to certain threat actors based on what is technically provable, such as text strings in source code, usernames, domain registration records, and other information recycled across various sites.
Groups versus Individual Threat Actors
There are several dynamics involved in attribution. EyePyramid’s case, like that of Limitless, was solved mainly because its operators made a mistake. Individual threat actors have certain habits (such as reusing words), quirks, techniques, and a certain identity that can be linked back to them. Groups like Pawn Storm have many of them. Their “fingerprint” is the combined effect of various individuals with their own peculiarities. This multiplicity, along with their resources, is what makes a group fingerprint harder to generate. It is a completely different story when tracking an individual threat actor. The bigger the group, the more it becomes like finding a needle in a haystack.
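To make the "technically provable" evidence of the previous section and the reused-habit point above concrete, here is an added example (not code from the original post or from any investigation) that scores how strongly two malware samples are linked by the artifacts they share, assuming constructed sample metadata: artifacts that come with commercially available code or are too generic to identify anyone carry no weight, rarer recycled artifacts carry more, and a link only counts as corroborated when independent artifact types (a username and a domain, say) agree.

```python
from collections import Counter

# Constructed sample metadata (not from the EyePyramid investigation): artifacts
# from four hypothetical samples: strings left in the code, hard-coded usernames,
# and domains from registration or C2 data.
SAMPLES = {
    "s1": {"string": {"dbg-handler", "Proj_Eagle"}, "username": {"occhio_dev"}, "domain": {"eagle-sync.example"}},
    "s2": {"string": {"dbg-handler", "Proj_Eagle"}, "username": {"occhio_dev"}, "domain": {"news-relay.example"}},
    "s3": {"string": {"dbg-handler"}, "username": {"admin"}, "domain": {"news-relay.example"}},
    "s4": {"string": {"xorkey=0x5a"}, "username": {"admin"}, "domain": {"cdn-update.example"}},
}

# Constructed list of artifacts that ship with commercially available or public
# code, or are too generic to point at anyone: they say nothing about the author.
COMMODITY = {"dbg-handler", "admin"}

def artifact_frequency(samples):
    """Count in how many samples each (kind, value) artifact appears."""
    freq = Counter()
    for artifacts in samples.values():
        for kind, values in artifacts.items():
            freq.update((kind, v) for v in values)
    return freq

def shared_evidence(samples, a, b, commodity=COMMODITY):
    """Non-commodity artifacts common to a and b, weighted by rarity: an artifact
    seen in no other sample weighs 1.0, one recycled corpus-wide weighs less."""
    freq = artifact_frequency(samples)
    evidence = {}
    for kind in samples[a].keys() & samples[b].keys():
        for value in samples[a][kind] & samples[b][kind]:
            if value not in commodity:
                evidence[(kind, value)] = 1.0 / (freq[(kind, value)] - 1)
    return evidence

def link_score(samples, a, b, commodity=COMMODITY):
    """Total weight of the evidence linking a and b (0.0 means nothing provable)."""
    return sum(shared_evidence(samples, a, b, commodity).values())

def corroborated(samples, a, b, commodity=COMMODITY, min_kinds=2):
    """True only when the link rests on at least min_kinds independent artifact
    types (e.g. a username and a domain), not on one reused string."""
    kinds = {kind for kind, _ in shared_evidence(samples, a, b, commodity)}
    return len(kinds) >= min_kinds

if __name__ == "__main__":
    for a, b in (("s1", "s2"), ("s2", "s3"), ("s3", "s4")):
        print(a, b, round(link_score(SAMPLES, a, b), 2), corroborated(SAMPLES, a, b))
```

With the constructed data, s1 and s2 share a rare project string and a username and are corroborated, s2 and s3 share only one domain, and s3 and s4 share nothing beyond commodity artifacts.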
In the same vein, professionals and cybercriminal syndicates are organized with tradecraft that can be shared and honed by others. They are likelier to have the skill to obfuscate traces they leave behind. Being in a group also provides members the means to learn from their fellow cybercriminals. On the other hand, amateurs, script kiddies, and sometimes individual attackers, usually don’t have the infrastructure to carry out attacks that groups can deploy. They mostly rely on existing malware, and do it usually for recreation or earning a measly income.
In threat research, it’s difficult to initially determine the kind of attack you’re dealing with. Distinguishing ill-equipped individuals from professional organizations matters, because the opposition and the quality of their work differ greatly. Even private or smaller cybercriminal groups like exploit kit authors, ransomware developers, and clickjacking scammers such as Rove Digital are hard to attribute. What more for well-funded nation-states?
Dangers of Attribution
Whether we like it or not, hacking and politics are increasingly becoming intertwined. The problem, however, is that most alleged attributions are being discussed in highly politicized environments where the motivations and objectives of those involved are suspect. Unfortunately, needless emphasis is placed on them and mainstream media is all too eager to play them up with fear, uncertainty, and doubt.
Let’s take the recent news about a purported cyberattack on the U.S. power system as an example. The attack, which was attributed to Russia, allegedly used an electric grid in Vermont as an entry point. The news was written with the usual narrative. It quoted officials “speaking on the condition of anonymity,” recounted related past incidents, and played out the worst possible scenarios.
The problem? It didn’t really happen that way. In fact, the incident was actually rather simple. The malware, found on a single laptop, was not even connected to the grid. This and many other cases show an increasing trend where fake news, cyber propaganda, and unverified stories that lack context are being pushed to proselytize an unknowing public. Even if we assume that they mean well, they create an expectation of compelling evidence against the perpetrators. Sadly, such evidence is often never given. This only elicits distrust among individuals and organizations (and countries, for that matter). Causing tempers to flare will only provoke a negative response.
Does Attribution Matter?
When you hear about high-profile attacks, put yourself in the victim’s shoes. What’s more important for my organization? Can my company manage an attack like that? For enterprises and many information security professionals, it’s more critical to know what has to be defended, and the kinds of attacks that can be used against it. Among them: how the intruders got in, what they did to the systems and their data, if they’re still in the network.
To a large degree, the tools and techniques of high-profile or state-sponsored attacks aren’t all that different from ones commonly encountered by organizations. New tactics employed by these attacks ultimately filter down as well. Focusing on proactive incident response, best practices, and defense-in-depth provides enterprises better means to protect themselves in the long-term while also steering clear of partisanship and politically charged speculations.
Of course, attribution is valuable. Knowing the kind of adversary you’re up against can help you understand their motives and what they’re after. Depending on their target’s risk profile, it can be financial data that can be monetized in the underground, or a company’s trade secrets. Even access to a compromised network can be a commodity to cybercriminals. Carefully researched attribution provides working and informed assumptions that can be operationalized in incident response and remediation.
Attribution is a reflection of the attacker’s sophistication. It’s also a reflection of resources, skills, and time available to researchers. It should not be a result of sensationalism being cultivated about high-profile attacks, along with the salesmanship and fearmongering influencing mainstream media’s discussions on cybersecurity.
As EyePyramid showed, high-profile attacks aren’t just for nation-states. From the point of view of those who defend the enterprise’s perimeter, it’s more a matter of knowing what to do, and acquiring the necessary tools and expertise to tackle these threats down the line.