Who's to blame for that cyberattack? Here's why nobody's really sure

Nation state or script kiddie? Pointing blame after a cyberattack was never easy, but now it's almost impossible.
Written by Zack Whittaker, Contributor

There are two things certain in life -- "death" and "taxes," they say. There's a third, thanks to the security community, and that is "nothing is unhackable."

Look no further than the recent massive cyberattack, which crippled hundreds of thousands of computers in dozens of countries, paralyzing hospitals, car plants, and banks across the world. The WannaCry ransomware attack was by far the most public, international, and wide-scale cyberattack since the US internet outage led by an army of thousands of badly-secured, internet-connected devices.

In both cases, questions remain about who's responsible for these two major attacks. Look a little further back, and many other major hacks and cyberattacks entirely unattributed. Hackers already have a wealth of tools to cover their tracks, and without a body of evidence -- unlike at a crime scene -- it almost impossible to know who was behind an attack.

That's what security researchers call the "attribution problem," which makes it difficult -- if not impossible -- to launch a response, or a retaliatory strike.

And sometimes things can be far from what they first seem.

Case in point: Symantec researchers on Thursday discovered what they thought was a nation-state actor using highly sophisticated malware and techniques typically employed by a government, but was in fact a low-level cyber-criminal, who was just out to make a few bucks. In other words, what could've easily been the Russian government turned out to be a fairly amateur individual.

It was an unusual win for researchers whose efforts to pin blame are "rarely conclusive," said Cristiana Kittner, a senior analyst at cybersecurity firm FireEye.

"Even with copious amounts of data, it is incredibly difficult to find that one smoking gun," she said.

Russian security firm Kaspersky has too noted that the use of open source and readily available tools has in part made detection and attribution "almost impossible."

"Much depends on the attacker's 'opsec' practices if they can be identified based on the used tools and procedures," said Timo Laaksonen, who heads cybersecurity firm F-Secure's Americas business, in an email.

Simply put: If the hacker or attacker is sloppy, it can be easier to pin the blame -- and strike back.

But that all that changed when US spy agency, the National Security Agency, lost control of its hacking tools last year. They were posted online for anyone to use.

Unknown hackers -- nation state or lone wolf hackers -- took those tools and infected thousands of computers with one of the agency's backdoor tools. Then, on a quiet, unassuming day in mid-May, used that backdoor channel to deliver the WannaCry ransomware on infected computers.

By the time the attack hit, Microsoft had already patched the bulk of the exploits that were published, but there's a looming threat that more tools could soon leak -- opening a whole new can of worms as to whether the agency should disclose its entire arsenal of hacking tools to vendors in order to prevent another WannaCry-style situation.

Who was behind one of the most disruptive and lengthy cyberattacks in modern history?


Thought to the be the biggest ransomware attack of its kind, the WannaCry ransomware was only successful thanks to the NSA losing control of its key hacking tools. (Image: file photo)

Some said it was North Korea, which was also officially blamed for the 2014 attack on Sony (even if experts remained divided and skeptical of the seemingly positive attribution), following the studio's release of a controversial movie about the country's young despotic leader, Kim Jong-un.

Security researchers said that the WannaCry code was also used by North Korean hackers, known as the Lazarus Group, and that seemed to be a conclusive link that many blindly accepted.

But a tangential connection isn't proof. Adam Meyers, VP of Intelligence at cybersecurity firm CrowdStrike, which had diligently monitored the attack, said that attribution was still a long way off.

"Analysts have reviewed all of the hard data associated with WannaCry -- they reverse engineered the code, analyzed the linguistics of the ransom notes, reviewed the victimology, and the infrastructure used for command and control -- and none of these things say they are explicitly linked to a specific adversary," he said.

Laaksonen too said that there was nothing to "ever conclusively" pin the nation state to the attack.

It's no wonder the government isn't rushing to conclusions.

When asked about who was behind the attack, Homeland Security adviser Tom Bossert told reporters: "We don't know," admitting that attribution "can be difficult."

The simple reality is that now anyone with nation state hacking tools can launch their own nation state-type attack with relative ease. Without a firm sense of who was behind what, holding those accountable for hacks and cyberattacks is impossible -- or worse, misguided and misdirected against a group or state with no connection whatsoever.

"Attribution might get to a point that we are careless enough to be misled by it. People are quick to jump on conclusions and sometimes it seems attribution is being used for political or marketing purposes," said Laaksonen

"It's no longer a science, it's seems to be a rush to the finish line," he added.

Editorial standards