Thursday, January 08, 2015

Incentives for Breaking Operational Security?

Thanks Adam Segal for posting a link to a fascinating Wall Street Journal piece titled Sony Hackers May Have Left Deliberate Clues, Expert Says. From the story by Jeyup S. Kwaak:

Apparent slip-ups by the hackers of Sony Pictures that have helped convince U.S. investigators the hackers are North Koreans have a precedent, and may even have been deliberate to win domestic kudos, according to a top cybersecurity expert and former senior North Korean official.

The head of a group of hacking experts that have analyzed previous suspected North Korean cyberattacks on South Korea said a record of a North Korean Internet address was also left in a 2013 attack on Seoul because a detour through Chinese servers was briefly suspended, exposing the origin of the incursion...

Choi Sang-myung, who is also an adviser to Seoul’s cyberwarfare command, said... [w]hile it was impossible to prove whether the hackers left evidence by mistake or on purpose, that they didn’t fully cover their tracks could mean North Koreans wanted to be known...

That theory is supported by Jang Jin-sung, a former official in North Korea’s propaganda unit, who says North Korean hackers likely have an incentive to leave some evidence because officials often secure promotions after a successful attack against enemies.

“People fiercely compete to prove their loyalty” after an order is given, he said. “They must leave proof that they did it.”

These are fascinating comments, from people who understand the DPRK hacking scene better than critics of the FBI attribution statements.

This theory shows DPRK intruders may have incentives for breaking operational security ("OPSEC" or "opsec"), and that they were not just "sloppy" as mentioned by FBI Director Comey yesterday.

In the 2013 Mandiant APT1 report I suggested the following language be used:

These actors have made poor operational choices, facilitating our research and allowing us to track their activities.

In the case of Chinese PLA Unit 61398, I think the OPSEC failures were unintentional. Others theorized differently, but the Chinese have fewer incentives to reveal themselves. They want information, above any other consideration. They would rather not have victims know who is stealing their trade secrets, commercial data, and sensitive information.

Intrusions into critical infrastructure, confirmed in an open hearing in November 2014 by NSA Director Mike Rogers, might be a different case. If a nation state is trying to signal power to an adversary, it will want the adversary to know the perpetrator.

In the case of the DPRK intrusions, North and South Korean sources explain that DPRK hackers have tangible incentives to reveal their identities. Apparently hacking for the government is one ticket to a marginally better life in North Korea, as reported by Newsweek.

All of this demonstrates that technical indicators are but one element of attribution. The personal incentives facing the individual intrusion operators, not just national ones, should be part of the attribution equation too.

Remember to read Attributing Cyber Attacks by my KCL professor Thomas Rid, and fellow PhD student Ben Buchanan, for the best modern report available on attribution issues.


Update: Thanks to Steven Andres for pointing out a link mistake.


Unknown said...

Another interesting (to me) possibility is that of nation-state actors working with or infiltrating hacktivist groups, resulting in a hybrid threat. The scenario I'm envisioning is 1-2 HUMINT types infiltrating a hacktivist group and enlisting their support to attack a given target. They could provide targeting information and let the hacktivist groups do the technical heavy lifting. If this type of scenario hasn't happened yet, I doubt it will be long before it does.

Anonymous said...

It may be spelled profiling, but it is pronounced guessing. Study after study has thoroughly discredited the practice as something that says way more about the profiler's confirmation bias than it does about the supposed perpetrator. Looking at your argument you basically are saying "Assuming that it was North Korea, and assuming they intentionally exposed their IP address" and then muse on a handful of guesses why they might have done so.

There are a whole lot of assumptions in that, and that shows the confirmation bias involved. I could just as easily say "assuming it wasn't North Korea, and assuming they had the capability to relay email through that IP address" and make a bunch of guesses why they would, and it would be JUST as valid an argument (i.e. a pretty weak one - so feel free to point that out to those making it).

There is some credibility in hypothesizing a motive and then looking for evidence to support it (maybe so and so was killed for money - hey, look at this massive money transfer). However, going the opposite way, "Here is evidence, now let's guess at an explanation," is pretty shaky. One of those approaches is scientific, with a process of validation, and the other is without robust methodology, without validation.

None of this says North Korea did or didn't do it, but rather that the FBI is doing a crappy job publicly making the case, and its defenders aren't doing any better a job. It impacts credibility quite a bit.