Welcome to the SecAware blog

I spy with my beady eye ...

24 May 2017

NBlog May 24 - the risk of false attribution

News relating to the WannaCry incident is still circulating, although a lot of what I'm reading strikes me as perhaps idle speculation, naive and biased reporting, politically-motivated 'fake news' or simply advertising copy.

Take for instance this chunk quoted from a piece in Cyberscoop under the title "Mounting evidence points to North Korean group for global ransomware attack":
"In the aftermath of a global ransomware attack, which impacted more than 300,000 computers in over 150 countries, a small, select group of security researchers announced they had found evidence suggesting a group previously linked to the North Korean government was likely behind the international cyber incident. Their theory gained new found credibility Monday when U.S. cybersecurity firm Symantec said it too discovered “strong links” between WannaCry ransomware and the so-called Lazarus Group."
Cybersecurity incidents such as WannaCry are often blamed on ("attributed to") certain perpetrators according to someone’s evaluation of evidence in the malware or hacking tools used, or other clues such as the demands and claims made. However the perpetrators of illegal acts are (for obvious reasons) keen to remain undercover, and may deliberately mislead the analysts by seeding false leads. Furthermore, attacks often involve a blend of code, tools and techniques from disparate sources, obtained through the hacking underground scene and used or adapted for the specific purpose at hand. 

It's a bit like blaming the company that made the nails used in the Manchester bombing for the attack.  No, they just made the nails.


No comments:

Post a Comment