Attribution of Advanced Persistent Threats by Timo Steffens

Author: Timo Steffens
Language: eng
Format: epub
ISBN: 9783662613139
Publisher: Springer Berlin Heidelberg


6.2 Domestic and International Conflicts

Geopolitical analysis is very different from the other aspects of attribution, which cover artifacts such as samples or server images that are directly linked to the attackers. In contrast, the cui bono is assessed on rather indirect information, typically from open sources (OSINT). It is therefore important to realize that geopolitical analysis taken alone provides the weakest evidence of all MICTIC aspects. Cui bono can only be used to check whether an attribution hypothesis is plausible, i.e. whether the alleged actor indeed has a motivation for the cyber-operations in question. Still, often enough it turns out at the end of an attribution analysis that the first intuition based on geopolitical analysis was in fact correct.

Among other sources, strategic analysts regularly monitor international news from their region of interest in order to be aware of upcoming summits, government plans for economic growth, trade negotiations, and domestic or international conflicts. This is because APT attacks do not happen by coincidence and are not evenly distributed across regions or industries. For instance, they are more frequent in regions with international conflicts and hit organizations involved in these conflicts. One example is the cyber-espionage incident at the Permanent Court of Arbitration in The Hague, shortly after the Philippines had lodged a complaint against China’s claim to large parts of the South China Sea [20]. Another example is the cyber-operation attributed to APT28 against the Dutch authority investigating the shooting down of the Malaysian plane MH-17 over Ukraine [21]. Ukraine has been a hot spot for several APT groups since the annexation of Crimea [22–24].

Therefore, robust and convincing attribution also requires an assessment of the current geopolitical situation. Intelligence agencies have been doing this since before the cyber-domain became relevant. The portfolio of threat intelligence providers now also includes alerting customers to potential cyber-activities in relevant regions when there are indications of escalating international conflicts.

A particularly large number of APT groups are currently active in India and Pakistan, the countries around the South China Sea, Ukraine, and the Middle East. The characteristic that all of these otherwise rather diverse regions share is territorial conflict.

India and Pakistan have both claimed Kashmir since 1947. In the aforementioned HangOver campaign, Pakistani military personnel were targeted and samples contained references to individuals and companies from India (see Chap. 3). Registration data of control servers also pointed to India (see Chap. 4). Coming back to the MICTIC framework, the evidence from the malware, infrastructure, and cui bono aspects is consistent, leading to a strong attribution hypothesis of MICTIC-3.

International conflicts are not the only factor that correlates with increased cyber-espionage activity. In non-democratic countries, opposition politicians, journalists critical of the government, ethnic and religious minorities, and dissidents face a high risk of being targeted with malware. In China, the so-called Five Poisons are regarded as threats to the Communist Party [25]. The Poisons are Tibet, Taiwan (both part of the sacred and inviolable Chinese territory according to the Communist Party), the Uyghur minority, Falun Gong, and the democracy movement. It is certainly no coincidence that these communities are regularly targeted by APTs [26–29].
