Attribution of Cyber Attacks

  • Klaus-Peter Saalbach
Chapter

Abstract

We define cyber attribution as the allocation of a cyber attack to a certain attacker or a group of attackers in a first step, and the unveiling of the real-world identity of the attacker in a second step. While the methods of attacker allocation have made significant progress in recent years, digital technologies often still do not provide sufficient evidence for the real-world identity of an attacker. The situation is different if attribution is handled as a cyber-physical process, i.e. as a combination of digital forensics with evidence from the physical world. Bits and bytes are not really virtual, but still bound to a physical infrastructure, which opens different ways to detect adversaries. Gaps can also be filled by conventional espionage. The chapter gives an overview of the current methods and practices of cyber attribution with real-world examples.

Copyright information

© Springer Fachmedien Wiesbaden GmbH, ein Teil von Springer Nature 2019

Authors and Affiliations

  1. University Osnabrück, Institute of Social Sciences, Osnabrück, Germany