We have a shining example of the problems with international hacking attribution on display today, after the malware attack last week. Russia's Putin proclaims that the U.S. is responsible, which has everyone scratching their heads. Some of the code looks like the same stuff used in the attacks on South Korea by North Korea, so the latter becomes the latest suspect. The way the Dark Web is selling anything and everything that looks like a hacking tool makes it easy to buy code made by almost anyone. None of the reasons given today have anything to do with who actually did this.
James Clapper, when he was the Director of National Intelligence, made several public statements about the difficulty of attribution from the standpoint of someone who had to be right when he spoke to the leadership of the United States. He said, among other things, it was important to know where the attack came from and who ordered it. That information does not come in a day or two. We will eventually find out because there are lots of electronic fingerprints on this one. There are a number of governments anxious to make sure they are not blamed for what happened, so you can bet there will not be full disclosure if someone is caught. These fingerprints already look Russian, but we have to remember that just because Russian gangs sell software to anybody with a pulse, they are not necessarily the ones who pull the trigger. That analogy is a variant of the gun manufacturers' motto: Software does not steal.
But nobody in cyber security talks much about the second half of Clapper's comments - who ordered it. In this case, that may have more importance than the origin of the attack. If it was some under-30-something who bought the software on the Dark Web and launched this thing, not knowing the outcome, nobody is going to care except his mother and the government where he/she lives. That is not likely from what I saw. There are notifications in almost every language that a person can have on a computer screen, a place to pay "ransom" which does not seem to be well used, and not much of an attempt to release documents that were paid for. That doesn't sound like the criminals we are used to. Maybe, as some suggested, they were overwhelmed by the success of their efforts. Maybe is the operative word in attribution. Who ordered it? No maybe, no guessing, just the facts.