Cyberattack attribution: Is it actually a deterrent?

3As the U.S. Department of Defense (DoD) builds up its cyberwarfare programs, what sorts of cyber ops are North Korea and other nation-state adversaries focusing on? Does attribution or admission of responsibility actually act as a deterrent to other would-be cyberattackers?

The incidence of cyberwarfare – akin to guerrilla warfare, used primarily to prevent and disrupt electronic communications that support combat operations – continues to mount, so the DoD is ramping up its cybercapability and screening capacity. Two programs in particular, the DoD Cyber Command unified platform and the Army-led persistent cybertraining environment, are gearing up to further gird the U.S. and its military against further cyber incursions.

To give you a hint of what the Pentagon’s up against just in terms of inbound email, officials at the Defense Information Systems Agency (DISA) say that the agency receives and scans on the order of 36 million malicious emails each day from hackers attempting to gain access to military systems.

“Cyber Command’s unified platform is the place that members of the cyber mission force go to work. It’s more akin to a system of systems that integrates current tools that have been in use by the cyber mission force,” says Bill Leigher, director of Raytheon’s government cybersecurity solutions business and a retired U.S. Navy rear admiral. “The persistent cybertraining environment program unifies what so far has been disparate service training into unified joint training that’s adaptable to all four services across the entire cyber mission force. It provides skills enhancement, but also experimental and rehearsal environments to develop new cybertechniques. This is a huge step forward in how cyber is maturing within the DoD.” (Figure 1.)

While it’s easy to “take for granted that cyber is high tech and must be great, the truth is that it’s a force less than 10 years old and barely – as of this year – has all of the right people in place,” Leigher notes. “If you compare it to another domain and go back to World War I, air-to-ground warfare was literally a pilot leaning out of an open cockpit and dropping a grenade. But by the middle of World War II, we had very sophisticated bomb sights and training and procedures for using them. We need to keep in mind that this cyberforce is still very young and early in its development lifetime.”

Figure 1: Personnel of the 624th Operations Center, located at Joint Base San Antonio – Lackland, conduct cyberoperations in support of the command and control of Air Force network operations and the joint requirements of Air Forces Cyber, the Air Force component of U.S. Cyber Command. (U.S. Air Force photo/William Belcher.)

North Korea’s cyber ops

North Korea – under intense scrutiny right now for its nuclear weapons development program – also is thought to be getting ready to mount more cyberoperations.

“Since the Sony attack in 2014, and their ongoing operations against South Korean power stations in 2013 and 2014, we haven’t seen a lot of development of specific ­disruptive or destructive capabilities from North Korea,” says Priscilla Moriuchi, director of strategic threat development for Recorded Future, a real-time cyberthreat intelligence provider. “But it’s likely that they’re developing them.”

Perhaps not surprisingly, North Korea relies heavily on U.S. technology for its internet and network operations. “The amount and variety of U.S. software and hardware we found indicates that a large percentage of it is U.S.-manufactured,” Moriuchi says. “If you look at reports about their actual cyberoperations during intrusions, you could make the argument quite easily that North Koreans are using and exploiting U.S. technology every step of the way. They’re exploiting Windows machines to use as command and control servers, and Cisco routers to get into victims’ networks; it would be more of a story if North Korea could do all of this without any U.S. hardware or software.”

Dual-use technology sales to China for military technology are regulated via export controls “because we don’t ever want U.S. technology to be used against our sailors and soldiers in a conflict,” Moriuchi says. “These dual-use technology regulations are also in place because the U.S. government doesn’t want to subject U.S. companies and entities to cyberattacks using U.S. technologies. So we need to figure out ways to restrict North Korea’s use of U.S. technologies – if the U.S. government is serious about stopping it.”

U.S. export controls for technology aren’t as useful as they are for other areas, though. “A broad segment called ‘computers and electronic products’ covers everything you can manufacture that has a chip in it,” she adds. “And the number of manufacturers is so widespread that, in many cases, it’s impossible to know who the end user will be. Export controls work for some things, but for technology it’s not been overly successful.”

While North Korea seems isolated and limited in terms of what it can do with technology and science, by examining its leadership’s internet activity and looking broadly at cyberoperations and the types of criminal activities they’re engaging in to generate revenue, Moriuchi and colleagues have found that while North Korean hackers can easily adapt a new technology or exploit, they are quick to abandon efforts that aren’t successful. “They’re also at the cutting edge of technologies supporting cryptocurrencies, which they exploit by finding weaknesses that they can use to their advantage,” she says.

Attack attribution

The U.S. moves faster today to push attribution of and indictments for cyberattacks than it has in the past. This policy began shortly after the attack on Sony in 2014, which was pinned on North Korea. “At the time, there was an undercurrent of ‘what a waste of time this is’ on blogs and social media, but the behavior we’ve seen since tells us that it has a deterrent effect,” Leigher says.

There’s likely “much more discussion at the policy level to release attribution faster than we would have had five years ago,” Leigher adds. “Releasing attribution facts as a policy is aggressive because it sends the message: ‘We know you’re out there and are going to call you out on it every time – you’re not as good as you thought.’ It’s a much more aggressive approach than when I retired from the Navy 4.5 years ago.”

North Korea’s cyberattacks and intrusions tend to be “designed to generate revenue for the regime,” Moriuchi explains. “While difficult to attribute, there are a number of unique fingerprints to North Korean activity, such as the way they write and compile their malware.”

In a May 2018 attack against a bank in Chile – which hasn’t been attributed yet to the malicious actor – attackers looted $10 million by deploying a master boot record wiper that destroyed records of numerous thousands of computers and servers in an attempt to hide the theft from that bank from the interbank transfer system. “A lot of the TDTS [tactical data transfer system] fits with the North Korean operations, but we hadn’t seen them conduct this type of destructive attack against a bank before,” Moriuchi says.

North Korea appears to be increasing its development and use of zero-day exploits, she points out, which exploit flaws or software/hardware vulnerabilities via malware before a developer has time to create a patch to fix it. (Figure 2.)

“Within the past three months, there have been two or three zero-days reported against South Korea targets,” Moriuchi says. “That’s quite unusual for North Korea actors; not to say they can’t discover their own zero-day vulnerabilities and develop exploits. But they more typically reuse vulnerabilities discovered by others. It may be an indication that North Korea is changing its tactics slightly, but in terms of cyberwarfare the information is a bit more limited within the public sphere.”

Figure 2: North Korea, already under intense scrutiny for its nuclear weapons development program, is also believed to be readying cyberattacks.

North Korea: We work alone

While some nations collaborate with others to conduct cybermissions, experts say that is unlikely North Korea is working with other countries due to the closed-off nature of its culture.

“We’ve never come across any evidence that North Korea’s state-sponsored hackers are working with other nations,” Moriuchi says. “But most of their operations are conducted from facilities outside of North Korea. We don’t believe that China, which has many of these bases operating within its territories, is working with North Korean hackers or is training or supporting them in any way. They’re in a very plugged-in society, with people who are tech-savvy, which helps them to be more adaptable than if they were operating from North Korea.”

Conducting operations within other countries is a huge risk for North Korea, because its cyberoperators must be trained and knowledgeable about their country’s cyber and military operations, but what they’re doing is illegal. “China has computer-use laws, so if China finds and arrests North Korean hackers they could easily end up in prison,” Moriuchi points out. “North Korea conducting its operations overseas is very unusual, as opposed to just compromising infrastructure in countries overseas, which is what most nations do.”

One sign that attack attribution “naming and shaming” is paying off lately is that China has started increasing its use of “commodity malware.” This is malware that’s “more or less open source, so it’s available to a wide range of users,” explains Moriuchi. “Chinese threat actors are taking that malware and tweaking it a bit to tailor it to their needs and then using that instead of writing a highly customized piece of malware themselves – basically a signature of their activities. Using commodity malware and exploiting tools on computers already – frankly, Microsoft PowerShow and things like that – helps them avoid detection and attribution. It’s an interesting technique.”

As far as Russia is concerned, the full scope of cyberintrusion is still to be seen. “They haven’t stopped any of their influence campaigns targeting the U.S. or Western countries,” she says. “We’ve seen them spread destructive malware via home routers. It’s a diversified and simple attack that doesn’t necessarily affect the end users, but attackers can use it to monitor communications as well. There are so many dimensions when we’re talking about really large, well-funded nation-state operators. There aren’t many things they aren’t into.”

Nation-state capabilities

Consider this: Nation-states can be broadly – in myriad ways – organized by their cyber capabilities: “Countries like the U.S., U.K., China, and Russia are full-scope actors with a full range of cyber capabilities, ranging from generic script kiddies and phishing to disruptive cyberattacks, supply-chain threat capabilities, and funding and resourcing,” says Moriuchi.

North Korea can’t quite be categorized as a full-scope actor “because they don’t possess a supply chain threat capability,” she explains. “But North Korea is a formidable adversary. They’ve demonstrated a willingness to invest months and months at a time for a single operation to develop malware for a specific piece of software or an end-user network they want to target. They can be very patient and be in networks for months, gathering information before doing anything, and they’re good at reconnaissance. They do, however, make some mistakes in the way they write their malware and code, leaving fingerprints behind. But no one is flawless, and every time we think we have a handle on them they go develop something different.”

North Korea’s hackers have a reputation for excelling in competitions. But “our own competitive hacking competitions, like Black Hat, are optimized for that particular competitive environment,” Leigher says. “Capture-the-flag games, which most of these competitions are called, aren’t exactly like cyberwarfare, so you’ve got to try to measure things with an equal yardstick. If you had the opportunity to go look at some of our nation’s best [hackers], you’d find that they’re every bit as capable as the best hackers at these events – if not more.”

The bottom line: Cyberwarfare’s price of admission is much lower than that of kinetic warfare, where combatants need weapons systems like a Joint Strike Fighter, Tomahawk weapons systems, and advanced infantry fighting vehicles, points out Leigher. It’s “just a different kind of warfare,” he says.

Expect to see AI play a bigger role in cyberwarfare

Artificial intelligence – already playing a key role in cyberwarfare – is expected to expand its domain. “Applications for machine learning can help us get a better picture of enterprise IT environments so that we can make much faster decisions about what it takes to defend really large network environments,” Leigher says, “because the massive number of DoD penetration attempts on a daily basis far outstrips the capacity for humans to deal with it.”

Leigher says he expects models developed from AI to provide much more predictive capability into what’s going to happen to the network. “My kinetic world analogy is that undersea you use sonar, on the surface you use a radar, but cyber really has no sensor that gets beyond their immediate platform,” he notes. “Models of what’s happening within the broader internet environment will eventually fill the gap of not being able to predict the environment outside of your own network, the way that we take for granted within every other warfighting domain.”