Threat Intelligence: The Role of Nation-States in Attributing Cyber-Attacks


The cyber conflict that accompanied the war in Ukraine marked a shift in how nation-states respond to cyber-attacks.

The Five Eyes governments (US, UK, Australia, New Zealand and Canada) jointly attributed AcidRain, the wiper malware that knocked tens of thousands of modems offline on Viasat’s KA-SAT satellite network in Ukraine and elsewhere in Europe, to Russia’s military intelligence agency (GRU) in May 2022. Over a dozen EU member states later aligned with the attribution.

This was one of the largest formal public accusations of a cyber-offensive operation against a named country in history.

Some NATO member countries, including the US and the UK, also attributed to the GRU multiple families of wiper malware, including WhisperGate, that struck Ukrainian organizations in mid-January of that year.

“This consistent response by many governments is an important step in the practice of political attribution of cyber-attacks and greatly contributes to the development of states’ practice in this sense,” non-profit Cyber Peace Institute wrote in a case study of the Viasat cyber-attack published in June 2022.

Stepping Up Attribution to Crack Down on Criminals

This name-and-shame practice is likely to become commonplace, as Ukraine and several Western nations have vowed to step up their attribution capabilities.

Victor Zhora, deputy chairman and chief digital transformation officer of the State Service of Special Communications and Information Protection (SSSCIP) of Ukraine, said the war in Ukraine has made attributing cyber-attacks more urgent.

“It’s true that, in the past, many cyber-criminal groups were formed, not only of Russian individuals, but also Ukrainians and other nationalities. Now, the situation, even in cyberspace, is more ‘black and white’: when Russian hackers attack Ukrainian, European and North American organizations, they are on the side of evil. Our goal is to prove that these cyber-crimes are supporting war crimes,” he told Infosecurity during Logpoint’s ThinkIn conference in Copenhagen on March 7, 2023.

On March 1, 2023, France’s Minister of the Armed Forces Sebastien Lecornu acknowledged that France needed to make progress in three cyber areas: attributing cyber-attacks, hindering and blocking them, and counterattacking where legitimate self-defense applies.

Also in March 2023, as part of the UK government’s update to the Integrated Review, the UK launched the National Protective Security Authority (NPSA), which sits within MI5 and is tasked with tackling state-sponsored threats to UK businesses, including the attribution of cyber-attacks.


Flexing their Geopolitical Muscles

According to Clara Assumpção, an international relations researcher at Prague’s Charles University, the primary reason for nation-states to publicly attribute cyber-attacks is to flex their geopolitical muscles.

“The main goal of publicizing a cyber attribution is deterrence – the victim is making it known that it has enough capabilities to identify the perpetrators, and as such, emphasize its ability to punish and retaliate,” she wrote in a May 2020 essay, The Problem of Cyber Attribution Between States.

While the work behind state cyber attribution is largely secret, most governments have their own team of cyber threat intelligence (CTI) analysts, and some are very well equipped.

“The likes of the US National Security Agency (NSA) and the UK National Cyber Security Centre (NCSC) have much more human, technical and financial resources dedicated to cyber attribution than any vendor,” Feike Hacquebord, a senior threat researcher at Trend Micro, told Infosecurity.

Governments also benefit from the technical attribution work of cybersecurity vendors, both publicly, via the threat reports and forensic analyses they publish, and through more confidential joint CTI investigations. In fact, nation-states have adopted naming conventions borrowed from CTI vendors (Advanced Persistent Threat groups, ‘Cozy Bear,’ ‘Fancy Bear,’ ‘Sandworm’…) when attributing cyber-attacks.


A good example is the behind-the-scenes threat intelligence timeline that led to the US attributing, in April 2021, the 2020 breach of US federal agencies carried out through a supply-chain compromise of software vendor SolarWinds, as told by Jamie Collier, an EMEA senior threat intelligence advisor at Mandiant.


“Mandiant first discovered the incident, and at the time we weren’t 100% sure who was behind it, but we put out our report on what we still called UNC2452 for the incident response teams and the threat intelligence community to benefit from it. We later found out that APT29, a threat actor linked to the SVR, Russia’s foreign intelligence agency, was responsible. But the US publicly attributed the attack before we did, because we have our own process,” he recalled.

Such caution is the rule in the CTI community. Some vendors refuse to link threat groups to nation-states altogether.

Trend Micro’s corporate policy, for example, is very clear: its threat analysts must never attribute a cyber-attack to a specific country. “We believe that it’s not our mission to point the finger. Our mission is to defend against threats, and not to interfere with politics,” Hacquebord said.

However, he also acknowledged that his company sometimes departs from this neutrality and refers to government attributions, which shows how porous the line is between technical and strategic, or even geopolitical, attribution.

Collier added: “As they have tremendous visibility into this space, governments are able to make some important contributions in helping the community understand attribution judgments, so a lot of the time their work helps us as much as ours helps them.”


The real difference between vendors and government agencies when attributing attacks is their motives. “In cyber attribution between states, the core question is not ’Who did it?’ but ‘Who is to blame?’,” Assumpção wrote in her essay.

A Basis for Countermeasures

States use attribution not only to deter their adversaries, but to drive changes in defensive and offensive strategy and to take the culprits to court when possible.

Attributing a state-sponsored cyber-attack is useful to be able to prioritize national security measures, both in cyberspace and in the physical world, Aude Géry, a researcher in international legal issues of cybersecurity at France’s GEODE Institute, argued in an EU-funded collective paper on cyber defense, published in November 2022.

“Political and/or legal attribution can be the first step towards the conduct of (cyber) operations by the armed forces if a decision is taken to retaliate,” she wrote.

In fact, the UN International Law Commission’s 2001 Draft Articles on Responsibility of States for Internationally Wrongful Acts state that attribution is required before a state may take countermeasures. However, international law says little about what type of attribution is needed, or how far it should go.

According to Ukraine’s Zhora, almost all Russian hackers targeting Ukraine – from the state-affiliated groups to the volunteers, hacktivists, or even cybercriminals – maintain a certain level of coordination with the overall Russian strategy.

“The accountability and responsibility of Russia for these types of crimes should be higher,” he said.

It is more important than ever to trace attacks back to individuals, Zhora argued. “Our task is to identify exact people, not organizations. We know these organizations, we even know their locations and their staff, but it is very important to know precisely who developed the piece of malware, who made the initial access, who was responsible for the lateral movement within our network and who pressed the key.”

Narrowing the attribution down to individuals would help expose the Russian strategy with more confidence, and would potentially make it possible to legally and economically retaliate.

Many Trade-Offs

Cyber attribution is not without challenges, the biggest being false flags planted by adversaries. As we showed in parts one and two of this threat intelligence series, technical attribution is a laborious, meticulous process, which partly explains why cybersecurity vendors are so cautious about the claims they make.

“We can make mistakes,” Trend Micro’s Hacquebord admitted.

Similarly, nation-states can make mistakes, which typically have much more serious consequences.

Adversaries are aware of this and do what they can to mislead both private vendors and intelligence agencies.

To cover their tracks and fool threat intelligence analysts, threat actors use many deceptive tactics, including attacking atypical targets, reusing another group’s tooling or infrastructure, and posing as threat groups from a different country.


When the WannaCry ransomware struck in May 2017, it hit so many systems in so many countries, including Western Europe, the US, Russia and Ukraine, that attribution was initially difficult.

“While press reports indicating that North Korea was responsible were quick to follow the attack, the official attributions took months. In October 2017 British Minister of Security Ben Wallace, without sharing any evidence, told the BBC that North Korea was responsible. By mid-December, the US, UK, Australia, Canada, New Zealand and Japan issued coordinated statements attributing the WannaCry actions to North Korea,” William Banks, a law professor at Syracuse University, recalled in his 2021 paper.

Chris Morgan, a senior cyber threat intelligence analyst at ReliaQuest, told Infosecurity that, in 2020, Russia-backed APT29 used Iranian infrastructure when deploying the SolarWinds attack, “to piggyback from their cyber espionage campaign and to attack government and industry organizations, all while masquerading as attackers from the Islamic Republic.”

Tom Hegel, a senior threat researcher at SentinelOne’s SentinelLabs, said that in the context of a kinetic and cyber conflict, the lines between friends and enemies could get blurrier. “In 2022, we have observed Chinese espionage campaigns in Russia, for instance – two countries that do not consider each other as adversaries,” he told Infosecurity.

An International Legal Vacuum

Another challenge that nation-states face in cyber attribution is that they are operating in a legal vacuum.

“The lack of a common understanding about whether cyber attribution is required – much less what evidence suffices for attribution of a cyber-attack for international law purposes – combined with the absence of consensus legal rules to limit cyber intrusions, has helped render the entire international legal response to cyberattacks weak and largely ineffective,” Banks wrote.

The 2017 Tallinn Manual 2.0 is the document that comes closest to an international legal basis on this issue, but it is an academic work and non-binding, and its conclusions are still rarely cited by nation-states.

Cyber attribution is complex, and unlike cybersecurity vendors, who increasingly state levels of confidence in their threat reports, nation-states tend to attribute an attack publicly only when they have high confidence in the judgment.

When the White House Homeland Security Advisor Thomas Bossert attributed WannaCry to North Korean APT group Lazarus in 2017, he insisted: “The US do[es] not make this allegation lightly. We do so with evidence, and we do so with partners.”

Informal state attributions are being used frequently as a means for nation-states to flex their geopolitical muscles without engaging in legal countermeasures.

“States typically accuse the attributed State of bad behavior (“malicious”) or of violating some normative standard, without specifying which norm or ascribing consequences for the violation,” Banks wrote in his paper.

Need For International Consensus

Some academics, including Banks and Assumpção, argue that without an international legal basis for responding to a cyber-attack, cyber attribution will rarely meet its goals.

The only scenario in which deterrence can be achieved, Assumpção explained, is an attack planned and executed by non-state actors with no state involvement, which is largely outside the scope of this article. In all other scenarios, attacks that are planned, sponsored or even tolerated by a state, deterrence fails either because the links between the culprits and the sponsoring state are too obscure, or because the state shields the attacker.

Worse, it leaves room for what Banks called ‘a Wild West of cyber attribution.’

“Lacking an international legal regime for attribution and thus for state responsibility, in recent years victim states have often retaliated for cyber intrusions with their own cyber-attacks,” Banks added.

Meanwhile, a growing number of voices are asking international bodies to step up and adopt enforceable norms for state cyber attribution.

Banks, as well as Kaspersky’s Ivan Kwiatkowski and the Cyber Peace Institute, suggested building on discussions already taking place at multilateral forums such as the UN Group of Governmental Experts on advancing responsible state behavior in cyberspace in the context of international security (UN GGE) and the Organization for Security and Co-operation in Europe (OSCE).

This article is the third part of a three-part cyber-attribution series that has been published on Infosecurity’s website.

Part 1 - Threat intelligence: Why Attributing Cyber-Attacks Matters

Part 2 - Threat Intelligence: Do We Need A 'Rosetta Stone' of Cyber Attribution? 
