Faulty Attribution Analysis by RSA's VOHO Report Negates Its Findings

RSA's First Watch Research and Intelligence Team just released its VOHO report (.pdf) with the declaration that China was responsible (aka "APT"). Their attribution analysis was summarized in two paragraphs:
RSA FirstWatch research has revealed an exploit and compromise campaign with connections over the past 8 months.  The collected data suggests that this attack was orchestrated and carried out by threat actors commonly referred to in the industry as “APT”:
  1. Use of the “xKungFoo” script kit for victim redirection
  2. Use of attack methodology that matches motives seen in past APT attacks – most notably such as those seen in the Aurora and GhostNet campaigns
  3. Use of the “gh0st” remote access tool (RAT) in this and previous campaigns
  4. Use of command and control infrastructure in the Hong Kong area in this and previous campaigns
  5. Gross impact and on almost 900 unique organizations 
  6. Targets of Interest and Opportunity being geographically disperse in addition to industrial & vertical diverse with a heavy concentration in the following areas:
    • International finance & banking
    • Technology
    • Government – municipal, state, federal and international 
    • Utilities & energy
    • Educational 
    • Defense Industrial Base (DIB)
    • Corporate Enterprise
The possibility exists that this was intentional misdirection on the part of the attackers in
regards to their origin
(emphasis added). However, the RSA FirstWatch team believes the data supports our analysis and this is further evidence of APT intrusion into United States government and corporate assets.
Of those two paragraphs, only one sentence was dedicated to alternative analysis (the one in italics). While it may seem like I'm picking on RSA, they aren't the only InfoSec company that performs lazy, biased analysis. Every company that has issued a report which included a section on attribution has failed to assess the alternatives in a non-biased, rigorous manner (.pdf). RSA's VOHO report can serve as an example of what I mean. Readers are encouraged to look for these types of analytic errors in other InfoSec reports as well.

Use of "xKungFoo script"
The authors referenced the work of researcher Mila at Contagio Dump. While it's true that the xKungFoo script is written in Chinese, that doesn't mean that Chinese hackers were responsible, nor does it mean that a person of Chinese descent wrote it. I personally know Russian, American, and Indian engineers who speak and write Chinese fluently. More importantly, as Mia pointed out in the same blog post footnoted by RSA's researchers, the xKungFoo script is widely available for anyone to use so even if it was originally created by a Chinese hacker, it doesn't mean that it was used by Chinese hackers in all instances.

Use of Attack Methodology that Matches Motives Seen in Past APT Attacks
- Watering Hole Specifics
The authors acknowledge that "the idea of using a target’s interests and likely access points is not a new method of attack" but that its scale is notable. The authors go on to note the array of websites that were used as lures:
  • Related to Boston, MA
  • Related to political activism
  • Related to Washington DC Metro area
  • Related to the Defense Industrial Base
  • Related to Education
There's nothing in this grouping which would attribute this attack to any one State or non-State actor.
Additionally, the authors wrote that "one of the main sources of infection for these campaigns were sites that support the cause of democratic process in non-permissive environments, or the communication of information related to free speech. " That's way too broad an assessment to come to any conclusion on attribution. In fact, this entire section of the report doesn't include a single piece of evidence that would uniquely identify an attacker.

Use of GhostRAT
Under the reports' Attack Methodology section, it refers to the use of Ghost RAT, a widely available Remote Access Tool which anyone can use. The fact that it was used in an attack against the Dalai Lama in 2008 (GhostNet) doesn't mean that all of the later attacks which used this tool originated with the same group. In fact, even the GhostNet researchers refrained from attributing this attack to China's government.

Use of Hong Kong ISPs
The geolocation of command and control servers is probably the weakest evidence that one can give when assigning attribution, especially when the suspected attacker is China - the world's most popular cyber villan.

Targets of Interest
The targets of interest mentioned by the authors are too broad to be attributed to any one nation state. In fact, the targets of interest combined with the use of widely available malware and Hong Kong-based C&C servers makes it more likely that this was the work of an Eastern European hacker crew who was casting a wide net for data that it could sell to interested third parties.

Intelligence is a two-part process: collection and analysis. RSA and its peers, by virtue of their widespread customer base, do a very good job with the collection of data but they fail in performing rigorous analysis. Further, because RSA is a vendor in the business of gaining market share, it's good business today to blame China. I know from experience that many corporations, government and DOD organizations are more eager to buy cyber threat data that claims to focus on the PRC than any other nation state. When the cyber security industry issues PRC-centric reports like this one without performing any alternative analysis of the collected data, and when the readership of these reports are government and corporate officials without the depth of knowledge to critically analyze what they're reading (i.e., when they trust the report's authors to do the thinking for them), we wind up being in the position that we're in today - easily fooled into looking in one direction when we have an entire threat landscape left un-attended. We got into that position because InfoSec vendors have been left alone to define the threat landscape based upon their product offerings. In other words, vendors only tell customers to worry about the threats that their products can protect them from and they only tell them to worry about the actors that they can identify (or think that they can identify). This has resulted in a security awareness clusterfuck of epic proportions. For more information on how the threat landscape should be defined (versus how it's being defined by security vendors), see my paper "Intelligence Preparation of the Information and Communications Environment".