Attribution in Cyber Attacks is Difficult, But Not Impossible

The recent media attention surrounding Google’s admission that actors originating from China attacked its network highlights an apparent problem plaguing any cyber defense posture. In the aftermath of Google’s announcements commentators and experts alike lamented the difficulty of assigning direct attribution for the attacks to the Chinese military or its government. Conventional wisdom dictates that it is nearly impossible to assign attribution of a cyber attacker. According to this school of thought the open nature of the Internet allows an attacker to spoof their IP address and obfuscate their identity by routing through a series of proxy servers or utilizing a botnet. Further, it is believed that even with the technical capacity to accurately trace the origin of an attack, it is impossible with current technology to know who is at the keyboard executing the attack.

As the attribution problem is central to a number of vexing cyber security predicaments, it is important to study and validate the assumption that attribution is nearly impossible. While it is technically difficult to trace the origin of attack through a confusing maze of proxy servers or infected bots, attribution is not solely dependent on the technology needed to identify an accurate IP address.

A number of other technical and non-technical data points can help identify the source of an attack. For example, if the source of an attack is a bot, investigators can attempt to identify who wrote the bot code and who currently controls the bot. In the summer of 2008 a large botnet was used to launch DDoS attacks against targets in Georgia. While the use of a botnet appeared to complicate the task of identifying those responsible for the attack, a closer examination revealed that the botnet used during the attack was known as “Machbot”. According to Arbor Networks’ Danny McPherson, “Machbot is primarily a Web-based Russian DDOS botnet written in Russian, used by several different groups, but not widely available.” While the identification of the botnet used for the attacks on Georgia does not provide irrefutable proof of Russia’s responsibility for the attacks, it certainly does provide compelling evidence that Russian nationalist hackers and possibly the Russian government were involved in these attacks.

Additionally, analyzing the attacker’s target may help reveal his or her identity. The target of the attack reveals information about the intentions of the attacker and can therefore aid in attribution. Returning to the example of the cyber attacks against Georgia, the corresponding physical conflict between Russian and Georgian troops in South Ossetia led many analysts to suspect that Russian nationalist hackers, possibly at the direction of the Russian Government, were responsible for the DDoS against Georgian websites.

Finally, patient and clever cyber intelligence gathering can reveal a tremendous amount of information about the individuals or entities responsible for an attack. After the presence of the Ghostnet cyber espionage network was revealed by the Citizen Lab at the University of Toronto, Heike and Jumper from the Dark Visitor blog demonstrated that patient cyber intelligence gathering can aid in attribution. Specifically, via clever analysis of whois registration data and patient trolling of Chinese hacker forums, Heike and Jumper were able to identify at least one individual believed to be responsible for the Ghostnet cyber espionage network.
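The whois pivoting mentioned above is, at its core, a matter of finding registration fields that two or more domains have in common and following those links. The script below is an added illustration, not code from this post or from the Dark Visitor researchers: it runs over a handful of constructed whois records (no real domains, names or phone numbers), indexes them by registrant e-mail, phone and name, skips privacy-proxy values that would otherwise link every protected domain together, and groups transitively connected domains with a union-find pass. The field names and the privacy-marker heuristic are assumptions chosen for the example.

```python
from collections import defaultdict

# Constructed sample WHOIS records for illustration only; none of these
# domains, registrant names, addresses or phone numbers are real registrations.
WHOIS_RECORDS = [
    {"domain": "news-update.test", "registrant_name": "Ivan P",
     "registrant_email": "Ivan.P@mail.test", "registrant_phone": "+7.4950000001"},
    {"domain": "info-portal.test", "registrant_name": "I. Petrov",
     "registrant_email": "ivan.p@mail.test", "registrant_phone": "+7.4950000002"},
    {"domain": "update-center.test", "registrant_name": "Alex K",
     "registrant_email": "alex.k@mail.test", "registrant_phone": "+7.4950000002"},
    {"domain": "shop-deals.test", "registrant_name": "REDACTED FOR PRIVACY",
     "registrant_email": "privacy@whois-proxy.test", "registrant_phone": ""},
    {"domain": "unrelated-site.test", "registrant_name": "REDACTED FOR PRIVACY",
     "registrant_email": "privacy@whois-proxy.test", "registrant_phone": ""},
]

# Fields worth pivoting on (assumed names; real WHOIS output varies by registrar).
PIVOT_FIELDS = ("registrant_email", "registrant_phone", "registrant_name")

# Heuristic markers of privacy/proxy registration. Such values are shared by
# thousands of unrelated domains, so pivoting on them would link everything.
PRIVACY_MARKERS = ("privacy", "redacted", "proxy")


def normalize(value):
    """Lower-case and trim a WHOIS field so trivial variations still match."""
    return (value or "").strip().lower()


def is_privacy_value(value):
    """True when a normalized field value looks like a privacy-proxy placeholder."""
    return any(marker in value for marker in PRIVACY_MARKERS)


def build_pivot_index(records, fields=PIVOT_FIELDS):
    """Map each usable (field, value) pair to the set of domains carrying it."""
    index = defaultdict(set)
    for rec in records:
        for field in fields:
            value = normalize(rec.get(field))
            if value and not is_privacy_value(value):
                index[(field, value)].add(rec["domain"])
    return index


def cluster_domains(records):
    """Group domains that are transitively linked by any shared pivot value.

    Union-find: two domains sharing an e-mail land in one set, and a third
    domain sharing a phone number with either of them joins that same set.
    """
    parent = {rec["domain"]: rec["domain"] for rec in records}

    def find(d):
        while parent[d] != d:
            parent[d] = parent[parent[d]]  # path halving keeps lookups short
            d = parent[d]
        return d

    def union(a, b):
        root_a, root_b = find(a), find(b)
        if root_a != root_b:
            parent[root_b] = root_a

    for domains in build_pivot_index(records).values():
        first, *rest = sorted(domains)
        for other in rest:
            union(first, other)

    clusters = defaultdict(list)
    for domain in parent:
        clusters[find(domain)].append(domain)
    return sorted(sorted(members) for members in clusters.values())


def shared_indicators(records, domain_a, domain_b):
    """List the (field, value) pairs two domains have in common, for the analyst's notes."""
    index = build_pivot_index(records)
    return sorted(key for key, domains in index.items()
                  if domain_a in domains and domain_b in domains)


if __name__ == "__main__":
    for cluster in cluster_domains(WHOIS_RECORDS):
        print("linked registrations:", ", ".join(cluster))
    print(shared_indicators(WHOIS_RECORDS, "news-update.test", "info-portal.test"))
```

On the constructed data the first three domains fall into one cluster (two share an e-mail address, two share a phone number), while the two privacy-protected registrations stay separate even though their placeholder values are identical. A shared registrant field is a lead to be corroborated, not proof on its own, which is why `shared_indicators` records exactly which values produced each link.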

In short, it is vitally important to understand that attribution is difficult, but not impossible. There may not be fancy technology that can discover the origination point of an attack and identify the individual at the keyboard. However, through patience and old school detective work it is possible to identify the hackers, criminals, spies, or terrorists responsible for a cyber attack.

4 thoughts on “Attribution in Cyber Attacks is Difficult, But Not Impossible”

  1. Dan L. says:

    Further, should we not hold nations accountable for actions that take place in their cyber domain? Since the vast majority of hacking activities originate in either Russia or China, whether by actions of their governments, their citizens, or due to the poor security posture of systems within these countries (usually related to pirated operating systems that cannot be legally patched), should it not be the responsibility of these nations to police their own internet? If these domains are not kept safe by their own governments so that the rest of the internet can be operated in a secure manner, then should we not be able to take them offline? To use a real world example, if piracy or criminal gangs were operating out of these countries, nations would take actions to either secure a border or protect shipping lanes. The government of the nation from which the illegal actions occurred would be requested to assist, or to allow law enforcement into their country to take action. Therefore, it seems logical that the rest of the world should be asking these nations to police their own cyber domain, and if action is not taken, then the offending IPs should be taken offline, or their domain spaces blocked entirely from traversing our cyber domain.

  2. Ned says:

    Dan, you raise a valid point that has been discussed by others. Many policy makers have advocated holding nations responsible for the cyber activities within their borders, and I tend to agree that this step is a necessary one. However, before we point the finger at other countries we, as a country, need to clean up our own cyber domain. The US is often cited by security vendors as hosting the most compromised servers. Check out the Arbor Networks ATLAS Dashboard at for up-to-date statistics. While the hackers may not be physically based in the US, we’re doing a pretty good job of leaving around unsecured weapons that they can use in their attacks.

  4. Reino says:

    Nigeria is not cleaning up their crime, the rest of the world is. In the same way, you are responsible for what comes into your network. If you start cutting countries out of the Internet, the Internet will lose its value.
