19 and 20 December 2018 will likely blend into the overall insanity of the entire year, especially when considered from a US/UK political perspective. Yet these dates, aside from being consecutive, also featured an interesting juxtaposition in the world of cybersecurity threat intelligence. On 19 December 2018, the company Area1 Security, in conjunction with the New York Times (NYT), released a report blaming the People’s Republic of China (PRC) for intrusions into European Union diplomatic communication networks, to much derision and criticism. The next day, the US Department of Justice (DoJ) released an indictment against two named PRC individuals, working for a contractor tied to the PRC Ministry of State Security (MSS), for intellectual property (IP) theft intrusions going back more than a decade, largely without significant criticism. From this cursory, very limited view, the two may appear very similar, yet they produced dramatically different reactions within the cybersecurity community in general and the threat intelligence community specifically. The question, of course, is just why these received different receptions, and what we might learn from this.

First, to adequately address the question, we must consider the underlying reports. Area1’s report, and the NYT article it spawned, was built on the release of private, sensitive information recovered during Area1’s investigation of phishing activity which, based on their own report, does not appear to have been related to a client engagement. The report, and especially the NYT story, then used data exfiltrated from victims to flesh out the case, with very little effort made to redact substance or details. In fact, before Area1 altered its published report between 19 and 20 December 2018, one could recover the ‘redacted’ elements simply by copying the text: the underlying text remained in the document and was merely obscured by overlaid rectangles, which is not redaction at all. But even this slipshod effort at victim masking failed, considering both the depth of NYT reporting on the contents of diplomatic cables (shared without any clear reservation by Area1) and the level of detail concerning victim environments (domain names, internal IP address schema, etc.) left in plain sight in the original publication. All of this combined communicates a level of disinterest in the campaign’s victims, an impression furthered by intemperate and unprofessional social media postings.

The above merely examines the method and manner in which Area1 communicated its findings, without considering their substance. On that front, Area1’s report features several assertions worth exploring, none more so than “The campaign was directed by the Chinese government and specifically undertaken by the Strategic Support Force (SSF) of the People’s Liberation Army (PLA).” While evidence presented in the report can support such an attribution to some degree, presenting it as an unalloyed fact, without hesitation, is odd, and within the realm of threat intelligence work (with its emphasis on stating confidence in an uncertain environment) unprofessional. Specifically, the released evidence for this claim rests upon a dynamic DNS domain, a malware family used by multiple state-sponsored and criminal adversaries across multiple intrusions, and possibly some unspecified intuition or other unshared details which must be accepted without examination. Neither a dynamic DNS domain nor a widely shared malware family is unique to a single actor, so neither can carry an attribution to a specific military unit on its own. Given the gravity of the accusation and its potential repercussions, this lack of effort beyond some unredacted system commands is unsatisfying, especially when compared to past attribution efforts such as the APT1 report or the Operation Blockbuster paper; in this company, the Area1 item has much more in common with Norse’s “Project Pistachio Harvest”. Essentially, the report leads with a claim of attribution, and then spends its remaining time in technical minutiae without even attempting to explore or support the fundamental argument of nation-state assignment.

Overall, the report and its implications (through leaking acquired victim data to the press) were repeatedly (and correctly, in this author’s opinion) pilloried by many elements of the security community. But underlying this assessment were fundamental errors in analysis, compounded by unprofessionalism in data sharing. By presenting attribution supported by vague (and unexplained) expertise, sealed by the company founders’ signatures on the first page, the report makes an appeal to authority without even attempting to establish how or why such authority should exist. While the Area1 document may represent a compelling argument for some, those seeking analytical rigour and evidence-based claims were sorely disappointed and rightfully skeptical. While every element described by the Area1 authors may in fact be true, including their specific attribution to the PLA’s SSF, the manner in which this was presented and supported undermines the entire effort.

The next day, at 1030 Eastern time, the US DOJ unsealed an indictment against two Chinese individuals as part of a years-long cyber espionage campaign against US government assets and private companies. This was followed by similar statements from the UK, Canada, and Australia. As a legal document, the indictment is dry and fundamentally “unsexy”, yet it stands markedly apart from the Area1 report. The document painstakingly moves from one analytical element to the next to lay out the case for why these individuals (and more importantly, the institutions to which they are linked) were involved in numerous intrusions over the years. While this may appear pedantic and gratuitous to some, considering the weight of the charges (that a sovereign state sanctioned and directed economic espionage against public and private interests in other states), such rigor is not just recommended but required.

More importantly, the indictment was followed by the release of extensive technical data related to the reported events under the aegis of the US Department of Homeland Security’s (DHS) US-CERT. While much of what was collected consisted of known commercial and public reporting on the activities in question, the US government entities working this item coordinated release and publication to provide significant technical artifacts related to the claims. While the majority of these items were atomic observations, or context-free indicators of compromise, the totality of evidence, combined with sourcing extending beyond the US government to include reports from external parties such as PwC, provides more robust (if still not perfect) support for the attribution claims.

Overall, the work is not perfect, but it stands head and shoulders above past US government blunders such as the initial GRIZZLY STEPPE report on election-related hacking operations. An important point to consider here is trust. While the US government is not an entity that can (or arguably should) be blindly trusted, one can infer from its actions, responsibilities, and interests that it is not an entity engaged in simple public relations or attention gathering, and that its citation of sources that cannot be shared as evidence for observables at least carries a plausible explanation relating to sensitive sources and methods. Ultimately, while US government authorities have made multiple mistakes within the cyber intelligence realm over the past decade, there remains a latent trust in their intentions and an understanding of their methods which, when combined with a report as thorough and logically rigorous as the APT10 indictment, at least enables a degree of trust in findings that does not extend to many commercial enterprises, let alone startup organizations with thin resumes.

Thus, we are left with three differentiating factors between two reports both dealing with PRC-linked cyber operations:

  1. The DOJ report utilized a rigorous, logical narrative supported by extensive technical evidence to make its claim, while Area1 simply lobbed an assertion at the start of their report followed by limited technical evidence for a supposedly widespread campaign.
  2. The DOJ report was able to rest upon latent (if somewhat weaker than in the past) trust in the reporting and evidence gathering process for its underlying institutions to garner support for claims that could not be corroborated through evidence for whatever reason. Area1 lacked this degree of trust, thus leading to skepticism (if not mockery) for claims of “we have the data but cannot share” made in various public and private forums.
  3. Excepting some external political shenanigans, the DOJ report and its supporting evidence are dry, dispassionate elements of an overall legal process. Area1’s report was followed by intemperate and unprofessional postings that only served to undermine the company’s stature and weaken its message.

When viewed in light of each other, two reports attributing malicious activity to the same government separated by approximately 24 hours become dramatically different in tone, reception, and impact. The lesson here for practitioners of information security and threat intelligence is that the manner and framework through which findings are presented matter – and in cases where not all data can be shared (or should be shared, to protect victim data), resorting to aggressive and unprofessional reactions will irredeemably harm an organization’s standing and stature.

One response which I’ve heard (including indirectly from Area1 personnel) is that the organization ultimately only owes full disclosure and information supporting attribution to paying customers, and not to the general public. Yet such a claim is both false and laughable when a company works diligently to seed a story in a major paper of record to gain the maximum amount of publicity possible for its work. If divulging sources and methods is such a concern, then a private body should either put in the effort over many years to develop a reputation such that its claims can be accepted with less than solid evidence (a position that Area1 is most certainly not in, and which few private security companies are), or forego such public reporting and focus only on those audiences where full reasoning and evidence can be divulged. Attempting to publicize work without either the stature to support it by virtue of reputation or the provision of evidence is a classic case of trying to have one’s cake and eat it too. This is not just unreasonable, but laughably unrealistic. The lesson to be drawn here is that if a private company wants to bask in the public glory of its discovery, it had better be prepared to offer extensive evidence to support its work (especially in politically-charged cases of attribution), while at the same time refraining from the sort of victim disclosure (and victim shaming) exhibited by Area1’s negligent sharing of compromised data with third parties.

Writing late on the evening of 20 December 2018, the past two days have offered dramatically different examples of just how to pursue an argument of attribution within the space of cyber security. On the one hand, Area1 took an immature and unprofessional route in an attempt to make a significant media splash. On the other, the US government, following past egregious errors in reporting, put forth an exceptionally dry, legalistic case backed by extensive evidence and supported by latent trust to make a very similar argument, devoid of Twitter hot-takes and splashy press interaction featuring purloined data. The lesson for practitioners of cyber security and threat intelligence is clear in my opinion. While no approach will ever be perfect, and any report or assertion of attribution should rightly be challenged by others (if only so we as a community continue to refine arguments and improve), the manner in which arguments are presented and how they are supported by evidence matter profoundly. Absent the very rare condition of a completely trusting audience, organizations should feel not merely obliged but pressured to present as much relevant information as possible, with ‘relevant’ also meaning data whose release still protects the victims of the intrusions.


2 Comments

Brian · 12/21/2018 at 04:25

Great post Joe. Fast too, as it’s been a day or so since this all went down. I didn’t realize the similarity between the two before but you made a good argument in this post. Holding private firms and the government (always) to rigorous analysis standards AND basically a show your work perspective is key if we are to move the needle on non-industry people (lawmakers & policy makers) to trust what we insiders have to say and try and fix the world as best they can.
