Iran hacking indictment highlights US naming and shaming strategy
The Justice Department's indictment of alleged Iranian hackers last week is just the most recent example of the US government and security firms pointing fingers at specific nation-states hackers for cyberattacks.
It's not hard to track the path of a bullet, bomb, or missile. But it can be much more difficult to figure out who's behind a cyberattack.
Still, in a sweeping indictment last week, the Justice Department said it did just that. It charged seven Iranians allegedly tied to Iran's powerful Islamic Revolutionary Guard Corps with breaking into the computer network of a small New York dam and attacking more than 40 US companies. Iran's foreign ministry denied the charges in a statement released last Saturday.
Security researchers once thought the process of attributing cyberattacks – requiring detailed analysis of log files that track computer activity, gathering intelligence on foreign agencies that conduct hacks, and combing through lines of malicious software – nearly impossible. Hackers can forge Internet protocol addresses, e-mail accounts, and registration details, which can all but vanish once they log off.
But last week's indictment showed that it's becoming more difficult for state-sponsored hackers to cover their tracks, said John Carlin, assistant attorney general for national security, at Thursday’s announcement. "National security state actors or terrorist groups are not anonymous," he said. "We can find them, we can do it publicly, and we will."
In recent years, Washington has pushed harder to attribute more state-sponsored hacks – and punish those responsible. In 2014, the Justice Department charged five hackers associated with China's People's Liberation Army for allegedly breaching US companies. Later that year, the FBI blamed North Korea for a costly intrusion into Sony Pictures – which led to US sanctions.
Experts say the naming and shaming effort could be aimed at creating a deterrence strategy: Holding malicious hackers responsible, even if they never appear in court, may turn out to be a relatively cost-free way to reinforce rules of the road in cyberspace and tamp down on espionage.
"No one thought it was going to make a difference, it was window dressing," Jason Healey, a senior research scholar at Columbia University’s School of Public and International Affairs, said of the 2014 indictments against Chinese hackers. "It turns out it was relatively low-effort and actually seems to have influenced Chinese behavior pretty significantly."
Even though the five Chinese nationals from the 2014 indictments have not appeared in US court, China appears to be increasingly engaged in international cybersecurity talks, signing landmark deals last year promising not to conduct cyberespionage to steal trade secrets from the US, Britain, and Germany. That ushered in a similar agreement between the Group of 20 nations in November.
With more data available on hackers than ever before, analysts can now pore over Internet data to learn about hacking suspects, such as social media accounts, geolocation data, and online forums to attribute cyberattacks. During last week's DOJ announcement, Ms. Lynch and FBI Director James Comey stood next to the mug shots of the seven Iranians – a level of attribution that experts believe might not have been possible just a few years ago.
"I think we’re in the middle of a revolution in terms of intelligence," said Richard Bejtlich, chief strategist at FireEye, a security firm. "The government, when it decides to swing the full apparatus of the intelligence community against certain types of [hackers], it will find out who is behind it."
That intelligence is not just on display in US government efforts to attribute hacks. Increasingly, private sector companies have released detailed reports naming state-sponsored hackers. That trend seemed to take off in 2013, when Mr. Bejtlich and his colleagues at Mandiant, later purchased by FireEye, spotted a Chinese cyberespionage campaign that had hit nearly 150 victims across 20 major industries in that seven-year period.
Using geolocation data, analysts traced the campaign to the headquarters of PLA Unit 61398 – a Chinese military unit that once specialized in digital espionage attacks. They also capitalized on poor operational security choices made by hackers – using their real names to register domain names, and logging into Facebook and Twitter accounts from attack infrastructure – to figure out their real identities.
That trend seems only to have ramped up. In September, the cybersecurity firm CrowdStrike appeared to catch dozens of alleged Chinese hackers trying to steal copyrighted data from American tech and pharmaceutical companies, just three weeks after Washington and Beijing struck a deal to end economic cyberattacks.
"The tempo of these attacks are increasing, so inevitably [hackers] make operational mistakes," said Dmitri Alperovitch, chief technology officer for CrowdStrike. In that case, Mr. Alperovitch said attackers left behind e-mail addresses, credit card numbers, and comments in the code.
For some experts, last week's Iranian indictments offered further evidence of the trend. "You read this, and you say ‘wow, how can attribution be difficult," said Columbia University’s Mr. Healey. "They’ve got it down to names, ages, and the rest."
With more cybersecurity experts flocking from government to digital security firms such as FireEye, Kaspersky, and TrendMicro, the private sector is gaining more expertise from the military and spy agencies when it comes to pinpointing attackers. But the government is still king, say most experts, and there's no agreed upon framework in the cybersecurity industry for when to make specific claims about foreign hackers.
Robert Lee, chief executive officer of the cybersecurity firm Dragos Security, worries that without transparency about the evidence in cyberattacks, agencies such as the DOJ leave an opening for false attribution.
"All of the attribution that’s been public for this case was based off of private security companies," said Mr. Lee, referencing Thursday’s indictment. "So you’re basically giving authority to these private sector companies and recognizing their attribution as foolproof when that's not the case."
Others think attribution can be improved by allowing experts in forensics, policy, and technology to team up and investigate cyberattacks.
"Just making a bold political statement without technical evidence isn't good quality, and reading something out of log files without any political context also isn't good quality,” said Thomas Rid, a professor of war studies at King’s College London and author of "Rise of the Machines," a forthcoming book about the evolution of cybernetics.
Rid may have actually come the closest to developing standards for attribution, putting together a 2015 study that aimed at getting policymakers, intelligence analysts, and computer forensics experts to consider both the political and technical elements to publicly attribute cyberattacks.
But last Thursday's DOJ indictments followed a similar trend: Government officials disclosed little information about how it discovered the Iranian hackers, mirroring a similar lack of data from one of the most controversial attribution cases in recent years. Soon after the 2014 breach of Sony Pictures, the FBI said North Korea was behind the attack based upon unmasked IP addresses from North Korea and the discovery of malware used in hacks into South Korean television stations and banks in 2013. But some security experts said that data didn't offer enough evidence to trace the attacks back to Pyongyang.
That skepticism remained until the National Security Agency backed up the FBI's claims by reverse engineering some of the malicious software involved in the attack. Rid of King’s College also helped ease concerns, pointing to a mechanism used by North Korean hackers to encrypt the stolen data possibly found by the FBI.
There's no fool-proof method for attribution, said Dragos' Lee, but by collecting more intelligence on hackers, data from similar hacks, and focusing on the broader political context, companies and governments can get better at pinpointing cyberattacks.
"You have a number of intrusions," Mr. Lee said. "You line up those intrusions over long periods of time, and you look for patterns and pieces and key indicators. It’s not like anything’s drastically changed on a technical level."