A journalist recently asked me for comment about the DNC hack and whether I had any idea who was behind it. I don’t, but I thought it a good opportunity to explain the problems with mid-to-high level hack attribution in some detail.

So last week I was in Silicon Valley giving a talk about my darknet market research and I got into a conversation with someone I met about the inherent problems with the attribution of ‘cyber attacks’.

It’s important to bear in mind that the more sophisticated an attack is, the more standardised the methodology must be. For example, if you could very easily distinguish state-sponsored attacks from lower-level financially motivated attacks, the state sponsored attacks wouldn’t be very anonymous!

As a result, it’s important to understand what mature, standardised infrastructure from a more sophisticated actor looks like, and how far one can go in tracing the source, within and beyond the law.

My case study

For example, a botnet once launched an automated attack at a large WordPress installation I was running at the time, and because the attacker in this case got sloppy, I was able to explore a good deal of their operations without even having to run a honeypot.

The attack was a base64-encoded HTTP request to a vulnerable WordPress plugin which, had I had that installed, would have compromised the site. The attacker should have launched a shorter, more discreet attack to determine whether there was a vulnerability on the site first, and, if that turned out positive, launched the real attack. In any case my IDS (intrusion detection system) flags the attack and I examine it. The guy had tried to upload a webshell/bot combo, a commodity component in building simple botnets. I was able to download their webshell (off a hacked website, of course) and examine its code. From its code I was able to see it had a hard-coded ‘command and control’ server, which was an IRC chat room based out of Malaysia, I believe.
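The kind of IDS check that flags a request like the one above, written here as an added example (not the author's setup or any real product's rule): it parses web-server access-log lines, picks out requests aimed under /wp-content/plugins/ that carry a base64-looking parameter, decodes it and reports any that decode to PHP-like content or a socket connect. The plugin path, IPs and the encoded payload are all constructed sample data, and the stand-in payload is not a working shell.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, quote, urlsplit

# Markers that suggest a decoded parameter is PHP meant to run, or to phone home.
SUSPICIOUS_MARKERS = ("<?php", "eval(", "base64_decode(", "fsockopen(", "system(")
B64_RE = re.compile(r"^[A-Za-z0-9+/=]{24,}$")
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')


def decode_if_base64(value):
    """Return the decoded text if value is a long, valid base64 string, else None."""
    candidate = value.replace(" ", "+")  # parse_qs turns an unencoded '+' into a space
    if not B64_RE.match(candidate):
        return None
    try:
        return base64.b64decode(candidate, validate=True).decode("utf-8")
    except (binascii.Error, ValueError):
        return None


def inspect_request(target):
    """Flag a request under the plugins path whose query carries encoded PHP-like content."""
    parts = urlsplit(target)
    if "/wp-content/plugins/" not in parts.path:
        return None
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            decoded = decode_if_base64(value)
            if decoded is None:
                continue
            hits = [m for m in SUSPICIOUS_MARKERS if m in decoded]
            if hits:
                return {"path": parts.path, "param": name, "markers": hits}
    return None


def scan_access_log(lines):
    """Run inspect_request over combined-format log lines; a 404 still counts (plugin may be absent)."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        hit = inspect_request(m.group("target")) if m else None
        if hit:
            hit["ip"] = m.group("ip")
            findings.append(hit)
    return findings


def _b64_param(text):  # used only to build the constructed sample log below
    return quote(base64.b64encode(text.encode()).decode(), safe="")


SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '203.0.113.7 - - [10/Jun/2016:03:14:07 +0000] "GET /wp-content/plugins/example-plugin/upload.php?data='
    + _b64_param("<?php /* constructed stand-in */ fsockopen('irc.example.invalid', 6667); ?>")
    + ' HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Jun/2016:03:14:09 +0000] "GET /wp-content/plugins/example-plugin/assets/style.css HTTP/1.1" 200 1102 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Jun/2016:03:15:01 +0000] "GET /wp-content/plugins/example-plugin/view.php?state='
    + _b64_param("harmless settings blob, nothing to execute here")
    + ' HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]
```

Only the first line is reported; the base64 settings blob decodes cleanly but carries none of the markers, which is the check that keeps this rule from firing on every encoded parameter.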

I join the chat room using the bot’s credentials and can see this medium-level operation at work. Every minute or so, a newly hacked site would ‘check in’ to the room, displaying its link to the botmaster, and to me. From here you could observe him taking over about a couple of WordPress sites every minute, each of which was checking into a chatroom full of bots. One could visit these bots from the room on hacked websites around the world, each of which controlled most of the relevant website. From there you could see that many websites had not just been ‘pwned’ by this guy, but that up to half a dozen different people had compromised the same website with a simple bot.

Such is the problem with botnets: they are such good infrastructure for launching anonymous attacks from. Plus, your typical bot can even delete its own HTTP logs.

Botmasters are tough to take down

DNC Application

So, getting back to the DNC hacks, what do I think? Well, we don’t (yet) know the breach methodology, but we can say with confidence that it’s probably nothing new: a spear-phishing attack with a malware payload (launched from an email-optimised botnet), a popular website used by DNC staffers that got hacked to deliver malware (hacked via a botnet), or a user account password breach, brute-forced via a botnet.

What I’m getting at is that you will most likely trace the initial vector back to an attack utilising a botnet, the standard fare of mid- to higher-level hackers.

Tracing botnets’ masters is difficult by definition. The cheap and lazy botnets get dismantled, meaning the ones we have left are highly resilient against technical and legal takedown. Hosted across the world, an attack against a western target will often utilise non-western botnets as a staging area, meaning an investigator’s first steps cannot be easy: they must ‘hack back’ the botnet (arguably illegal) or attempt international co-operation with less friendly governments.

Once they have identified the botnet in question (which, as I mentioned, may share infrastructure with multiple different botnets), they must systematically study it through the use of honeypots and other infosec intelligence to identify its common behaviours and attempt to identify its controller. The example I gave was from an amateur (a script kiddie, if you will); advanced botnets use all kinds of tricks to hide their controllers, getting instructions from randomised Twitter and Reddit accounts, from randomised domains, from the Tor dark web or via other botnets.

So I’m going to hazard a guess that US law enforcement has got at least this far for something like the DNC hack. They have profiled a botnet and have matched sigint and humint about the activities of Russian mercenary and state-sponsored hackers to the known profiles of the botnet in question. Maybe they’ve also found this botnet is associated with attacks that deliver malware which uses the Russian language. Perhaps its targets are the Ukrainian government, western news media unsympathetic to Putin, or any other business or organisation which could be argued to be working against Russia’s interests.

And this is where the attackers may give themselves away. If that same botnet is not also used for financially motivated crimes such as breaking into ecommerce sites, delivering cryptolocker-style ransomware, hacker-vs-hacker DDoS and so on, you can in fact profile the botnet as likely being state sponsored. For this reason, governments increasingly rent botnet time from general cyber-crooks in order to better mask their attacks.

Additions

On top of what I’ve mentioned about botnets, you have bitcoin-rented virtual private servers (VPS) in uncooperative jurisdictions, the Tor network, open proxies, manually hacked servers, VPNs and other infrastructure that is utilised to harden key control points.

Botnets have many faces and may feed you to sharkticons

Conclusion

I doubt, short of hacking the Russian government, that we will ever see evidence of e.g. Putin giving the order to his intelligence officials to ‘hack the DNC to support Trump’. Instead, one must simply create a plausible narrative, aimed primarily at the US intelligence community, that such a thing took place, often by presenting relevant digital forensic evidence tying the intrusion to a relevant network or botnet that can be argued to be in use by Russian mercenary or state-sponsored hackers.

The details of these investigations seldom make the mainstream news because of the ongoing infiltration, hack-back, honeypot, profiling and dismantlement operations still in progress. It is similar to how, if you intercepted relevant chatter from an Islamist source, even if you get that person, it’s their network that is the real threat. And what if that source is also a conman, witness, scam victim and half a dozen other hypothetical roles as well — attribution can be hard!

I hope this discussion about the murky world of botnets gives you something to go on. This is the battleground in which both cyber warfare and higher-end cybercrime take place, and it is crucial to understanding why sometimes we never get straight answers to ‘who dunnit’ :)

For further reading, I recommend the ICIT report Know Your Enemies 2.0 — The Encyclopedia of the Most Prominent Hacktivists, Nation State and Mercenary Hackers, which manages to profile state and non-state hacking groups via a range of forensic methodologies.