
4. Cyberspace and the Attribution Problem

4.4. Attribution Techniques

4.4.2. Forensic Attribution

The second category of attack attribution is forensic attribution utilizing digital (computer) forensic science. In the instant matter, forensic attribution relates to the analysis of the computer code making up the malware that was utilized to conduct a cyber-attack, in order to ascertain evidence of authorship. The evidence obtained may assist an injured state in finding the responsible actor; however, “attributing malicious code is always questionable…”109 While it is doubtful, in the opinion of this study, that evidence obtained during forensic attribution is, standing alone, enough to attribute an attack to a state, evidence obtained from an attack may be combined with other elements to attribute the attack. The legal standing of such (circumstantial) attribution for the purposes of state responsibility is in doubt, however, and will be discussed further infra.

Forensic attribution, for the purposes of this study, is mainly utilized for those attacks that use malware or malicious code to inflict damage or harm, or for other malicious purposes, as opposed to DDoS attacks, which do not leave malware on the victim system. The Stuxnet variant attacks are arguably the most famous of these attacks to date (it must be noted that the Sauron/REMSEC malware espionage tool may be more advanced and dangerous than Stuxnet and is almost definitely state-sponsored due to the complexity of its design.110 As of this writing, however, this is an ongoing issue without many facts and, as such, will not be discussed in depth). Stuxnet was used to attack the Iranian Natanz nuclear fuel enrichment center in 2012, becoming the first cyber weapon to cause physical harm.111 Cyber weapons such as Stuxnet differ from the previously discussed malicious cyber-attacks in that the vector of attack does not necessarily rely on the Internet. A cyber weapon may be delivered via the Internet, but it may also be delivered via a physical device such as a USB memory stick or other solid-state media. Many forms of cyber weapons are self-replicating, meaning that once they are on a system, they will attempt to infect other devices through various means of propagation, which may include the use of solid-state media, the Internet, or a local intranet. The computer code utilized in cyber weapons, and the techniques used to forensically analyze it, do not differ from the forensics utilized for other types of malware.

107 Id. at n. 104.

108 Id. at 86.

109 Nicholas Weaver, What Sauron Tells Us About What NSA’s Up To, and What It Should Do Next, Lawfare (Aug. 15, 2016), https://www.lawfareblog.com/what-sauron-tells-us-about-what-nsas-and-what-it-should-do-next.

Cyber weapons may be directed weapons, in that they are designed to attack a specific computer system or network, or they may be generalized weapons that attack a range of systems running a specific operating system. Kaspersky Labs posited three broad categories of cyber weapons:112 “destroyers…espionage programs…, [and] cyber sabotage tools.”113 Cyber-espionage tools pose the greatest danger, as they may potentially create physical damage,114 but all types will damage the infected systems if some preset criteria are met. Destroyers, as the name implies, attack a system and destroy the data contained within; a destroyer attack may be executed immediately or have delayed execution at a preset time or when a specific condition is met.115 Espionage programs are tools that gather and transmit data; the more specialized the data, the better these programs work.116 While espionage, per se, is not illegal in international law, these programs may work as reconnaissance programs, in that the data they gain may be used to further exploit a service or to harm the owner of the system. Cyber sabotage tools are cyber weapons that impact a specific system or component or a specific range of data. Sabotage programs blur the line between espionage and use of force and, as such, should be analyzed for the impact they have when activated.

Cyber weapons leave a payload of malicious computer code on each system they infect, allowing for forensic examination of the payload upon discovery. Once discovered, the payload may be forensically examined to provide evidence as to its creators, origins, and purpose. The forensic evidence derived from the examination of the cyber payload may be utilized to assist in attributing the cyber-attack to the state(s) responsible for its creation and utilization. However, the forensic evidence alone, without further evidence of state involvement, is not enough to attribute the attack to a state.

The examination of a cyber weapon payload may be accomplished through digital forensics and reverse engineering. Depending on the skill and technical knowledge of the creator of the cyber weapon, this may be relatively straightforward or extremely complex. The evidence gathered is generally circumstantial and consists of such information as the type of keyboard used, the programming language used, e.g., Lua, Python, C/C++, Assembly, etc., the time zone of the computer(s) that created the malware, and so on. Truly knowledgeable and experienced programmers will leave scant details of who created such weapons unless, as has been posited regarding the Stuxnet attacks, the attackers want the systems attacked to know who attacked them.117

110 Dan Goodin, Researchers Crack Open Unusually Advanced Malware That Hid for 5 Years, ArsTechnica (Aug. 8, 2016), http://arstechnica.com/security/2016/08/researchers-crack-open-unusually-advanced-malware-that-hid-for-5-years/. Nicholas Weaver, What Sauron Tells Us About What NSA’s Up To, and What It Should Do Next, Lawfare (Aug. 15, 2016), https://www.lawfareblog.com/what-sauron-tells-us-about-what-nsas-and-what-it-should-do-next. (Discussing the probability that the United States NSA is responsible for the Sauron

111 Ralph Langner, Cracking Stuxnet: A 21st-Century Cyber Weapon (Transcript), TED.com (March 2011), https://www.ted.com/talks/ralph_langner_cracking_stuxnet_a_21st_century_cyberweapon/transcript. (Describing the Stuxnet virus as a targeted cyber weapon of mass destruction.) Thomas C. Reed, At The Abyss: An Insider’s History of the Cold War *4721-*4738 (Kindle ed., 2007). (Discussing the “Farewell countermeasure campaign” against the Soviet Union in the early 1980s and alleging that the United States Central Intelligence Agency, with the assistance of Canadian manufacturers, inserted a Trojan into a SCADA controller responsible for controlling pumps on oil pipelines that was eventually smuggled into the Soviet Union despite an ongoing trade embargo. The Trojan allegedly triggered a large explosion in the pipeline in 1982. These allegations have been denied by the Soviet Union/Russia and the account cannot be independently verified.)

112 Kaspersky Labs, Kaspersky Security Bulletin 2012: Cyber Weapons (18 Dec. 2012), https://www.securelist.com/en/analysis/204792257/Kaspersky_Security_Bulletin_2012_Cyber_Weapons. (“‘Destroyers’. These are programs designed to destroy databases and information as a whole. They can be implemented as ‘logic bombs’ that are introduced into victim systems either in advance and then triggered at a certain time, or during a targeted attack with immediate execution. The most notable example of such malware is Wiper. Espionage programs. This group includes Flame, Gauss, Duqu and miniFlame. The primary purpose of such malware is to collect as much information as possible, particularly very highly specialized data (e.g. from Autocad projects, SCADA systems etc.), which can then be used to create other types of threats. Cyber sabotage tools. These are the ultimate form of cyber weaponry – threats resulting in physical damage to targets. Naturally, this category includes the Stuxnet worm. Threats of this kind are unique and we believe they are always going to be a rare phenomenon. However, some countries are devoting more and more effort to developing this type of threat, as well as defending themselves against it.”)

113 Id.

114 Id.

115 Id.

116 Id.

The biggest issue with technical attribution is that it does not conclusively say that X or Y is the author (unless the author actually leaves their name on the code). Forensic attribution may only tell the injured state or researcher a limited amount of information, from which the state or researcher then draws an inference. For example, the Sauron malware package, which was discovered in August 2016, has been tentatively linked to the United States due not only to its complexity but also to its use of the Lua programming language (an obscure programming language seen in the Flame variant malware) and to the age of the malware, reportedly built upon malware existing prior to 2001.118 Such an inference, however, does not establish attribution to the United States, as any number of other states or non-state actors may be capable of creating such malware. Without greater evidence linking the Sauron malware to the United States, or acknowledgment or adoption by the United States, the malware will forever remain a question mark as to authorship and responsibility, thus allowing the United States, or whoever is responsible for the creation and use of the malware, to escape responsibility for its use.
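One of the circumstantial indicators named above, the time zone of the machine that built the malware, can be illustrated with the compile timestamp that Windows PE executables carry in their COFF header and a simple office-hours fit over several samples. The following is an added example written for this page, not code from the dissertation or from any cited analysis; the PE header stub, the five build times, and the assumed 09:00 to 18:00 working day are all constructed, and the code reads only real PE header fields.

```python
import struct
from datetime import datetime, timezone


def pe_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp (seconds since the Unix epoch) of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]  # offset of the PE signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header follows the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def build_stub_pe(ts: int) -> bytes:
    """Constructed sample: minimal MZ + PE headers carrying a chosen TimeDateStamp (not real malware)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE header directly after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, ts, 0, 0, 0, 0)  # i386, one section, timestamp
    return bytes(dos) + b"PE\0\0" + coff


def likely_utc_offset(timestamps, workday=(9, 18)):
    """Score each whole-hour UTC offset by how many build times land inside the assumed
    working day and return (offset, hits) for the best fit. This supports only an inference:
    the field is written by the builder and can be zeroed or forged, so it is never proof."""
    best = (None, -1)
    for offset in range(-12, 15):
        hours = [((ts + offset * 3600) // 3600) % 24 for ts in timestamps]
        hits = sum(workday[0] <= h < workday[1] for h in hours)
        if hits > best[1]:
            best = (offset, hits)
    return best


def sample_build_times():
    """Constructed: five builds whose UTC times correspond to office hours in UTC+3."""
    utc = [(6, 30), (8, 0), (11, 0), (13, 30), (14, 45)]
    return [int(datetime(2016, 8, 15, h, m, tzinfo=timezone.utc).timestamp()) for h, m in utc]


if __name__ == "__main__":
    stamps = [pe_timestamp(build_stub_pe(ts)) for ts in sample_build_times()]
    print("build times (UTC):", [datetime.fromtimestamp(t, timezone.utc).strftime("%H:%M") for t in stamps])
    print("best-fit offset, builds inside the working day:", likely_utc_offset(stamps))
```

With the constructed samples the best fit is UTC+3 with all five builds in office hours; a single forged or zeroed stamp in a real sample set is enough to shift the result, which is exactly why the text treats such evidence as circumstantial.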

Forensic attribution, like technical attribution, can only establish a limited number of facts for consideration regarding attribution for the purposes of state responsibility. Technical attribution may be able to link an attack to a specific geographical area or IP address, but not connect that information to a state or non-state actor. Forensic attribution may tell us what, how, and where, but not who,119 thus forcing a state to infer who may or may not be responsible for the attack. These questions of drawing inferences will be addressed next.

117 Ralph Langner, To Kill a Centrifuge (Nov. 2013), http://www.langner.com/en/wp-content/uploads/2013/11/To-kill-a-centrifuge.pdf.

118 Nicholas Weaver, What Sauron Tells Us About What NSA’s Up To, and What It Should Do Next, Lawfare (Aug. 15, 2016), https://www.lawfareblog.com/what-sauron-tells-us-about-what-nsas-and-what-it-should-do-next.