Voodoo Attributions in Cyber Security

The Official Attribution of Network Breaches is Based on Conspiracy Theories

The DNC has not been hacked by the Russian hacking groups Fancy Bear (APT28) or Cozy Bear (APT29) for one simple reason: neither of these groups exists or existed at any time.

APT (Advanced Persistent Threat) was a code name for Chinese Espionage. There were attempts to detect specific groups under the broad umbrella of the APT. Then Mandiant (later acquired by FireEye) attempted to generalize the definition to include putative state-sponsored hacker groups from other countries. But such generalization cannot work. The attribution of cyber-security incidents to state backed sophisticated hacker groups worked only for China because it was a cyber-fortress surrounded by the Great Firewall of China.

But most breaches were not conducted by China or China-based criminals. The cyber-security market is very competitive. CrowdStrike and FireEye (FEYE) started making baseless and unverifiable attribution claims to other countries. In 2014, they invented Fancy Bear (APT28) and Cozy Bear (APT29), and attributed them to Russia, possibly taking advantage of the Russian invasion of Ukraine. These groups were constructed in the same way in which many classic conspiracy theorists construct their villains: multiple unrelated or weakly related individuals or groups are declared to be a single entity. Cherry-picked data is used to support such declarations. When a theory is formulated this way and begins to accumulate a critical mass of proponents and adherents, the theory becomes very hard to disprove because even flatly refuting evidence is re-interpreted by its adherents as confirmatory.

Note that the definition of APT is not a matter of convention. It’s used to assert existence of a group named as an APT, like so-called APT28 or APT29, without proof or evidence of the existence of this group.  Of course, there is a group behind each security breach, but there are different groups behind breaches collectively attributed to a specific APT.  Attempts to determine the properties of a non-existing object is a well-known logical fallacy. In this case, the attribution of network breaches conducted by multiple unrelated groups to a single entity is exacerbated by identifying this Entity with a nation state. Saying that the Entity is backed by a nation state is an attempt to endow the Entity with enormous power. That increases the fees that the attributing companies can charge their clients and allows them to explain any refuting evidence as counter-measures by the adversary.  In the current atmosphere the skeptics are frequently labeled as Russian agents. On social media, skeptics are also called Russian trolls or even bots. The incorrect attribution of cyber incidents to a nation-state also leads to incorrect interpretation of that state actions not related to cyber-security.  I don’t want to elaborate on the consequences of this when the U.S. government relies on this in its relations with foreign nations, especially Russia.

The inability of conspiracy theorists to prove the Entity exists convinces them that it’s powerful enough to avoid detection by ordinary people. Stating that the Russian government is behind APT28 and APT29 is a modern way of saying that. In the Middle Ages, when faced with exculpatory evidence the inquisitors used to say that the accused witches were aided by the Devil. Just like in the Middle Ages, only “experts” from the ranks of the “faithful” are able to detect it and mere mortals have to take their word for it. Of course, the first business of the “experts” is to secure the buy-in and the aid of the government in fighting the Entity and level-headed people (the skeptics).  A historical analogy of the alliance between self-serving “experts” and state is the Inquisition, widely known for witch hunts. The Obama regime launched other witch hunts based on voodoo science. It’s time to end them, to bring the worst culprits to justice, and to recover whatever as many damages as possible.

Of course, the “faithful experts” need to be well paid.  This is why CrowdStrike is currently valued at $2B and FEYE at $3B. Note that the single Entity has a single aim or several compatible aims by definition.  Of course, multiple individual hackers or hacker groups pursue different goals. But for the “faithful” this is only more evidence of the power and sinister motives of the Entity.

When everything else fails conspiracy theory proponents fall back on vagueness and world play. In this case, they mix allegations that the Entity (let’s talk about a single one, APT28) is a unit in an intelligence service of the Russian government with claims that they are “Russians.”  There are hundreds of millions of people who might be called Russians in various contexts, including hundreds of thousands of U.S. citizens whose native language is Russian. But even limiting the definition of Russian citizens living in Russia, there are about 150 million of them. They form hundreds of millions of informal groups and corporations.  There are many private hacker groups among them that are mostly criminal. These groups merge and split, sell or give away to each other malware, network infrastructure elements, and information about exploits. They make transactions with foreign groups as well. Some of them might sell their information to the Russian government. Nevertheless, they are individual groups, not a single entity.

More Voodoo Science Under the Obama Administration

The state-backed faith-based attribution of cyber incidents is not the only example of the Obama regime’s endorsement of voodoo science. Climate cult is another one. There isn’t just analogy here but a large overlap in culprits. James Clapper and John Brennan were very active in endorsing both climate alarmism and the false attribution of cyber incidents. Google has been generously financing climate alarmism from its corporate account, through the Schmidt Family Foundation, and the 11th Hour Foundation.  Google has also been funding CrowdStrike by its investments in 2015, 2107, and 2018. In both cases, Google’s funding was not limited to money. It also served to endorse voodoo science.

Climate alarmists have also invented a conspiracy of “fossil fuels interests” behind climate skeptics. Notice that labeling fossil fuels interests as the antagonist Entity is a more obvious fallacy. It’s similar in that it treats thousands of companies and millions of individuals as a single body, but it’s different because it’s infinitely expandable. It includes mining and drilling companies, then electric utilities (most electric energy in the U.S. is generated from fossil fuels), then large energy consumers, and so on. Climate alarmists also use evidence refuting their conspiracy theory to reinforce it. Climate skeptics have received no substantial funding from “fossil fuels interests” (or anybody else) since 2008. For the government-funded climate alarmists this is proof that money was transferred secretly!  The climate alarmism industry receives hundreds of billions of dollars per year, with some estimating the number to be as high as $1.5T. In both cases, the “faithful experts” claim to have a unique expertise that is possessed only by them. In both cases, they secured the unconstitutional endorsement of their “faith” through the Obama regime, then used this endorsement as a proof of their credibility. In both cases, they didn’t hesitate to use government power to persecute dissenters.

One of the most bizarre medieval practices was accusing and prosecuting people for “weather cooking.” Centuries later, climate alarmism has brought this practice back by replacing witches with “climate deniers.”  This is the official position of California Governor Jerry “Moonbeam” Brown. He also blames climate change for California’s degraded ability to cope with wildfires. The Mueller’s “investigation” predicated on the voodoo attribution of cyber-incidents is a witch hunt not only metaphorically, but literally.

VIPS are wrong, too

The only serious considered alternative to the false narrative of Russian hacking and leaking of the DNC is one from the Veteran Intelligence Professionals for Sanity (VIPS). It is well explained by Patrick Lawrence in The Nation, and followed up. Unfortunately, it contains multiple mistakes, the main one being relying on the last copied timestamp of the files dated by July 5, 2016.  VIPS notice that these times are very close, which indicates the copy speeds higher than network speeds, and concludes that the files were locally copied. The file timestamp is an unreliable indicator because it changes every time a file is copied from one volume to another. Hackers can easily change timestamps using timestomp on Windows or touch in Linux. Finally, the VIPS copy bandwidth estimate works only on the assumption that the files were copied consequently. If they were copied simultaneously or with time overlap, the bandwidth cannot be measured or estimated.

Another mistake is claiming that the NSA would be able to intercept the uploading of the files from the DNC. Even if we assume that NSA monitors all traffic into or from the U.S., the files exfiltrated from the DNC were encrypted and could not be decrypted by NSA even if they were uploaded directly from the DNC office to the VPN server in France.  But there is the Tor network and many ways to upload files past anybody monitoring the non-existing cyber-border of the U.S., even accepting the most paranoid assumptions (“NSA’s known programs are fully capable of capturing all electronic transfers of data”) of some VIPS members. The DNC did not call the FBI in the time of breach, did not allow the FBI to investigate hackers’ activities in vivo, did not allow the FBI to take images of the affected computers, or to even copy firewall logs. They destroyed all of the evidence. CrowdStrike has got plenty of time to select servers (or even a single server), to delete, insert, and change everything it wanted on them. Then CrowdStrike provided “copies” of those servers to the FBI.

The central VIPS assertion that some of the DNC documents were leaked by the DNC insider on July 5 is “plausible,” but not accompanied by evidence. The DNC/DCCC might have been hacked by one or more outsiders and/or exposed by one or more insiders. This is off topic here.

Difficulty of Cyber Attribution, Introduction for Beginners

Cyber security companies have introduced military and intelligence jargon in their field, as well as improperly and excessively used military analogies. We trust attribution of military attacks, such as rocket fire, to states and armed groups. But cyber incidents are entirely different. The cyber-security companies mislead us by abusing military or intelligence jargon. A cyber-security breach by a sophisticated foreign groups can be attributed only in rare cases. In this section, I will compare what data is available for attribution of a military action and compare with what data is available to “attribution” of a network breach.

A Physical World Attack

Let’s consider a short or medium range rocket attack, like the one with which Yemeni rebels struck Saudi Arabia .  A lot of people saw the rocket explosion when it happened. Some might have seen the rocket in flight. There is no doubt that the rocket has been launched from somewhere nearby. The rocket launch and flight were probably observed by radar and confirmed by satellite imagery. So, the launch place is known. Who controls that area is also known — so we know who launched the rocket. The people who launched it belong to either state military or one of the local rebel or terrorist groups. We know who launched it, and why.

An intelligence officer can collect fragments and other remnants of the rocket and determine its caliber and size and find out its type and manufacturer. If there are multiple manufacturers of the same rocket, more careful analysis reveals technology (like forging vs machining), metal composition, and other parameters that determine the exact manufacturer. A fine chemical or radiological analysis combined with an existing database might even yield the mine where iron for the rocket was obtained. This data can be cross-checked with the information of who supplies this group with the weapons, and the match will seal the conclusion.

Faking any of the parameters in order to mislead the analyst would prove to be prohibitively expensive for the attackers. For example, manufacturing a rocket resembling a rocket of another nation might require building a plant like the plant where another nation manufactures its rockets, and would not guarantee success. Launching a rocket from someone else’s territory is possible, but carries obvious risks and is likely to be uncovered.

A Network or Email Breach

Now compare that to a breach of a corporate or governmental network in the U.S. The hacker or hackers might be located anywhere in the world. They might be in the office next to the victim’s office or on the opposite side of the globe. The hackers can connect to the victim network and download documents from anonymous networks or hijacked computers in any part of the world with good connectivity, including in the U.S.

Unlike a rocket launch, a network breach tells very little about the hackers who committed it. Even hackers’ intentions are widely open to speculation. It might be somebody practicing or demonstrating his hacking skills, a criminal group intent to steal valuable information from the victim to sell to the highest bidder, or a real state actor.

The hackers have choice of malware that’s frequently downloadable from the internet, and breach methods catalogued by cyber-security firms.  Hackers also develop their own tools. They don’t need to hire outside developers. Contrary to the marketing announcements of the cyber-security firms, the cost of developing malware and infrastructure for a successful breach is low.  Once the malware and the infrastructure are in place the incremental cost of each new breach attempt is very low. That allows a sophisticated hacker’s group to hide the real intrusion target among multiple decoys.

A hacker can “work” from anywhere in the world, from a Ukrainian village to Bahamas beaches, unknown even to its neighbors.  The location where the hacker develops malware cannot be established from the malware – unless the hacker wants the victim to suspect a certain location. No comparison to a rocket manufacturing plant!  Even a solo hacker can obtain sophisticated malware, reverse-engineer, and use it against a high value victim. A determined group of hackers can easily emulate behavior of other known actors, intentionally causing a false attribution. Thus, a sophisticated hacker leaves very few identifiable traces, and they are more likely to lead away from him then towards him.

“Indicators”

Most breaches attributed to Fancy Bear are committed by different criminal groups. The same is true for Cozy Bear.  Explanation of coincidences:

  • Overlap of IP ranges and/or name resolution servers is made more probable by the fact that the criminals use a relatively small number of service providers, providing fully anonymous service and good connectivity to the U.S., and asking no questions.
  • The same domain, like google-setting.com, can be used consecutively or even simultaneously by different crime groups. They don’t need to register ownership change with a registrar – simply transferring the username and the password suffices.
  • A person in whose name the domain is registered might not exist, might have identity used without his knowledge, or might do domains registration for multiple shady organizations.
  • Hacker groups share and open source malware with intent to hide their activities among activities of other groups using the same. Malware released “to the wild” is frequently reverse engineered and modified by groups other than the original developer. Some cyber-security companies, including CrowdStrike, used to aid criminal and foreign state sponsored hackers to obtain and reverse engineer malware.
  • The criminal hacker groups might have vertical work distribution. Writing or reverse engineering malware, preparing the infrastructure, infiltrating the network, and exploiting that by copying documents might be done by different people.
  • Dates of actual intrusion are driven by the existence of zero-day exploits (vulnerabilities) in browsers, Windows, and other software. Software updates is usually automatically delivered to users within a short period of time, and multiple hackers are likely to discover exploits in the same time. Even one hacker can share a finding with multiple unrelated hacker groups. Thus, multiple hacker groups are likely to attempt breaches against multiple organizations in the same time. Security researchers tend to see such event-driven activity as an attack by a single entity.
  • As Jaap Titulaer commented on ClimateAudit.org: “When we see lots of malicious sites using the same name servers and registered via the same companies, that says more about the nefarious nature of those ISPs and registration companies than about whether all those criminal operations are related.“
  • One of the most moronic types of “evidence” of the Russian government being behind an alleged hacker group is that the associated malware/infrastructure has been used to attack targets in Russia! In fact, this is evidence of the opposite — if the alleged group exists, it is not the Russian government. The Russian government does not need to go online to spy on its citizens and their businesses. And if it wants to do that online, it can spoof almost any domain (what is called “DNS poisoning”) and a matching security certificate. Nobody capable of defending against such an attack would fall for the google-setting.com or other simple trick. When”cyber-security” companies classify the Russian targets, they separately specify “dissident journalists.” What does this term mean in today’s Russia, and how do they know which journalists are “dissident?” They don’t. They just make things up as they go.

This said, any factoid confirming the desired attribution is alleged to be evidence by the interested parties. See my article Dangerous Pseudo-Science in Cyber Security in WUWT for debunking certain indicators, improperly used in the attribution of the DNC leaks.

Cyber-security companies making dubious attribution claims are notorious for repeating the each other’s conclusions instead of performing independent analyses, and for working only with the data, which confirms their opinion (confirmation bias and data cherry-picking their data). Thus, the opinions of multiple cyber-security companies are not independent, but rather echos of one opinion. And that original opinion is likely to have been made haphazardly and under the influence of disincentives to find the truth.

Frequently, cyber-security companies make attributions and other claims with “medium confidence,” and MSM usually loses this caveat in its reporting. Unfortunately, these companies borrow the definition of “medium confidence” from the intelligence jargon. When used outside of the intelligence context, this definition means that the conclusion is plausible, not even likely. A claim associated with 1% probability is still plausible. So, MSM viewers and readers are left with the impression that the attribution was made by independent experts with confidence, when the media has barely squeezed statements of uncertain approval from self serving special interests.

Alleged detection and attribution of all of the currently active “threat groups” sponsored by other nations, including China is also unreliable and untrustworthy.

Hacking and National Security

We should not connect critical infrastructure to the internet. We should not rely on the internet, as it is now, for critical tasks. It’s almost impossible to distinguish between a hacking done by a capable nation state and a hacking done by a criminal group. We shouldn’t retaliate against other nations for suspected hacking. The federal government must implement good security practices on its networks and should encourage good security practices by citizens and the private sector.  The current security practices are not enough for government agencies and their contractors dealing with classified documents. We might consider building a firewall that protects the U.S. internet from threats from the rest of the world.

We should not threaten other nations with military retaliation for future hacking because it’s similar to the practices of some Amazonian tribes (see Napoleon A. Chagnon, The Yanomamo) that declare wars on the grounds of suspicions of witchcraft, not traditions of American foreign policy.

Etc
  • Generally, absence of evidence is not evidence of absence. But after a long, thorough, and well-motivated search for evidence, the absence of evidence is evidence of absence. Mueller’s indictment of twelve Russian names shows no evidence that the individuals bearing these names and other descriptive characteristics from the indictment even exist. Russia is unlikely to even confirm or deny their existence, and Mueller knows that well. In this situation, absence of evidence becomes persuasive evidence of absence – absence of APT28 and APT29, absence of hacking of the DNC, DCC, and HRC by Russia, absence of Russian meddling in the 2016 election, and, of course, absence of a Trump-Putin collusion in such meddling.
  • CrowdStrike even used medieval terminology alluding to its efforts to remediate the DNC breach. It referred to its efforts as “expelling the intruder,” as if it was talking about an act of exorcism. Apparently, this narrative went down well with the DNC crowd.
  • By the way, FireEye, CrowdStrike, and other makers of dubious attributions work all over the world, including Russia. That further decreases their already dubious value for U.S. security and intelligence.