Attribution of data breaches and hacks is no simple matter. It has turned the hacking and publication of personal data belonging to German politicians and celebrities into an embarrassing farce for many in the security industry. In the rush to attribute blame, many ignored the need to do the simplest of fact checks.
When the story first broke, like many journalists, my inbox was full of comment from dozens of different cyber security company spokespeople. Common to most of them were words like nation-state, Russia, China, APT, zero-day and political interference.
There was also a majority who believed the scale of the attack pointed to a hacking group and most likely a state-sponsored actor. Underpinning this view was the difficulty of taking down the data once it had been published across many locations. Many felt that the work involved could not have been completed by a single individual.
What do we know about the real attacker?
Not a lot as it happens. Aged 20, he is still in education and lives with his parents somewhere in the state of Hesse. Using the Twitter name @_0rbit he also called himself G0d. He is far from a seasoned and experienced hacker. Instead, it appears he was hacked [sic] off with the establishment and saw this as a way to make his point. In addition, he claims that he has an interest in security research. It may just be that his motive was as much about getting noticed as anything else.
As part of his cooperation he has provided the German police with extensive detail about the attack. This included evidence that the police admit they might not have located without his help. They have now seized his computers and are in the process of examining them for further information.
What will embarrass and worry a lot of security professionals is that the claims that this was a highly skilled hacker are patently wrong. It will embarrass them because he admits to learning his skills off the Internet in the last year. This included how to exploit vulnerabilities in software. It will worry them because it shows just how easy it is becoming for people with no background in the field to turn to hacking.
A lesson in how not to do attribution
What is important about this whole debacle is the speed with which everyone wanted to provide attribution. At a briefing with Carbon Black last year I asked how easy attribution was. The response was that it is very difficult and most attribution is little more than an informed guess.
One comment I received about this breach even opened with the line: “While actor attribution is notoriously difficult.” It still, however, went on to name the Russian APT Turla as the likely suspect in this case. There was no clear evidence for the statement. No smoking gun, no code, no IP addresses, not even a digital fingerprint that tied back to a known hacking group.
It seems that what most people were hanging their hat on was the fact that the German AfD Party was not included in the hack. They reasoned, presumably in their own echo chamber, that this had to be an attempt to destabilise the German government.
There is another issue here. Cyber security companies are generally keen to get mentioned in the press. As soon as there is an incident, the public relations teams want a quote that they can send to journalists. Most journalists ignore the vast number of these emails and rely on those they have a long-term relationship with. That race to generate a quote undoubtedly added to the pressure to attribute the attack rather than to sound a note of caution.
Enterprise Times: What does this mean?
There have been several incidents over the last year where young and inexperienced security researchers have carried out attacks in order to get noticed. Whether you agree or disagree with them, it is likely we are going to see more of this.
A lot has been made of the shortage of security professionals and the amount of money that can be made by security researchers and white hat hackers. There has been an increase in the number and even the size of bug bounties as organisations seek help in securing their products. The problem for many researchers is that those bounties are hard to win. There are often a lot of strings attached, and those that attract a decent sum are being chased by a lot of people.
What will happen to this individual has yet to be determined. They may, like some before them, be able to leverage this notoriety to get a job. Alternatively, as we’ve seen in the last year, they could just as easily become persona non grata and marginalised.
For security companies and their PR agencies, it would be nice to think that this is a wake-up call. Rather than chase ambulances and offer “best guesses” as to the cause and the perpetrators, perhaps the next breach will mean waiting for more information and delivering better informed comment. The reality is that for many this will change nothing. Pointing fingers, getting coverage and eventually being wrong is seen as far more important than waiting for the facts and getting no coverage.