Cyberwar: About Attribution (identifying your attacker)

Summary:  Identifying the attacker is the key to modern military defense, so one can launch a reprisal or counter-strike.  But attributing cyberattacks is difficult because nothing in cyberspace has to look like anything familiar. How do you attribute a weapon that was created out of thin air and used by an enemy that has no physical location?  Links to other chapters of this series are at the end.




  1. Cyberspace, Novel Weapons, and Location Independence
  2.  Technology, Language, Culture, and Cui Bono
  3.  A Model For Attribution
  4. About the author
  5. For more information

(1)  Cyberspace, Novel Weapons, Location Independence

Cyberspace does have some unique attributes which are not mirrored in the real world. Such as the nonexistence of “territory”.  There is no “there” there.  Some of the things we are accustomed to taking into account in warfare are missing:  hostile forces do not need an ‘assembly zone’ that can be detected and watched. Nor do they have to cross ground — where they leave traces of the type that we’re used to dealing with.

Imagine if a hostile power was going to insert a cover operations team into a target area and wanted to be stealthy enough to achieve plausible deniability. In the past troops could be outfitted with uniforms that had been carefully scrubbed of clues to their origin, “sanitized” weapons, etc. Providing such kit was expensive and exacting work. Inserting them into a target, nowadays, would entail avoiding the ubiquitous video-surveillance cameras, providing false identities under which to travel, laundering funds for the operators, and then having an equally carefully scrubbed extraction plan.

In the real world, this kind of thing is expensive and complex. In cyberspace it is relatively easy and practically free. There are some caveats about the “easy and free” claim, depending on the quality of the defenses that are being attacked but — as we’ve been assured over and over again by our government’s own technical experts — our defenses, to put it bluntly, suck.



To imagine what mounting a covert operation via cyberspace is like, pretend that you can not only create your special operations team out of thin air, with no history or distinguishing features, you can create as many of them as you want and they don’t even have to be recognizable as anything anyone has seen before. They can be a completely different size, shape, and color from anything that the target would expect to see — and their weapons likewise.

Since the weapons and the special operations team are unique and novel, nobody on the receiving end would be able to say “they were wearing French paratrooper’s boots and carrying AK-47s” or anything useful like that.

To extend the analogy further while keeping things accurate: the target might have surveillance cameras that successfully recorded the assault team and, upon review, all they show is a large pink badger teleporting in and throwing cartoonish custard pies then evaporating.  Oh, and the badger didn’t leave footprints. Or, if the badger did leave footprints you’re left with the certain knowledge that whoever designed it wanted it to leave footprints or else they wouldn’t have gone to the effort to make it leave footprints.

This is all relevant because, the media embarrass themselves whenever they try to tackle attribution of cyberattacks. The FBI or CIA say “it came from an IP address in China” to which anyone who understands cybersecurity can only respond “so does approximately 1/2 of all the traffic on the planet!”  If an attacker wanted to arrange it so that their attack came from a Chinese IP address block, it would take about 10 minutes to set that up. Or, would you prefer it to come from Luxembourg? Also 10 minutes. To give you an idea: in 1997 I was involved with backtracking an attacker who was physically in the UK, but was laundering his connection through a server in Amsterdam that gave him access to a university computer in the US, from which he was dialing into a corporate system and then attacking another corporation through the first’s firewall. If the IP addresses were how the attack were attributed, it would have looked like a major investment bank was attacking a web hosting firm. Backtracking and attributing the attack required a month of work from several high-level experts and – most importantly – two glaring errors on the part of the hacker.

A professional intelligence officer with hacking experts at their disposal and time to set up a covert operation could, literally, make it look like it came from anywhere, with the investment of a relatively small increment of work. When it comes to cyberweaponry, everything you think you know has to be thrown out the window, every time, so your investigation has to start at square one. You’re not just in a wilderness of mirrors; you’re in a wilderness that is made entirely out of mirror.

(2)  Technology, Language,  Culture and Cui Bono

What could we plausibly use to attribute cyberattacks? The first axis is the most fragile, namely technology. As I wrote earlier regarding Stuxnet, the AURORA attack scenario appears to have been first published by US researchers at Idaho National Labs. But in the 3 years between the AURORA publications and the release of Stuxnet, it is plausible that some group of hobbyists decided to weaponize AURORA. Plausible, but only barely so, because another crucial clue that Stuxnet’s author(s) had uncommonly available information was that Stuxnet appeared to encode insider knowledge about the Iranian’s gas centrifuge cascade.

We can start to make an assessment about ‘who may have written Stuxnet?’ based on the possible sources of all the technical elements of the attack but in a very real sense, Stuxnet was so single-target that it would be relatively easy to try to attribute technically, compared to a more generic piece of malware. For example, a crafted E-mail message with a Microsoft Word document containing an exploit that installs a common-or-garden piece of malware like the Zeus trojan: that would be nearly impossible to attribute because Word is a big target and Zeus is widely available. I could have a copy in under an hour for $700  if I wanted it — whether I was American, Chinese, or Luxembourgeois.

Another possible way of attributing an attack would be looking for language or cultural clues. Both of these clues are also relatively weak. In the example above, if I were a Luxembourgeois cyberwarfare commando using a purchased copy of Zeus, if the target attempted to decode my malware to look for clues, they’d discover that there was nothing useful. I suppose my initial MS-Word document might have been written in poor English and the target might try to infer my nationality, but how accurate would that be?

A honeypot consists in an environment where vulnerabilities have been deliberately introduced in order to observe intrusions. See here for details.

Ditto cultural attribution: I recall an incident in which a honeypot research team (were monitoring the activities of a hacker group and their exchanges were primarily using an IRC server with conversations in Romanian. The server, BTW, was in Pakistan. Hacking culture is very cosmopolitan, though admittedly the attacker’s use of language for internal communications could be a giveaway. I saw one hacker who was penetrating systems who made copies of data using names like “carduricredit.txt” – perhaps a real Romanian. If I were hacking systems, I’d be using “thẻngânhàng.txt” thanks to Google translate. In other words, the only plausible way to attribute origin by language and culture is if you’re able to get very deep inside the attacker’s command-and-control, assuming the attack is happening in real-time.

That leaves “who benefits?” but, again, that’s not a very solid chain of attribution, either. To take Stuxnet, again, as an example – Iran might plausibly point to the US or Israel but the evidence is pretty circumstantial. It would be fascinating, indeed, to see a lawsuit happen over something like this – whenever I hear the FBI say that “Chinese cyberattacks are stealing data…” I find myself daydreaming a bit about how it would play itself out in court.  “Well, that’s where their IP address was…” – wow,  I’d enjoy being a testifying expert on the other side of that case! In cases of intellectual property theft, the legal proceedings are usually pretty drawn-out and the plaintiff only wins if there’s external supporting evidence, such as copies of the stolen data in the defendant’s custody. Again, these are the kind of gifts that you only get if your attacker is very, very sloppy – or someone is trying to frame them.

(3)  A Model For Attribution

I, for one, am thoroughly sick of hearing the US’ senior law enforcement agency — which, presumably understands how standards of evidence work and that you don’t go making accusations unless you can back them up — making empty accusations about other nations’ activities. Pointing and yelling isn’t how to do attribution and the FBI and CIA can be expected to know that.

What might a mature cyberwar attribution process look like? I imagine it would look a bit like the investigation of the sinking of the ROKS Cheonan (see Wikipedia). Briefly, a South Korean naval vessel sank following an explosion; foul play was suspected. Immediate analysis did nothing to dispel those suspicions, and the ship was recovered. An assessment team consisting of experts from several countries (South Korea, the US, Sweden) performed a detailed investigation and presented a report that attributed the attack to a North Korean-made torpedo — presumably fired from a submarine of similar origin. The report, of course, was contested by North Korea and, ultimately, we should state that “opinions are divided” (but not evenly divided) on who was responsible, but there is no question of it being an accident.

What’s important about the attribution process following the Cheonan’s sinking is that it was evidence-based and included experts from multiple parties. Furthermore, it had a built-in mechanism whereby if the analysts producing the report did not agree completely, they could air that disagreement. This is a great example of how to do it right, and how major accusations of cyberwarfare should be approached.

Depending on the target, the type of damage, and the expression of the attack, a cyberattack might be either an act of war or, more likely, state-sponsored terrorism. International law already covers these adequately, and dictates the legal limits of a state’s response. If cyberspace continues to become militarized, we will eventually have an incident leading to serious damage and loss of life.  Until that time we need to be encouraging our law enforcement and intelligence agencies to prepare to present the highest possible standard of evidence at all times, and to treat computer intrusions as crimes, first and foremost, to be investigated and prosecuted procedurally.

Unless and until they do, we should not be expected to act based on “he said/she said” assertions. Important decisions must be made on the basis of fact and evidence, not demands like “trust us, it’s the Chinese” which would leave us open to retort from Iran, “trust us, Stuxnet came from the US.”

(4)  About the author, including links to other posts in this series

See the About the Authors page for information about Marcus J. Ranum

Other publications by Ranum:

The series Cyberwar: a Whole New Quagmire, by Marcus J. Ranum:

  1. The Pentagon Cyberstrategy, 2 September 2011
  2. “Do as I say, not as I do” shall be the whole of the law, 11 September 2011
  3. Conflating Threats, 14 September 2011
  4. About Stuxnet‏, the next generation of warfare?, 29 September 2011
  5. When the Drones Come To Roost, 8 October 2011
  6. About Attribution (identifying your attacker), 21 October 2011

(5)  For More Information

See the Wikipedia entry for more information about forensic science.

See all posts about Cyber-espionage and Cyber-war.




8 thoughts on “Cyberwar: About Attribution (identifying your attacker)

    1. See “Son of Stuxnet?“, Blake Hounshell, Foreign Policy 19 October 2011.

      This was the big debate, among the general public. Even if only a State had the resources to build stuxnet, could regular software engineers build the mark II version? We might soon have the answer, if some Mark II variant shuts down something important. Loks of industrial sites have enemies. Animal rights groups, greens, anarchists (still powerful in Italy), etc.


    2. I think it’s important to point out that regular software engineers could produce a Stuxnet. In many ways Stuxnet is much less sophisticated malware than Zeus or some of the transaction-intercepting commercial malware being used to hijack funds transfers, today.

      What was sophisticated about Stuxnet and was significant evidence that the authors had uncommon information was that Stuxnet appeared to be designed with knowledge of the specific gas-centrifuge cascades that were being used at Natanz. While any experienced system programmer can eventually turn out pretty workable malware (and a good systems programmer can quickly turn out pretty impressive stuff indeed) most programmers don’t have a specific type of centrifuge to test against, nor do they know how many centrifuge programmable logic controllers to attempt to manipulate in a given centrifuge cascade.

      Let me try an analogy: if someone breaks into your house by throwing a brick through the window, that’s one thing. If someone breaks into your house, bypasses your security system, and immediately goes directy to your wall-safe that’s hidden behind your fireplace – then they had inside knowledge. In the case of Stuxnet it’s the attackers’ understanding of the target’s layout that’s the interesting fact, not the actual code of the malware. Whoever did it knew a lot about that one target, and that knowledge was not anything close to common.


  1. It may be a precursor, it may be a successor, or it may be a different line of evolution entirely. The latter I would assess as least likely.

    It may be a red herring designed to point away from its real source.

    There’s a decent chance that futher analysis will turn up more. For example, people who collect network data are now (no doubt) rummaging frantically through archives to see if they have collected copies of the malware, so they can match the collection date to a time-line. This is a ‘basic’ forensic process and will proceed along multiple avenues of investigation; we simply don’t know enough yet at this time to speculate. We can be sure, however, that now that the pitbulls have their fangs sunk into this thing, more will be revealed over time.


  2. Marcus Ranum remarks: I, for one, am thoroughly sick of hearing the US’ senior law enforcement agency — which, presumably understands how standards of evidence work and that you don’t go making accusations unless you can back them up — making empty accusations about other nations’ activities.

    This appears to be the entire purpose of the ginned-up phony cyberwar scare. As with the bogus and thoroughly incredible Iran assassination plot, the current cyberwar scare appears to serve as a pretext for yet more military action in yet another third-world hellhole, resulting in yet another endless unwinnable war which will eventually be declared a ‘magnificent American victory’ when the U.S. military retreats in ignominy in antoher 10 or 15 years after having accomplished nothing of geopolitcal significance.

    And the essential reason for constant American military interventions in third-world hellholes is, of course, that American society and the U.S. economy has now become so thoroughly militarized by an all-embracing military-police-terror-surveillance complex that the 1950s policy of Miltary Keynesianism has morphed into Garrison State America, in which war has become the health of the state. So many U.S. jobs (more than 3 million directly, and many more than indirectly by means of military contractors) and so much of the U.S. budget (1.2 trillion dollars per year, roughly 9% of American GDP) is tied up with the military that the Pentagon E-ring must now embark on constant military interventions around the world…lest the America populace and our putative rulers begin to suspect that our gigantic military and its attendant anti-terror-surveillance-police network is no longer necessary (especially after the Cold War).

    Many Americans seem to operate under the foolishly mistaken notion that foreign policy and budget priorities are made by congress and the White House and the State Department. Not so. In 2011, foreign policy is made by nameless colonels in the Pentagon E-Ring, and the annual U.S. budget is set by competing politics within the Pentagon. After 9/11, only such pittance of budgetary scraps as remain after the U.S. military’s internal competing factions have finished fighting over budget priorities can be spent on U.S. social services or American infrastructure.

    America’s decision to bomb Libya seems baffling, until we recognize that the U.S. Air Force currently faces a threat to its budget in the form of a massive shift from human-piloted aircraft (expensive) to unpiloted armed UAVs (cheap). So the USAF must demonstrate that it still has a vital role to play, and therefore we see a spate of American aerial bombardments by piloted planes around the world. Likewise, the U.S. Navy now faces the total obsolescence of its aircraft carriers courtesy of supersonic Skhvaal-class torpedoes and pop-up radar-stealthed missiles. So we can expect large deployments of U.S. carrier groups in the near future in order to demonstrate the allegedly strategic crucial importance of U.S. naval carrier strike groups, and the consequent supposed need for continued navy budgets to support such white elephants.

    The current cyberwar scare undoubtedly represents the public face of some deep budgetary struggle hidden within the Pentagon E-ring. Perhaps the increasingly computerized USAF drone forces are battling the increasingly networked U.S. army for money for more computers, and the cyberway scare is a riposte by the army intended to discredit the Air Force; or perhaps the Marine Corps, faced with suggestions that it has become entirely obsolete, must now demonstrate their alleged utility by offering to track down the supposed author of these deadly pieces of malware and bring him to justice, the better to analyze its interal code.

    The current convulsions involving proposed cuts to Social Security and Medicare and the kabuki theater of the so-called “supercommittee” certainly represent the public face of the colossal budget struggles within the Pentagon. Each faction of the U.S. military fights with the others to demand the various basic American social services and infrastructure components (highway repair, social security payments, aid to dependent children, and so on) gets cut in order to assure limitless increase of the U.S. military budget. The cyberwar scare undoubtedly gives us an example of the same kinds of internal Pentagon struggles on a smaller scale.


    1. In general, I agree with what you said. The only quibble I’d make is that, from the perspective of the security ‘cyberwar’ industry, struggles like Air Force -vs- Marines for budget are less significant than the struggles within the intelligence community. There has been considerable maneuvering to see which agency/branch will get to carry the cyberwar football. The key players are DoJ (in the form of FBI) DoD (in the form of NSA) CIA and the anti-fear bureaucracy (in the form of DHS). None of them, of course, will actually do anything once they claim control – they’ll contract it all out to the beltway bandits that are standing by. End result is the same – the public coffers keep getting dumped into the bottom line of the big corporate allies of The Pentagon.


  3. “Refugees are individuals or groups of people in grave danger because their home government is either unwilling or unable to protect them.”


Leave a comment & share your thoughts...

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s