Following the news that the UK government has blamed Russia for last year’s destructive NotPetya cyberattack, Andy Norton, director of threat intelligence at malware detection firm Lastline explains why attribution of these types of attacks is generally a fruitless and pointless task and why it’s much more important to understand the behavioural capability of the threat.
Andy Norton, Director of Threat Intelligence at Lastline:
“Even though the attack was Anti-Ukrainian in nature, it does not mean that it was sanctioned by Russian Authorities. Even if it was, Russia have just denied it was them, stating certain Western countries are ‘Russophobic’.
“When talking about attribution many people think about the people behind the attack, such as the malware creators or the sponsors of the attack. It’s frequently difficult to determine, and can be a fruitless and pointless wilderness of mirrors. If we see that an attack was initiated by a particular IP address and that IP address is in Russia, that doesn’t mean that we can attribute the attack to “the Russians.” It is quite a simple matter to compromise a site and use redirection to obfuscate the original source of an attack.
“Another aspect of attribution is knowing how the attack came into the network, which can be key. Knowing for example that the malware was downloaded from a certain IP address can be used to fully track down how wide spread the attack is, and allow others to be protected. This is the foundation of many Threat Intelligence feeds. This information, however, as stated above, has nothing to do with the nationality or language spoken by the attackers. This type of attribution has little impact on the actual response process.
“It’s not who is behind the attack the matters; it’s important to understand the behavioural capability of the threat in the environment to ensure correct remediation. Then if you’ve got the time, blame Russia, or North Korea or China or Iran, afterwards.”