Euro Security Watch with Mathew J. Schwartz

Forensics , Incident & Breach Response , Managed Detection & Response (MDR)

Attribution Games: Don't Rush to Blame

Experts Decry Attempts to Rapidly Attribute Winter Olympics Hacking
Attribution Games: Don't Rush to Blame
Warning: Vendors rushing to attribute online attacks may appear faster than a skiathlon. (Photo: IOC)

Periodic reminder: Attributing cyberattacks is incredibly difficult, often involves underlying motivations and does little, if anything, to help targeted organizations defend themselves against all potential adversaries, be they intelligence agencies, cybercrime gangs or bored teenagers.

See Also: The Cybersecurity Swiss Army Knife for Info Guardians: ISO/IEC 27001

Nevertheless, some cybersecurity pundits have been quick to suggest that the Friday online attack against the opening ceremonies of the Olympic Winter Games in South Korea were most likely carried out by Russia because some of its athletes have been banned from the games on account of doping violations. The attack disrupted the Pyeongchang 2018 website as well as WiFi in the stadium where the opening ceremony was held (see Hackers Win Olympic Gold Medal for Disruption).

South Korean officials have historically been all too ready to blame every online attack against them on North Korean hackers. But the Winter Olympics organizers have pointedly not blamed anyone.

"We can confirm that the technology issues experienced on Friday night were caused by a cyberattack," the Pyeongchang 2018 Organizing Committee says in a statement to Information Security Media Group.

"The situation was quickly dealt with and as result, all systems have remained stable and no competitions were ever affected. They continue to run smoothly," it adds. "We are still investigating, and the team is continuing to work to ensure the systems remain robust. You will understand that maintaining secure operations is our focus, and in line with best practices for cybersecurity, we will not comment further on this incident."

Malware Analysis

On Monday, information security researchers at Cisco Talos published an analysis of wiper malware designed to render PCs unbootable, which they suspect was used in the Friday attack.

"Disruption is the clear objective in this type of attack and it leaves us confident in thinking that the actors behind this were after embarrassment of the Olympic committee during the opening ceremony," Talos security researchers Warren Mercer and Paul Rascagnères report. "The samples analyzed appear to perform only destructive functionality. There does not appear to be any exfiltration of data."

At no point, however, did the researchers suggest who might have written or deployed the malware.

No Evidence

Others, however, quickly rushed to fill the gap. Cybersecurity firm Crowdstrike issued a report saying that it had tied credential-gathering attacks last November and December "against an entity operating in the international sporting sector" to the hacking group known as Fancy Bear. But it presented no evidence that the online attack against the Winter Olympics was launched by that group.

Fancy Bear is the company's name for a group of APT attackers - also known as APT28, Group 74, Pawn Storm, Sofacy, Strontium and Tsar Team - with apparent ties to Russia's GRU military intelligence unit (see Hackers Dump US Olympic Athletes' Drug-Testing Results).

Crowdstrike wasn't alone in guessing that the Russians did it. "We have anticipated an attack of some nature on the events for quite a while, particularly by a Russian actor," John Hultquist, direct of analysis at FireEye's intelligence analysis team, tells the Hill news website. "Actors like APT28 have unceasingly harassed organizations associated with the games and the Russians have been increasingly willing to leverage destructive and disruptive attacks."

Rush to Attribute Is 'Irresponsible'

But some information security experts caution that attempting to attribute the attacks in a hurry is irresponsible (see Ransomware Report: Is China Attribution Merely Hype?).

"In the first days and likely first weeks after a cyberattack occurs and it becomes public - it is absolutely irresponsible to jump to attribution," tweets Robert M. Lee, CEO of the industrial cybersecurity company Dragos.

Motive Is for Suckers

It's always easy to guess why someone might have wanted to hack someone else.

But motive doesn't count for much - if anything - unless you're Agatha Christie or an intelligence agency, says the operational security expert known as the Grugq in reference to "the speculation about the Olympic hack" and supposedly the "only big player with motive" being Russia.

"In police work, detectives don't really care about motive. Just how the evidence links the perp to the crime," he tweets. "That said, it was China."

Hacking Clichés

Early attribution reports are notoriously spotty. In the United States, hacks of government agencies are inevitably believed to be the work of the Chinese. If a bank gets hacked, it was the Russians (see US Power Grid: The Russians are Hacking! (Or Not)).

After uncovering network intrusions in 2014, for example, Bloomberg reported that JPMorgan Chase was eyeing Russian hackers, in what would obviously have been Moscow-ordered reprisals for U.S. government sanctions over Ukraine.

In fact, the culprits were two Israeli men living in Florida, plus an American accomplice who spent much of his time in Moscow and Tel Aviv, as part of an alleged pump-and-dump stock scheme, the Justice Department later alleged.

Russians Denied They Would Be Coming

The propensity to blame Russia for sports-related hacking is such a well-worn script that on Feb. 7, two days before the Winter Olympics opening ceremony, Russia's foreign ministry released a statement condemning anyone who might suggest that Russian-aligned hackers might later attempt to disrupt the event.

"We know that Western media are planning pseudo-investigations on the theme of 'Russian fingerprints' in hacking attacks on information resources related to the hosting of the Winter Olympic Games in the Republic of Korea," Russia's foreign ministry said in a lengthy statement. "Of course, no evidence will be presented to the world."

Security Defenders: Stay Frosty

The world may never really know whodunnit. Information security veteran Jeffrey Carr has long cautioned that behind every attribution, there's some type of motivation: a vendor trying to sell a service, lawmakers pushing a political agenda or a breached organization trying to deflect blame for its information security shortcomings.

For any organization that has suffered a breach, unless you're an intelligence agency, never waste time worrying "who did it," says breach prevention and response expert Alan Brill of corporate investigations and risk consulting firm Kroll. Instead, he says, identify the mechanics of the intrusion, contain the damage and guard against repeat incidents.

And when you're not doing that, take some time off and enjoy watching the Winter Olympics.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.