It Came From Where? Nation States and Cyberattack Attribution
Knowing who is responsible for a cyberattack can be crucial in determining whether the damages will be covered by insurance. So how do you ever really know?
- Resilience Cybersecurity & Data Privacy
- Verizon Data Breach Investigation Report (2022)
- Cost of a Data Breach Report – IBM (2022)
- “Disturbing” Rise in Nation State Activity, Microsoft Reports – info security Group
- China state-backed hackers compromised networks of at least 6 U.S. state governments, research finds – CNBC
- Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure – CISA
- Conti Ransomware Operation Shut Down After Splitting into Smaller Groups – The Hacker News
- Microsoft Warns of Destructive Cyberattack on Ukrainian Computer Networks – NY Times
Brian: Hey, thanks for joining us on the Fearless Paranoia podcast, where we seek to demystify the complicated and complex world of cybersecurity. I’m Brian, cybersecurity attorney. He’s Ryan, IT specialist. And last time we were discussing the increasingly complex world of cybersecurity where it intersects international relations, or, put more simply, cyberattacks as a tool of war, or as a tool of one nation against another. And we talked a great deal about how we determine what qualifies as these types of attacks. But there’s also discussing how you can protect yourself against them, and more specifically, how your insurance policy could potentially be read to exclude these. One area we haven’t really talked about yet is how we really know where these attacks are coming from. In talking about all this, attribution becomes critical. So Ryan, how in God’s name do we attribute these attacks to a specific country?
Ryan: So that’s where the equation gets even trickier, right? So trying to figure out how to defend against these attacks and how to stay resilient against them is a complex equation in and of itself on that side, but taking it one step further, and trying to find the purpose behind the attacks, and then being able to positively attribute who the actor is, in some cases can be relatively straightforward and easy. As the years have gone by and the attack chains have gotten to be more and more complex, the desire to stay quiet or to cover their tracks has become more actively built into the attack chain itself. I have, in some of my experiences doing some incident response, seen actors that have done their best to cover their tracks right at the initial indicators of compromise. So first exploit of a system and through a perimeter, first thing they do is gain persistence by trying to move to other systems and build up some strong footholds, and then go back and do their best to scrub logs and clear their tracks, not only to cover the way that they made their way in, but to cover where they went from there. You know, it’s equivalent to trying to throw someone off of your path by walking through the desert: you’re leaving obvious tracks, so you start to kind of walk in circles in different places and around different features and things to do your best to try and throw them off of your scent. It’s very similar, just in a digital fashion. So starting the attribution process is as complex as digging through the data itself. So it’s really trying to find some sort of evidence of some piece of the puzzle. And you really have to start with just finding a piece of the puzzle. And from there, you start to work backwards.
And so whether that piece of the puzzle is the encryption of files on a certain file share, or the location of a web shell, or another persistence mechanism, whatever it was that triggered the start of the response, the investigation, you start working your way backwards and start to look for, okay, so we found out we have a file share that started to get encrypted at midnight on a particular day. Okay, so you start looking at the logs and go from midnight backwards and start to say, okay, where did the last connections prior to the start of this incident come from? And you start to track those pieces backwards. So you eventually find the initial indicator of compromise, right? The initial method of breaching the perimeter or the initial method of starting the persistence, how did they first get into the system? And from there, you have to really start kind of pivoting. Then, now that you’ve got your IOCs figured out, you have to kind of work back towards another common acronym in the industry, which is TTP, which is your tactics, your techniques, your procedures: how different ransomware gangs, different groups, different threat actors use different tools, different means and different ways to accomplish their goals. Again, the end in most of the goals is usually very similar with a lot of these different groups and different actors; they have a lot of the same end goals in mind, but they use different means to get there. And starting to identify those particular TTPs and attributing those to known actors is where a lot of the kind of behind-the-scenes attribution really starts.
Brian: When, of course, we’re also talking about, you know, the attribution here, cyberattacks from the United States don’t come signed by the director of Cyber Command or by Joe Biden; they are at least clandestine. Now, we do know that there are several specific groups in Russia who are identified by numbers or by names that have been given to them by US intelligence. And, you know, even if we say, okay, we know it’s Russian because, you know, we’ve attributed it with a high degree of certainty to this one group, that’s pretty much the best, you know, we can expect to get, isn’t it?
Ryan: I’d say at the public level, usually, yes, that’s the most you’re gonna get, and usually what they’ve done at a very high level here is, again, they’ve identified the TTPs that they see and they’ve tried to correlate those with other activity that they’ve already attributed previously to these particular threat actors. There’s not so many advanced threat actors out there in the world that, you know, it’s really challenging to classify them. For the most part, the really well-funded, really effective threat actors are very few. They change allegiances, and makeups, and architectures frequently. And some of that is just by the nature of their business model. Some of that is for obfuscation behind the scenes every so often. So like Conti right now just ended up getting basically broken apart from the inside; a lot of their chat logs and everything were all dumped. So as a whole, they did their best to effectively reorganize really quick and redeploy and continue their activities. And now they’ve gotten to the point where I think they’ve made the decision, really, it looks like, to kind of splinter and scatter, which will make them much more challenging to really kind of track down individually, because now instead of watching one really large target that has a lot of common assets and common architecture, you’re now tracking small splinter cells, effectively, of this one larger group that will be employing very similar tactics, but will also start to kind of modernize and mature independently on their own, which will make them unique in and of themselves and much more challenging to continually get positive attribution.
Brian: You’re listening to the Fearless Paranoia podcast. We’re here to help make the complex language of cybersecurity understandable. So if there are topics or issues that you’d like Ryan and I to break down in an episode, send us an email at firstname.lastname@example.org or reach out to us on Facebook or Twitter. For more information about today’s episode, be sure to check out Fearless Paranoia.com, where you’ll find a post for this episode containing links to all the sources and research information that we have cited to you. And also check out our older posts and podcasts as well as additional helpful resources for learning about cybersecurity. Now, back to the show.
Brian: Slipping past attribution, there’s obviously two parts of this: loss or damage caused from hostile or warlike action in time of peace or war. You don’t conduct a hostile or warlike action in a vacuum; you have a target. So we’ve talked about this idea of attribution, that you can go back and determine, or the intelligence communities at least can determine, where, to a good degree of certainty, an attack came from. And then based on who that was, they can determine whether they were nation-state supported or likely nation-state supported. But then the second part is, how do you understand that an attack is part of an attack against another country, as opposed to simply, China’s hacking groups are known for industrial espionage? I wouldn’t necessarily call that an act of war. But, you know, Russia essentially using a wiper malware against most of Ukraine’s infrastructure probably goes very strongly the other direction. How do you know when something’s targeted, especially when it gets out of control like NotPetya?
Ryan: So I think you really kind of have to look at what the initial intended scope is. And again, a lot of it gets very speculative when you look at it, but you look at where the focus of the efforts are. And so it became very clear that in the case of NotPetya, they started with, I believe it was a Ukrainian-based tax software; it was kind of one of the initial methods of compromise. So again, they’re taking something that seems like it’s a very regional, very specific type of tool that would be utilized in a very general region. And that’s what makes it attractive for them, because it looked as though it’s the type of delivery mechanism that would be very effective against the target that they’re going at, but be very ineffective beyond that, because the use of it probably diminishes greatly once you leave the borders of Ukraine, just by the fact that the software was very nation-specific in its nature. So I think that they wanted to understand also that maybe not everybody in Ukraine would use the software. So they had to add some capability for it to kind of expand beyond that scope, which is where the worming piece really came in, and where they really heavily leveraged EternalBlue, most likely in a configuration that they hadn’t fully scoped in or intended would go quite as far as it did. I doubt that, and again, speculative here, I doubt that the initial intention for NotPetya was to have far-reaching implications beyond Ukrainian borders like it did. Russia, while being pretty brazen in a lot of their attacks, seems to not openly take the more shotgun approach when the scalpel will accomplish their goals.
And so to me, I think that their initial intention was to keep the scope pretty well tied in, and I think that probably just due to the overwhelming capabilities of EternalBlue at the time, not understanding how effective pairing it up with a very powerful tool like Mimikatz would be, and then understanding that if it were to escape what they were probably thinking of as their Ukrainian, say, sandbox, how quickly that could reach out and work its way around due to the fact that lots of people’s systems are just generally under-patched and under-maintained globally, which made them exploitable by EternalBlue. They unleashed it partly because they probably didn’t care if it spread too far beyond, but it definitely, I think, got past the initial scope and probably was a little bit more aggressive than they would have otherwise intended. But again, it just shows you that when you harness these really powerful cyber tools in the hands of people that didn’t create them probably initially and didn’t understand the initial scope of them, how quickly those tools can get out of hand and become much more impactful.
Brian: You’re listening to the Fearless Paranoia podcast. For more information on keeping yourself, your family and your company protected against cyber threats, check out the Resilience Cybersecurity and Data Privacy blog. If you’re enjoying this podcast, please like and subscribe using any of your favorite podcast platforms.
Brian: It really is a stark way of looking at things you got. So WannaCry and NotPetya end up becoming two excellent examples of what has been determined, or attribution has found, to be state-sponsored viruses. They, you know, were created largely by or with the support of a nation state and employed for that nation’s purpose. Now the difference, other than the technical differences, is that NotPetya seems to be one that was intended to hit one specific target: Ukraine. WannaCry was kind of more of a general, or at least it was not specifically targeted at another nation. So it’s going to be interesting to see how insurance policies change their approach to this. But one thing is absolutely clear. You cannot purchase cyber liability insurance, or any insurance policy that has some sort of cyber liability protection, without a full reading and understanding of the terms that it lists based on the room that you have. If you had the same language that Merck Pharmaceuticals had, you would have coverage for both of these. However, there are policies where the terms themselves may exclude cyberattacks that are launched by one nation against another. They may exclude cyberattacks that are launched by one nation against anyone. It cannot be harped on more by me that you need to know what is in your policy. If you haven’t listened to our episode on cyber liability insurance, please go back and listen to that. These policies are incredibly variable. There’s no standard, they’re brand new, and most insurance companies are still figuring out how they work. But just these two examples, and, you know, there’s obviously going to be more and more to come. Ryan, I think you would certainly agree that we have not seen the last of a nation-state attack that gets loose beyond its intended target.
Ryan: No, Brian, again, I think that we’ve only seen the few limited ones we have because in the past, I think most of these actors, in most cases nation states or other just well-funded actors, have done their best to try and tread lightly in this water, dip their toe into the pond and kind of get a feel for what their capabilities are. But between the gathering of botnets and all of these different pieces of different software and exploits coming out nowadays, it’s clear that at some point in time we will start to hit critical mass beyond the capabilities of staying silent with this, and we will start to see more and more of these tools employed to achieve agendas, which means you’re going to have a lot of them in use. And we will see misconfigurations; we will see these things continue to spill out. So it is more prudent than ever to stay on top of making sure that your cyber hygiene and your planning for incident response and disaster recovery are in place and are, you know, modern and maintained. So that when these new things happen, not if but when these things start to happen, you are not only making sure you’re protected to the best of your ability against them, but that when they do get past your defenses you are able to recover from them, you’re covered from a liability standpoint, and you’re able to effectively get your business running again.
Brian: Well, if you’re not too depressed, we hope you tune into our next episode of Fearless Paranoia. We’re trying to help you get ready for anything and the worst that might come. The bottom line is the best way to recover is to be resilient in advance. So we’re going to try to prepare you so you know what might be coming your way and so that you can best recover from it in the event that it happens. For Ryan, I am Brian, and we will see you next time. Thanks.
©2022 Fearless Paranoia