
False impressions: How fake attribution makes fools of us all

Introduction

In 2018, the world was faced with the Ryuk ransomware strain. The responsibility for this ransomware attack was originally placed squarely in the camp of a state-sponsored North Korean group. However, this turned out to be a false accusation — or rather, a false attribution. Researchers from several security organizations found inconsistencies in the attribution data used to blame state sponsorship by North Korea.

Human beings need fairness and justice. It is primarily why we have developed legal systems the world over. Striving to find the truth of a matter is important: it removes doubt, punishment is correctly targeted and it provides the knowledge to prevent further injustices. 

False attribution can be every bit as important to stop as a false accusation in the world of physical crime. Here, I take a look at what constitutes a false or fake attribution in cybercrime and why it is important to avoid this.

Why is attribution important in cybercrime?

When a cyber-attack happens, security analysts gather data and analyze the evidence of the cybercrime. By doing so, they can understand some of the fingerprints of the cybercriminals behind it. Intelligence data, such as how the cyber-attack was set up, technical details of the execution of the attack, what vectors were used to propagate it and so on, can be gathered and analyzed. 

One of the most important outcomes required from the forensic analysis of a cybercrime event is establishing where the attack originated and who was behind it.

Attribution data can come in many forms, depending on the attack itself. Collecting it is a dedicated and highly skilled task requiring specialist knowledge. The collection of cyber-evidence is done using standard operating procedures; for example, the Scientific Working Group on Digital Evidence (SWGDE) publishes guidelines on the collection of various evidence during forensic (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Susan Morrow. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/UJ5qATK9kqs/