Thursday, January 19, 2012

Inconclusive Attribution Is Worse Than No Attribution

A China expert friend of mine just sent me a link to a Defense News article by Andrew Tilghman, "Chinese Virus Targets DoD Common Access Card". Jaime Blasco, lab manager for AlienVault, said "the virus is linked to a “command and control server” that appears to be based in China; some flaws buried deep in the code revealed Chinese language characters, suggesting that only a Chinese speaker would be able to launch it." Tilghman's headline doesn't accurately reflect Blasco's findings. Instead, he chose a sensationalistic headline that would attract readers. Unfortunately, it also attracts researchers, pundits and U.S. government employees who harbor an anti-China slant and who collect stories like this to add fuel to an already hot anti-China sentiment on the Hill.

As I've said many times before, the geolocation of an IP address means absolutely nothing on its own, since IP addresses are easily obtainable by anyone, both legally and illegally. Chinese characters in the code only mean that someone who writes Chinese was involved at some point. How many Chinese engineers work for Western companies or are naturalized citizens outside of the PRC? I shouldn't have to state the obvious: writing in Chinese characters doesn't mean that you work for the Chinese government. Assuming otherwise is beyond simple ignorance; it borders on xenophobia.

Why I Oppose the 12 Chinese Hacker Groups Claim
Rep. Mike Rogers Needs To Re-Think His China Tactics
The Case Against The Case Against China


  1. You're wrong that Chinese C2 IP addresses and Chinese characters in malware code are meaningless. That there are viable alternative explanations may be true if you look at each occurrence in a vacuum; but over time, as multiple related incidents and malware samples are observed, the recurrence of Chinese IP addresses -- especially within the same netblock -- is meaningful. This is especially true if the IP addresses can be shown to be used by the same MAC or hostnames consistently over time. As for Chinese characters in malware code, again if the complexity and style of the code demonstrate consistent patterns across samples, then it is not satisfactory simply to write off the appearance of the Chinese portion of the code, saying that some innocent third party could have been the source. You're right that media reports are often incendiary and make unsupported statements, and you're right that dogmatists frequently abuse media reports like those. But the mere existence of an alternative hypothesis should not be used to distract analysts from clear lines of investigation. I think you often confuse legitimate concern over observed, validated behavior with China bashing and strike too hard in the opposite direction.

  2. Repeated use shows a pattern of behavior on the part of a person or persons but doesn't create a bridge leading to any specific government. That's my overriding point and concern.

  3. Hi Jeffrey. I'm Jaime Blasco, the author of the original article:

    If you read it, you can see that we try to describe the technical aspects of the threat without digging too deeply into attribution. We made that effort in a previous post:

    So if you read the "who is behind Sykipot" part you will see that we describe the evidence but we never say that China is behind it. Nevertheless, with this information and previous analysis of attacks from the same group, we suspect that in fact Chinese groups are behind it. As you probably know if you work in this industry, you will never be 100% sure of who is behind an attack; attribution is a hard business. Anyway, you mention that the geolocation of IP addresses doesn't mean anything. OK, if you read the previous work you will find that in fact the domain names point to US IP addresses. These servers have been hacked and a small piece of code has been installed on them to redirect the traffic to servers based in China. If you combine this with the usage of the specific web server software, as well as other pieces of code that point to previous APT threats attributed to Chinese groups, it is very likely that they are behind this. We have some more clues that we are following and will disclose in future posts. As an example, the same group has been targeting Tibetan organizations for months, so if you had to bet, who would you think is behind it?

    Best Regards

  4. Hi Jaime, thanks for commenting. China has engaged in this type of activity for years, but so have many other countries. A savvy government-sponsored crew not from China would mimic the same TTPs in order to create a false trail. For this reason, and because policy makers who know next to nothing about computer forensics wrongly rely on media reports to give them their "facts", I think that any attempt at attribution is misguided and potentially damaging to U.S. national security interests. An SOP in the U.S. intelligence community is negative analysis, which is where you try to disprove your own assessment. I'd really like to see that practice adopted by information security researchers.
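The first comment's argument (recurrence of C2 addresses within the same netblock, and of the same hostnames, across samples over time) is a pivot an analyst can actually run, and the script below shows what it does and does not produce. It is an added example for this post, not code from the blog, from AlienVault or from any commenter. The observations in it are constructed (RFC 5737 documentation addresses and reserved .test hostnames), and the thresholds `min_samples` and `min_span_days` are assumptions chosen for illustration.

```python
"""Pivoting command-and-control observations across malware samples.

Added example for this post; it is not code from the blog, from AlienVault
or from any commenter. Every observation below is constructed: the IPs are
RFC 5737 documentation addresses and the hostnames use the reserved .test TLD.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, Iterable, List, Optional, Set, Tuple
import ipaddress

Observation = Tuple[str, date, str, str]  # (sample_id, first_seen, c2_hostname, c2_ip)

# Constructed observations. Four samples over nine months share one /24 and two
# hostnames; a fifth sample points somewhere unrelated.
OBSERVATIONS: List[Observation] = [
    ("sample-01", date(2011, 3, 2),  "update.example-cdn.test", "203.0.113.10"),
    ("sample-02", date(2011, 5, 18), "update.example-cdn.test", "203.0.113.10"),
    ("sample-03", date(2011, 9, 7),  "mail.example-cdn.test",   "203.0.113.44"),
    ("sample-04", date(2011, 12, 1), "update.example-cdn.test", "203.0.113.27"),
    ("sample-05", date(2011, 6, 20), "news.unrelated.test",     "198.51.100.5"),
]


@dataclass
class Cluster:
    """What one netblock looks like across every sample that used it."""
    netblock: str
    samples: Set[str] = field(default_factory=set)
    hostnames: Set[str] = field(default_factory=set)
    first_seen: Optional[date] = None
    last_seen: Optional[date] = None

    def add(self, sample: str, seen: date, hostname: str) -> None:
        self.samples.add(sample)
        self.hostnames.add(hostname)
        if self.first_seen is None or seen < self.first_seen:
            self.first_seen = seen
        if self.last_seen is None or seen > self.last_seen:
            self.last_seen = seen

    @property
    def span_days(self) -> int:
        """Days between the earliest and latest sample using this netblock."""
        if self.first_seen is None or self.last_seen is None:
            return 0
        return (self.last_seen - self.first_seen).days


def netblock(ip: str, prefix: int = 24) -> str:
    """Collapse an address to its enclosing network, e.g. 203.0.113.10 -> 203.0.113.0/24."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def cluster_by_netblock(observations: Iterable[Observation], prefix: int = 24) -> Dict[str, Cluster]:
    """Group every observation by the netblock its C2 address falls in."""
    clusters: Dict[str, Cluster] = {}
    for sample, seen, hostname, ip in observations:
        key = netblock(ip, prefix)
        clusters.setdefault(key, Cluster(key)).add(sample, seen, hostname)
    return clusters


def recurring(clusters: Dict[str, Cluster], min_samples: int = 2, min_span_days: int = 90) -> List[str]:
    """Netblocks reused by at least min_samples distinct samples over at least
    min_span_days. The thresholds are assumptions for this example. A hit means
    the same infrastructure was reused; it says nothing about who sponsors it."""
    return sorted(
        key for key, c in clusters.items()
        if len(c.samples) >= min_samples and c.span_days >= min_span_days
    )


def hostname_pivot(observations: Iterable[Observation]) -> Dict[str, Set[str]]:
    """Which addresses each C2 hostname has resolved to across samples."""
    pivot: Dict[str, Set[str]] = {}
    for _sample, _seen, hostname, ip in observations:
        pivot.setdefault(hostname, set()).add(ip)
    return pivot


if __name__ == "__main__":
    clusters = cluster_by_netblock(OBSERVATIONS)
    for key, c in sorted(clusters.items()):
        print(f"{key}: {len(c.samples)} samples, {c.span_days} days, hosts={sorted(c.hostnames)}")
    print("recurring:", recurring(clusters))
    for host, ips in sorted(hostname_pivot(OBSERVATIONS).items()):
        print(f"{host} -> {sorted(ips)}")
```

Running it prints one line per netblock and flags 203.0.113.0/24 as recurring (four samples, 274 days, one hostname moving between two addresses in the block). That is exactly the kind of finding the first comment describes, and exactly as far as it goes: it shows the same infrastructure being reused by related samples. Two cautions follow from the thread itself. Blasco's point that the first-hop servers were compromised US hosts redirecting elsewhere means the address you cluster on has to be the endpoint the redirect lands on, not the relay, or the pivot is meaningless. And neither clustering nor hostname pivoting says anything about who sponsors the operator, which is the bridge Jeffrey says the evidence never builds.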