Attribution is often the most difficult problem facing an incident response team following a cyber-attack or cyber fraud. "Attribution is hard" is the mantra of the cybersecurity industry, and in many cases it is, frustratingly so. However, determining who the culprit is sometimes requires dogged determination, the smart use of technology, sound inductive reasoning and the use of powerful legal tools.
Even partial attribution can help with understanding the motives of an attacker and assist in defending against future attacks. Full identification of the real people behind attacks can lead to criminal charges and the opportunity to recover stolen funds. However, the internet was designed for computers and not for the identification of human users. Not only that, there are plenty of legitimate privacy reasons why users would not want their identities revealed far and wide. For cybercriminals, a whole industry of anonymity technology, services and "operational security" (OPSEC) techniques have emerged to keep their identities secret.
In the case of the most sophisticated attackers, the answer to the attribution question can remain elusive. Some suspected nation-state cyber-attackers use well-honed tactics, and some have been known to leave "false flags" - evidence intentionally planted to lead investigators towards making the wrong assumptions about their identities. In early 2018, US intelligence agencies concluded that a Russian cyber-attack on the South Korean Winter Olympics was designed to look as though it had come from North Korea. It can take the resources of a government, with all its intelligence-gathering, surveillance and interception technology, to track down a capable adversary.
However, most cyber-attacks are not carried out by nation states for intelligence-gathering or economic espionage; they are carried out by criminals whose intention is to make money. This group of attackers has a different profile and a wide variety of capabilities and knowledge, from the careful hacker to the careless newbie with little or no experience in hiding from the attention of the authorities.
Clues must be methodically examined for anything that will help point to the culprit, and evidence must be examined, tested and corroborated. Unmasking some attackers can be achieved by implementing techniques available to civilian investigators and lawyers.
Internet Protocol (IP) addresses are the way in which computers are identified on the internet. Typically, cybercriminals will go to some effort to cover their tracks by using anonymisation technology and services such as "Tor", a Virtual Private Network (VPN) or some other form of "proxy" which masks their IP address. Internet providers keep records of who was using an IP address and therefore their "digital footprint" can sometimes be traced back, provided the investigator has the lawful authority to obtain this information.
In the case of a cyber-attack, sometimes the recorded IP address is the only trace of the suspect, and a hidden original IP address can be the end of the road for that line of enquiry.
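The triage an investigator does before deciding which addresses are worth a lawful records request can be scripted. The following is an added example, not MDR Cyber's tooling: it parses a few constructed Common Log Format lines, labels each client address as a known Tor exit, a VPN/proxy range, an internal address or a direct connection, and counts events per address. The Tor exit list, VPN range and internal range are constructed stand-ins for the real feeds an analyst would load.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample access-log lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:09:12:01 +0000] "POST /login HTTP/1.1" 200 512
198.51.100.23 - - [10/Mar/2024:09:12:05 +0000] "POST /login HTTP/1.1" 401 180
198.51.100.23 - - [10/Mar/2024:09:12:09 +0000] "POST /login HTTP/1.1" 401 180
192.0.2.44 - - [10/Mar/2024:09:13:40 +0000] "GET /account/export HTTP/1.1" 200 20480
10.0.0.5 - - [10/Mar/2024:09:14:00 +0000] "GET /healthz HTTP/1.1" 200 2
this line is malformed and must be skipped
"""

# Constructed stand-ins for the feeds an investigator would actually load:
# a published Tor exit-node list, a VPN/proxy range database and the
# organisation's own internal ranges.
KNOWN_TOR_EXITS = {ipaddress.ip_address("198.51.100.23")}
KNOWN_VPN_RANGES = [ipaddress.ip_network("192.0.2.0/24")]
INTERNAL_RANGES = [ipaddress.ip_network("10.0.0.0/8")]

# Common Log Format: client address, identity, user, [timestamp], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+)'
)


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    try:
        ip = ipaddress.ip_address(m.group("ip"))
    except ValueError:
        return None
    return {"ip": ip, "ts": m.group("ts"), "req": m.group("req"), "status": int(m.group("status"))}


def classify(ip):
    """Label the address by what a records request could realistically yield."""
    if ip in KNOWN_TOR_EXITS:
        return "tor-exit"      # exit relay only; the originating address is not recoverable from it
    if any(ip in net for net in KNOWN_VPN_RANGES):
        return "vpn-proxy"     # provider may hold logs; a legal request to the provider is the next step
    if any(ip in net for net in INTERNAL_RANGES):
        return "internal"      # own infrastructure, e.g. monitoring
    return "direct"            # ISP subscriber records may identify the user, given lawful authority


def enrich(log_text):
    """Parse every well-formed line and attach a source class to it."""
    events = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is not None:
            ev["source"] = classify(ev["ip"])
            events.append(ev)
    return events


def summarise(events):
    """Events per (address, class): the triage list for deciding where a data request makes sense."""
    return Counter((str(e["ip"]), e["source"]) for e in events)


if __name__ == "__main__":
    for (ip, source), n in sorted(summarise(enrich(SAMPLE_LOG)).items()):
        print(f"{ip:16} {source:10} {n} event(s)")
```

The point of the classification is the one the text makes: a request to an ISP only helps for a direct connection, a VPN provider is a separate legal request whose outcome depends on what it logged, and a Tor exit address is the end of that line of enquiry, so effort should shift to the other traces discussed below.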
Adverts found on the dark web or criminal forums offering "no logs" services are often an attractive proposition to a cybercriminal, as they give false comfort that their true identity will never be known. In reality, many providers will log some activity for the purposes of managing their service. Legitimate VPN providers, when compelled to do so by a court of law, will hand over the details of their customers.
"We are for anonymity. We do not store any logs that would allow us or third parties to associate the IP address in a specific period of time with the user of our service. The only data that we store is the e-mail and username, but it is impossible to associate the user's activity on the Internet with a specific user of our service. We are not under any jurisdiction. There are no circumstances that would force us to provide information about our users."
Figure 1 - Example quote from a "no logging" VPN service advert on a Russian hacking forum
In cyber-enabled fraudulent activity, there are other clues that can be investigated. Criminals will often set up a range of false digital accounts to appear credible. These traces are the digital equivalent of fingerprints and can be examined, searched against multiple sources for further leads, or the providers can be compelled to provide the personal details of their customers through legal requests.
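Searching those traces against multiple sources comes down to matching selectors (an e-mail address, a phone number) across records obtained from different providers and recording which selector connects which accounts. The following is an added example, not MDR Cyber's tooling: the records are constructed stand-ins for a registrar response, a marketplace account lookup and a bank disclosure, with every value invented. It normalises the selectors, lists the shared ones as the evidential basis for each link, and groups the records into clusters of transitively connected accounts with a small union-find.

```python
from collections import defaultdict

# Constructed records standing in for what an investigator might hold after a
# registrar response, a marketplace account lookup and a bank disclosure.
# Every value below is invented for illustration.
RECORDS = [
    {"id": "registrar:secure-refunds.example", "email": "Refunds.Desk@example.test", "phone": "+44 0000 000001"},
    {"id": "marketplace:seller_8812", "email": "refunds.desk@example.test", "phone": None},
    {"id": "bank:acct_0193", "email": "j.smith@example.test", "phone": "+440000000001"},
    {"id": "bank:acct_4471", "email": "unrelated@example.test", "phone": "+440000000099"},
    {"id": "forum:user_throwaway", "email": "", "phone": None},
]

SELECTOR_FIELDS = ("email", "phone")


def normalise(field, value):
    """Canonical form so superficially different spellings of one selector still match."""
    if not value:
        return None
    if field == "email":
        return value.strip().lower()
    if field == "phone":
        digits = "".join(ch for ch in value if ch.isdigit())
        return "+" + digits if digits else None
    return value.strip()


def selector_index(records, fields=SELECTOR_FIELDS):
    """Map (field, canonical value) -> ids of every record carrying that selector."""
    index = defaultdict(set)
    for rec in records:
        for field in fields:
            key = normalise(field, rec.get(field))
            if key is not None:
                index[(field, key)].add(rec["id"])
    return index


def links(records, fields=SELECTOR_FIELDS):
    """Selectors shared by two or more records: the evidential basis for each connection."""
    return {sel: ids for sel, ids in selector_index(records, fields).items() if len(ids) > 1}


def cluster(records, fields=SELECTOR_FIELDS):
    """Group records transitively connected by shared selectors (union-find), largest group first."""
    parent = {rec["id"]: rec["id"] for rec in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for ids in links(records, fields).values():
        ids = sorted(ids)
        for other in ids[1:]:
            parent[find(other)] = find(ids[0])

    groups = defaultdict(set)
    for rid in parent:
        groups[find(rid)].add(rid)
    return sorted(groups.values(), key=lambda g: (-len(g), sorted(g)))


if __name__ == "__main__":
    for (field, value), ids in sorted(links(RECORDS).items()):
        print(f"{field}={value} links {sorted(ids)}")
    for group in cluster(RECORDS):
        print(sorted(group))
```

Keeping the `links` output alongside the clusters matters in practice: a cluster on its own says that accounts are connected, while the shared selector is what a subsequent legal request or witness statement has to cite.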
In several cases investigated by MDR Cyber, we have used legal tools for the purposes of forcing third parties that are "innocently mixed up" in the wrongdoing of fraudulent activity to provide relevant information that is likely to aid in the investigative process.
For example, Norwich Pharmacal orders can force domain registration services in the UK to reveal details relating to their customers. Norwich Pharmacal orders can also be used to force banks into providing key information relating to their account holders. This can be vital in tracing the flow and movement of funds obtained as a result of fraudulent activity. Put simply, this legal tool, combined with extensive open-source investigation techniques, can sometimes lead us to the culprits.
In some cases, other traces of suspects can be found by understanding the nature of the attack and the likely subsequent use of the data that has been stolen. Cybercriminals may publicise their attacks or try to sell stolen credit card or personal details on criminal forums.
Is attribution always hard?
If investigators understand the technology and its limitations, use all the tools available, act with determination and think laterally, attribution is not always hard. MDR Cyber design and use automated tools to speed up our enquiries, keep up to date with the latest techniques and employ all the legal resources available.
To find out more about the broad range of work MDR Cyber carry out, please get in touch.