Blog

What is attack attribution, and why have we dedicated today's blog to its complexities?

In a recent trial, two British teenagers, Arion Kurtaj (18) and a 17-year-old boy whose name was not disclosed due to his age, were convicted by a London jury for a series of computer crimes, blackmail, and fraud as part of the Lapsus$ hacking group. The victims included major companies like Nvidia, Uber, and Rockstar Games. Prosecutors labelled both teens as "key players" in the Lapsus$ gang, which specialized in theft and extortion.

The Lapsus$ cybercrime group, operating from late 2021 through late 2022 targeted numerous organizations online, employing techniques like stealing cell phone numbers and phishing employees to access proprietary data. Their attacks were low-complexity but highly effective, and the group boasted about their exploits while demanding ransoms or stealing cryptocurrency from victims. 

Throughout their hacking campaign, the cybercriminals frequently flaunted their illicit activities in the public domain, openly revelling in their crimes and taunting their victims on the messaging platform Telegram, using both English and Portuguese languages. It is believed that some members of the gang remain at large.

So, why has it taken so long for authorities to reign in only a few members of a notorious hacking group known to brag online publicly about their exploits?  Let's explore many of the reasons that attack attribution is so difficult.

What is Attack Attribution?

One of the most challenging and critical aspects of cybersecurity is understanding and identifying the sources behind cyberattacks. Known as "attack attribution",  the goal of determining who is responsible for a cyberattack, and uncovering their identity, motives, and affiliations between individuals, groups, or organizations has proved extremely difficult.

Attack attribution involves a meticulous forensic investigation into the tactics, techniques, and tools employed by the attackers to trace the digital evidence they leave behind.

How Does Attack Attribution Support Cybersecurity?

Attack attribution is essential for incident response, cybersecurity policy development, and mitigating future threats because knowing the details about the attacker provides valuable insights that allow an informed, evidence-based approach to developing defensive strategies and legal actions when applicable.

Why is Attack Attribution so Difficult?

Attack attribution is a formidable challenge in the realm of cybersecurity, primarily due to a myriad of factors that adversaries exploit to conceal their identities and origins. Some of the key reasons why determining the source of cyberattacks is so elusive include:

• Botnets Of Stolen Assets: Attackers often wield powerful botnets like the infamous Mirai botnet. These vast networks of compromised devices, including IOT devices and computers, can be hijacked to launch attacks on behalf of the attackers. Since the attacks are executed from assets not owned by the perpetrators, attributing them to their true source becomes exceedingly complex

• Anonymity Services like Tor: Anonymity networks such as Tor (The Onion Router) allow attackers to obfuscate their locations and obscure the digital trail of their activities. These services route traffic through multiple nodes, making it challenging to trace the origin of malicious actions. Other similar anonymity networks further complicate attribution efforts

• Unregulated Infrastructure-as-a-Service (IaaS) in Rogue Nations: Attacks often cross international borders, creating jurisdictional challenges for law enforcement and cooperation. Some rogue nation states provide unregulated IaaS platforms, allowing attackers to lease virtual servers and computing resources with minimal oversight. This enables malicious actors to launch attacks while maintaining anonymity, as these platforms are often beyond the reach of international law enforcement

• Identity Theft for Registering IaaS Accounts: Attackers can resort to identity theft, using stolen credit card numbers and personal information to register IaaS accounts for malicious purposes. This fraudulent activity not only obscures the true identity of the attacker but also poses significant challenges when attempting to trace back to the responsible party

• Public Websites for Hosting Payloads: Malicious actors have increasingly leveraged legitimate public websites such as Dropbox, Google Drive, and pastebin-like platforms to store payloads and operate command-and-control (C2) infrastructure for their attacks. The use of these platforms allows attackers to anonymously host malicious content, making it challenging to pinpoint the source

• Counter Forensics: Attackers often take measures to conceal their endpoint information within payloads. They may encrypt or obfuscate payload data, making it difficult for security analysts to extract meaningful information about the attacker's identity or location

• Proxying And Tunneling Protocols: Attackers can use proxies and tunneling protocols like SSH and VPNs in their attacks to encrypt traffic, making it challenging to monitor or intercept

• Public Internet Access: Public WiFi is not only a risk for the average user, but attackers often use public Wi-Fi networks for anonymity. By masking their device's MAC address attackers can ensure there is no digital trace back to themselves. Many businesses may not keep detailed logs of those who log in to the public hotspot or have video surveillance cameras installed

• Hacking As A Service: Sophisticated attacks involve multiple stages, each potentially conducted by different groups using different infrastructure, making it challenging to trace back to the source. Hacking as a Service also allows low-skilled attackers to contract help from more advanced hackers dedicated to the illegal craft

• Misconfigured security software and systems: While defenders may install security tools to help detect and monitor systems if misconfigured, these products will be of little use when called upon to provide evidence of an attack.  Therefore it's important to test that security products such as Intrusion Detection Systems (IDS), SIEMS, firewalls, and other security appliances are effectively and reliably capturing monitored information

• IT Security Talent Shortage: A shortage of skilled cybersecurity professionals can limit the ability to conduct thorough investigations and attribution efforts, as organizations may lack the necessary expertise and resources

Conclusion

Despite the challenges of cyberattack attribution, it remains essential for incident response, cybersecurity policy development, and mitigating the risk of cyber attacks. Attribution provides valuable insights for informed defensive strategies and potential legal actions.

The complexity of attack attribution arises from various factors exploited by adversaries to conceal their identities. These include the use of botnets, anonymity services like Tor, unregulated infrastructure-as-a-service in rogue nations, identity theft for registering accounts, hosting payloads on public websites, counter forensics techniques, tunnelling protocols, public internet access, hacking as a service, misconfigured security systems, and the IT security talent shortage.

Looking to learn more about attack attribution and other 2023 cybersecurity trends? Reach out to our team today (or sign up for our newsletter!)