Attribution: a puzzle
When an intelligence agency such as the UK's National Cyber Security Centre (NCSC) attributes the WellMess malware to APT29 in a report endorsed by Canada's Communications Security Establishment (CSE), the US National Security Agency (NSA) and the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (DHS CISA), you would expect these agencies to have solid evidence to back their claims. Intelligence agencies have additional sources of intelligence that are beyond the reach of private-sector researchers. Nevertheless, the private sector rises to the challenge and attempts to attribute cyber attacks to threat actors using the intelligence available to it: open-source intelligence (OSINT) and analysis of technical intelligence (TECHINT), possibly derived from proprietary data. Attribution of cyber attacks is hard: it requires collecting diverse intelligence, analysing it and deciding who is responsible. Given this, it is interesting to examine the evidence available to us, as a threat intelligence and security research group, to support these conclusions. In this presentation we will present our research on attributing WellMess. We will also describe additional elements of the attribution process, such as false flags and code sharing, using further case studies including OlympicDestroyer and ACIDBox. We will show why attribution is challenging, and why multiple sources of intelligence are important.