Data breach investigations: challenges in attributing cyber-attacks

The threat of cyber-security have once again come under the spotlight, following the recent allegations that China hacked into accounts of British MPs and peers.

Although its genesis is in the far-away realm populated by cybersecurity and law enforcement professionals, today, attribution of modern cyber-attacks also continues to penetrate into the daily lives of lawyers and other legal professionals. Misattribution of a cyber-attack may not only jeopardize interests of your client, but even lead to lawyer’s discipline for breach of ethical and fiduciary duties.

From a regulatory viewpoint, the US Office of Foreign Assets Control (OFAC) made it crystal clear, and then re-emphasized for any remaining naysayers, that ransom payments in cryptocurrencies to unidentified ransomware groups may violate US sanctions and trigger a broad spectrum of legal ramifications.

Talking about procedural aspects of litigation, upon discovery of a data breach, timely notification and transparent collaboration with law enforcement agencies (LEAs) may significantly reduce future penalties under applicable law, and even help in civil litigation. Incomplete, vague or alarmistic reports will unlikely trigger much attention of busy LEAs unless you operate a nuclear plant.

Contrariwise, if there are solid preliminary grounds to attribute the intrusion to a notorious hacking group being wanted by LEAs, the latter may deploy significant resources to the case. Importantly, if there have good reasons to suspect a non-sovereign entity to be behind the attack, one may get a court order freezing attacker’s assets to eventually recover damages if one later prevails in court.

Recent development of computer forensics science made intrusion, log and artefact analysis a comparatively uncomplicated and straightforward process for both on-premise and cloud environments.

Yet eventual attribution of tactics, techniques, procedures (TTPs) and IP addresses of digital perpetrators to an individual or hacking group, commonly remains the most unobvious, laborious and uncertain part of the investigation.

Firstly, publicly accessible databases and resources by governmental agencies and private cybersecurity companies offer detailed technical descriptions of TTPs used by well-known hacking groups. Invaluable intelligence is available to anyone, so both newcomers and well-established cyberthreat actors frequently utilize this information to impersonate or frame other cyberthreat actors, perfidiously misleading investigators. Likewise, at some point of time, intruders can just get tired of their sticky “fame” and amend their hacking style and habits, re-appearing as a brand-new group.

Second, many cybercrime groups are pure mercenaries, motivated exclusively by insatiable greed and easy money: they may have a major client for a long time and then, suddenly, switch to another one.

After establishing or inferring some exposing nexuses between the group and its clandestine client, digital investigators may have a temptation to mechanically attribute similar attacks in the future – actually procured by new client – to the former one. To make things ever more convoluted, under the cui bono analysis, most well-known puppeteers behind the attacks, who artfully pull the strings of cyber armies, will readily qualify as potential profiteers of the intrusion.

Third, individual members of cybercrime groups may decide to change their ‘employer’ for financial, personal or even political reasons, as increasingly observed in war-torn parts of modern world. If such individuals were, say, responsible for malware development at their former group, they will likely re-use their old source code, as well as some underlying TTPs for their upcoming projects in the new group, once again leading to misattribution of forthcoming attacks.

Finally, some hacking groups may cooperate and share tools, infrastructure and even counterintelligence – creative insights on how to fool law enforcement and cybersecurity professionals.

In recent years, cybersecurity vendors and law enforcement agencies are often compromised in sophisticated supply-chain attacks for, among other things, valuable intelligence they have collected about cyber gangs. Compromised intelligence will be exploited to neatly misdirect future investigations and spoil cross-border operations by law enforcement.

Typically, some nefarious attacks against small police departments were recently conducted just to backdoor the law enforcement’s infrastructure and then use them as a proxy in chained attacks against flabbergasted third parties.

Lawyers and legal professionals should invariably apply their professional skepticism and critical thinking when analyzing data breaches and assembling lists of possible culprits behind an intrusion.

Ilia Kolochenko is a Partner and Cybersecurity Practice Lead at Platt Law LLP and an Adjunct Professor of Cybersecurity at Capitol Technology University.