Will the Real Malware Culprit Please Stand Up?

The trouble with attribution

During the 2018 Winter Olympics in South Korea, there was an attack on various computer and network systems. It all occurred before the opening ceremony, and it affected services like ski lifts, the Olympics website, Wi-Fi networks, and the display boards used to inform athletes and guests. Malicious software (malware) named Olympic Destroyer affected several hundred computer systems. That’s certainly an ominous name for something that may not have been so destructive on the global information security scale.


So, what is the big deal? According to malware researchers at Kaspersky Lab, a well-known research and anti-malware company in Russia, Olympic Destroyer was one of the first pieces of malware to plant false information in its own code specifically to obscure its origin. It was originally believed to have originated from North Korea. Now, with new information, the finger points to a group in Russia. Is the story over? Can we ever learn exactly where this came from? That is the crux of this story.

Attribution, or linking an attack to whoever is responsible, is a big deal in security. It’s also a big deal in law enforcement and in parenting. Let’s use a cookie jar analogy. A cookie jar has clearly been breached. The lid is loose and crumbs lead to a nearby child. Oh, and this innocent-looking child has chocolate chip smudges on their face. It’s fairly obvious who is responsible, right?


Attribution and Security

The anonymity and global reach of the internet, along with some very clever hackers, make attribution far less obvious than the cookie jar case. Researchers rely on several methods to determine attribution. They break the malware down to its code, the raw instructions that tell it what to do; reverse engineering, essentially. There will be certain “fingerprints” in the code, such as how it is written, how it is compiled, how it moves, and other patterns. These fingerprints are matched against known samples from past attacks to find the culprit.

At first glance, it seemed that Olympic Destroyer matched perfectly with a North Korean group dubbed Lazarus. Yet Kaspersky Lab dug a little deeper and found some inconsistencies. They learned that the portions of code which matched earlier samples didn’t perform any functions. This code was placed there specifically to mislead.


Framed

It turns out the original attackers had framed someone else. It was convincing, and it’s a big deal because the deception worked: the security community and the public believed it. I often notice that a breaking news story is all it takes to set our minds on a conclusion. Then, when the details trickle out, it’s confusing or difficult for us to see the truth.

The criminal and psychological issues certainly exist; attacking computer systems is illegal. There is also another dangerous twist to this: incorrect attribution can lead to some uncomfortable political issues as well, especially if blame is placed on a nation like North Korea, which already has trouble making friends.


Don’t jump the gun, let’s take this slow

We should applaud Kaspersky for continuing the research effort after releasing the initial results, rather than calling it a closed case. As we often see in the general stream of news, those initial reports are often not the whole story. We should also realize that this is a trend that will probably increase in the future.