
MASTER THESIS

Cyber Attribution: Problem Solved? Analyzing the Communication of Blame and Evidence for Nation-State Involvement in Cyber Operations, 1998-2018

Author: K.M. (Koen) van den Dool
Student Number: S1747525
E-Mail: koen.vd.dool@.com
Date: June 6, 2018
Word count: 20237

Supervisor: Prof. Dr. B. van den Berg
Second Reader: Mr. S. Boeke
Program: MSc in Crisis and Security Management
Faculty of Governance and Global Affairs – Universiteit Leiden

Master Thesis | K.M. van den Dool

Table of Contents

1. INTRODUCTION ...... 4

2. THEORY: ATTRIBUTION OF CYBER OPERATIONS ...... 8
2.1. Defining Cyber Operations ...... 8
2.2. Attribution in Cyberspace ...... 11
2.2.1. Identification ...... 12
2.2.2. Response ...... 21
2.2.3. Communication ...... 28

3. ANALYSIS: BLAME AND EVIDENCE IN CYBER ATTRIBUTION ...... 31
3.1. Methodology ...... 31
3.1.1. Case Selection ...... 33
3.1.2. Variables ...... 37
3.2. Analysis ...... 43
3.2.1. First Results ...... 43
3.2.2. Neutral Attribution ...... 47
3.2.3. Territorial Attribution ...... 54
3.2.4. Nation-State Attribution ...... 62

4. CONCLUSION ...... 72

BIBLIOGRAPHY ...... 76

APPENDIX A: DATASET ...... 95


LIST OF TABLES

Table 1: Levels of Identification ...... 13
Table 2: Levels of State Involvement in Cyber Operations ...... 20
Table 3: Law Enforcement vs. National Security Approach to Attribution ...... 21
Table 4: State Involvement and Response Types ...... 27
Table 5: Operation Levels (Examples) ...... 36
Table 6: First Results of Categorization ...... 43
Table 7: Number of Cases per Operation Type ...... 45
Table 8: Classification of Attribution Occurrences for CNA and CNE Cases ...... 45
Table 9: Number of Cases per Target Type ...... 46
Table 10: Classification of Attribution Occurrences per Target Type ...... 46

LIST OF FIGURES

Figure 1: Attribution of Cyber Operations, 1998-2018 ...... 44

LIST OF ILLUSTRATIONS

Image 1: Calvin and Hobbes ...... 4
Image 2: Parody of the 1993 New Yorker cartoon ...... 15
Image 3: Excerpt from the TRANSCOM report (screenshot) ...... 64
Image 4: ThreatConnect's Diamond Model and Attribution of FancyBear (screenshot) ...... 68


LIST OF ABBREVIATIONS

ACSC Australian Cyber Security Centre
APT Advanced Persistent Threat
ARSIWA Articles on Responsibility of States for Internationally Wrongful Acts
C2 (or C&C) Command and Control
CFR Council on Foreign Relations
CNA Computer Network Attack
CNE Computer Network Exploitation
CNO Computer Network Operations
DDoS Distributed Denial of Service
DHCP Dynamic Host Control Protocol
DIME(LE) Diplomacy, Information, Military, Economy (and Law Enforcement)
DNC Democratic National Convention
DNS Domain Name System
EU European Union
FBI Federal Bureau of Investigation
NSA National Security Agency
GCHQ Government Communications Headquarters
GDPR General Data Protection Regulation
IO Information Operations
IOC Indicators of Compromise
ISP Internet Service Provider
IAAF International Association of Athletics Federations
MFA Ministry of Foreign Affairs
NATO North Atlantic Treaty Organization
NISCC National Infrastructure Security Coordination Centre
RAT Remote Access Tool
TOR The Onion Router
US United States
VPN Virtual Private Network
VPS Virtual Private Server
WADA World Anti-Doping Agency


1. Introduction

Image 1: Calvin and Hobbes1

“Cyberspace. A consensual hallucination experienced daily by billions of legitimate operators […] A graphical representation of data abstracted from the banks of every computer in the human system.”2 This is the original definition of the word ‘cyberspace’, first used by science fiction writer William Gibson in his book ‘Neuromancer’, published in 1984. 26 years later, the Pentagon defined it as “a global domain within the information environment consisting of the independent network of information technology infrastructures, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers.”3 An important characteristic of cyberspace is the detachment of the physical identity from the technical identity. Digital identifiers such as IP addresses and domain names are not inherently linked to one person or entity in the same way as fingerprints or DNA profiles are. Put differently, strings of digital code in themselves are neutral and replicable. As a result, when trying to identify criminals and aggressors in cyberspace, Bruce Schneier says: “In cyberspace you can’t see anything directly, so it’s all going to be circumstantial.”4 This statement sheds light on one of the core dilemmas that decision makers face when responding to cyber attacks – the so-called attribution problem in cyberspace. A standard

1 “Calvin and Hobbes by Bill Watterson for Jan 20, 1994,” Go Comics (website), accessed May 22, 2018, http://www.gocomics.com/calvinandhobbes/1994/01/20.
2 William Gibson, Neuromancer (New York: The Berkley Publishing Group, 1984), 51.
3 Noah Shachtman, “26 years after Gibson, Pentagon defines ‘Cyberspace’,” Wired, May 23, 2008, accessed May 22, 2018, https://www.wired.com/2008/05/pentagon-define/.
4 VICELAND, “The Attribution Problems in Cyber Attacks: CYBERWAR (Extra Scene),” YouTube (website), July 14, 2016, accessed February 20, 2018, https://www.youtube.com/watch?v=OJ9myAO445w.

dictionary defines “to attribute” as “to explain (something) by indicating a cause”.5 After a violation of the law in the ‘physical’ world, a crime is (ideally) attributed to a criminal based on evidence, which is presented before a court, which may find the criminal guilty beyond any reasonable doubt. In addition, an attack in the context of interstate conflict is generally overt and attributable.6 This process can be complex, but the procedural rules and standards of evidence are relatively straightforward. Coming to grips with responding to cyber attacks is more problematic, because attribution is more ambiguous when the ‘crime scene’ or ‘battlefield’ consists of globally spread fragments of code. Joseph S. Nye Jr. illustrates the difficulty of cyber attribution by comparing it to conventional deterrence of nuclear attacks:

“Nuclear attribution is not perfect, but only nine states possess nuclear weapons; the isotopic identifiers of their nuclear materials are relatively well known; and although weapons or materials could be stolen by third parties, there are serious barriers to entry for non-state actors. None of this is true in cyberspace, where a few lines of malicious code can be written (or purchased on the dark web) by any number of state or non-state actors.”7

Attributing cyber attacks is an important issue for decision makers, as is explained by Susan Brenner, because knowing who is behind a cyber attack indicates what type of threat one is facing – i.e. terrorism, crime, warfare.8 This, in turn, indicates whether the threat requires a law enforcement response or a national security response. Although some have called attribution “perhaps the most difficult problem” in cyberspace,9 others are less pessimistic. Thomas Rid, for example, says “there is still this ‘attribution is impossible’ knee jerk reaction”, but “the idea that attribution is not possible doesn’t carry any weight in the technically informed community anymore.”10 Former top White House official and co-author of the book ‘Cyber War’ Richard Clarke once said:

5 Merriam-Webster, s.v. “attribute,” accessed February 8, 2018, https://www.merriam-webster.com/dictionary/attribute#h2.
6 Susan W. Brenner, “At Light Speed: Attribution and Response to Cybercrime/Terrorism/Warfare,” Journal of Criminal Law & Criminology 97, no. 2 (2007): 406-409.
7 Joseph S. Nye Jr., “Deterrence and Dissuasion in Cyberspace,” International Security 41, no. 3 (2016): 50.
8 Brenner, “At Light Speed,” 405.
9 P.W. Singer and Allan Friedman, Cybersecurity and Cyberwar (New York, NY: Oxford University Press, 2014), 73.
10 Lily Hay Newman, “Hacker Lexicon: What Is the Attribution Problem?” Wired, December 24, 2016, accessed May 26, 2018, https://www.wired.com/2016/12/hacker-lexicon-attribution-problem/.


“With more time, I think we can solve the attribution problem. You can’t find the origin of an attack in real time. But ultimately you can do the forensics if you can hack into all the servers. The NSA [National Security Agency] can do that. And the NSA tells me that attribution isn’t really a problem.”11

If true, one may expect that governments are better able to determine nation-state involvement in cyber attacks and consequently call out those states. However, does this also happen in practice? This question is the point of departure for this thesis. To be more precise, the question I want to answer is: ‘How is nation-state involvement in cyber operations publicly communicated, and to what extent are such claims substantiated by evidence?’ Implicit in this question is not only a substantive objective to answer the question itself, but also a methodological objective to turn the focus in this field of study to empirical observation. Most of the literature on cybersecurity is highly conceptual and hypothetical in nature, requiring what Brandon Valeriano and Ryan Maness call “spectacular flights of the imagination”.12 They argue:

“The field of cyber security needs a clear return to social science in order to be able to definitively engage the cyber debate with facts, figures, and theory.”13

To reach this double objective, this thesis is divided into two parts. The first part looks at the existing theoretical literature on cyber attribution to answer the question: If the attribution problem is not a technical problem, what is it instead? Here I conclude that, although the technical problem is not necessarily solved, the extent to which it restricts response depends mostly on which response logic one follows – law enforcement or national security. In the latter approach, assessments with high confidence are sufficient to legitimize a response, as opposed to the complete certainty required in the law enforcement model. However, without sufficient evidence, convincing others boils down to credibility and authority.

11 Andy Greenberg, “Security Guru Richard Clarke Talks Cyberwar,” Forbes, April 8, 2010, accessed May 26, 2018, https://www.forbes.com/2010/04/08/cyberwar-obama-korea-technology-security-clarke.html#7bf35589344e.
12 Ibid, 347. (Other examples include: Kello, “The Meaning of the Cyber Revolution”; Lindsay, “Tipping the Scales”; Rid & Buchanan, “Attributing Cyber Attacks”; Nye, “Deterrence and Dissuasion”.)
13 Ibid.


In the second part, I present the methodology and results of an analysis of 203 cases that untangles the various ways in which attribution of cyber operations is communicated in practice. After an explanation of my methodology and first results, this part is further divided into three chapters based on an assessment of the different levels of attribution of nation-state involvement in cyber operations. First, neutral attribution is mostly limited to a threat assessment and does not mention that any state is involved. Second, territorial attribution mentions a country of origin but excludes government involvement. Here, the identification of a culprit or server that is not connected to a state allows the victim to prosecute or request action against that culprit. This follows the law enforcement model. Third, nation-state attribution occurs when the attributing authority puts blame on a foreign country, resulting in principal attribution. In this situation, a government may take national security response measures. Overall, the collected information supports the notion that nation-states are increasingly called out for their alleged involvement in cyber operations. The substantiation of these public statements, however, does not show that the attribution problem is actually solved. Possible explanations for this phenomenon – such as the theses that attributing actors do not have the evidence, or are not willing to share it – remain speculative. Instead, the results point to the same conclusion that is drawn in the literature, namely: rather than a purely technical issue, to decision makers the attribution problem is just as much a communication issue that hinges on credibility and trust.


2. Theory: Attribution of Cyber Operations

As stated in the introduction, the attribution problem in cyberspace may pose a significant problem for decision makers who have to devise an appropriate response to detected cyber operations. But what exactly are the constitutive elements of this attribution problem, and how do they complicate response formulation for decision makers? This section answers these questions by looking at the existing body of literature on the attribution of cyber operations. Before answering these questions, it is important to arrive at a definition of ‘cyber operations’, and to clarify the various language conventions on the objects of attribution in cyberspace.

2.1. DEFINING CYBER OPERATIONS

In the cybersecurity literature, the term ‘cyber attack’ is often used as a container concept to include many different types of events in cyberspace. As will be discussed below, this ambiguity is not particularly helpful. Using the term cyber attack puts all events described as such in a frame of conflict and armed attacks with destructive effects. A possible alternative denomination could be a broader category of ‘cyber threats’. This, however, implies a hypothetical – that is, an event that is still to come. Instead, this research’s focus is on attribution of events that are ongoing or completed. This can include cyber attacks, but also other acts that have no offensive or destructive effects, such as cyber espionage. As a result, the term of use for this thesis is cyber operations. This concept is more satisfying than cyber attacks, because it is broader and includes non-destructive operations like espionage. The Tallinn Manual on the International Law Applicable to Cyber Warfare defines cyber operations as “the employment of cyber capabilities with the primary purpose of achieving objectives in or by the use of cyberspace”.14 This definition, however, is too broad. It provides no specification of ‘objectives’, meaning that all acts are included, even non-offensive common acts such as sending text or processing financial transactions

14 Michael S. Schmitt, ed., Tallinn Manual on the International Law Applicable to Cyber Warfare (Cambridge: Cambridge University Press, 2013), 15.

online. So to get a better conceptualization of ‘cyber operations’ we must parse the different categories of operations that will be included in this research. Arquilla and Ronfeldt’s distinction of ‘Netwar’ from ‘Cyberwar’ may serve as a useful starting point.15 They define netwar as “societal-level ideational conflicts waged in part through internetted modes of communication”, or, “information-related conflict at a grand level between nations or societies.”16 Put briefly, Netwar aims to influence public and/or political opinion of an adversary through psychological manipulation and information campaigns. In doing so, it uses the Internet and its communication platforms to reach its audience. In recent years, we have witnessed an increase in reporting about so-called ‘trolling’ and ‘bots’ on social media. Trolling could be generally defined as an act “to antagonize (others) online by deliberately posting inflammatory, irrelevant, or offensive comments or other disruptive content”.17 This was the case in the run-ups to the U.S. presidential elections and the Brexit referendum in 2016, as well as the Catalan independence referendum in 2017, where botnets that were allegedly connected to Russian actors spread polarizing (and mostly false) content to instigate political instability.18 In some policy circles this is also known as ‘information warfare’, designed “to sever outside lines of communication so that people get their information only through controlled channels”.19 The use of the term ‘warfare’ in this case falsely creates an impression of armed conflict or declared war. Instead, these operations mostly use overt and not strictly illegal or destructive means to reach their ends. Therefore, in this research this category of operations is called Information Operations (IO).
Arquilla and Ronfeldt’s second category of ‘Cyberwar’ refers to “conducting, and preparing to conduct, military operations according to information-related principles.”20 With due regard to the usefulness of this definition as a starting point, it needs some reconsideration. Since the current conceptualization leaves no room for operations outside the military realm, the definition should be expanded to include non-military operations such as espionage and attacks below the threshold of armed conflict.

15 John Arquilla and David Ronfeldt, “Cyberwar is Coming!” Comparative Strategy 12, no. 2 (1993): 27.
16 Ibid, 27-28.
17 Merriam-Webster, s.v. “troll,” accessed April 18, 2018, https://www.merriam-webster.com/dictionary/troll.
18 Hannes Grassegger and Mikael Krogerus, “Fake news and botnets: how Russia weaponised the web,” The Guardian, December 2, 2017, accessed April 18, 2018, https://www.theguardian.com/technology/2017/dec/02/fake-news-botnets-how-russia-weaponised-the-web-cyber-attack-estonia; Scott Shane and Vindu Goel, “Fake Russian Facebook Accounts Bought $100,000 in Political Ads,” The New York Times (online), September 6, 2017, accessed April 18, 2018, https://www.nytimes.com/2017/09/06/technology/facebook-russian-political-ads.html.
19 Grassegger and Krogerus, “Fake news and botnets.”
20 Arquilla and Ronfeldt, “Cyberwar is Coming!” 30.


Moreover, this category can be further split up between computer network attack (CNA) and computer network exploitation (CNE), both of which can be thought of as subcategories of computer network operations (CNO).21 As the term suggests, CNA – or cyber attack – refers to offensive acts, aimed at “the deliberate disruption or corruption by one state of a system of interest to another state”.22 ‘Disruption’ and ‘destroying’ of data are elements that occur in similar definitions elsewhere.23 Therefore, CNA is relatively overt, since it has noticeable effects. CNE – or cyber espionage – on the other hand, is about espionage and reconnaissance, and considered less disruptive because of the covert nature of the operations.24 The crucial factor that sets CNO apart from IO is that of unauthorized access. Although the source materials used in IO are obtained from illegal or undisclosed sources, its dissemination does not involve strictly illegal activities on computer systems. IO uses computer systems to spread content, as opposed to CNO that has as its goal the intrusion or attack upon computer systems themselves. The distinction between CNA and CNE is admittedly imperfect, because in practice CNA and CNE methods may be very similar. In Schneier’s words, “the problem is that, from the point of view of the object of an attack, CNE and CNA look the same as each other, except for the end result”.25 CNE can be a reconnaissance mission as a prelude to a subsequent attack. Nevertheless, this critique does not render the distinction useless for this research. For attribution it is exactly that end result that one needs to look at. If an operation has had no destructive or disruptive effects, and if there is no additional proof that the operation was meant for such ends, it is assumed here that the operation falls under CNE.

21 Jason Andress and Steve Winterfeld, Cyber Warfare: Techniques, Tactics and Tools for Security Practitioners (Waltham, Massachusetts: Syngress, 2014), 54.
22 Martin C. Libicki, Cyberdeterrence and Cyberwar (Santa Monica: RAND Corporation, 2009), 23.
23 “The varied ability of an actor to disrupt computer systems through either concentrated or stealthy digital assault”, in: Christopher Whyte, “Ending cyber coercion: Computer network attack, exploitation and the case of North Korea,” Comparative Strategy 35, no. 2 (2016): 97.
24 Libicki, Cyberdeterrence and Cyberwar, 23; Kim Zetter, “Hacker Lexicon: What are CNE and CNA?” Wired, July 6, 2016, accessed March 2, 2018, https://www.wired.com/2016/07/hacker-lexicon-cne-cna/.
25 Bruce Schneier, “Computer Network Exploitation vs. Computer Network Attack,” Schneier on Security (Blog), March 10, 2014, accessed March 2, 2018, https://www.schneier.com/blog/archives/2014/03/computer_networ.html. See also Melissa E. Hathaway, “Cyber Security: an Economic and National Security Crisis,” The Intelligencer: Journal of U.S. Intelligence Studies 16, no. 2 (2008): 31.


2.2. ATTRIBUTION IN CYBERSPACE

Finding an adequate response to cyber operations has been an issue in both academic and policymaking circles worldwide for years. In order to arrive at such a response, attribution, loosely defined as “to explain (something) by indicating a cause”,26 is considered key. In an early study of cyber attack attribution, Wheeler and Larsen define attribution as an act in which “the defender […] wants to identify or locate the attacker or at least an intermediary so a targeted response can be employed.”27 More specifically, Brenner argues that attribution has to answer two questions: who is the one responsible for the attack (attacker-attribution), and what was the motive of the attack (attack-attribution). As she puts it: “The first issue goes to assigning responsibility for committing an attack. The second goes to assigning responsibility for responding to an attack.”28 In Brenner’s analysis, the answer to the second question is largely dependent on the answer to the first question: If the culprit is a nation-state, one may expect a political or military response, whereas individual cybercriminals fall in the realm of law enforcement. However, in the context of the attribution problem, identifying the who is not always directly possible, and thus requires some guesswork about operation motives. Moreover, as Guitton notes, “determining if an incident is an act of crime or of terrorism rests solely on knowing whether the motives behind it are political. Again, the motives cannot be known before at least partial attribution. In such a model, the motive for the attack is simultaneously the solution to the problem and the variable on which the problem depends”.29 Despite this limitation, the identification processes on the one hand versus response processes on the other, as based on Brenner’s distinction, both deserve a closer look to get a better appreciation of the complexities decision makers face in this respect.

26 Merriam-Webster, s.v. “attribute,” accessed February 8, 2018, https://www.merriam-webster.com/dictionary/attribute#h2.
27 David A. Wheeler and Gregory N. Larsen, Techniques for Cyber Attack Attribution (Alexandria, VA: Institute for Defense Analyses, 2003), 2.
28 Brenner, “At Light Speed”, 405.
29 Clement Guitton, Inside the Enemy’s Computer: Identifying Cyber Attackers (New York: Oxford University Press, 2017), 32.


2.2.1. IDENTIFICATION

Looking at attribution as a means to identify someone or something as the source of the attack, Clark and Landau suggest that there are three general categories of attribution: the machine, the person, and the aggregate identity (or sponsor).30 This categorization corresponds to Lin’s distinction between the machine, the perpetrator (or intruder), and the adversary (see Table 1 below).31 The first level of attribution aims to trace back an attack to a technical point of origin, being a computer or server IP address. According to Clark and Landau this is a ‘starting point for attribution’, thus implying that actual attribution should go beyond merely technical forensics and machine identification.32 Indeed, it is hard to call a computer to court. Boebert, who distinguishes technical attribution from human attribution, underscores this point.33 Technical attribution is defined as “analyzing malicious [activity], and using the results of the analysis to locate the node which initiated or is controlling the attack.”34 Boebert then defines human attribution as “taking the results of technical attribution and combining it with other information to identify the person or organization responsible for the attack.”35 Again, the goal appears to be to get from technical to human attribution. The second and third levels of attribution are both categories of human attribution and most relevant in the context of this study, because it is at these levels that attribution goes beyond digital forensics to identify an entity that can be held accountable – either a (group of) individual(s) pressing the keys, or an ultimately responsible directing entity. This distinction roughly correlates with the theoretical distinction between an agent (an individual or operational entity executing given instructions) and a principal (an entity giving instructions to the agent). 
The next two sections will look at these two levels of attribution, how they relate to one another, and what obstacles may be encountered.

30 David Clark and Susan Landau, “Untangling Attribution,” in Proceedings of a Workshop on Deterring Cyberattacks: Informing Strategies and Developing Options for U.S. Policy (Washington, D.C.: The National Academies Press, 2010), 37.
31 Herbert Lin, “Attribution of Malicious Cyber Incidents: From Soup to Nuts,” Journal of International Affairs 70, no. 1 (2016): 80.
32 Clark and Landau, “Untangling Attribution,” 26.
33 W. Earl Boebert, “A Survey of Challenges in Attribution,” in Proceedings of a Workshop on Deterring Cyberattacks: Informing Strategies and Developing Options for U.S. Policy (Washington, D.C.: The National Academies Press, 2010), 43.
34 Ibid.
35 Ibid.


Boebert36 | Clark & Landau37   | Lin38
Technical | Machine            | Machine
Human     | Person             | Perpetrator
Human     | Aggregate Identity | Adversary

Table 1: Levels of Identification

Agent Attribution

Agent attribution is about identifying a physical entity – whether it is an individual or group – that is directly ‘pressing the keys’. Clark and Landau suggest that IP addresses are a valuable starting point to identify a physical agent behind malicious internet traffic: “IP addresses are usually allocated in blocks to Internet service providers (ISPs), corporations, universities, governments and the like. Normally, the ‘owner’ of a block of addresses is a public record, so one can look up an address to see who it belongs to.”39 However, this overlooks the fact that IP addresses can be manipulated or hidden in various ways. Wheeler and Larsen list some of these methods.40 First, IP addresses can be ‘spoofed’, simply meaning that the sending address is forged. Second, attackers may use ‘reflector hosts’, sending a request to a host server with the victim’s address as the sending address. Third, protocols sometimes have loopholes that can be exploited. Fourth, attackers may use ‘laundering hosts’ as either ‘stepping stones’ or ‘zombies’ to attack a third party. This method is often used in Distributed Denial of Service (DDoS) attacks. Finally, attribution is complicated because attacks can use many different timescales, varying from mere milliseconds to weeks or months. In addition, Boebert lists several other technologies that may hide information about the sender’s identity or location, such as the use of Virtual Private Networks (VPNs), Onion Routing (TOR), or Dynamic Host Control Protocols (DHCPs).41 A recent addition to this list could be cryptocurrency, such as Bitcoin. This technology is popular for ransomware attacks – hijacking victims’ PCs and servers to demand a compensation to be paid using cryptocurrency – because it facilitates payment.42

36 Boebert, “Challenges in Attribution,” 43.
37 Clark and Landau, “Untangling Attribution,” 37.
38 Lin, “Attribution of Malicious Cyber Incidents,” 80.
39 Clark and Landau, “Untangling Attribution,” 33.
40 Wheeler and Larsen, Techniques for Cyber Attack Attribution, 3.
41 Boebert, “Challenges in Attribution,” 43-46.
42 Simon Usborne, “Digital gold: why hackers love Bitcoin,” The Guardian, May 15, 2017, accessed February 27, 2018, https://www.theguardian.com/technology/2017/may/15/digital-gold-why-hackers-love-bitcoin-ransomware.


Besides anonymity-enhancing technologies, a second problem that is often put forward in the literature is the fact that many incidents originate in another country and attacks often employ ‘multi-stage’ methods, directing traffic across multiple servers in multiple countries.43 Such tactics are especially noticeable with DDoS attacks, which make use of ‘botnets’ as a platform to launch their attacks indirectly. The ‘recruitment’ of such bots – i.e. the spreading of malware across third-party machines prior to an attack – often occurs in multiple sequences, spreading to thousands of nodes in many different countries. Beyond severely complicating the tracing of the initial attacker, the routing of traffic through multiple jurisdictions makes things even more complicated. The investigator might not have permission to search servers outside its jurisdiction; the host country might have other legal standards of what it considers legitimate or illegitimate traffic; and investigation becomes fragmented and decentralized. Not only does this pose an obstacle to successful attacker identification, it also makes retaliatory action less feasible. A third limitation to digital forensic investigation is posed by privacy regulations.44 As Kello notes, obtaining only an IP address is insufficient for a punitive response.45 Historically, an IP address host’s name and location could be retrieved via the so-called ‘whois’ functionality, administered by a Domain Name System (DNS) registrar. However, privacy regulations rendered this function almost obsolete, and legal procedures to obtain whois data can be time- and labor-intensive.46 More specifically, the whois functionality is close to its end because of its incompatibility with the pending General Data Protection Regulation (GDPR) of the European Union (EU), enforced since May 25, 2018.47 Other privacy problems would include the permission required to access data on personal drives or breaching encryption.
The shooting incident at San Bernardino, CA, in December 2015 is a case in point, where the FBI wanted access to the shooter’s iPhone to obtain information about possible connections to terrorist networks, but Apple refused to do so, fearing it would erode consumer privacy protection principles.48

43 William J. Lynn III, “Defending a New Domain: The Pentagon’s Cyberstrategy,” Foreign Affairs 89, no. 5 (September 2010): 99; Lucas Kello, “The Meaning of the Cyber Revolution: Perils to Theory and Statecraft,” International Security 38, no. 2 (2013): 33; Clark and Landau, “Untangling Attribution,” 31.
44 Kello, “The Meaning of the Cyber Revolution,” 33; Clark and Landau, “Untangling Attribution,” 38; Boebert, “Challenges in Attribution,” 43.
45 Kello, “The Meaning of the Cyber Revolution,” 33.
46 Boebert, “Challenges in Attribution,” 45.
47 Dutch IT-Channel, “WhoIS nadert zijn einde,” Dutch IT-channel (website), April 17, 2018, accessed April 19, 2018, https://dutchitchannel.nl/597903/whois-protocol-voldoet-niet-aan-gdpr.html.
48 Evan Perez and Tim Hume, “Apple opposes judge’s order to hack San Bernardino shooter’s iPhone,” CNN, February 18, 2016, accessed February 10, 2018, https://edition.cnn.com/2016/02/16/us/san-bernardino-shooter-phone-apple/.


A fourth and final problem has to do with authentication. A famous 1993 cartoon that said “on the Internet, nobody knows you’re a dog” (below) illustrates an important distinction between identity and authentication.49 Singer and Friedman define identification as “the act of mapping an entity to some information about that entity”, as opposed to authentication, which is “the proof of the identification.”50 This proof can be something you ‘know’ (e.g. a password), something you ‘have’ (e.g. a bankcard), or something you ‘are’ (biometrics).51 Therefore, even if one has been able to associate malicious activity with an identity, there is still a chance that the credentials were stolen, documents were forged, or biometric identifiers were compromised.52 As a result, Singer and Friedman say, “relying on the IP address would be like relying on license plates to identify drivers.”53 The problems mentioned here – anonymity, jurisdiction, privacy, and authentication – do not show that attribution is impossible, but they do demonstrate that agent attribution based on technical details alone is inherently limited. Evidence such as IP addresses may provide a useful piece of a puzzle to learn more about the applied methods and geographic locations, but for a more complete picture of the aggressor one will need additional information from other sources. Even if an individual culprit is identified, another remaining challenge is to verify potential external influences and motives, such as the involvement of a state sponsor.
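The four limits on agent attribution discussed above – anonymity, jurisdiction, privacy, and authentication – can be made concrete with a small offline check. The following is an added example written for this page; it is not code from the thesis or from any of the cited authors. It assumes a hypothetical flow-log line format "<src_ip> <dst_ip> <iface>" and replaces the whois/RIR lookup with a constructed in-memory allocation table, so that it runs without network access. It shows how far the block lookup that Clark and Landau describe gets an analyst, and where spoofed, reflected or unregistered sources leave the question of who was 'pressing the keys' unanswered.

```python
"""Why an IP address is only a starting point for agent attribution.

Added example with constructed data; it opens no network connections.
Assumes a hypothetical flow-log format "<src_ip> <dst_ip> <iface>" and a
hypothetical in-memory allocation table standing in for whois/RIR records.
"""
import ipaddress

# Constructed stand-in for public block-allocation records (whois/RIR data).
# All addresses come from the RFC 5737 documentation ranges.
ALLOCATIONS = {
    ipaddress.ip_network("203.0.113.0/24"): "ExampleNet ISP (constructed)",
    ipaddress.ip_network("198.51.100.0/24"): "Example University (constructed)",
    ipaddress.ip_network("192.0.2.0/24"): "Victim Corp (constructed, the defender's own block)",
}
OWN_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]

# Ranges that can never be a genuine external origin (RFC 1918, loopback, link-local).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def lookup_owner(ip):
    """Return the registered holder of the block containing ip, or None."""
    for net, owner in ALLOCATIONS.items():
        if ip in net:
            return owner
    return None


def assess(line):
    """Map one flow-log line to (source, block holder, list of caveats)."""
    src_s, _dst_s, iface = line.split()
    src = ipaddress.ip_address(src_s)
    caveats = []
    if any(src in n for n in NON_ROUTABLE):
        caveats.append("non-routable source: spoofed or misconfigured")
    if iface == "external" and any(src in n for n in OWN_NETWORKS):
        caveats.append("own address arriving from outside: spoofed (reflector pattern)")
    owner = lookup_owner(src)
    if owner is None:
        caveats.append("no allocation record: the lookup alone names nobody")
    elif not caveats:
        # Even a clean hit names the block holder, not the person at the keyboard.
        caveats.append("block holder only: host may be a stepping stone, VPN/TOR exit or bot")
    return src_s, owner, caveats


def assess_all(lines):
    """Assess every line; return {src_ip: (owner, caveats)}."""
    return {src: (owner, caveats) for src, owner, caveats in map(assess, lines)}


# Constructed flow-log lines: "<src_ip> <dst_ip> <iface>".
SAMPLE_LOG = [
    "203.0.113.45 192.0.2.10 external",   # looks like an ordinary external client
    "10.0.0.7 192.0.2.10 external",       # RFC 1918 source seen on the outside interface
    "192.0.2.10 192.0.2.80 external",     # our own address as source, arriving from outside
    "198.18.0.5 192.0.2.10 external",     # not covered by any allocation record we hold
]

if __name__ == "__main__":
    for src, (owner, caveats) in assess_all(SAMPLE_LOG).items():
        print(f"{src:15} holder={owner!r}")
        for c in caveats:
            print(f"{'':15}   - {c}")
```

The only line that yields a holder without a red flag still identifies a block owner, not an agent: the machine at that address may be a laundering host, a VPN or TOR exit, or a recruited bot, which is exactly why the literature treats machine identification as the first of several levels rather than as attribution itself.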

Image 2: Parody of the 1993 New Yorker cartoon54

49 Singer and Friedman, Cybersecurity and Cyberwar, 31-33.
50 Ibid., 31.
51 Ibid., 32.
52 Ibid.
53 Ibid., 33.
54 Oliver Reichenstein, “Bots Need To Be Identifiable By Law,” iA (website), January 24, 2018, accessed May 22, 2018, https://ia.net/topics/domo-arigato-mr-roboto-tell-us-your-secret.


Principal Attribution

Principal attribution is about identifying the entity, organization or state sponsor that is ultimately responsible for an incident because it is instructing or supporting an agent. Healey emphasizes the importance of principal attribution:

“National policy makers often need to know the responsibility for an attack, not the technical attribution, to drive their decisions and responses. ‘Who is to blame?’ can be more important than ‘who did it?’”55

Identifying the one responsible is hard for several reasons. First, there is the notion that attribution in cyberspace suffers from a ‘large-N’ problem, largely due to the relatively low barriers to entry for other actors.56 Kello argues that this problem causes a ‘power dispersion’ to the disadvantage of states, benefiting non-state actors and individuals.57 Further still, Farwell and Rohozinski’s analysis of the 2010 Stuxnet attack notes that cybercrime plays a fundamental role in the development and sale of ‘off-the-shelf’ offensive tools on the dark web.58 This technological proliferation increases the pool of suspects from which one has to fish, making the identification of a culprit more difficult. As Nye’s explanation in the introduction illustrated, in the case of a nuclear strike the pool of suspects is relatively small. Even launching kinetic military strikes requires significant resources that are not available to everyone. In cyberspace, however, code is easy to replicate and, in theory, anybody with a computer could write lines of code for nefarious purposes.

Another fundamental problem for attribution in cyberspace is assessing the involvement of a state sponsor. This is mostly because of the use of ‘proxies’, defined by Maurer as actors that “act as intermediaries that conduct or directly contribute to an offensive cyber action that is enabled knowingly, whether actively or passively, by a beneficiary.”59 The use of proxy actors is as old as warfare itself and not unique to cyberspace, but because of the ease with which offensive cyber technology proliferates, cyberspace is considered particularly receptive to proxy strategies.60

55 Jason Healey, “The Spectrum of National Responsibility for Cyberattacks,” Brown Journal of World Affairs 18, no. 1 (2011): 57.
56 Kello, “The Meaning of the Cyber Revolution,” 33; Emilio Iasiello, “Is Cyber Deterrence an Illusory Course of Action?” Journal of Strategic Security 7, no. 1 (2014): 59.
57 Kello, “The Meaning of the Cyber Revolution,” 33.
58 James P. Farwell and Rafal Rohozinski, “Stuxnet and the Future of Cyber War,” Survival 53, no. 1 (2011).
59 Tim Maurer, Cyber Mercenaries: The State, Hackers, and Power (Cambridge: Cambridge University Press, 2018), 20.

There are different ways to categorize state-proxy relationships. An overview of these categorizations is presented in Table 2 at the end of this section. Boebert identifies four levels of state involvement that may serve as a point of departure for analysis: state-mounted, state-sponsored, state-tolerated, and non-state non-sponsored.61 Each carries a different level of state responsibility, which is also reflected in the principles of international law presented by Guitton and Korzak.62

The first category, state-mounted operations, originates from official governmental entities, most notably armed forces or intelligence agencies. Guitton and Korzak note that state responsibility for these types is laid down in Articles 4 and 5 of the Articles on the Responsibility of States for Internationally Wrongful Acts (ARSIWA), stating that a targeted state can hold another state responsible if it finds that the perpetrator is a military or civilian branch of government.63 This also includes “the actions of persons or entities empowered by national law to exercise some degree of governmental authority”.64 As Boebert states, in these cases “attribution becomes obvious,” because these types of operations usually occur in the context of an ongoing conflict.65 For the purposes of interstate (military) conflict, states are increasingly developing ‘Cyber Commands’ and offensive cyber capabilities that operate under military jurisdiction.66

60 Kello, “The Meaning of the Cyber Revolution,” 36; Justin Key Canfil, “Honing Cyber Attribution: A Framework for Assessing Foreign State Complicity,” Journal of International Affairs 70, no. 1 (2016): 220.
61 Boebert, “Challenges in Attribution,” 51. Healey further elaborates on this work and provides a list of ten possible relationships, varying from state-prohibited (i.e. the state ‘will help stop the third-party attack’) to state-integrated (i.e. the state ‘integrates third-party attackers and government cyber forces, with common direction and coordination’). He ranks these relationships based on their level of ‘ignoring’, ‘abetting’, and ‘conducting’ the attack. The first entails the refusal or incapability to respond to an attack, thus forming a permissive environment for malicious third parties. The second occurs when states deliberately encourage or support third parties. The third factor designates the extent to which the operations are conducted by state organs or based on a national government decision. Healey, “The Spectrum of National Responsibility for Cyber Attacks,” 62.
62 Clement Guitton and Elaine Korzak, “The Sophistication Criterion for Attribution: Identifying the Perpetrators of Cyber-Attacks,” The RUSI Journal 158, no. 4 (2013): 66.
63 Ibid.
64 Ibid.
65 Boebert, “Challenges in Attribution,” 51.
66 Some examples include: CYBERCOM in the U.S., ‘Information Troops’ in Russia, and the ‘Defence Cyber Command’ in the Netherlands.

In the second category, state-sponsored operations are conducted by non-state actors, but they act under some sort of active direction or with the support of a state sponsor. Such actors are sometimes called Advanced Persistent Threats (APTs). Singer and Friedman define an APT as “a cyberattack campaign with specific targeted objectives, conducted by a coordinated team of specialized experts, combining organization, intelligence, complexity, and patience”.67 According to cybersecurity company FireEye, “APT attackers receive direction and support from an established nation state”.68 Maurer subdivides this category into ‘delegation’ and ‘orchestration’.69 Delegation occurs when the state sponsor (or ‘beneficiary’) has ‘effective control’ over its proxy actor. Orchestration is the act of supporting a proxy with less direct control or no specific instructions. State responsibility for such acts is reflected in ARSIWA Article 8 and the case concerning Military and Paramilitary Activities in and Against Nicaragua (Nicaragua v. USA), which set high standards of evidence for ‘strict control’ and ‘effective control’ over ‘conduct directed and controlled by a state’.70

The third category is state-tolerated operations, in which the agent operates independently from the state but may have interests compatible or aligned with that state, and the state deliberately refuses to take action.71 Maurer calls this category ‘sanctioning’, which sets itself apart from the aforementioned two types because the relationship is characterized by passive support (‘omission’), as opposed to the active role (‘commission’) assumed by the principal in the other two.72 State responsibility for such activities is stipulated by the International Court of Justice in the Corfu Channel Case, stating that states have an “obligation not to allow knowingly its territory to be used for acts contrary to the rights of other states.”73

Fourth, non-state non-sponsored operations are a diverse group of threats that can have different motivations. Actors in this group include script kiddies, cyber terrorists, hacktivists, and cyber criminals. These actors have no sponsor and could be prosecuted in their host state. Following the same principle mentioned in the Corfu Channel Case above, host states have an obligation to take action against such actors on their territory or within their jurisdiction.
Nevertheless, these actors may still flourish in states that do not have the capacity or a desire for prosecution.74 In addition, it is also possible that the conduct that the victim country considers aggressive or illegal is allowed in the host state.

67 Singer and Friedman, Cybersecurity and Cyberwar, 293.
68 “Advanced Persistent Threat Groups,” FireEye (website), accessed March 5, 2018, https://www.fireeye.com/current-threats/apt-groups.html.
69 Maurer, Cyber Mercenaries, 20.
70 Guitton and Korzak, “The Sophistication Criterion,” 66; International Court of Justice, Case Concerning Military and Paramilitary Activities in and Against Nicaragua (Nicaragua v. United States of America) (Merits), June 27, 1986, para. 115, accessed May 22, 2018, http://www.icj-cij.org/files/case-related/70/070-19860627-JUD-01-00-EN.pdf.
71 Boebert, “Challenges in Attribution,” 51.
72 Maurer, Cyber Mercenaries, 125.
73 Guitton and Korzak, “The Sophistication Criterion,” 66; International Court of Justice, The Corfu Channel Case (Merits), April 9, 1949, p. 22, accessed May 22, 2018, http://www.icj-cij.org/files/case-related/1/001-19490409-JUD-01-00-EN.pdf.
74 Romania is a known example of a hot spot for cyber criminals. See: Yudhijit Bhattacharjee, “How a Remote Town in Romania Has Become Cybercrime Central,” Wired, January 31, 2011, accessed May 22, 2018, https://www.wired.com/2011/01/ff_hackerville_romania/; Allan Hall, “The scourge of Scamville: Romanian town is the cyber-crime capital of the world – where hundreds of fraudsters rake in millions from gullible online shoppers,” Daily Mail, November 21, 2014, accessed May 22, 2018, http://www.dailymail.co.uk/news/article-2840697/The-scourge-Scamville-Romanian-town-cyber-crime-capital-world-hundreds-fraudsters-rake-millions-gullible-online-shoppers.html.

Assuming agent-attribution is possible, the relevance of principal-attribution varies per category. For the first type, principal-attribution does not pose a problem – identifying the agent is the same as identifying the principal. For the fourth type, principal-attribution is also less of an issue, since it is less likely that the agent receives protection from a sponsoring state. Principal-attribution becomes more relevant for the second and third types. In the third type, it appears that the agent at least receives some passive support from a sponsor. An important condition for a case to become one of the third type, as opposed to the fourth, is that the operation has to violate a commonly agreed rule or principle. Perfect principal-attribution in the second type would demand a very high standard of evidence to demonstrate effective or strict control. This high standard of evidence permits the principal a degree of ‘plausible deniability’. Guitton defines plausible deniability as a situation in which “it is not possible for a victim to conclusively prove the involvement of the entity they suspect of having instigated an attack.”75 This is especially true if the state or non-state actor directing the attack tries to hide such a relationship on purpose. An overview of these relationship types is presented in Table 2 below.

Based on the literature so far, it is possible to conclude that attributing cyber operations with one hundred percent certainty is not strictly impossible, but still very unlikely. For agent attribution, it requires conclusively linking technical evidence to a physical entity, and for principal attribution, it requires conclusively identifying a principal-agent relationship. These objectives are complicated not only by the Internet’s technical features, but also by the involvement of non-state actors. Therefore, attribution requires some tolerance for uncertainty. This raises the question whether it is possible to act on less than complete certainty, and if so, how.

75 Guitton, Inside the Enemy’s Computer, 164.


Table 2: Levels of State Involvement in Cyber Operations (sources: Boebert,76 Healey,77 Maurer,78 Guitton and Korzak79)

Type 1: State-mounted
  Boebert: State-mounted: “Conducted by the armed forces or covert action agencies of a nation state.”
  Healey: Conducting: “Executing a decision made by the national government or as a result of attacks carried out by elements of their government without official approval.”
  Maurer: --
  Guitton and Korzak: ARSIWA Arts. 4 and 5: “Conduct of organs of a State”; “Persons or entities empowered by national law to exercise some degree of governmental authority.”
  Agent-principal relationship: Agent-attribution automatically leads to principal-attribution.

Type 2: State-sponsored
  Boebert: State-sponsored: “Involvement of non-state actors”; “Relationship between an identified non-state actor and some state.”
  Healey: Abetting: “Directly or indirectly encouraging or supporting the attack.”
  Maurer: Delegating: “The beneficiary has significant, at least overall or effective, control over the proxy.” Orchestrating: “The state supports the proxy without necessarily providing specific instructions.”
  Guitton and Korzak: ARSIWA Art. 8 jo. Nicaragua v. USA para. 115: “Conduct directed or controlled by a State”; “Effective control”.
  Agent-principal relationship: Principal-attribution needs to establish an active supporting relationship with the agent, which requires a high standard of evidence.

Type 3: State-tolerated
  Boebert: State-tolerated: “So-called ‘patriotic hackers’ of a particular nation independently launch attacks whose nature and timing coincide with the interests of that nation.”
  Healey: Ignoring: “Refusing to acknowledge the attack.”
  Maurer: Sanctioning: “The state provides an enabling environment for non-state actors’ malicious activity by deliberately turning a blind eye.”
  Guitton and Korzak: Corfu Channel Case p. 22: “State’s obligation not to allow knowingly its territory to be used for acts contrary to the rights of other States.”
  Agent-principal relationship: Principal-attribution becomes relevant when the host state refuses to take action, which establishes a passive relationship.

Type 4: Non-state non-sponsored
  Boebert: Non-state non-sponsored: “Not sponsored, nor independently acting in the interest of a particular state.”
  Healey: --
  Maurer: --
  Guitton and Korzak: Corfu Channel Case p. 22 (the same obligation as for Type 3).
  Agent-principal relationship: Principal-attribution is irrelevant as long as the host state is willing to take action.

76 Boebert, “Challenges in Attribution,” 51.
77 Healey, “The Spectrum of National Responsibility for Cyberattacks,” 61-63.
78 Maurer, Cyber Mercenaries, 20.
79 Guitton and Korzak, “The Sophistication Criterion,” 66.


2.2.2. RESPONSE

The ability to respond with less than one hundred percent certainty, the academic literature suggests, depends largely on what the nature of the operation is interpreted to be. A distinction that is frequently made in the literature is that between a law enforcement approach and a national security approach.80 According to Guitton, attribution is not a ‘problem’ but a “two-pronged political process”, one prong following a legal path, the other adopting national security principles.81 These two approaches differ significantly in their operating principles, as summarized in Table 3 below. The next section explains the differences between these two approaches in more detail, followed by an assessment of the factors that determine which approach applies.

Table 3: Law Enforcement vs. National Security Approach to Attribution

Issues at stake
  Law enforcement: Individual (criminal cases)
  National security: Political (national threats)

Authority
  Law enforcement: Judiciary
  National security: Executive

Evidence
  Law enforcement: Digital forensics and public evidence
  National security: (All-source) intelligence

Verification
  Law enforcement: Binary (beyond reasonable doubt)
  National security: Degree (estimative probability)

Timing
  Law enforcement: Irrelevant
  National security: Urgent

Response
  Law enforcement: Criminal charges
  National security: DIME(LE)

Attribution level
  Law enforcement: Individual
  National security: Aggregate entity

80 Brenner, “At Light Speed,” 429; Clark and Landau, “Untangling Attribution,” 36; Guitton, Inside the Enemy’s Computer, 30.
81 Guitton, Inside the Enemy’s Computer, 11.


Approach: Law Enforcement versus National Security

In a typical case of (domestic) crime, the attribution process would appear fairly straightforward and linear to the common observer. Guitton summarizes the process in four steps: ‘identifying the criminal conduct’, ‘gathering forensic material’, ‘turning it into evidence’, and ‘presenting it before a court of law’.82 Rid and Buchanan similarly describe the law enforcement process as starting with identifying a crime or offense, followed by investigation, after which the collected evidence is combined into a case and presented before a jury, where ‘the final question of attribution will be settled’.83 Brenner notes that criminal prosecution models often hinge on determining a physical location, either the point of occurrence of a crime or its point of origin. However, she notes, in cyberspace a ‘place’ is difficult to determine, because “cyberspace eliminates the need for physical proximity between attacker and victim, and thereby creates the potential for increased differentiation between point of attack origin and point of occurrence.”84 Moreover, as the previous section on identification has concluded, finally settling attribution at the standard required before a criminal court is rarely possible. It is for this reason that some have suggested adopting a looser approach to attribution based on national security principles, or at least a combination of the two.85 Without delving too deeply into the legal-constitutional implications of such an approach, several crucial characteristics set a national security approach apart from a law enforcement approach.

First, the two approaches have a different decision-making authority for settling attribution and determining the response. In the case of law enforcement, the ultimate authority rests with the judicial branch of power – at least in (liberal) democracies – whereas the executive branch is in charge of attribution in national security cases.86 As is explained in detail below, this has important procedural implications: the former decides based on codified rules of law, while the latter has more freedom to decide, if the constitution allows it.

Second, the type of evidence used for attribution varies. In criminal cases, attribution is generally based on (forensic) evidence that has to be disclosed to the other party and the court.87 Clark and Landau add nuance to this point, saying that evidence in cybercrime cases is more likely to be of a physical nature, rather than a ‘forensic quality computer-based identity’.88 The national security approach is different in the sense that it may use less conventional intelligence methods. According to Rid and Buchanan, successful attribution depends on the ability of the investigator to combine different types of (all-source) intelligence and create a picture that is as complete as possible – an ability they call ‘aperture’.89 Better intelligence collection and analysis leads to better attribution, which is why some scholars consider successful attribution to be mostly a ‘resource problem’.90 A related issue regarding the use of intelligence for attribution is that of source protection. Disclosing intelligence can harm those sources and disqualify them for future use, and the use of illegal methods may lead to a political backlash.

Third, and quite fundamental, is the different verification principle (or standard of evidence) adopted. In criminal cases, attribution is considered a ‘binary’ affair – it is either ‘solved’ or not.91 This either-or decision is made by the judiciary, which has to decide whether the evidence provided has established a causal link beyond reasonable doubt. In any case, the suspect is considered innocent until proven otherwise. When talking about cyber attribution, this principle is often criticized by scholars who opt for a national security-oriented approach. Rid and Buchanan substantiate their punch line “attribution is what states make of it” by arguing that “attribution is a matter of degree”.92 Even though on a technical level it may not be possible to pinpoint an aggressor with complete certainty, technical attribution is only part of the picture. On an operational and strategic level, attribution also entails enriching the technical elements with political context and intelligence from other sources to make an informed estimate.93 A related argument is presented by Lupovici, who argues that “the effects of anonymity on deterrence are derived from social conventions, which legitimize retaliations only if the defender is able to fully identify the source of attack.”94 What this suggests is that a state may – or in some cases must – take retaliatory measures if it has strong suspicions, even if it has not fully established a technical link.

Fourth, the issue of timing is less relevant in criminal prosecutions, contrary to national security issues, where time pressure is paramount. The collection of evidence and the building of a case for attribution is time consuming. Because the legitimacy of a retaliatory response is assumed to decrease over time, an attack victim may have to assign blame based on incomplete evidence, or risk losing the opportunity for retaliation.95 Moreover, international criminal proceedings are considered less attractive because of the attribution problem and the time it may take to reach a verdict.96 If the objective is to have a quick remedy, whether mitigation or retaliation, nation-states are more likely to depend on their national security instruments.

Fifth, law enforcement and national security approaches are also set apart by their means of responding to attribution. In criminal cases, suspected attribution is usually communicated through criminal charges, and potentially confirmed by a conviction before a court. In national security cases, the available response options are greater. These responses can be categorized using the DIME(LE) model:97 Diplomatic measures include high-level statements and diplomatic sanctions; Informational measures may include public naming and shaming, and other means of public information dissemination; Military measures can be thought of as conventional displays of power and kinetic military force; Economic measures are mostly economic sanctions, such as the freezing of assets or trade embargoes. Finally, perhaps counterintuitively, Law Enforcement is also a possible response strategy for national security. As Maurer notes, in some cases public criminal charges may serve as an information channel for naming and shaming strategies.98

Sixth and finally, criminal prosecutions generally target some specific individual, whereas national security attribution cases are mostly aimed at the level of an ‘aggregate identity’.99 This circles back to the question of levels of attribution as discussed in the sections on agent and principal attribution. What it implies is that national security processes operate on the level of principal attribution, while law enforcement functions on the level of agent attribution.

In short, this section has distinguished the law enforcement and national security approaches based on six operational features identified in the literature: decision-making authority, type of evidence, standard of verification, urgency, response mechanisms, and attribution level. This leaves unanswered the question of when one process is preferred over the other, or in other words, when something becomes an issue of national security.

82 Guitton, Inside the Enemy’s Computer, 47.
83 Thomas Rid and Ben Buchanan, “Attributing Cyber Attacks,” Journal of Strategic Studies 38, no. 1-2 (2015): 5.
84 Brenner, “At Light Speed,” 412.
85 Brenner, “At Light Speed,” 429; Clark and Landau, “Untangling Attribution,” 36; Guitton, Inside the Enemy’s Computer, 30.
86 Guitton, Inside the Enemy’s Computer, 11.
87 Ibid., 11.
88 Clark and Landau, “Untangling Attribution,” 39.
89 Rid and Buchanan, “Attributing Cyber Attacks,” 11-12.
90 Jon R. Lindsay, “Tipping the scales: the attribution problem and the feasibility of deterrence against cyberattack,” Journal of Cybersecurity 1, no. 1 (2015): 53; Rid and Buchanan, “Attributing Cyber Attacks,” 12.
91 Rid and Buchanan, “Attributing Cyber Attacks,” 5.
92 Ibid., 4, 7.
93 Ibid., 8-9.
94 Amir Lupovici, “The ‘Attribution Problem’ and the Social Construction of ‘Violence’: Taking Cyber Deterrence Literature a Step Forward,” International Perspectives 17 (2016): 330.
95 Lynn III, “Defending a New Domain,” 99; Kello, “The Meaning of the Cyber Revolution,” 33; Lupovici, “The ‘Attribution Problem’,” 329; Nye, “Deterrence and Dissuasion in Cyberspace,” 51.
96 Farwell and Rohozinski, “Stuxnet and the Future of Cyber War,” 33.
97 Maurer, Cyber Mercenaries, 139.
98 Ibid., 142.
99 Clark and Landau, “Untangling Attribution,” 36-37.


Subject: Criminal Cases versus National Threats

Turning to the question of when something shifts from being ‘mere’ crime to a threat to national security, Guitton identifies five factors that may be of influence: severity of the incident; political character of the target; point of origin; operational means; and political context.100

First, highly severe and publicized incidents may push governments to act even though the evidence is incomplete. However, it seems unlikely that victim states have a predefined ‘threshold’ that needs to be crossed in order to invoke a national security response. Furthermore, as Lindsay argues, if such a threshold were explicit, it might invite others to conduct operations just below it, where they would avoid retaliation.101

The second influencing factor is the type of target. Attacks and operations on governmental entities are said to be more likely to provoke a national security response, as is also the case for crucial organizations such as defense contractors or critical infrastructure companies.102 At face value, this seems plausible, although there are cases of operations on private companies that provoked an official governmental response. Examples include the 2010 ‘Aurora’ espionage operation against Google and the 2014 attacks on Sony Entertainment.103

Third, if the point of origin is found to be in another country, this may also lead to a national security response, especially if that country has an adversarial relationship with the victim, according to Guitton.104 However, this criterion is not that easy to confirm. It is possible to take Brenner’s “internal/external threat dichotomy” as a point of departure.105 Typically, law enforcement bodies are responsible for maintaining internal order, thus mostly acting against criminals within their territorial jurisdiction, whereas threats to external order would typically fall under the purview of national security.106 However, as was explained in the previous section, this internal-external threat dichotomy is less appropriate in cyberspace, where a point of origin can be ambiguous and dispersed. Nevertheless, while looking for a point of origin (using law enforcement procedures), traffic may be traced to a foreign country. If that process is inconclusive on attribution, or if an aggressor has been identified, the victim may request forensic cooperation or enforcement cooperation, respectively. When the other party refuses such cooperation, Guitton notes, the case will transform from crime to national security.107

Fourth, if the methods used in the operation are considered highly sophisticated, it is more likely to provoke a national security response.108 This assumption is based on the notion that building highly sophisticated malware tools requires an amount of resources that is only available to a nation-state. This factor is also criticized. Some have pointed to the role of cyber criminals and black markets, where governments can buy off-the-shelf vulnerability exploit kits.109 In another article, co-authored with Korzak, Guitton himself also mentions the limitations of the ‘sophistication criterion’, saying that it lacks definition and does not come close to the international legal requirements for establishing state involvement.110

Finally, the perceived political motives of the operation are also considered important.111 It is not possible to use motives as evidence in criminal cases, but they may provide circumstantial evidence for national security threats. However, guessing whether the motive behind an attack or operation was political brings us back to the aforementioned issue raised by Guitton: that this requires at least partial attribution for interpretation.112

In sum, this list shows that there is no clear-cut approach to determining an appropriate response to cyber operations. It seems reasonable to assume that the factors mentioned above each influence decision making in their own respect, but we cannot speak of a flip-switch model. Instead, it is more appropriate to conclude that such a decision is highly context dependent and based on policy makers’ judgments.

To create a better appreciation of the dilemma the decision maker faces, it is possible to connect the two approaches to the four types of principal-agent attribution presented in the previous sections. In the first type, a state-mounted operation, there is a clear direct link between the agent and the sponsor, because the agent is the sponsor. Responding to such an attack would demand a national security response. For the fourth type, regardless of whether agent-attribution is successful, a law enforcement response is most likely as long as no passive or active principal is in play.

100 Guitton, Inside the Enemy’s Computer, 39.
101 Lindsay, “Tipping the Scales,” 63.
102 Guitton, Inside the Enemy’s Computer, 41.
103 U.S. Department of State, Statement on Google Operations in , January 12, 2010, accessed April 20, 2018, https://2009-2017.state.gov/secretary/20092013clinton/rm/2010/01/135105.htm; U.S. White House, Statement by the Press Secretary on the Executive Order Entitled ‘Imposing Additional Sanctions with Respect to North Korea’, January 2, 2015, accessed April 20, 2018, https://obamawhitehouse.archives.gov/the-press-office/2015/01/02/statement-press-secretary-executive-order-entitled-imposing-additional-s.
104 Guitton, Inside the Enemy’s Computer, 41-42.
105 Brenner, “At Light Speed,” 429.
106 Ibid.
107 Guitton, Inside the Enemy’s Computer, 42.
108 Ibid.
109 Farwell and Rohozinski, “Stuxnet and the Future of Cyber War,” 25-26.
110 Guitton and Korzak, “The Sophistication Criterion,” 62.
111 Guitton, Inside the Enemy’s Computer, 43.
112 Ibid., 32.


When criminal investigations are stranded because of incapacity or reluctance to cooperate, things get messier. For both the second and third types, state-sponsored and state-tolerated operations, increased involvement by national security authorities is to be expected. However, because of the lack of clear criteria, it may be appropriate to think of the area between the first and fourth types as a spectrum, where increasing suspicion of nation-state involvement is increasingly likely to provoke a national security response. This suspicion, in turn, is influenced by the five aforementioned factors: severity, target type, point of origin, sophistication, and political context (see Table 4 below).

Table 4: State Involvement and Response Types

State-mounted
  Principal-agent type: Type 1: Integrated
  Response type: National security

State-sponsored
  Principal-agent type: Type 2: Active support
  Response type: Spectrum based on judgment/suspicion of nation-state involvement

State-tolerated
  Principal-agent type: Type 3: Passive support
  Response type: Spectrum based on judgment/suspicion of nation-state involvement

No state involvement
  Principal-agent type: Type 4: No support
  Response type: Law enforcement

To summarize, this section on attribution responses has sought to explain how national security threats are more likely to call for action based on imperfect attribution. Deciding whether a cyber attack or operation is a national security threat or an act of cybercrime is most likely to be a political judgment, based on the suspected (active or passive) involvement of a (state) sponsor. In Guitton’s words:

“It will be up to a state official to make the political decision of attribution and to answer the following question: is the cost of misattributing the attack to the claimed group, and taking retaliatory measures against it, greater than the cost of not attributing the attack and not responding to it?”113

This brings us to the next question of communicating attribution.

113 Guitton, Inside the Enemy’s Computer, 43.


2.2.3. COMMUNICATION

Rid and Buchanan state, “Communicating attribution is part of attributing.”114 Communication of findings based on intelligence or estimative probability is a challenge for the defender in this case, as incomplete claims may face plausible deniability on the side of the attributed party. Nye and Schneier explain that there are generally three types of audiences with regard to attribution.115 First, there is the ‘I know X did it’: the audience in this case is the defender itself. This can be a national government, private company or other entity. This actor wants to make sure that it makes a correct assessment of the nature and origin of the threat. Convincing oneself generally falls under the interpretation challenge of the attribution problem, as outlined in the previous chapter. The second level is about ‘convincing X I know X did it’. This is more complicated than convincing oneself. The victim may be convinced that a certain actor is responsible, but confronting that actor may require the victim to disclose sensitive intelligence sources and methods. Third, ‘convincing the world or other third parties that I know X did it’ is most challenging. The audience at this level is the wider public. Closer analysis of the first two categories is difficult. Internal and bilateral communication about attribution of cyber operations occurs behind closed doors, so these processes are rarely visible to the outside world. Communicating with the public audience, obviously, is overt. Turning to the conclusions of the previous section about response, this distinction between overt and covert communication is also relevant. Why should anyone want to go public about attribution? Moreover, in doing so, how does this occur? The next two subsections will briefly look at these two questions, respectively.

Motives: Credibility and Legitimacy

If action based on imperfect attribution is possible, part of attribution is also garnering trust and authority in order to convince the audience of the ‘judgment’.116 Failing to do so may impose ‘audience costs’ on the one communicating blame. The concept of ‘audience costs’, introduced in a domestic context by Fearon in 1994, is defined as costs that “arise from the action of domestic audiences concerned with whether the leadership is successful or unsuccessful at foreign policy.”117 In the context of this thesis, audiences can be both domestic and international. Communicating blame – and acquiring public support – may serve several purposes. First, it may be merely informational, in order to alert an audience about an ongoing threat and to create awareness. Second, attribution-as-retaliation may be a way to publicly discredit an aggressor. In his writings on ‘soft power’, Nye describes the importance of credibility as an asset, and how political reputation may be a source of power.118 Third, attribution-for-retaliation can be a means to gain public support and legitimacy for subsequent countermeasures.

114 Rid and Buchanan, “Attributing Cyber Attacks,” 26.
115 Nye, “Deterrence and Dissuasion in Cyberspace,” 51; VICELAND, “The Attribution Problems in Cyber Attacks.”
116 Guitton, Inside the Enemy’s Computer, 82.

Modes: Channeling Attribution

Davis et al. describe several frequently used communication channels, divided between the public and private sector.119 Governments have various ways to communicate blame, divided between official and unofficial channels.120 Formal, on-the-record communication of attribution includes all forms of official and open public statements, speeches and/or reports. These forms of communication are directly connected to the public office without intermediary, such as a statement in an international or national assembly, or an official press release. On the other hand, off-the-record attribution occurs through unofficial channels, yet the government is still the source. This may include news reports interviewing public officials, either in an official capacity or anonymously. A second unofficial channel mentioned by Davis et al. is the use of government leaks that disclose official documents without the holder’s consent.121 Besides the public sector, private sector reports – those of the private cybersecurity industry in particular – are believed to be of increasing importance for attribution.122 Guitton notes that private cybersecurity industry attribution reports are sometimes regarded skeptically, as they are commercially driven and perceived to be instrumental for governmental interests.123 Nevertheless, such reports may indeed serve governments, because these companies do not have to endure the consequences of misattribution as much as governments do. They may actually take away such risks from the government.124 In addition to the private cybersecurity industry, Davis et al. mention the role of investigative journalism, which may bring to light new information for attribution.125

117 James D. Fearon, “Domestic Political Audiences and the Escalation of International Disputes,” American Political Science Review 88, no. 3 (1994).
118 Joseph S. Nye Jr., “Public Diplomacy and Soft Power,” The Annals of the American Academy of Political and Social Science 616, no. 1 (2008): 100.
119 John S. Davis II, Benjamin Boudreaux, Jonathan William Welburn, Jair Aguirre, Cordaye Ogletree, Geoffrey McGovern, and Michael S. Chase, Stateless Attribution: Toward International Accountability in Cyberspace (Santa Monica: RAND Corporation, 2017), 17.
120 Ibid.
121 Ibid.
122 Rid and Buchanan, “Attributing Cyber Attacks,” 28; Jon R. Lindsay, “Stuxnet and the Limits of Cyber Warfare,” Security Studies 22, no. 3 (2013): 368.
123 Guitton, Inside the Enemy’s Computer, 113.

In sum, looking at the literature on the ‘attribution problem’, there appears to be a general acceptance that attribution in cyberspace – based on standards of evidence that would hold before a court – is difficult. Even if such attribution is possible, when there are suspicions of state sponsor involvement, providing evidence to prove such a relationship is also problematic. Instead of a legal either-or approach, some have suggested adopting a national security approach in which these two problems of attribution are less constraining and action may be undertaken based on incomplete evidence. Attribution in such circumstances is not just a technical issue, but primarily a strategic one that hinges on credibility and authority. In this strategic game, decision makers have various instruments at their disposal, not only for retaliation, but also for communication.

124 Guitton, Inside the Enemy’s Computer, 132-133.
125 Davis II et al., Stateless Attribution, 17.

3. Analysis: Blame and Evidence in Cyber Attribution

So how is evidence presented in the various means of communication about attribution? Now turning from theory to practice, this chapter presents the findings of an extensive analysis of attribution for 203 recorded cases. Starting with some notes on methodology, the sections after that will serve two general purposes. One is procedural: to describe the research process, the obstacles encountered, and suggestions for further improvement. The other is substantive: to come to a better understanding of attribution practices in cyberspace, with particular regard to the communication of blame and evidence.

3.1. METHODOLOGY

For this study, I have used a somewhat unconventional approach, in part inspired by Valeriano and Maness’s study on the dynamics of cyber conflict in international rivalries.126 Most of the literature on cybersecurity, including the reviewed research in the previous chapter, is highly conceptual and theoretic in nature, requiring what Valeriano and Maness call “spectacular flights of the imagination”.127 In their study, Valeriano and Maness adopted a formal approach to a dataset of 110 incidents between selected rivals, categorizing the events based on a set of predetermined variables. Instead of getting at an in-depth understanding of these rivalries and specific incidents, the authors’ goal is “to exhaustively collect information on cyber interactions between rival states in the last decade so that we can delineate the patterns of cyber conflict as reflected by evidence at the international level.”128 Moreover, they motivate this decision as follows:

126 Brandon Valeriano and Ryan C. Maness, “The dynamics of cyber conflict between rival antagonists, 2001-2011,” Journal of Peace Research 51, no. 3 (2014).
127 Ibid, 347. (Other examples include: Kello, “The Meaning of the Cyber Revolution”; Lindsay, “Tipping the Scales”; Rid & Buchanan, “Attributing Cyber Attacks”; Nye, “Deterrence and Dissuasion”.)
128 Ibid, 347.


“The field of cyber security needs a clear return to social science in order to be able to definitively engage the cyber debate with facts, figures, and theory.”129

Based on this motivation, the use of a large sample of cases was preferred over specific case studies for two reasons. First, a larger collection of cases allows for the observation of patterns. This increases external validity, admittedly at the cost of internal validity in some cases.130 Second, it is an attempt to reduce selection bias. Some cyber attacks and operations are highly mediatized, making it more likely that these cases appear frequently as research objects. However, there are also smaller incidents that received less attention. In order to get as complete an understanding as possible, these cases should also be included in the analysis.

129 Ibid.
130 External validity means that findings are generally applicable to other cases as well, while internal validity means that the findings are true to the nature of a specific case. Although strictly speaking not mutually exclusive, the level of detail required for internal validity would likely be at the expense of the generalizability required for external validity.


3.1.1. CASE SELECTION

Despite the popularity of the topic of cybersecurity and the amount of research that is being published on cyber warfare, there is no universal database recording all cyber operations, let alone one that records their intended purpose and responsible actor. To arrive at a sample of cases (or records), several existing lists of cyber incidents served as a starting point for this study:

1. The Council on Foreign Relations’ (CFR) Cyber Operations Tracker:131 This dataset lists 191 cyber operations ranging from 2005 until the present and is updated quarterly. One drawback is that the dataset only lists publicly available information. In addition, the list of incidents reflects a strong Western bias and is heavily U.S.-centered. Moreover, the list uses APTs and operations interchangeably without clear conceptual distinction.
2. Brandon Valeriano and Ryan C. Maness’ Cyber Conflict Between Rival Antagonists:132 This dataset of 110 incidents was used for a research article published in 2014. The authors compiled the dataset by hand, using several predefined interstate ‘rival’ relationships. The dataset spans 2001 to 2011, but could eventually be updated by hand, if necessary. The advantage of this dataset is that it is fairly evenly spread geographically, but it focuses only on rival ‘dyads’, thus excluding operations between non-rivals. Lastly, the dataset does not provide source material.
3. Florian Roth’s APT Groups and Operations:133 This Google Spreadsheet is said to be automatically updated every five minutes, and it has a large group of invited contributing experts. The information in this dataset is divided per attributed nation-state, and lists operations per APT (175 APTs in total). The creators base attribution findings on publicly available information and the selection is based on the judgment of the contributors. Sources are included as links.

131 “Cyber Operations Tracker,” Council on Foreign Relations (website), accessed March 5, 2018, https://www.cfr.org/interactive/cyber-operations.
132 Valeriano and Maness, “Dynamics of Cyber Conflict,” dataset available at: http://file.prio.no/journals/JPR/2014/51/3/Valeriano%20&%20Maness%202014%20replication%20&%20codebook.zip.
133 Florian Roth, APT Groups and Operations (Google Doc), accessed March 5, 2018, https://docs.google.com/spreadsheets/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/pubhtml#.


To create a list of events, I merged these three lists and subsequently scrubbed it, deleting duplicates. When possible, I added more events based on encounters during the study. For each of the events already listed in these sources I assumed that they actually happened, except for my own additions, in which case I used a simple verification standard: at least three national or international news sources or one academic peer-reviewed source had to confirm its existence. The result is a list of 203 events (see Appendix A) that occurred in a time span of 20 years, between 1998 and 2018. Two issues with regard to case selection require further explanation and justification: data completeness and the problem of ambiguity surrounding APTs.

Data Completeness

There is no guarantee about the completeness of the data. The datasets are mostly based on information that is publicly available in the form of official reports and news articles. Depending on these sources means that I am depending on several intermediaries for data selection. First, investigators and reporters function as gatekeepers, determining which ‘events’ are picked up, while potential others are left out. Second, the compilers of the datasets create an additional selection barrier, as they sift through a vast body of reporting on cyber operations. Last, I conduct a final round of selection, ‘cleaning up’ the data, deleting duplicates and adding others. As a result, it seems reasonable to assume that more cases exist ‘out there’ that are not included in this set. Another problem concerning data selection is the apparent geopolitical bias in the selected cases. The United States significantly outnumbers any other country in the category of operation target. Conversely, China tops the list of operation suspects, followed by countries such as Russia, North Korea and . Although some might argue that this is evidence of the hostile nature of the latter countries in cyberspace, it may also be a consequence of uneven reporting about such operations. Language differences in reporting may be an important factor in this field. These are indeed important problems, and they limit the ability to draw valid conclusions about attribution and the communication thereof. However, within the constraints of time and resources available for this thesis, I have strived to make the data set as complete as possible. The result may be imperfect, but sufficient to draw some preliminary conclusions, and potentially to expand further for future research. Furthermore, although completeness would be preferred, it is not a strict prerequisite for this research. This research tries to demonstrate in what ways the public communication of attribution may occur.



Advanced Persistent Threats (APTs)

I partially filtered APTs, because these appear to muddle the links between ‘events’, ‘campaigns’ and ‘actors’. The former two are both forms of occurrences: they are (collections of) events. In the case of APTs, however, it is often not clear whether the term refers to a campaign or an actor. The data suggested that understandings of this question vary significantly. In some cases, reporting seemed to suggest that APTs are a specific actor or group of actors that conducts one or multiple campaigns.134 Other cases, however, implied that APTs are in fact a type of campaign. Because I preferred to focus on occurrences rather than actors, I have tried to filter out APTs as actors, while trying to include APTs as campaigns. This turned out to be complex, because there is no universal standard for separating APT actors from APT campaigns (or ‘malware families’), which allows for confusion.135 Finally, besides the conceptual ambiguity of APTs, the growing use of the term in private cybersecurity circles is sometimes criticized for serving the wrong purposes. As security expert Alperovitch stated in his report on Operation Shady RAT, the term APT “lost much of its original meaning due to overzealous marketing tactics of various security companies, as well as to the desire by many victims to call anything they discover being successful at compromising their organizations as having been an APT”.136 Guitton also notes its negative implications: “companies may not share information with other cyber security firms, because there is competition to reap the marketing benefits of uncovering a state-sponsored campaign.”137 This inflation and conflation of APTs does not contribute to the ability to make good observations. Therefore, the study of these concepts would benefit greatly from a clearer distinction between actors, campaigns and events in both private cybersecurity and policymaking circles. Some examples to illustrate this distinction are presented in Table 5 below. Considering the time constraints, this distinction has not been applied to this data set, but it would be a welcome extension for future works.

134 For example, a group claimed to be of North Korean origin, called Dark Seoul, has made multiple attacks on South Korean banks over several years. Jim Finkle, “Four-year hacking spree in South Korea blamed on ‘Dark Seoul Gang’,” Reuters, June 27, 2013, accessed May 22, 2018, https://www.reuters.com/article/us-korea-hackers/four-year-hacking-spree-in-south-korea-blamed-on-dark-seoul-gang-idUSBRE95Q05220130627; or the allegedly Vietnamese APT32 (or Ocean Lotus) that has been carrying out operations on companies and organizations worldwide. Nick Carr, “Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations,” FireEye (blog), May 14, 2017, accessed May 22, 2018, https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html.
135 For example, in 2012 Symantec presented a malware toolkit dubbed Backdoor.Hikit (or just Hikit) and called it an APT. This Hikit malware is connected to Operation SMN and ‘threat actor’ Axiom by Novetta, who also presents connections with and the Hydraq malware family. Symantec itself mentions The Elderwood Gang as the group responsible for Aurora, while also suggesting links to Hidden Lynx and the VOHO Campaign. See: Branko Spasojevic, “Backdoor.Hikit: New Advanced Persistent Threat,” Symantec (website), August 24, 2012, accessed May 22, 2018, https://www.symantec.com/connect/blogs/backdoorhikit-new-advanced-persistent-threat; “Operation SMN: Axiom Threat Actor Group Report,” Novetta (website), accessed May 22, 2018, https://web.archive.org/web/20150727141150/http:/www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf; Gavin O’Gorman and Geoff McDonald, “The Elderwood Project,” Symantec (website), accessed May 22, 2018, http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf; Stephen Doherty, Jozsef Gegeny, Branko Spasojevic, and Jonell Baltazar, “Hidden Lynx – Professional Hackers for Hire,” Symantec (website), September 17, 2013, accessed May 22, 2018, https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/hidden-lynx-hackers-13-en.pdf.
136 , “Revealed: Operation Shady RAT,” McAfee (website), accessed May 22, 2018, https://web.archive.org/web/20110804080015/http:/www.mcafee.com/us/resources/white-papers/wp-operation-shady-rat.pdf.

Operation Levels   Examples
Actor              Group                                  (not recorded)                        Comment Crew
Campaigns          Epic Turla, Penquin Turla (2.0)        Stuxnet, ,                            Byzantine Hades, Shady RAT
Events             Breaches of Finnish and Swiss MFAs,    Attacks at Natanz and Bushehr         Breaches at Pentagon and
                   infiltration of Genevan hotels         nuclear facilities                    Lockheed-Martin

Table 5: Operation Levels (Examples)

As a measure to solve this ambiguity for this study as much as possible, I adopted a different approach for each of the three datasets. First, for CFR’s dataset, I deliberately skipped each record that referred to a ‘threat actor’ or ‘APT’ in its description. Second, Valeriano and Maness’ dataset makes an explicit distinction between ‘campaigns’ and ‘events’, for which I decided to include only ‘events’. Third, Florian Roth’s spreadsheet lists APTs, but it also shows known operations per APT, which I included in the list.

137 Guitton, Inside the Enemy’s Computer, 113.


3.1.2. VARIABLES

Using the list of cyber operations, I then enriched the list with information about multiple variables. This information is derived from well-established news sources (e.g. Reuters, The New York Times, The Washington Post, The Guardian etc.), official statements and publications, and cybersecurity reports from the private sector (e.g. FireEye, Kaspersky, Symantec, McAfee, etc.). The following variables are used for this dataset:

Target Country

The operation target countries are recorded using the ISO 3166 alpha-2 code standard.138 Some operations target multiple countries, which are listed using comma separation. If the attacks appear to be indiscriminate and global in nature, the target is categorized as ‘International’; where no target country can be established, it is categorized as ‘Unknown’.

Target Type

For target type, a distinction is made between public and private institutions, and military and civil society are also set apart as separate categories. This is coded as follows:

1 Public Sector
2 Military
3 Private Sector
4 Civil Society
5 Multiple

Operation Type

This variable is based on the CNA-CNE (computer network attack and computer network exploitation) typology of cyber operations as outlined in the section on operation types in the previous chapter. That section already explained the caveats that arise from adopting such a simple distinction. In short, it does not take into account that CNE may function as a precursor to CNA.

138 Available via: “Online Browsing Platform (OBP),” ISO (website), accessed May 22, 2018, https://www.iso.org/obp/ui/#search.


I have looked for other ways to categorize operation types based on their intended effect. I combined Applegate and Stavrou’s taxonomy of the ‘informational impact’ of cyber conflict with the taxonomy used by the Council on Foreign Relations’ (CFR) Cyber Operations Tracker.139 This categorization would start with ‘data discovery’ at the bottom, working up to ‘data distortion’, ‘data disclosure’, ‘data denial’, and ‘data destruction’, with ultimately ‘physical destruction’ as the most impactful. This, however, does not solve the issue that applies to CNE and CNA. Knowing the ultimate purpose of an operation is not always possible, especially if the effects are not (yet) noticeable. In addition, some operations are not easily classifiable in this framework.140 Moreover, it is difficult to create a hierarchy of types based on severity. Therefore, I maintained the CNA/CNE distinction. Despite the fact that in some cases it is not possible to observe potential CNA purposes in CNE operations, it seems most practical to simply judge the cases based on observable facts and leave potentials out of the equation. The additional category discussed in the previous chapter is that of Information Operations (IO), such as the public disclosure of classified documents, most often with the purpose of destabilizing socio-political structures. In the same cyber operations section of the previous chapter, I discussed how IO does not attack computer networks, but uses computer networks to manipulate socio-political behavior. This is not strictly illegal, so investigation and attribution are more likely to focus on the preceding network breaches that provided the adversary with the information in the first instance. In that case, we arrive back at CNE.141 Nevertheless, for the sake of completeness, and to cater to the increased attention paid to IO in recent years, I decided to include it. This results in the following coding:

139 Scott D. Applegate and Angelos Stavrou, “Towards a Cyber Conflict Taxonomy,” International Conference on Cyber Conflict (CyCon) (Conference Paper) (2013): 1-18; “Cyber Operations Tracker,” Council on Foreign Relations (website), accessed March 4, 2018, https://www.cfr.org/interactive/cyber-operations.
140 For example, the 2016 ‘SWIFT bank heist’ at Bangladesh Bank, allegedly executed by North Korea’s , and the 2015 ‘Sandworm’ attacks on the Ukrainian power grid, linked to Russia. Strictly speaking, these are instances of data distortion. This seems counterintuitive, as their real world objective is theft and potential physical disruption. “SWIFT attackers’ malware linked to more financial attacks,” Symantec (website), May 26, 2016, accessed May 22, 2018, https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks; John Hultquist, “Sandworm team and the Ukrainian Power Authority Attacks,” FireEye (website), January 7, 2016, accessed May 22, 2018, https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html.
141 This happened in the case of the leaking of internal documents of the Macron campaign in , right before the elections. Aurelien Breeden, Sewell Chan, and Nicole Perlroth, “Macron Campaign Says It Was Target of ‘Massive’ Hacking Attack,” New York Times, May 5, 2017, accessed May 22, 2018, https://www.nytimes.com/2017/05/05/world/europe/france-macron-hacking.html.


1 Computer Network Exploitation (CNE): espionage and reconnaissance operations.
2 Computer Network Attack (CNA): defacements and data distortion, DDoS, sabotage and data destruction.
3 Information Operations (IO): doxing, disclosure, social media campaigns (trolling/botnets).

Attribution Channels

The categorization made by Davis et al. distinguishes between attribution from the public sector and attribution from the private sector.142 In the case of the public sector, a further distinction was made between official channels (high-level statements and reports coming directly from the government) and unofficial channels (government sources using more informal means such as interviews). The distinguishing factor was whether the act was directly traceable to the government, for example a government website instead of a news source. There are some problems with this official-unofficial distinction. First, it does not take into account the distinction between law enforcement and national security approaches as discussed in the theory chapter. Attribution may occur via criminal charges, while national security responses falling in the DIME spectrum would include diplomatic or economic sanctions. Second, the ‘unofficial’ category throws together all government communication, regardless of whether it is anonymous or not. This distinction, however, turned out to be quite important, as government officials may share attribution findings anonymously with the media. Moreover, it is difficult to determine the level of coordination behind such disclosures by the intelligence community, which muddles the distinction between public unofficial communication and leaks. The third consideration that is not explicit in the data is that this distinction glosses over the fact that informal means of communication may serve official purposes.
This type of activity can also be called ‘media diplomacy’, defined by Gilboa as “the use of the mass media by policymakers in specific cases to send signals and apply pressure on state and non-state actors to build confidence and advance negotiations as well as to mobilize public support for agreements”.143 Gilboa’s definition of media diplomacy applies to the context of conflict resolution, but the general idea of using media outlets to apply pressure and mobilize support can also be applied to the context of public attribution.

142 Davis II et al., Stateless Attribution, 17.
143 Eytan Gilboa, “Media Diplomacy: Conceptual Divergence and Applications,” Press/Politics 3, no. 3 (1998): 62.


In other words, besides the fact that unofficial media communication may be a separate category, law enforcement and anonymous (intelligence) leaks may also deserve a separate category. For each of these three categories one should always bear in mind that they might also have instrumental value to a government, as part of a communication strategy. Turning to attribution by the private (or non-governmental) sector, Davis et al. distinguish between private cybersecurity company reports and investigative journalism.144 The latter category, however, does not fit neatly in this study. Because journalism and news sources are a channel in themselves, they are likely to draw upon other sources of attribution for their articles. Moreover, this overlaps with the previously mentioned category of unofficial attribution by government actors, who use the media to communicate attribution. In these situations, the government source prevails over the media channel for categorization. Bearing these complications and nuances to Davis et al.’s categorization in mind, I have simplified the categorization. First, I have drawn government attribution together to include all forms of apparently intentional communication, ranging from high-level statements to anonymous media interviews. Categories such as leaks and investigative journalism do not get a category of their own. However, for cases in which they do occur there is a separate ‘other’ category. This category may also illustrate possible means of communication that were not taken into account by Davis et al. Lastly, I have maintained the category of the private cybersecurity industry. The result is the following simple division.

Public: Statements of attribution of which the government is the source, either officially or unofficially.
Private: (Technical) reports and analyses by private cybersecurity companies and organizations.
Other: Other encountered channels or sources, e.g. companies, leaks, investigative journalism, etc.
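As an added example (not part of the thesis, its Appendix A dataset or any code by its author), the following Python script applies the coding scheme defined in this section for target country, target type, operation type and attribution channel, together with the verification rule from the case selection section for events added by hand (at least three news sources or one peer-reviewed source), to a handful of constructed records, rejects malformed rows, and cross-tabulates the valid ones by operation type and channel. The column names, CSV layout, function names and the sample rows are assumptions made for this example; the category codes are the ones defined above.

```python
"""Schema check and cross-tabulation for cyber-operation records coded with
the variables described above (target country, target type, operation type,
attribution channel).

Added example; not the thesis's dataset or code. The column names, the CSV
layout and the sample rows are assumptions made for the example. The category
codes are the ones the text defines.
"""
import csv
import io
import re
from collections import Counter

TARGET_TYPES = {"1": "Public Sector", "2": "Military", "3": "Private Sector",
                "4": "Civil Society", "5": "Multiple"}
OPERATION_TYPES = {"1": "CNE", "2": "CNA", "3": "IO"}
CHANNELS = {"Public", "Private", "Other"}
SPECIAL_TARGETS = {"International", "Unknown"}   # used instead of a country code
ALPHA2 = re.compile(r"^[A-Z]{2}$")               # shape of an ISO 3166-1 alpha-2 code

# Constructed sample rows (hypothetical events, not Appendix A records). The
# last two rows are deliberately malformed: an alpha-3 code and an undefined
# target type code.
SAMPLE_CSV = """event,year,target_country,target_type,operation_type,channel
Example espionage campaign A,2014,"US, DE",1,1,Private
Example data-wiping attack B,2016,KR,3,2,Public
Example doxing operation C,2017,FR,4,3,Other
Example DDoS wave D,2012,International,5,2,Private
Example malformed row E,2015,USA,1,1,Public
Example malformed row F,2018,NL,7,1,Private
"""


def parse_target_countries(field):
    """Split the comma-separated target field into codes.

    'International' and 'Unknown' stand alone; anything else must be an
    alpha-2 code. Only the shape of the code is checked (no ISO list is
    consulted offline), so a made-up code such as 'XX' would pass here.
    """
    codes = [c.strip() for c in field.split(",") if c.strip()]
    if not codes:
        raise ValueError("empty target_country")
    if len(codes) == 1 and codes[0] in SPECIAL_TARGETS:
        return codes
    bad = [c for c in codes if not ALPHA2.match(c)]
    if bad:
        raise ValueError(f"not ISO 3166 alpha-2: {bad}")
    return codes


def validate_record(row):
    """Return a normalised record, or raise ValueError naming the bad field."""
    if row["target_type"] not in TARGET_TYPES:
        raise ValueError(f"target_type {row['target_type']!r} not in 1-5")
    if row["operation_type"] not in OPERATION_TYPES:
        raise ValueError(f"operation_type {row['operation_type']!r} not in 1-3")
    if row["channel"] not in CHANNELS:
        raise ValueError(f"channel {row['channel']!r} not Public/Private/Other")
    return {
        "event": row["event"],
        "year": int(row["year"]),
        "targets": parse_target_countries(row["target_country"]),
        "target_type": TARGET_TYPES[row["target_type"]],
        "operation_type": OPERATION_TYPES[row["operation_type"]],
        "channel": row["channel"],
    }


def load_records(text):
    """Parse CSV text; return (valid records, [(event, error message)])."""
    good, bad = [], []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            good.append(validate_record(row))
        except ValueError as exc:
            bad.append((row["event"], str(exc)))
    return good, bad


def crosstab(records, row_field, col_field):
    """Count records per (row_field, col_field) pair, e.g. operation type x channel."""
    return Counter((r[row_field], r[col_field]) for r in records)


def verified_addition(news_sources, peer_reviewed_sources):
    """Verification rule for events added by hand: at least three national or
    international news sources, or one academic peer-reviewed source."""
    return news_sources >= 3 or peer_reviewed_sources >= 1


if __name__ == "__main__":
    records, errors = load_records(SAMPLE_CSV)
    for event, err in errors:
        print(f"rejected: {event}: {err}")
    for (op, ch), n in sorted(crosstab(records, "operation_type", "channel").items()):
        print(f"{op:3} {ch:8} {n}")
```

Rejecting rather than silently coercing malformed codes keeps the counts honest: a single alpha-3 code or an undefined category would otherwise end up in an ‘other’ bucket and distort the tabulation.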

Attribution Content

Studying attribution can be empirically challenging. Attribution processes are likely to involve a large amount of intelligence work and decision making that happens behind closed doors. As Rid and Buchanan state:

144 Davis II et al., Stateless Attribution, 18.


“In complex scenarios, only a small fraction of the attribution process will be visible to senior officials and politicians, and an even smaller fraction to the public. Preparing and managing [communication of attribution] will determine how an agency’s activities are perceived, by the political leadership, by the technical expert community, and by the general public.”145

In other words, it is hard to observe the internal processes of attribution, and probably only a small part is visible to the outside world via communication. This issue is important, but not fundamental for the purpose of this research. The public communication of attribution is the object of focus, so the working mechanisms of the attribution process itself are a secondary concern. Looking at the content of attribution communications, I have adopted a two-digit coding scheme to capture how nation-state involvement is communicated and how this relates to the technical-human levels of identification. The first digit indicates the level of nation-state involvement mentioned in the communication. In this context, I distinguish three levels of attribution: neutral attribution, territorial attribution, and nation-state attribution.

Neutral attribution: The first scenario of attribution does not trace any nationality, nor does it assess that there is any governmental involvement. Instead, it merely assesses the apparent threat. Nevertheless, it is still possible that the operation is attributed to a ‘hypothetical’ or ‘technical’ actor, such as an APT, that is not explicitly linked to any country or government. In other words, the attributing actor falls short of blaming a specific government. This can be the result of insufficient incriminating information, but it is also possible that it is a political choice made to avoid overt confrontation.

Territorial attribution: In the second scenario, the attributing actor has been able to locate the source of the operation in a given country, without mentioning its government’s involvement. The identification can be either technical – tracing traffic to an IP address in that country – or physical – identifying an individual or group of hackers in that country. Not blaming a government can be sincere when the perpetrators are indeed operating on their own motives. But just as with general attribution, it can also be intentional or due to a lack of evidence.

Nation-state attribution: The third scenario has the most diplomatic weight: it blames a nation-state government for conducting, sponsoring or tolerating the operation. This is only counted if the communication specifically mentions governmental involvement or a specific governmental institution. Generic indications (e.g. ‘’ or ‘the Chinese’) are below this threshold.

145 Rid and Buchanan, “Attributing Cyber Attacks,” 26.

1 | Neutral Attribution
2 | Territorial Attribution
3 | Nation-State Attribution

The second digit indicates the level of identification based on the distinction between technical and human attribution. I included this variable to see if it shows us something about the conversion from one type to the other. Although it appears unnatural to set man and machine apart, it should be considered hierarchical. As explained in the previous chapter, human attribution is preferred over technical attribution for decision makers. This is coded as follows:

0 | None      | A general threat or entity
1 | Technical | Digital forensics: IP addresses, malware families, etc.
2 | Human     | A specific individual or organization

There is one important caveat that mostly applies to the nation-state attribution scenario. In order to be categorized as ‘human’ (physical) attribution, a given case had to fulfil the condition of identifying a physically observable entity – i.e. an individual or organization. However, there is a large grey area between something abstract such as ‘China’, gradually moving to more concrete entities such as ‘the Chinese Government’ and ‘The People’s Liberation Army’, down to naming ‘three individuals working at BuYoSec’. For the coding, I considered cases equal to the former two – nation-states or governments in general – to be too general for physical attribution (they are coded as ‘none’ under identification). Blaming a government, however, would still fall in the realm of human attribution. This is also kept in mind in the following analysis.



3.2. ANALYSIS

3.2.1. FIRST RESULTS

Attribution  | Identification | Total | Public | Private | Other
-------------|----------------|-------|--------|---------|------
Nation-State | Human          |    32 |     12 |      10 |    10
Nation-State | Technical      |    35 |      8 |      21 |     6
Nation-State | None           |    53 |     37 |       1 |    15
Territorial  | Human          |     8 |      5 |       3 |     0
Territorial  | Technical      |    30 |      7 |      20 |     3
Territorial  | None           |    30 |     20 |       0 |    10
Neutral      | Human          |     0 |      0 |       0 |     0
Neutral      | Technical      |    58 |      1 |      55 |     2
Neutral      | None           |    27 |     13 |       2 |    12
TOTAL        |                |   273 |    103 |     112 |    58

Table 6: First Results of Categorization

Table 6 above shows the first results of the categorization of attribution communication in the list of selected events. Several things stand out, looking purely at these results. First, the total number of attribution occurrences is larger than the number of cases. This is because a single case may involve several attribution occurrences, for instance through different channels. Second, human attribution does not occur in the neutral category (threat or general attribution). This makes sense, considering that human attribution requires identification of some sort of physical entity, which would instantly lead to a country of origin. Third, as stated in the methodology section, the results confirm that ‘other’ channels such as journalism, leaks and attribution by private (non-cybersecurity) companies occur far less than attribution by governmental actors and cybersecurity companies. Fourth, governments appear mostly geared towards nation-state attribution. It is important to remember the aforementioned caveat that abstract entities such as a state in its entirety were coded as ‘none’ under identification, which could explain the high count there. Fifth, the private cybersecurity industry also frequently blames nation-states, but it also seems particularly active at technical neutral attribution – that is, demonstrating the technical features and relationships to particular malware families, without further statements about government involvement. This also seems logical, as this type of activity is at the core of cybersecurity companies such as McAfee, Kaspersky, Symantec, and the like.



[Figure 1: chart not reproduced in this text version. Title: Attribution of Cyber Operations, 1998-2018. Horizontal axis: years 1998 to 2018; vertical axis: number of attribution occurrences (0 to 60). Nine series, combining channel and attribution level: Public Nation-State, Public Territorial, Public Neutral, Private Nation-State, Private Territorial, Private Neutral, Other Nation-State, Other Territorial, Other Neutral.]

Figure 1: Attribution of Cyber Operations, 1998-2018

Figure 1 above presents the attribution occurrences in chronological order, categorized per attribution level and channel. Besides the data limitations mentioned in the methodology section, this graph does not account for the total number of cyber operations that go undetected, or the number of cyber operations that are detected but invoke no response. In other words, it is not possible to tell whether the risks of detection and retaliation for cyber attackers have increased. Despite these limitations, the number of attribution occurrences does appear to be nominally increasing. Especially 2014 marks a steep increase, characterized by more territorial attribution in the public sector, nation-state attribution in the private sector, and neutral attribution in other channels. However, the largest increase is in the public sector attributing operations to nation-states. Most of these events are U.S. official responses to attacks on government branches (see Appendix A). Another striking detail is the growing role of the private cybersecurity industry, especially from 2014 onwards. Although its rate of nation-state attribution decreases, this sector is increasingly carrying out neutral attribution. This increase is mostly caused by the growing number of APT technical assessments that do not (explicitly) mention human attribution in any way. As stated in the methodology section on APTs, this may be a consequence of private sector marketing strategies.



Operation Types

The two tables below show the classification results per operation type. As already discussed, CNE significantly outnumbers CNA and IO. Moreover, IO is included only once, for the Macron presidential campaign leaks. This roughly reflects the aforementioned expectation, because CNA is usually only discovered after the attack. If it is caught before the attack – that is, during preparations – it is more likely to be considered CNE. Looking at attribution communication practices in CNA and CNE cases, the results in Table 8 show that there is little difference, except that the private cybersecurity industry appears to be a little more active in CNE cases compared to CNA, whereas public authorities and other channels attribute slightly more frequently in CNA cases.

Code | Operation Type               | Amount
-----|------------------------------|-------
1    | Cyber Espionage (CNE)        |    163
2    | Cyber Attack (CNA)           |     39
3    | Information Operations (IO)  |      1

Table 7: Number of Cases per Operation Type

Attribution  | Identification | Total CNA | Total CNE | Public CNA | Public CNE | Private CNA | Private CNE | Other CNA | Other CNE
-------------|----------------|-----------|-----------|------------|------------|-------------|-------------|-----------|----------
Nation-State | Human          |   8,96%   |  12,25%   |   5,97%    |   3,43%    |   0,00%     |   4,90%     |   2,99%   |   3,92%
Nation-State | Technical      |  16,42%   |  11,76%   |   5,97%    |   1,96%    |   5,97%     |   8,33%     |   4,48%   |   1,47%
Nation-State | None           |  22,39%   |  18,63%   |  13,43%    |  13,73%    |   0,00%     |   0,49%     |   8,96%   |   4,41%
Territorial  | Human          |   1,49%   |   3,43%   |   1,49%    |   1,96%    |   0,00%     |   1,47%     |   0,00%   |   0,00%
Territorial  | Technical      |   7,46%   |  11,76%   |   4,48%    |   1,96%    |   1,49%     |   8,82%     |   1,49%   |   0,98%
Territorial  | None           |   8,96%   |  11,76%   |   4,48%    |   8,33%    |   0,00%     |   0,00%     |   4,48%   |   3,43%
Neutral      | Human          |   0,00%   |   0,00%   |   0,00%    |   0,00%    |   0,00%     |   0,00%     |   0,00%   |   0,00%
Neutral      | Technical      |  23,88%   |  20,59%   |   0,00%    |   0,49%    |  22,39%     |  19,61%     |   1,49%   |   0,49%
Neutral      | None           |  10,45%   |   9,80%   |   4,48%    |   4,90%    |   0,00%     |   0,98%     |   5,97%   |   3,92%
TOTAL        |                |  67 (n)   | 204 (n)   |  40,30%    |  36,76%    |  29,85%     |  44,61%     |  29,85%   |  18,63%

Percentages are shares of all attribution occurrences recorded for CNA cases (67) and CNE cases (204) respectively; the TOTAL row gives these absolute numbers under Total.

Table 8: Classification of Attribution Occurrences for CNA and CNE Cases



Operation Targets

Looking at the variation of attribution occurrences per target type, the results are different. Table 9 shows the total number of recorded cases per target type, and Table 10 shows how attribution occurrences are spread within each type – the percentages are calculated relative to the total number of occurrences within the corresponding type, to normalize for the different occurrence rates. What is striking is that operations targeting the military sector are recorded in only 10 cases. However, when such an operation does become public, public authorities seem more willing to attribute it than operations against other target types. Looking at private sector attribution, the results show higher percentages for operations targeting civil society and multiple sectors. This may mean that the private cybersecurity industry is more active in these sectors, but it may also indicate that other (public) attribution authorities and channels generally stay aloof from attribution of operations targeting non-governmental sectors.

Code | Target Type     | Amount
-----|-----------------|-------
1    | Government      |     80
2    | Military        |     10
3    | Private Sector  |     45
4    | Civil Society   |     26
5    | Multiple        |     42

Table 9: Number of Cases per Target Type

Target type codes (columns 1–5) as in Table 9: 1 Government, 2 Military, 3 Private Sector, 4 Civil Society, 5 Multiple. All values are percentages of the attribution occurrences within that target type.

Public (%)
Attribution  | Identification |     1 |     2 |     3 |     4 |     5
-------------|----------------|-------|-------|-------|-------|------
Nation-State | Human          |  3,06 |  7,14 |  6,94 |  6,25 |  1,75
Nation-State | Technical      |  2,04 |  0,00 |  4,17 |  6,25 |  1,75
Nation-State | None           | 21,43 | 28,57 |  8,33 |  6,25 |  7,02
Territorial  | Human          |  3,06 |  0,00 |  1,39 |  0,00 |  1,75
Territorial  | Technical      |  5,10 |  0,00 |  1,39 |  0,00 |  1,75
Territorial  | None           | 13,27 | 14,29 |  2,78 |  3,13 |  3,51
Neutral      | Human          |  0,00 |  0,00 |  0,00 |  0,00 |  0,00
Neutral      | Technical      |  1,02 |  0,00 |  0,00 |  0,00 |  0,00
Neutral      | None           |  7,14 | 14,29 |  2,78 |  6,25 |  0,00
TOTAL        |                | 56,12 | 64,29 | 27,78 | 28,13 | 17,54

Private (%)
Attribution  | Identification |     1 |     2 |     3 |     4 |     5
-------------|----------------|-------|-------|-------|-------|------
Nation-State | Human          |  1,02 |  7,14 |  1,39 | 12,50 |  5,26
Nation-State | Technical      |  7,14 |  7,14 |  5,56 | 15,63 |  7,02
Nation-State | None           |  0,00 |  0,00 |  1,39 |  0,00 |  0,00
Territorial  | Human          |  1,02 |  0,00 |  0,00 |  0,00 |  3,51
Territorial  | Technical      |  5,10 |  0,00 |  4,17 | 12,50 | 14,04
Territorial  | None           |  0,00 |  0,00 |  0,00 |  0,00 |  0,00
Neutral      | Human          |  0,00 |  0,00 |  0,00 |  0,00 |  0,00
Neutral      | Technical      | 11,22 | 14,29 | 18,06 | 28,13 | 35,09
Neutral      | None           |  0,00 |  0,00 |  1,39 |  0,00 |  1,75
TOTAL        |                | 25,51 | 28,57 | 31,94 | 68,75 | 66,67

Other (%)
Attribution  | Identification |     1 |     2 |     3 |     4 |     5
-------------|----------------|-------|-------|-------|-------|------
Nation-State | Human          |  6,12 |  0,00 |  2,78 |  3,13 |  1,75
Nation-State | Technical      |  2,04 |  0,00 |  5,56 |  0,00 |  0,00
Nation-State | None           |  3,06 |  0,00 |  9,72 |  0,00 |  8,77
Territorial  | Human          |  0,00 |  0,00 |  0,00 |  0,00 |  0,00
Territorial  | Technical      |  1,02 |  0,00 |  2,78 |  0,00 |  0,00
Territorial  | None           |  4,08 |  7,14 |  5,56 |  0,00 |  1,75
Neutral      | Human          |  0,00 |  0,00 |  0,00 |  0,00 |  0,00
Neutral      | Technical      |  0,00 |  0,00 |  2,78 |  0,00 |  0,00
Neutral      | None           |  2,04 |  0,00 | 11,11 |  0,00 |  3,51
TOTAL        |                | 18,37 |  7,14 | 40,28 |  3,13 | 15,79

Table 10: Classification of Attribution Occurrences per Target Type
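The two-digit coding scheme introduced in the methodology section and the two tabulations applied in this section (counts per channel as in Table 6, shares within each target type as in Table 10) can be made concrete in a few lines of code. The following Python is an added example, not part of the thesis or its dataset; the case labels and records are constructed, and the helper names (Occurrence, split_code, tabulate_by_channel, tabulate_by_target, cases_with) are my own. It also encodes the consistency rule noted in the first results: human identification fixes a country of origin, so the combination of neutral attribution with human identification (code 12) is rejected rather than silently counted.

```python
# Added example: two-digit coding of attribution occurrences and the two
# tabulations used above (counts per channel, Table 6; shares within each
# target type, Table 10). All records below are constructed for illustration.
from collections import Counter
from dataclasses import dataclass

# First digit: communicated level of nation-state involvement.
ATTRIBUTION = {1: "Neutral", 2: "Territorial", 3: "Nation-State"}
# Second digit: level of identification.
IDENTIFICATION = {0: "None", 1: "Technical", 2: "Human"}
CHANNELS = ("Public", "Private", "Other")
# Target type codes, as in Table 9.
TARGETS = {1: "Government", 2: "Military", 3: "Private Sector",
           4: "Civil Society", 5: "Multiple"}


@dataclass(frozen=True)
class Occurrence:
    """One attribution occurrence; a case can have several (e.g. one per channel)."""
    case_id: str   # hypothetical case label, constructed for this example
    channel: str   # "Public", "Private" or "Other"
    target: int    # target type code (Table 9)
    code: int      # two-digit code, e.g. 31 = nation-state level, technical identification


def split_code(code):
    """Split a two-digit code into (attribution, identification) and validate it."""
    attr, ident = divmod(code, 10)
    if attr not in ATTRIBUTION or ident not in IDENTIFICATION:
        raise ValueError(f"unknown attribution code {code}")
    # Human identification names a concrete person or organisation, which fixes
    # a country of origin; it therefore cannot combine with neutral attribution.
    if attr == 1 and ident == 2:
        raise ValueError("code 12 is inconsistent: human identification implies "
                         "at least territorial attribution")
    return attr, ident


def is_valid_code(code):
    """True if split_code accepts the code, False otherwise."""
    try:
        split_code(code)
    except ValueError:
        return False
    return True


def tabulate_by_channel(occurrences):
    """Table 6 layout: counts per (attribution, identification) row and channel column."""
    table = {}
    for occ in occurrences:
        if occ.channel not in CHANNELS:
            raise ValueError(f"unknown channel {occ.channel!r}")
        attr, ident = split_code(occ.code)
        row = table.setdefault((ATTRIBUTION[attr], IDENTIFICATION[ident]), Counter())
        row[occ.channel] += 1
        row["Total"] += 1
    return table


def tabulate_by_target(occurrences):
    """Table 10 layout: each cell as a percentage of all occurrences for that target type.

    Normalising per target type makes the rows comparable across target types
    that occur with very different frequencies (10 military vs. 80 government cases).
    """
    per_target = Counter(occ.target for occ in occurrences)
    cells = Counter()
    for occ in occurrences:
        attr, ident = split_code(occ.code)
        cells[(ATTRIBUTION[attr], IDENTIFICATION[ident], occ.channel, occ.target)] += 1
    return {key: round(100 * n / per_target[key[3]], 2) for key, n in cells.items()}


def cases_with(occurrences, attribution_level, channel):
    """Case-level count (cf. footnote 157): distinct cases with at least one matching occurrence."""
    return len({occ.case_id for occ in occurrences
                if split_code(occ.code)[0] == attribution_level and occ.channel == channel})


# Constructed sample: four hypothetical cases, several channels each.
SAMPLE = [
    Occurrence("case-A", "Public", 1, 30),   # government blames a state, no concrete entity named
    Occurrence("case-A", "Private", 1, 11),  # vendor report links a malware family, names no state
    Occurrence("case-B", "Private", 4, 11),  # technical profiling of an APT, neutral
    Occurrence("case-B", "Other", 4, 10),    # statement by the victim, general threat only
    Occurrence("case-C", "Public", 2, 22),   # officials name individuals in a country, no government blamed
    Occurrence("case-C", "Private", 2, 31),  # vendor ties infrastructure to a state on technical evidence
    Occurrence("case-D", "Public", 1, 31),   # official statement naming a state on technical grounds
]

if __name__ == "__main__":
    for (attr, ident), row in sorted(tabulate_by_channel(SAMPLE).items()):
        print(f"{attr:12} {ident:10}", dict(row))
    for key, pct in sorted(tabulate_by_target(SAMPLE).items()):
        print(key, pct)
```

Feeding the full dataset of Appendix A through tabulate_by_channel would reproduce Table 6; tabulate_by_target reproduces the per-type normalization of Table 10, and cases_with gives the case-level figures used in the private sector discussion below.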



3.2.2. NEUTRAL ATTRIBUTION

As the name suggests, communication in the category of neutral attribution does not mention government involvement in any form. The previous section also showed that human attribution does not occur within this category. This makes sense, because human attribution would automatically imply that at least a country of origin or the nationality of the attacker is known. Of the 85 recorded occurrences of neutral attribution, 58 were based on technical identification, and 27 did not mention any type of identification at all. The next sections will look at the variations per attribution channel.

Public Sector

In the dataset, threat attribution by public actors is recorded 14 times, of which only one involved technical identification. This instance occurred after a detected cyber espionage campaign against RUAG, a Swiss defense contractor. The Swiss official cybersecurity agency MELANI issued a technical report about the incident, linking it to the Turla malware family.146 This conclusion makes Russia a prime suspect, but the report does not mention Russian involvement, let alone any government involvement. Instead, the authors claim to have issued the report to “give organizations the chance to check their networks for similar infections, and show the modus operandi of the attacker group.”147 Looking at the other official approaches, attribution can come in the form of attribution to an APT – without further expanding on the background of that APT. Moreover, this can be limited to stating only that (any) APT involvement is likely, as the German intelligence service did after attacks on German steel mills in 2014.148 In 2017, the International Association of Athletics Federations (IAAF) was a bit more specific when it issued a press release stating that it had been the victim of a cyber attack carried out by ‘’, also known as APT28.149 However, these statements do not mention any country of origin nor government involvement. In other cases, communication entailed a general condemnation, as occurred when French officials condemned the alleged ‘cyberterrorist’ attacks targeting television network TV5.150 Later on, the attacks turned out to be a Russian ‘false flag’ operation, creating the impression that ISIS was behind them.151 A similar response came after Macron’s campaign files were stolen and released online in 2017, leading to an official condemnation.152 Again, there was no finger pointing, despite earlier suggestions by ThreatConnect that APT28 was already targeting Macron.153 In both French cases, there was no attribution despite strongly suggestive evidence, which may only show that the decision to communicate blame depends on more than just evidence. It seems likely that political power implications are also an important factor here. In some cases, attribution is deliberately left vague for exactly these reasons, as is illustrated by a series of attacks on British critical national infrastructure companies in 2005.154 Incident response was managed by the National Infrastructure Security Coordination Centre (NISCC), in close cooperation with intelligence service MI5. In his reconstruction of the events, BBC’s Gordon Corera describes:

146 GovCERT.ch, APT Case RUAG: Technical Report, May 23, 2016, 3, accessed May 22, 2018, https://www.melani.admin.ch/dam/melani/en/dokumente/2016/technical%20report%20ruag.pdf.download.pdf/Report_Ruag-Espionage-Case.pdf.
147 Richard Chirgwin, “Swiss CERT publishes reveals details of defence contractor hack,” The Register, May 24, 2016, accessed May 22, 2018, https://www.theregister.co.uk/2016/05/24/anatomy_of_a_breach_swiss_cert_publishes_analysis_of_ruag_attack/.
148 German Federal Office for Information Security, The State of IT Security in 2014, 31, accessed May 22, 2018, https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Securitysituation/IT-Security-Situation-in-Germany-2014.pdf?__blob=publicationFile&v=3.

“The NISCC also issued the first public warning in 2005. It said that ‘industrial-strength hacking’ was taking place on an increasingly sophisticated scale to steal commercial secrets. However the group was forbidden by the Foreign Office from mentioning China for fear of the diplomatic impact and also from using the term espionage, since that would imply a state actor and that would also raise too many difficult questions. The warnings were left vague.”155

149 “IAAF Victim of Cyber Attack,” IAAF (website), April 3, 2017, accessed May 22, 2018, https://www.iaaf.org/news/press-release/iaaf-cyber-attack.
150 “Hacking of French TV Channel was ‘terror act’,” The Local, April 9, 2015, accessed May 22, 2018, https://www.thelocal.fr/20150409/frances-tv5-monde-isis-cyberattack-charlie-hebdo.
151 Emmanuel Paquette, “Piratage de TV5 Monde: l’enquête s’oriente vers la piste russe,” L’Express, June 9, 2015, accessed May 22, 2018, https://www.lexpress.fr/actualite/medias/piratage-de-tv5-monde-la-piste-russe_1687673.html.
152 “French election: Emmanuel Macron condemns ‘massive’ hack attack,” BBC News, May 6, 2017, accessed May 22, 2018, http://www.bbc.com/news/world-europe-39827244.
153 “Parlez-vous Fancy?” ThreatConnect (website), April 26, 2017, accessed May 22, 2018, https://www.threatconnect.com/blog/activity-targeting-french-election/?utm_campaign=DNC%20Guccifer%202.0%20Fancy%20Bears%20Research; Lorenzo Franceschi-Bicchierai, “This Is the Evidence Linking Russian Hackers to the French Election,” Vice, April 26, 2017, accessed May 22, 2018, https://motherboard.vice.com/en_us/article/vvaxy8/evidence-linking-russian-hackers-fancy-bear-to-macron-.
154 David Batty, “Hackers target vital UK IT networks,” The Guardian, June 16, 2005, accessed May 22, 2018, https://www.theguardian.com/society/2005/jun/16/epublic.politics.

Despite the neutrality of attribution in this category, attribution authorities may nevertheless hint at (sophisticated) state-sponsored attacks. In 2016, a threat report by the Australian Cyber Security Centre (ACSC) mentioned a 2015 operation against the Australian Bureau of Meteorology as an example of threats to government, explaining further that the Remote Access Tools (RATs) used in the attack are particularly popular among ‘state-sponsored cyber adversaries’.156 Beyond this single case, there are no other recorded cases of public sector general attribution. Again, a possible explanation is that hinting at a state sponsor would place the government on a slippery slope. It would invite difficult questions that may have large diplomatic consequences.

Private Sector

Contrary to the public sector, the private cybersecurity industry is quite active in threat attribution according to the dataset. In 57 of the 203 recorded cases there was some form of private sector threat attribution.157 In all but two cases attribution is based on technical identification, referring to technical pointers such as malware (and APT) families, aliases and other digital footprints. I found that there are three general types within this category. There are plenty of examples for each type, but I will present only a few here for illustration. The first is a general threat assessment. In these cases reporting merely draws a technical sketch of the identified threat, often paired with technical evidence such as Command and Control (C2 or C&C) servers, domain names and other Indicators of Compromise (IOCs). These are often brief blog posts, as opposed to full-scale reports. Arbor Networks posted such an item after the DDoS attacks in the context of the Russo-Georgian conflict in 2008, analyzing internet traffic.158 More recently, both Kaspersky and Cisco posted their assessments of the Olympic Destroyer attacks that targeted the PyeongChang Winter Olympics this year.159

155 Gordon Corera, Intercept: The Secret History of Computers and Spies (London: Weidenfeld & Nicolson, 2005) (online), accessed May 22, 2018, https://books.google.nl/books?id=td8aBwAAQBAJ.
156 Australian Cyber Security Centre, 2016 Threat Report, 11, accessed May 22, 2018, https://www.acsc.gov.au/publications/ACSC_Threat_Report_2016.pdf.
157 Note that this is on case level, not on attribution occurrence level.
158 Jose Nazario, “Georgia DDoS Attacks – A Quick Summary of Observations,” Arbor Networks (website), August 12, 2008, accessed May 22, 2018, https://asert.arbornetworks.com/georgia-ddos-attacks-a-quick-summary-of-observations/.
159 “Olympic Destroyer: who hacked the Olympics?” Kaspersky (website), March 9, 2018, accessed May 22, 2018, https://www.kaspersky.com/blog/olympic-destroyer/21494/; Warren Mercer and Paul Rascagneres,


In the second type, the companies go beyond just a threat assessment, and turn to technical profiling to link their observations to other APTs or existing malware toolkits. A notable example is a whole string of operations that Kaspersky has traced back to the Equation Group, allegedly connected to Israel and the Five Eyes (US, UK, Canada, Australia, and New Zealand), though without naming them explicitly. In the cases of Stuxnet and Duqu, Kaspersky limited itself to very general terms.160 However, in the cases of Flame,161 Gauss,162 Duqu 2.0,163 and Regin,164 Kaspersky explicitly stated that it deemed it likely that a nation-state was behind these operations. To pinpoint the exact nation-state, only circumstantial evidence is presented, such as the distribution of timestamps in the malware to indicate activity hours, while leaving it “up to the reader to attempt to interpret this”.165 Another example is the Dragos report after the CrashOverride attacks on Ukrainian electricity company Ukrenergo, which connected CrashOverride to earlier offensive cyber threats such as BlackEnergy (2) and SandWorm.166 Similarly, a string of reports by Arbor Networks, Citizen Lab, Palo Alto and other researchers build upon each other’s technical indicators to identify ongoing espionage campaigns against political targets in South-East Asia.167

“Olympic Destroyer Takes Aim At Winter Olympics,” Talos Intelligence (blog), February 12, 2018, accessed May 22, 2018, https://blog.talosintelligence.com/2018/02/olympic-destroyer.html.
160 “Equation Group: Questions and Answers,” Kaspersky’s SecureList (blog), February 2015, accessed May 22, 2018, https://securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf.
161 Alexander Gostev, “The Flame: Questions and Answers,” Kaspersky’s SecureList (blog), May 28, 2012, accessed May 22, 2018, https://securelist.com/the-flame-questions-and-answers-51/34344/.
162 “Gauss: Nation-state cyber-surveillance meets banking Trojan,” Kaspersky’s SecureList (blog), August 9, 2012, accessed May 22, 2018, https://securelist.com/gauss-nation-state-cyber-surveillance-meets-banking-trojan-54/33854/.
163 “Duqu is back: Kaspersky Lab reveals cyberattack on its corporate network that also hit high profile victims in Western countries, the Middle East and Asia,” Kaspersky (website), accessed May 22, 2018, https://www.kaspersky.com/about/press-releases/2015_duqu-is-back-kaspersky-lab-reveals-cyberattack-on-its-corporate-network-that-also-hit-high-profile-victims-in-western-countries-the-middle-east-and-asia.
164 “The Regin Platform: Nation-State Ownage of GSM Networks,” Kaspersky (website), November 24, 2014, 23, accessed May 22, 2018, https://d2538mqrb7brka.cloudfront.net/wp-content/uploads/sites/43/2018/03/08070305/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf.
165 Ibid.
166 “CRASHOVERRIDE: Analysis of the Threat to Electric Grid Operations,” Dragos (website), June 13, 2017, accessed May 22, 2018, https://dragos.com/blog/crashoverride/CrashOverride-01.pdf.
167 Robert Falcone, Mike Scott, and Juan Cortes, “Attack Campaign on the Government of Thailand Delivers Bookworm Trojan,” Palo Alto Networks’ Research Center (blog), November 24, 2015, accessed May 22, 2018, https://researchcenter.paloaltonetworks.com/2015/11/attack-campaign-on-the-government-of-thailand-delivers-bookworm-trojan/; Robert Falcone, “Evilgrab Delivered by Watering Hole Attack on President of Myanmar’s Website,” Palo Alto Networks’ Research Center (blog), June 11, 2015, accessed May 22, 2018, https://researchcenter.paloaltonetworks.com/2015/06/evilgrab-delivered-by-watering-hole-attack-on-president-of-myanmars-website/; Matt Brooks, Jakub Dalek, and Masashi Crete-Nishihata, “Between Hong Kong and Burma: Tracking UP007 and SLServer Espionage Campaigns,” The Citizen Lab (website), April 18, 2016, accessed May 22, 2018, https://citizenlab.ca/2016/04/between-hong-kong-and-burma/; “ASERT Threat Intelligence Report 2015-08: Uncovering the Seven Pointed Dagger,” Arbor Networks (website),


Third, sometimes the circumstantial evidence is more human and political in nature. In these cases, factors such as targeting and the language identified in the malware may function as clues. Kaspersky frequently uses language indicators in its reports, as in its conclusion that the attackers behind RedOctober are Russian-speaking,168 or the observation that the attackers behind 2.0 had their language configuration set to ‘Arabic (Yemen)’.169 Similar targeting is also used as an argument. Drawing an attacker profile based on targets is an important element of the abovementioned reports by Arbor Networks, Citizen Lab and Palo Alto, as well as of TrendMicro’s assessment of the ChessMaster malware’s ties to APT10 (or Stone Panda), based on its targeting profile.170 Related to this last type, circumstantial profiling may in some cases lead to the conclusion that some form of state involvement is likely. FireEye’s APT report on WITCHCOVEN illustrates what factors may inform an assessment of state sponsorship: first, the scope of the operation implied that the aggressors were looking for vast amounts of intelligence; second, the operational restraint suggested that the operation was long-term and the aggressors wanted to limit exposure; and third, the probable targets are considered of interest to other governments.171 Palo Alto (Unit 42) gave similar profiling arguments in its attribution report on Operation Lotus Blossom in 2015.172 In this report, the authors suggested that the aggressor was ‘a nation state adversary with a strong interest in the militaries of Southeast Asian nations’, with an ability to maintain a C2 infrastructure over a long period of time.173 Overall, private sector threat attribution occurs very frequently, judging from the first results. The majority of these reports focus on APT profiling, either technical or circumstantial. However, these reports rarely attribute such operations and APTs to a nation-state, at least in

August 2015, accessed May 22, 2018, https://asert.arbornetworks.com/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-2015-08-Uncovering-the-Seven-Point-Dagger.pdf.
168 “‘’ Diplomatic Cyber Attacks Investigation,” Kaspersky’s SecureList (blog), January 14, 2013, accessed May 22, 2018, https://securelist.com/red-october-diplomatic-cyber-attacks-investigation/36740/.
169 “From Shamoon to Stonedrill: Wipers attacking Saudi Organizations and Beyond,” Kaspersky (website), March 7, 2017, 7, accessed May 22, 2018, https://securelist.com/files/2017/03/Report_Shamoon_StoneDrill_final.pdf.
170 Kohei Kawabata and CH Lei, “ChessMaster: A New Campaign Targeting Japan Using The New ChChes Backdoor,” RSA Conference 2017, Session FLE-R09, July 26-28, 2017, 44, accessed May 22, 2018, https://www.rsaconference.com/writable/presentations/file_upload/fle-r09_chessmaster-a-new-campaign-targeting-japan-using-the-new-chches-backdoor.pdf.
171 Jonathan Wrolstad and Barry Vengerik, “Pinpointing Targets: Exploiting Web Analytics to Ensnare Victims,” FireEye (website), 15, accessed May 22, 2018, https://www2.fireeye.com/rs/848-DID-242/images/rpt-witchcoven.pdf.
172 Robert Falcone, Josh Grunzweig, Jen Miller-Osborn, and Ryan Olson, “Operation Lotus Blossom,” Palo Alto Networks (website), 42, accessed May 22, 2018, https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/research/unit42-operation-lotus-blossom.
173 Ibid.

public. When private actors do move beyond mere technical attribution and assess potential nation-state involvement, the evidence is mostly circumstantial: sophistication, targeting, persistence, and sometimes even activity hours. (I will discuss later when and how such reports do occur.) In addition, as was also pointed out in the methodology section, the frequency of such APT profiling reports should be viewed critically. APTs are also said to have become a marketing strategy for private cybersecurity companies.

Other

Beyond attribution by the government or the private cybersecurity industry, leaks and investigative journalism are insignificant. There is only one recorded case of journalism, in which a Japanese newspaper stated that Chinese characters were found in the malware used for the attacks on Mitsubishi Heavy Industries in 2011.174 Yet again, this raises the question of where the newspaper got its information. It is very likely that the source was an insider, either from the private or from the public sector. Unfortunately, this could not be determined. Turning to communication of attribution by targeted private sector entities, such communication appeared to occur very rarely overall. When it occurred, it was mostly at the level of threat attribution. In most cases, the targeted company limited its reaction to a mere statement of facts about the operation and its mitigation strategies. After the 2014 attacks on Sony Pictures Entertainment, CEO Kazuo Hirai declared on stage that Sony had been “victim to one of the most vicious and malicious attacks in recent history,” and went on to express his appreciation of the efforts by the company and its partners “who stood up against some of the extortionist efforts of the criminals”.175 In the same year, Apple’s iCloud was compromised, to which Apple responded that it was “aware of intermittent organized network attacks”, while also stressing its commitment to “protecting [Apple’s] customer’s privacy and security”.176 There are two instances in the dataset in which targeted companies responded to a cyber operation by suggesting nation-state involvement. In 2014, hackers broke into the computer networks of USIS, a US company that performs background checks on government employees,

174 Justin McCurry, “Japan anxious over defence data as China denies hacking weapons maker,” The Guardian, September 20, 2011, accessed May 22, 2018, https://www.theguardian.com/world/2011/sep/20/china-denies-hacking-attack-japan; BBC News, “Japan defence firm Mitsubishi Heavy in cyber attack,” September 20, 2011, accessed May 22, 2018, http://www.bbc.com/news/world-asia-pacific-14982906.
175 Charles Riley, “Sony CEO breaks silence after ‘vicious and malicious’ hack,” CNN, January 6, 2015, accessed May 22, 2018, http://money.cnn.com/2015/01/06/media/sony-interview-hack-ces/index.html.
176 “Apple update on iCloud.com security,” Apple, September 5, 2017, accessed May 22, 2018, https://support.apple.com/en-us/HT203126.

including undercover investigators.177 The breach was reported by USIS itself, and the company released a statement saying that “experts who have reviewed the facts gathered to-date believe it has all the markings of a state-sponsored attack.”178 In the same year, Yahoo was hacked, resulting in the breach of information on over 500 million user accounts.179 In its official statement, Yahoo said it believed a ‘state-sponsored actor’ had carried out the operation.180 Both examples indicate that the companies’ assessments of nation-state involvement are based on (expert) judgment. In any case, looking at the collected data, these two examples appear to be exceptions to the ‘rule’ that private companies tend to shy away from political statements. Of course, the private sector has different decision-making motives than governments. Profit interests may be more likely to prevail over national security interests, and scolding potential international trade partners after an attack might harm business relations. This difference in motives may be the reason why companies largely remain silent after an attack, and leave the finger pointing to those that act in the interest of national security.

177 Jim Finkle and Mark Hosenball, “U.S. undercover investigators among those exposed in data breach,” Reuters, August 23, 2014, accessed May 22, 2018, https://www.reuters.com/article/us-usa-security- contractor-cyberattack-idUSKBN0GM1TZ20140823. 178 “USIS Comments on Recent Self-Reported Cyber-Attack on Corporate Network,” USIS, August 6, 2014, accessed May 22, 2018, https://web.archive.org/web/20150223064255/http:/usis.com/Media-Release- Detail.aspx?dpid=151. 179 Dustin Volz, “Yahoo says hackers stole data from 500 million accounts in 2014,” Reuters, September 22, 2016, accessed May 22, 2018, https://www.reuters.com/article/us-yahoo-cyber/yahoo-says-hackers-stole- data-from-500-million-accounts-in-2014-idUSKCN11S16P. 180 Bob Lord, “An Important Message About Yahoo User Security,” Yahoo (website), September 22, 2016, accessed May 22, 2018, https://yahoo.tumblr.com/post/150781911849/an-important-message-about-yahoo- user-security. 53

3.2.3. TERRITORIAL ATTRIBUTION

The second category of attribution, territorial attribution, holds that the operation is traced to a given country, without communicating blame towards the government of that country. This may occur if the investigating entity has successfully attributed the operation to an agent in or from that country, or if technical attribution leads to network assets in that country. Out of all recorded attribution occurrences, 68 are about territorial attribution, 8 of which claim to have identified a physical agent.

Public Sector

Governments may communicate the fact that they have identified a country of origin of an operation – without explicitly blaming its government – in various ways. These may vary from very general to more specific. On the one end are general references to a given country. This occurs mostly in unofficial communication channels, such as media interviews. After the French Ministry of Defense was targeted in 2008, then Secretary-General Delon reportedly told Le Monde:

“We have proof that there is involvement with China. But I am prudent. When I say China, this does not mean the Chinese government. We don’t have any indication now that it was done by the Chinese People’s Liberation Army.”181

Similarly, after the Indian prime minister’s office was compromised in 2010, outgoing national security advisor Narayanan told The Times in abstract terms that he was “fairly sure it was the Chinese”, without providing any further detail.182 What happens more frequently is a government pointing to unidentified (groups of) hackers in a given country. This may occur via unofficial channels, such as in 2015, when anonymous U.S. officials told NBC News that ‘alleged Russian hackers’ had attacked the Pentagon’s Joint Staff systems, but were apparently still in the dark about possible involvement of the Russian government.183 However, this has also happened via more official channels. For example, after another attack on the Pentagon in 2015, U.S. Defense Secretary Carter denounced Russian hackers during a public speech at Stanford.184 In these cases, the sources do not provide any additional information about the evidence that has led to their conclusions.

One step up in terms of specificity, governments may support their claims by stating that they have been able to achieve technical attribution. In other words, the attributing authority can claim that it has traced the attacks to servers or IP addresses in a given country, and leaves it at that. In 2007, U.S. Congressional investigators stated that hackers had breached the Department of Homeland Security networks, siphoning data to ‘Chinese-language web sites’.185 Moreover, they declined to say whether the Chinese government was involved. Not only NATO countries follow this strategy. Russian intelligence services issued a message in 2016, warning of an imminent attack via Dutch servers owned by Ukraine.186 In these cases of attribution, the authorities seem more determined to demonstrate their conviction by hinting at technical indicators, without necessarily sharing them. This may be a form of raising the stakes in a standoff.

An interesting case in this respect is the U.S. response after Operation Aurora, an espionage operation targeting the Chinese Google websites. Computer security experts reportedly traced the attacks to two schools in China with ties to the Chinese military.187 However, the experts did not exclude the possibility that it was a false flag operation. Under such circumstances, where technical traces point to a given country but the case on government involvement remains inconclusive, requesting forensic cooperation seems like a logical decision. In the context of Aurora, Secretary of State Clinton stated that the U.S. government was looking to the Chinese government for an explanation.188

Another recurring strategy that relies heavily on authority and credibility is the interaction between anonymous (intelligence) officials and the media. In such cases, media reporting speaks only of ‘highly placed sources’,189 ‘(senior) officials’,190 or ‘security sources/officials’.191 These sources are often willing to disclose information under the condition of remaining anonymous. As stated before, this raises an important question about their motives. Are these sources leaking information illegally? Are they deliberately creating that impression to add credibility to their message? Alternatively, are they simply professionals looking to keep their identities secret? The last seems most obvious, though all three are plausible. This circles back to the dilemma discussed in the theory chapter: using intelligence as evidence is hard to verify in public.

This is less so for the last type in this section: criminal charges. In these instances, identification is not only technical but also physical, blaming one or more specific agents. Three different cases show the different circumstances in which this may take place. In one case, after Operation Cisco Raider in 2008, a group of American individuals were arrested and charged with collusion with a Chinese firm in importing manipulated hardware.192 This case, however, puts most of the blame on these American citizens, charging them with the ‘physical’ crime of trafficking illegal hardware. In another case, a Chinese individual pleaded guilty before a U.S. court in 2016 to compromising American defense contractors such as Boeing in 2014.193

181 “Hacking into the French state,” France 24, September 9, 2007, accessed May 23, 2018, https://web.archive.org/web/20080118141424/http:/www.france24.com/france24Public/en/news/france/20070909-Internet-piracy-france-secuirty-china-hacker.html.
182 “Chinese hacked PMO computers, says Narayanan,” The Indian Express, January 19, 2010, accessed May 23, 2018, http://archive.indianexpress.com/news/chinese-hacked-pmo-computers-says-narayanan/569075/.
183 Jim Miklaszewski, “Russian Cyber Attack Targets Pentagon Email Systems: Officials,” NBC News, August 6, 2015, accessed May 23, 2018, https://www.nbcnews.com/tech/security/cyberattack-pentagons-joint-staff-emails-take-system-offline-n405321.
184 U.S. Department of Defense, Remarks by Secretary Carter at the Drell Lecture Cemex Auditorium, Stanford Graduate School of Business, Stanford, California, April 23, 2015, accessed May 23, 2018, https://www.defense.gov/News/Transcripts/Transcript-View/Article/607043/.
185 “Investigators: Homeland Security computers hacked,” CNN, September 24, 2007, accessed May 23, 2018, http://edition.cnn.com/2007/US/09/24/homelandsecurity.computers/index.html.
186 Russian Federal Security Service (translated), “Foreign intelligence agencies are preparing cyber attacks aimed at destabilizing the financial system of Russia,” December 2, 2016, accessed May 23, 2018, http://www.fsb.ru/fsb/press/message/single.htm%21id%3D10438041%40fsbMessage.html; Christian Lowe and Natalia Zinets, “Russia says foreign spies plan cyber attack on banking system,” Reuters, December 2, 2016, accessed May 23, 2018, https://www.reuters.com/article/us-russia-cyberattack-banks/russia-says-foreign-spies-plan-cyber-attack-on-banking-system-idUSKBN13R0NG.
187 John Markoff and David Barboza, “2 China Schools Said to Be Tied to Online Attacks,” The New York Times, February 18, 2010, accessed May 23, 2018, https://www.nytimes.com/2010/02/19/technology/19china.html.
188 U.S. Department of State, Statement on Google Operations in China.
189 Greg Weston, “Foreign hackers attack Canadian government,” CBC News, February 16, 2011, accessed May 23, 2018, http://www.cbc.ca/news/politics/foreign-hackers-attack-canadian-government-1.982618.
190 Mary Pat Flaherty, Jason Samenow, and Lisa Rein, “Chinese hack U.S. weather systems, satellite network,” The Washington Post, November 12, 2014, accessed May 23, 2018, https://web.archive.org/web/20141113041310/https:/www.washingtonpost.com/local/chinese-hack-us-weather-systems-satellite-network/2014/11/12/bef1206a-68e9-11e4-b053-65cea7903f2e_story.html; Michael S. Schmidt, David E. Sanger, and Nicole Perlroth, “Chinese Hackers Pursue Key Data on U.S. Workers,” The New York Times, July 9, 2014, accessed May 23, 2018, https://www.nytimes.com/2014/07/10/world/asia/chinese-hackers-pursue-key-data-on-us-workers.html; Chris Uhlmann, “China blamed for ‘massive’ cyber attack on Bureau of Meteorology computer,” ABC News, December 2, 2015, accessed May 23, 2018, http://www.abc.net.au/news/2015-12-02/china-blamed-for-cyber-attack-on-bureau-of-meteorology/6993278.
191 Gordon Corera, “NHS cyber-attack was ‘launched from North Korea’,” BBC News, June 16, 2017, accessed May 23, 2018, http://www.bbc.com/news/technology-40297493.
192 U.S. Department of Justice, Departments of Justice and Homeland Security Announce International Initiative Against Traffickers in Counterfeit Network Hardware, February 28, 2008, accessed May 23, 2018, https://www.justice.gov/archive/opa/pr/2008/February/08_crm_150.html.
193 U.S. Department of Justice, Chinese National Pleads Guilty to Conspiring to Hack into U.S. Defense Contractors’ Systems to Steal Sensitive Military Information, March 23, 2016, accessed May 23, 2018, https://www.justice.gov/opa/pr/chinese-national-pleads-guilty-conspiring-hack-us-defense-contractors-systems-steal-sensitive.


This is also a somewhat peculiar case, because the plea agreement by the aggressor, named Su Bin, makes a compelling attribution case less urgent. In the third case, the U.S. Department of Justice charged three Chinese individuals – Wu Yingzhuo, Dong Hao and Xia Lei, working for an Internet security company called BoYuSec – with hacking into multiple computer systems of Moody’s, Siemens and Trimble between 2011 and 2017.194 The indictment presents a detailed account of the crimes the three individuals are charged with, including concealment of their identities, but it does not make any statement about how it has attributed the crimes to them.195

In short, in this category it is possible to identify several response mechanisms depending on the level of identification. Some cases reach only technical attribution, so determining a response is difficult without knowing the who. Requesting forensic cooperation is an obvious first step. However, if the investigators have been able to reach human attribution, the realm of possible response mechanisms expands, including a law enforcement approach involving criminal charges.

Private Sector

Private cybersecurity companies frequently mention country of origin or nationality one way or another. In general, I found that these reports might contain both technical and physical attribution. In both categories, the findings might be based on profiling – identifying circumstantial links in the malware or targeting patterns – or on identification – identifying server traffic information or identifying an individual or organization.

In the category of technical profiling, the investigating party bases its findings on a malware analysis. In the Operation Night Dragon case, for example, McAfee said it had “identified tools, techniques, and network activities utilized during these continuing attacks that point to individuals in China as the primary source.”196 In 2011, Dell SecureWorks investigated a compromise of U.S. government contractor RSA, and found that the attackers used the same ‘HTran’ tool used by the group ‘Honker Union of China’ (HUC).197 Similarly, in 2015 FireEye attributed an espionage campaign on a Taiwanese political party to China-based group APT16, based on use of the same domain, “as well as overlaps in previously observed targeting and tactics, techniques and procedures.”198

Besides malware analysis, investigators may pursue technical identification by analyzing ‘command and control’ (C2) server traffic. Some of these analyses are relatively general: after the 2011 attacks on Dutch certificate authority DigiNotar – also known as Operation Black Tulip – Fox-IT found that over 99% of requesting IPs were located in Iran.199 Kaspersky drew a similar conclusion in its investigation of the ‘Madi Campaign’ in 2012.200 Other cases are more detailed, pinpointing a specific server or location. In 2013, a cyber espionage campaign targeted South Korean think tanks. Kaspersky managed to trace the operation, called ‘Kimsuky’, to ten IP addresses located in the Jilin and Liaoning provinces, bordering North Korea.201 Interestingly, Kaspersky takes into account the circumstantial information that ISPs in these provinces are important for North Korean internet access, supporting the theory that the attackers are from North Korea.202 In addition, in the aforementioned case of Guccifer 2.0, ThreatConnect initially publicized attribution reports, showing it was able to trace the operation to a Russian VPN server – which other sources later connected to Russian intelligence.203

In addition to technical indicators, some reports infuse their analysis with (political) circumstantial evidence to support their case. In 2016, F-Secure publicized a report about operation ‘NanHaiShu’, which targeted the Justice Department of the Philippines, likely in the context of the South China Sea dispute.204 Besides an analysis of the malware and C2 servers, the authors of the report “consider it significant that the selection of organizations targeted for infiltration are directly relevant to topics that are considered to be of strategic national interest to the Chinese government.”205 In 2013, Norman was even more radical in its judgment in its investigation report on operation ‘Hangover’. Although the report includes a decent malware and C2 analysis, a substantial part of the report delves into victimology and the perceived strategic motives behind the targeting.206 As a result, the authors conclude: “The continued targeting of Pakistani interests and origins suggested that the attacker was of Indian origin.”207 Forcepoint’s investigation of operation Monsoon followed a similar ‘cui bono?’ approach.208

Some reports suggest that successful physical identification has taken place, referring to a specific individual. Symantec’s investigation of the Nitro attacks in 2011 led to the identification of the owner of a Virtual Private Server (VPS) in the U.S., a ‘20-something male located in the Hebei region in China’, whose Chinese name roughly translates to ‘Covert Grove’.209 Furthermore, although their names are not disclosed, Forcepoint’s report on Monsoon and ClearSky’s report on DustySky claim that they have been able to point to specific individuals based on domain registration records and ‘last saved by’ metadata.210

In general, private cybersecurity reports are more precise in terms of their technical evidence than their public counterparts: this sector has 20 instances of technical identification in this category versus 7 by the public sector, which in turn has 20 instances where territorial attribution is not backed by any form of identification in the communication. Interestingly, the reports that mention human attribution tend to be infused with circumstantial profiling and analysis.

194 U.S. Department of Justice, U.S. Charges Three Chinese Hackers Who Work at Internet Security Firm for Hacking Three Corporations for Commercial Advantage, November 27, 2017, accessed May 23, 2018, https://www.justice.gov/opa/pr/us-charges-three-chinese-hackers-who-work-internet-security-firm-hacking-three-corporations.
195 U.S. District Court for the Western District of Pennsylvania, United States of America v. Wu Yingzhuo, Dong Hao, Xia Lei (Indictment), September 13, 2017, accessed May 23, 2018, https://www.justice.gov/opa/press-release/file/1013866/download.
196 “Night Dragon,” McAfee (website), accessed May 23, 2018, https://www.mcafee.com/uk/about/night-dragon.aspx.
197 Joe Stewart, “HTran and the Advanced Persistent Threat,” Dell SecureWorks (blog), August 3, 2011, accessed May 23, 2018, https://www.secureworks.com/research/htran.
198 Ryann Winters, “The EPS Awakens – Part 2,” FireEye (website), December 20, 2015, accessed May 23, 2018, https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html.
199 J.R. Prins, “DigiNotar Certificate Authority breach ‘Operation Black Tulip’,” Fox-IT, September 5, 2011, 8, accessed May 23, 2018, https://www.rijksoverheid.nl/binaries/rijksoverheid/documenten/rapporten/2011/09/05/-public-report-version-1/rapport-fox-it-operation-black-tulip-v1-0.pdf.
200 “The Madi Campaign – Part II,” Kaspersky’s SecureList (blog), July 26, 2012, accessed May 23, 2018, https://securelist.com/the-madi-campaign-part-ii-53/33701/.
201 Dmitry Tarakanov, “The ‘Kimsuky’ Operation: A North Korean APT?” Kaspersky’s SecureList (blog), September 11, 2013, accessed May 23, 2018, https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/.
202 Ibid.
203 “Guccifer 2.0: All Roads Lead to Russia,” ThreatConnect (website), July 26, 2016, accessed May 23, 2018, https://www.threatconnect.com/blog/guccifer-2-all-roads-lead-russia/; Kevin Poulsen and Spencer Ackerman, “Exclusive: ‘Lone DNC Hacker’ Guccifer 2.0 Slipped Up and Revealed He Was a Russian Intelligence Officer,” The Daily Beast, March 22, 2018, accessed May 23, 2018, https://www.thedailybeast.com/exclusive-lone-dnc-hacker-guccifer-20-slipped-up-and-revealed-he-was-a-russian-intelligence-officer.
204 “NANHAISHU: RATing the South China Sea,” F-Secure (website), July 26, 2016, accessed May 23, 2018, https://www.f-secure.com/documents/996508/1030745/nanhaishu_whitepaper.pdf.
205 Ibid., 5.
206 Snorre Fagerland, Morten Krakvik, Jonathan Camp, and Ned Moran, “Operation Hangover: Unveiling an Indian Cyberattack Infrastructure,” Norman, May 2013, 18-30, accessed May 23, 2018, http://www.thecre.com/fnews/wp-content/uploads/2013/05/Unveiling_an_Indian_Cyberattack_Infrastructure.pdf.
207 Ibid., 31.
208 Andy Settle, Nicholas Griffin, and Abel Toro, “Monsoon – Analysis of an APT Campaign,” Forcepoint (website), 47, accessed May 23, 2018, https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf.
209 Eric Chien and Gavin O’Gorman, “The Nitro Attacks: Stealing Secrets from the Chemical Industry,” Symantec (website), 4, accessed May 23, 2018, https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_nitro_attacks.pdf.
210 Settle, Griffin and Toro, “Monsoon,” 47; “Operation DustySky,” ClearSky (website), January 2016, 24, accessed May 23, 2018, https://www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf.


Other

Looking at attribution by companies that are targets of operations, communicating country of origin is relatively rare. In the Operation Aurora case in 2010, where Chinese hackers allegedly censored the Chinese version of Google, Google did not mention Chinese responsibility directly in its official statement titled ‘A new approach to China’.211 Moreover, Google’s Chief Legal Officer touched upon the uniqueness of the act of issuing a public statement:

“We have taken the unusual step of sharing information about these attacks with a broad audience not just because of the security and human rights implications of what we have unearthed, but also because this information goes to the heart of a much bigger global debate about freedom of speech.”212

As mentioned in the last section on territorial attribution by public actors, the U.S. responded to Aurora with a request for an explanation. It is also possible to specifically request forensic cooperation. In an interview with CBC, Nortel’s systems security adviser was convinced that the attackers on Nortel in 2012 were based in China, and that the Chinese government should investigate and ‘provide direct assistance with an expert team’.213 In four instances, news outlets have communicated about the country of origin of attacks, but base their findings on unmentioned sources altogether. For example, the Australian documentary show Four Corners once investigated a case where the blueprints for the Australian intelligence service’s new headquarters had been stolen.214 The documentary mentions some anonymous sources, without any affiliation.215 This makes it hard to draw any conclusions about this type of communication. Lastly, whereas leaks are apparently nonexistent in the data for cases of threat attribution and general attribution, they do occur in four cases in the current scenario. In three instances, these leaks involve internal official documentation or communication,216 but one case demonstrates the role of private cybersecurity companies behind the scenes: following an attack on the Sands Casino in Las Vegas in 2014, investigators from Dell SecureWorks said in an internal document that the attack was perpetrated by hacktivists based in Iran.217

211 David Drummond, “A new approach to China,” Google (blog), January 12, 2010, accessed May 23, 2018, https://googleblog.blogspot.nl/2010/01/new-approach-to-china.html.
212 Ibid.
213 “Nortel Collapse linked to Chinese hackers,” CBC News, February 15, 2012, accessed May 23, 2018, http://www.cbc.ca/news/business/nortel-collapse-linked-to-chinese-hackers-1.1260591.
214 “China blamed after ASIO blueprints stolen in major cyber attack on Canberra HQ,” ABC News, May 27, 2013, accessed May 23, 2018, http://www.abc.net.au/news/2013-05-27/asio-blueprints-stolen-in-major-hacking-operation/4715960.
215 “HACKED!” ABC News, May 27, 2013, accessed May 23, 2018, http://www.abc.net.au/4corners/hacked/4717206.
216 John Markoff, “Cyber attack on U.S. nuclear arms lab linked to China,” The New York Times, November 9, 2007, accessed May 23, 2018, https://www.nytimes.com/2007/12/09/world/americas/09iht-hack.1.8653712.html; “Codename BYZANTINE HADES / NSA research on the targets of Chinese network exploitation tools, the targets and actors,” Spiegel, accessed May 23, 2018, http://www.spiegel.de/media/media-35687.pdf; “Doc #129906,” WikiLeaks (website), February 15, 2015, accessed May 23, 2018, https://wikileaks.org/saudi-cables/doc129906.html.
217 “Doc #129906”, WikiLeaks.


3.2.4. NATION-STATE ATTRIBUTION

In the third category of attribution, nation-state attribution, the attributing entity draws the conclusion that another nation-state’s government is responsible for the operation at hand, either as a principal or as an agent in itself. Looking at the four types of principal-agent relationships discussed earlier in the theory section on principal attribution, this category roughly covers the first three types: the principal may be the agent itself, the principal may actively support the agent, or the principal may knowingly provide passive support by refusing to take countermeasures against the agent. This type of attribution occurs 120 times in the dataset. In the following sections, I will present the most illustrative cases.

Public Sector The cases in this study demonstrate a multitude of ways in which governments communicate blame on other governments. There are four cases where response follows a law enforcement approach and the defendant presses criminal charges. In one instance, Chinese news agencies report that the Chinese government issued an arrest warrant for an alleged Taiwanese secret agent that had remote access to its systems.218 The details of this case are unknown, but in other cases in the U.S., the charges are explained in greater detail. What is interesting about the American charges is that they appear to be part of a conscious policy in recent years to hold foreign governments accountable via criminal charges. In 2014, five Chinese agents were charged for espionage on Westinghouse Electric and the U.S. Steel Corporation.219 In a press statement, officials said that the case serves the purpose of demonstrating that the U.S. is “serious about holding foreign governments accountable for crimes committed in cyberspace”.220 Similar approaches were taken against seven Iranians in

218 Lawrence Chung, “Beijing seeks Taiwanese secret agent over hacking,” South China Morning Post, November 1, 2007, accessed May 23, 2018, http://www.scmp.com/article/613904/beijing-seeks-taiwanese- secret-agent-over-hacking. 219 U.S. Department of Justice, U.S. Charges Five Chinese Military Hackers for Cyber Espionage Against U.S. Corporations and a Labor Organization for Commercial Advantage, May 19, 2014, accessed May 23, 2018, https://www.justice.gov/opa/pr/us-charges-five-chinese-military-hackers-cyber-espionage-against-us- corporations-and-labor. 220 Ellen Nakashima and William Wan, “Chinese military unit charged with cyber-espionage against U.S. firms,” The Washington Post, May 19, 2014, accessed May 23, 2018, https:/www.washingtonpost.com/world/national-security/us-to-announce-first-criminal-charges-against- foreign-country-for-cyberspying/2014/05/19/586c9992-df45-11e3-810f-764fe508b82d_story.html. 62

Master Thesis | K.M. van den Dool

2012, 221 and three Russians in 2016. 222 The indictments are explicit in their claims and provide detailed accounts of the alleged crimes that were committed. They even mention the online ‘aliases’ that were connected to the individuals, but do not provide any explanation as to how this connection was established. A second variant of official communication of blame happens via official government reports. Again, the record cases in this category are all from the United States, so it might be heavily dependent on national policymaking culture. Supporting evidence and/or arguments come in various shapes. In 2011, a U.S. Congressional commission reports based on circumstantial profiling: Chinese ‘military writings’ – that is, other policy documentation – suggest that they would have strong strategic interest in a series of attacks on NASA satellites in 2008.223 Interestingly, that same report puts blame on the Chinese government for the RSA SecurID compromise, referring to the Dell SecureWorks study of ‘Honker Union of China’ that was discussed in the previous section on territorial attribution.224 That Dell report did not mention government involvement, but the Congress report seems to cut some corners and use a suggestive CNET report with dubious sources to call the operations ‘state-sponsored’.225 In 2014, another report by the U.S. Committee on the Armed Services attributed a series of attacks on TRANSCOM contractors to the People’s Liberation Army of China.226 When looking for evidence for these findings, the results are heavily censored, as shown in Image 3 below. Also in 2014, the FBI released an update about its investigations after the Sony attacks.227 In this statement the FBI blamed the North Korean government, referring to

221 U.S. Attorney’s Office for the Southern District of New York, Manhattan U.S. Attorney Announces Charges Against Seven Iranians For Conducting Coordinated Campaign Of Cyber Attacks Against U.S. Financial Sector On Behalf of Islamic Revolutionary Guard Corps-Sponsored Entities, March 24, 2016, accessed May 23, 2018, https://www.justice.gov/usao-sdny/pr/manhattan-us-attorney-announces-charges-against-seven- iranians-conducting-coordinated. 222 U.S. Department of Justice, U.S. Charges Russian FSB Officers and Their Criminal Conspirators for Hacking Yahoo and Millions of Email Accounts, March 15, 2017, accessed May 23, 2018, https://www.justice.gov/opa/pr/us-charges-russian-fsb-officers-and-their-criminal-conspirators-hacking- yahoo-and-millions. 223 U.S.-China Economic and Security Review Commission, 2011 Report to Congress, November 2011, 217, accessed May 23, 2018, https://web.archive.org/web/20111124012100/http:/www.uscc.gov/annual_report/2011/annual_report_full_1 1.pdf. 224 Ibid, 174. 225 Ibid, 175; Elinor Mills, “China linked to new breaches tied to RSA,” CNET, June 6, 2011, accessed May 23, 2018, https://www.cnet.com/news/china-linked-to-new-breaches-tied-to-rsa/. 226 U.S. Senate Committee on Armed Services, Inquiry Into Cyber Intrusions Affecting U.S. Transportation Command Contractors: Report, 2014, accessed May 23, 2018, https://www.armed- services.senate.gov/imo/media/doc/SASC_Cyberreport_091714.pdf. 227 U.S. Federal Bureau of Investigation, Update on Sony Investigation, December 19, 2014, accessed May 23, 2018, https://www.fbi.gov/news/pressrel/press-releases/update-on-sony-investigation. 63

Master Thesis | K.M. van den Dool similarities in malware and tools used in previous attacks attributed to North Korea, as well as overlap in attack infrastructure.228 Like previous cases, no further details are provided.

Image 3: Excerpt from the TRANSCOM report (screenshot)229

This brings us to the third possibility to communicate blame, via official statements and response measures. In the context of these Sony attacks, the Obama administration eventually imposed economic sanctions.230 In another well-known case, the U.S. has responded with diplomatic sanctions against Russia, expelling over 30 Russian diplomats, after blaming it for meddling in the 2016 presidential elections.231 In other cases, attribution response restricted itself to an official statement, as was the case in various instances of alleged Russian attacks in

228 Ibid. 229 U.S. Senate Committee on Armed Services, Inquiry Into Cyber Intrusions, 9. 230 U.S. White House, “Imposing Additional Sanctions with Respect to North Korea”. 231 U.S. White House, Statement by the President on Actions in Response to Russian Malicious Cyber Activity and Harassment, December 29, 2016, accessed May 23, 2018, https://obamawhitehouse.archives.gov/the- press-office/2016/12/29/statement-president-actions-response-russian-malicious-cyber-activity. 64

Master Thesis | K.M. van den Dool the context of the Russo-Ukrainian conflict, to which the Ukrainian Secret Service has repeatedly responded with official statements.232 A fourth category would include ‘unofficial’ government communication in the media, often based on the condition of anonymity. This occurred in various cases, such as the 2007 ‘Pentagon Raid’,233 the 2011 attack on NASDAQ,234 the 2013 attack on the U.S. Navy,235 and various attacks on the U.S. State Department and White House in 2015.236 In some cases, these sources originate from intelligence officials, as was the case after the alleged Chinese attacks on the 2008 U.S. Presidential campaigns,237 the Iranian attacks on U.S. banks in 2012,238 and the investigation of the Guccifer 2.0 Twitter account after its leaks of the files stolen during the DNC Hack in 2016.239 A striking detail about attribution by anonymous intelligence officials that appeared difficult to fit in the categorization model is that it also occurs frequently for cases involving third countries. After the 2012 ‘Shamoon’ attacks on Saudi Arabian oil companies, U.S. intelligence officials blamed Iran.240 The same thing happened after the hacks on Qatari government and news sites in 2017, linked to the United Arab Emirates by U.S. intelligence

232 Security Service of Ukraine, SSU successfully counteracts hacker attacks of Russian special services, March 13, 2015, accessed May 23, 2018, https://web.archive.org/web/20150319104801/http:/www.sbu.gov.ua/sbu/control/en/publish/article?art_id=138949&cat_id=35317; Security Service of Ukraine, SSU repels information psychological attack of Russian special service, May 2, 2015, accessed May 23, 2018, https://web.archive.org/web/20150502195833/http:/www.sbu.gov.ua:80/sbu/control/en/publish/article?art_id=131264&cat_id=131098; Security Service of Ukraine, SBU establishes involvement of the RF special services into .A virus-extorter attack, July 1, 2017, https://ssu.gov.ua/en/news/1/category/2/view/3660#.BQqwCMLj.dpbs.
233 Demetri Sevastopulo, “Chinese military hacked into Pentagon,” Financial Times, September 3, 2007, accessed May 23, 2018, https://web.archive.org/web/20071012020714/http:/www.ft.com/cms/s/0/9dba9ba2-5a3b-11dc-9bcd-0000779fd2ac.html.
234 https://www.wsj.com/news/articles/SB10001424052748704709304576124502351634690.
235 Devlin Barrett, “Hackers Penetrate Nasdaq Computers,” The Wall Street Journal, February 5, 2011, accessed May 23, 2018, https://www.wsj.com/articles/us-says-iran-hacked-navy-computers-1380314771?tesla=y.
236 David E. Sanger and Nicole Perlroth, “Iranian Hackers Attack State Dept. via Social Media Accounts,” The New York Times, November 24, 2015, accessed May 23, 2018, https://web.archive.org/web/20151129040241/http:/www.nytimes.com/2015/11/25/world/middleeast/iran-hackers-cyberespionage-state-department-social-media.html; Evan Perez, “How the U.S. thinks Russians hacked the White House,” CNN, April 8, 2015, accessed May 23, 2018, https://edition.cnn.com/2015/04/07/politics/how-russians-hacked-the-wh/index.html.
237 Michael Isikoff, “Chinese hacked Obama, McCain campaigns, took internal documents, officials say,” NBC, June 6, 2013, accessed May 23, 2018, http://investigations.nbcnews.com/_news/2013/06/06/18807056-chinese-hacked-obama-mccain-campaigns-took-internal-documents-officials-say.
238 Ellen Nakashima, “Iran blamed for cyberattacks on U.S. banks and companies,” The Washington Post, September 21, 2012, accessed May 23, 2018, https://www.washingtonpost.com/world/national-security/iran-blamed-for-cyberattacks/2012/09/21/afbe2be4-0412-11e2-9b24-ff730c7f6312_story.html.
239 Poulsen and Ackerman, “Lone DNC Hacker”.
240 Nicole Perlroth, “In Cyberattack on Saudi Firm, U.S. Sees Iran Firing Back,” The New York Times, October 23, 2012, accessed May 23, 2018, https://www.nytimes.com/2012/10/24/business/global/cyberattack-on-saudi-oil-firm-disquiets-us.html.

officials.241 In addition, in the context of the investigations after the DNC hack, Dutch intelligence insiders communicated to national news outlets how the intelligence agency’s investigations had contributed to identifying Russian APT29 involvement.242 Another awkward-fitting case is that of the Stuxnet attacks on Iranian nuclear facilities in 2010, after which anonymous U.S. intelligence officials disclosed U.S. involvement to the media.243 This seems counterintuitive, especially because the Stuxnet operation was considered to be highly sophisticated and creates the impression that its designers went to great lengths to conceal their identity. The reasoning behind such anonymous and seemingly deliberate communication with the media is unknown, but some speculative explanations are possible, one domestic and the other international. The first is that intelligence services, especially after the Cold War, have increasingly opened up to the public about their work in an effort to demonstrate and legitimize their abilities and actions.244 Especially after the Snowden leaks, it seems likely that Western intelligence services needed to increase their legitimizing efforts domestically, while balancing source protection. A second possible answer is that the U.S. government was looking for a way to demonstrate its cyber capabilities to its adversaries after the successful operation, as part of a deterrence strategy. Another open question is why this should be done anonymously. An obvious explanation lies in the fact that intelligence services need to protect their sources, employees and methods. Anonymity lowers the level of accountability, which makes it difficult to determine the level of coordination behind such disclosures by the intelligence community. This in turn muddles the distinction between public unofficial communication and leaks.
In the abovementioned Stuxnet case, as well as the Dutch involvement in the APT29 investigations, it is hard to tell at face value whether the source is a whistleblower or part of a

241 Karen DeYoung and Ellen Nakashima, “UAE orchestrated hacking of Qatari government sites, sparking regional upheaval, according to U.S. intelligence officials,” The Washington Post, July 16, 2017, accessed May 23, 2018, https://www.washingtonpost.com/world/national-security/uae-hacked-qatari-government-sites-sparking-regional-upheaval-according-to-us-intelligence-officials/2017/07/16/00c46e54-698f-11e7-8eb5-cbccc2e7bfbf_story.html?noredirect=on&utm_term=.bc0988809335.
242 Eelco Bosch van Rosenthal, “Hackteam AIVD gaf FBI cruciale info over Russische inmenging verkiezingen,” Nieuwsuur, January 25, 2018, accessed May 23, 2018, https://nos.nl/nieuwsuur/artikel/2213762-hackteam-aivd-gaf-fbi-cruciale-info-over-russische-inmenging-verkiezingen.html.
243 David E. Sanger, “Obama Order Sped Up Wave of Cyberattacks Against Iran,” The New York Times, June 1, 2012, accessed May 23, 2018, https://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html.
244 Claudia Hillebrand, “The Role of News Media in Intelligence Oversight,” Intelligence and National Security 27, no. 5 (October 2012): 704; Arthur S. Hulnick, “Openness: Being Public About Secret Intelligence,” International Journal of Intelligence and Counterintelligence 12, no. 4 (1999).

coordinated communication strategy. Again, it should be noted here that these cases are heavily U.S.-centered, which may suggest that this is a matter of national strategy and does not apply elsewhere. To summarize this section, public sector communication often does not mention technical or human identification to motivate its conclusions or response. Instead, attribution tends to remain in abstract terms, blaming an entire government, often via unofficial channels such as anonymous communication in the media. This makes it difficult to verify the claims. In addition, beyond the law enforcement approach, governments may apply other national security (DIME) responses, such as diplomatic and economic sanctions.

Private Sector

Now turning to nation-state attribution by the private sector, the collected samples show that there are 32 recorded cases of private sector nation-state attribution. Just like the private cybersecurity sector reports in the territorial attribution category, attribution here may be based on technical identification (network traffic analysis), profiling (malware analysis), and in some cases other circumstantial profiling (targeting and motives). For example, a SANS report on ‘Operation Troy’ and the APT DarkSeoul based its attribution to North Korea on both network trail analysis and malware analysis.245 A McAfee blog post on a botnet campaign against Vietnamese political targets in 2010 studied not only IP addresses and malware, but also stated a belief that the attackers had ‘political motivations’ and ‘some allegiance to the government of the Socialist Republic of Vietnam’.246 A more recent and perhaps more explicit example showing these three factors is ThreatConnect’s analysis of the 2016 attacks on the World Anti-Doping Agency (WADA), which it tied to the Russian APT FancyBear (aka APT28).247 In its analysis, ThreatConnect applied what it calls a ‘Diamond Model’ to look at “the relationship between the identified domains, their registration and hosting information, known FANCY BEAR TTPs [tactics, techniques, and procedures], and intended targets”.248

245 David M. Martin, “Tracing the Lineage of DarkSeoul,” The SANS Institute, 2016, 9-10, accessed May 23, 2018, https://www.sans.org/reading-room/whitepapers/critical/tracing-lineage-darkseoul-36787.
246 George Kurtz, “Vietnamese Speakers Targeted in Cyberattack,” McAfee Security Insights (blog), March 30, 2010, accessed May 23, 2018, https://web.archive.org/web/20100417071801/http:/siblog.mcafee.com/cto/vietnamese-speakers-targeted-in-cyberattack/.
247 “Russian Cyber Operations on Steroids,” Threatconnect (website), August 19, 2016, accessed May 23, 2018, https://www.threatconnect.com/blog/fancy-bear-anti-doping-agency-phishing/.
248 Ibid.


Image 4: ThreatConnect's Diamond Model and Attribution of FancyBear (screenshot)249
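The pivoting that the ThreatConnect write-up describes, linking domains through shared registration and hosting data and then checking whom they target, can be shown as a small procedure. The following is an added illustration written for this edit; it is not ThreatConnect’s code, nor the thesis author’s. Every domain, registrant address and netblock in it is constructed, and the weights given to each kind of overlap are assumptions chosen for the example.

```python
"""Infrastructure pivoting on registration and hosting overlap.

Added illustration, not ThreatConnect's or the thesis author's code.
All domains, registrant addresses and netblocks below are constructed,
and the pivot weights are assumptions chosen for the example.
"""
from collections import Counter, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class DomainRecord:
    domain: str
    registrant_email: str   # from WHOIS (constructed)
    name_server: str        # authoritative NS (constructed)
    hosting_prefix: str     # /24 the A record resolves into (constructed)
    target_sector: str      # sector of the organisation named in the lure


# Constructed sample data. The first record is the seed: a domain already
# tied to a tracked campaign by other means (for example a phishing report).
RECORDS = [
    DomainRecord("wada-awa.example", "reg1@mail.example", "ns1.host-a.example", "203.0.113.0/24", "sports"),
    DomainRecord("tas-cas.example", "reg1@mail.example", "ns1.host-a.example", "203.0.113.0/24", "sports"),
    DomainRecord("mail-login.example", "reg2@mail.example", "ns1.host-a.example", "198.51.100.0/24", "government"),
    DomainRecord("secure-doc.example", "reg3@mail.example", "ns9.other.example", "192.0.2.0/24", "sports"),
    DomainRecord("cdn-updates.example", "reg4@mail.example", "ns1.host-a.example", "203.0.113.0/24", "ngo"),
]

# Pivot attributes and how much weight an overlap on each carries. A shared
# registrant e-mail is far more specific than a shared name server, which
# thousands of unrelated domains may use (assumed weights).
PIVOTS = {"registrant_email": 3, "hosting_prefix": 2, "name_server": 1}


def overlaps(a, b):
    """Return the (attribute, value) pairs on which two records coincide."""
    return [(key, getattr(a, key)) for key in PIVOTS
            if getattr(a, key) == getattr(b, key)]


def pivot(seed, records, min_score=2):
    """Expand a cluster from `seed` breadth-first.

    A candidate joins only if the summed weight of its overlaps with some
    cluster member reaches `min_score`; the evidence dict records which
    member and which attributes justified each link, which is what a
    report needs so that readers can check the chain themselves.
    """
    by_domain = {r.domain: r for r in records}
    cluster, evidence, queue = {seed}, {}, deque([seed])
    while queue:
        current = by_domain[queue.popleft()]
        for cand in records:
            if cand.domain in cluster:
                continue
            found = overlaps(current, cand)
            score = sum(PIVOTS[k] for k, _ in found)
            if score >= min_score:
                cluster.add(cand.domain)
                evidence[cand.domain] = {"linked_via": current.domain,
                                         "score": score, "overlaps": found}
                queue.append(cand.domain)
    return cluster, evidence


def victimology(cluster, records):
    """Target sectors across the cluster: a consistency check on the
    circumstantial side of the case."""
    return Counter(r.target_sector for r in records if r.domain in cluster)


if __name__ == "__main__":
    cluster, evidence = pivot("wada-awa.example", RECORDS)
    for domain in sorted(cluster):
        print(domain, evidence.get(domain, "seed"))
    print("targets:", dict(victimology(cluster, RECORDS)))
```

With the default threshold, `mail-login.example` stays out of the cluster because it shares only a name server with the seed, while `cdn-updates.example` joins on shared hosting and name server; raising `min_score` to 4 keeps only the domain with the matching registrant. The evidence dictionary is the part a reader of a report most needs: it states which overlap justified each link, so the chain can be checked rather than taken on trust, and the victimology summary makes the mismatch of the `ngo` lure visible rather than hidden inside a cluster count.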

In ten cases, investigating parties have been able to physically identify the alleged perpetrators. In the earliest recorded case, a 2013 ThreatConnect investigation of ‘Operation Arachnophobia’ (aka Operation Tranchulas), a combination of network traffic analysis and social engineering resulted in the identification of at least three Pakistani employees of the Tranchulas company.250 This combination of network tracing and social engineering is a compelling method that is also used in other cases such as Operation Cleaver,251 the Anthem Hack,252 and Operation Manul.253 In two of the cases, identification was possible because of loopholes in the alleged aggressor’s network security. In 2017, CitizenLab was able to assess that an Israeli cybersecurity company

249 Ibid.
250 Rich Barger, Mike Oppenheim, and Chris Phillips, “Operation Arachnophobia: Caught in the Spider’s Web,” ThreatConnect, 6-7, accessed May 23, 2018, https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/ThreatConnect_Operation_Arachnophobia_Report.pdf.
251 “Operation Cleaver,” 17-30, accessed May 23, 2018, https://web.archive.org/web/20170101154234/https://cdn2.hubspot.net/hubfs/270968/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf.
252 “The Anthem Hack: All Roads Lead to China,” ThreatConnect (website), February 27, 2015, accessed May 23, 2018, https://www.threatconnect.com/blog/the-anthem-hack-all-roads-lead-to-china/.
253 Eva Galperin, Cooper Quintin, Morgan Marquis-Boire, and Claudio Guarnieri, “I Got a Letter From the Government the Other Day… Unveiling a Campaign of Intimidation, Kidnapping, and Malware in Kazakhstan,” Electronic Frontier Foundation, August 2016, 14-17, accessed May 23, 2018, https://www.eff.org/files/2016/08/03/i-got-a-letter-from-the-government.pdf.

called ‘Cyberbit’ was selling spyware to authoritarian regimes worldwide, because a publicly accessible log file of the spyware showed operator activity.254 In the other case, LookOut and the Electronic Frontier Foundation (EFF) noticed that among the identified compromised devices in Operation Dark Caracal were also malware test devices that were located in the Lebanese General Directorate of General Security (GDGS).255 Finally, in two other cases the investigating parties CrowdStrike and LookingGlass pointed at Russian intelligence agencies, but provided little to back up these claims.256 A final observation about nation-state attribution by the private sector is the prominence of non-profit organizations among the investigating parties, especially in the context of privacy and human rights abuses. I already mentioned Operation Manul (EFF) and the Cyberbit case (Citizen Lab). Next to that, there are also the cases of CitizenLab’s reporting of Mexican espionage operations against journalists,257 the University of Cambridge’s report on GhostNet,258 GreatFire’s analysis of Chinese iCloud operations,259 Netzpolitik’s investigative report on hacks of the Left Party in the Bundestag,260 and the combined reporting on alleged Chinese attacks against GitHub.261 Although these organizations are included in the private sector, it is important to consider that this research is driven by entirely different motives than most

254 Bill Marczak, Geoffrey Alexander, Sarah McKune, John Scott Railton, and Ron Deibert, “Champing at the Cyberbit: Ethiopian Dissidents Targeted with New Commercial Spyware,” The Citizen Lab (website), December 6, 2017, accessed May 23, 2018, https://citizenlab.ca/2017/12/champing-cyberbit-ethiopian-dissidents-targeted-commercial-spyware/.
255 “Dark Caracal: Cyber-espionage at a Global Scale,” Lookout, 5, accessed May 23, 2018, https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf.
256 “Operation Armageddon: Cyber Espionage as a Strategic component of Russian Modern Warfare,” Lookingglass, April 28, 2015, accessed May 23, 2018, https://www.lookingglasscyber.com/wp-content/uploads/2015/08/Operation_Armageddon_Final.pdf; “Use of Fancy Bear Android Malware in Tracking of Ukrainian Field Artillery Units,” Crowdstrike, December 22, 2016, accessed May 23, 2018, https://www.crowdstrike.com/wp-content/brochures/FancyBearTracksUkrainianArtillery.pdf.
257 John Scott-Railton, Bill Marczak, Bahr Abdul Razzak, Masashi Crete-Nishihata, and Ron Deibert, “Reckless Exploit: Mexican Journalists, Lawyers, and a Child Targeted with NSO Spyware,” The Citizen Lab (website), June 19, 2017, accessed May 23, 2018, https://citizenlab.ca/2017/06/reckless-exploit-mexico-nso/.
258 Shishir Nagaraja and Ross Anderson, “The snooping dragon: social-malware surveillance of the Tibetan movement,” University of Cambridge Computer Laboratory, March 2009, accessed May 23, 2018, https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-746.pdf.
259 “China Collecting Apple iCloud Data: Attack Coincides With Launch of New Phone,” Greatfire.org, October 20, 2014, accessed May 23, 2018, https://en.greatfire.org/blog/2014/oct/china-collecting-apple-icloud-data-attack-coincides-launch-new-iphone.
260 “Digital Attack on German Parliament: Investigative Report on the Hack of the Left Party Infrastructure in Bundestag,” Netzpolitik.org, June 19, 2015, accessed May 23, 2018, https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/.
261 Robert Graham, “Pin-pointing China’s attack against GitHub,” Errata Security (blog), April 1, 2015, accessed May 23, 2018, https://blog.erratasec.com/2015/04/pin-pointing-chinas-attack-against.html#.WuxK04huZPY; Bill Marczak, Nicholas Weaver, Jakub Dalek, Roya Ensafi, David Fifield, Sarah McKune, Arn Rey, John Scott-Railton, Ron Deibert, and Vern Paxson, “China’s Great Cannon,” The Citizen Lab (website), April 10, 2015, accessed May 23, 2018, https://citizenlab.ca/2015/04/chinas-great-cannon/.

of the private cybersecurity firms mentioned above. A speculative explanation for their activity in this field is their activist nature and lower dependence on good customer relations. Overall, the private cybersecurity industry appears unafraid to point fingers at governments, and in some cases even at specific individuals and/or organizations. The transparency of methods and evidence adds credibility to their conclusions, despite the fact that these are often based on circumstantial factors such as victimology and technical profiling. Another open question about these conclusions is that of impartiality – the private investigating company may be directed and censored by some commissioning authority.

Other

Unlike non-profit organizations, private companies in general are very much constrained by commercial interests and public relations. Of the 45 recorded operations targeting the private sector, there are only two cases in the data set where the victims overtly connected the attack to a specific nation-state – as opposed to the 11 cases in which such operations provoked a similar response from public sector entities. The first is a statement by the BBC’s director after an attack in 2012, blaming the Iranian government.262 In the second case, a group of Internet Service Providers (ISPs) filed an official complaint at an international investigatory tribunal after GCHQ’s Operation Socialist, which targeted telephone companies.263 A skeptical interpretation of the private sector’s decision to go public after Operation Socialist and Operation Aurora would be that in these cases connectivity and communication, their own product, was under attack. Nevertheless, the take-away is that private companies are reluctant to communicate about attribution, in any form. Another factor that did turn out to be crucial for some attribution cases is leaks. In some cases, ongoing investigations that had stranded were put on a new trail because of new clues provided by such leaks. For example, in 2015 the German magazine Spiegel published a document provided by Edward Snowden, which explained the details of the QWERTY malware developed by the Five Eyes.264 Afterwards, Kaspersky compared the sample to Regin malware samples that were used for Operation Socialist, and concluded that they must have been created

262 “Mark Thompson: The BBC in 2012 and beyond,” BBC, March 14, 2012, accessed May 23, 2018, http://www.bbc.co.uk/mediacentre/speeches/2012/thompson-rts.
263 Owen Bowcott, “ISPs take GCHQ to court in UK over mass surveillance,” The Guardian, July 2, 2014, accessed May 23, 2018, https://www.theguardian.com/world/2014/jul/02/isp-gchq-mass-surveillance-privacy-court-claim.
264 “Malware from the Five Eyes,” Spiegel, accessed May 23, 2018, http://www.spiegel.de/media/media-35668.pdf.

by the same entity.265 Other cases in which incriminating evidence was provided via leaks are Titan Rain,266 the 2012 French elections,267 and Operation Babar.268 Although leaks may be crucial for some attribution investigations, they do not occur often, and investigators cannot assume that one will surface during an investigation. Instead, leaks tend to emerge later. As such, they are a stroke of luck that may help to get stranded investigations moving again.
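The comparison step behind the QWERTY/Regin conclusion, matching a newly obtained sample against known samples to judge whether they share code, can be illustrated with a small similarity check. The following is an added example written for this edit, not Kaspersky’s method or code and not part of the thesis. The three ‘samples’ are constructed byte strings: two share a custom keylogger block, all three share a common runtime block, and each has its own configuration block. The point it adds to the paragraph is the baseline filter: without subtracting code that both related and unrelated samples share, an unrelated tool built on the same runtime scores almost as high as the real sibling.

```python
"""Measuring shared code between two binary fragments.

Added illustration of the comparison step, not Kaspersky's method or code.
The three 'samples' are constructed byte strings: two share a custom
keylogger block, all three share a common runtime block, and each has
its own configuration block. Similarity is the Jaccard index over byte
n-grams and over printable strings, after removing anything that also
occurs in a baseline of known-common code, so that shared library code
does not make unrelated samples look related.
"""
import re

N = 8  # n-gram length in bytes (assumed; long enough to avoid chance matches)

# Constructed fragments (not real malware bytes).
RUNTIME = b"\x00__runtime_init__\x00" + bytes(range(64)) + b"\x00__runtime_exit__\x00"
CUSTOM_KEYLOG = (b"\x00KBDHOOK\x00\x90\x90" + bytes(range(200, 256))
                 + b"\x00QWERTY.LOG.PIPE\x00")
UNIQUE_A = b"\xaa" * 40 + b"\x00sampleA-config\x00"
UNIQUE_B = b"\xbb" * 40 + b"\x00sampleB-config\x00"
UNIQUE_C = b"\xcc" * 40 + b"\x00unrelated-tool\x00"

SAMPLE_A = RUNTIME + CUSTOM_KEYLOG + UNIQUE_A   # keylogger, build 1
SAMPLE_B = RUNTIME + UNIQUE_B + CUSTOM_KEYLOG   # keylogger, build 2 (reordered)
SAMPLE_C = RUNTIME + UNIQUE_C                   # unrelated tool, same runtime


def ngrams(data, n=N):
    """Set of all length-n byte windows in data."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def strings(data, min_len=5):
    """Printable ASCII runs of at least min_len bytes."""
    return set(re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data))


def jaccard(a, b):
    """Jaccard index of two sets; 0.0 when both are empty."""
    return len(a & b) / len(a | b) if (a or b) else 0.0


def compare(sample_a, sample_b, baseline=b"", n=N):
    """Similarity of two samples after discarding baseline material.

    Returns the n-gram Jaccard index and the sorted list of strings that the
    two samples share but the baseline does not.
    """
    base_grams, base_strings = ngrams(baseline, n), strings(baseline)
    grams_a = ngrams(sample_a, n) - base_grams
    grams_b = ngrams(sample_b, n) - base_grams
    shared = (strings(sample_a) & strings(sample_b)) - base_strings
    return {"ngram_similarity": jaccard(grams_a, grams_b),
            "shared_strings": sorted(shared)}


if __name__ == "__main__":
    for name, other in (("B", SAMPLE_B), ("C", SAMPLE_C)):
        raw = compare(SAMPLE_A, other)["ngram_similarity"]
        filtered = compare(SAMPLE_A, other, baseline=RUNTIME)
        print(f"A vs {name}: raw={raw:.2f} "
              f"filtered={filtered['ngram_similarity']:.2f} "
              f"strings={filtered['shared_strings']}")
```

Run stand-alone, the script shows sample C scoring well above zero against A on raw n-grams purely because of the shared runtime, and dropping to zero once the runtime is used as baseline, while the true sibling B keeps a high score and the distinctive strings `KBDHOOK` and `QWERTY.LOG.PIPE` survive the filter. Which blocks belong in the baseline is the analyst’s judgement, and that judgement is exactly what a published comparison has to state for the conclusion to be checkable.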

265 Marcel Rosenbach, Hilmar Schmundt, and Christian Stöcker, “Experts Unmask ‘Regin’ Trojan as NSA Tool,” Spiegel, January 27, 2015, accessed May 23, 2018, http://www.spiegel.de/international/world/regin-malware-unmasked-as-nsa-tool-after-spiegel-publishes-source-code-a-1015255.html; Costin Raiu and Igor Soumenkov, “Comparing the Regin module 50251 and the ‘Qwerty’ keylogger,” Kaspersky’s Securelist (blog), January 27, 2015, accessed May 23, 2018, https://securelist.com/comparing-the-regin-module-50251-and-the-qwerty-keylogger/68525/.
266 Nathan Thornburgh, “The Invasion of the Chinese Cyberspies (And the Man Who Tried to Stop Them),” Time Archive, September 5, 2005, accessed May 23, 2018, https://courses.cs.washington.edu/courses/csep590/05au/readings/titan.rain.htm.
267 Charles Haquet and Emmanuel Paquette, “NSA: les Américains étaient-ils à l’origine de l’espionnage de l’Elysée en 2012?” L’Express, November 20, 2012, accessed May 23, 2018, https://lexpansion.lexpress.fr/high-tech/nsa-les-americains-etaient-ils-a-l-origine-de-l-espionnage-de-l-elysee-en-2012_1340421.html.
268 Jacques Follorou and Martin Untersinger, “Quand les Canadiens partent en chasse de ‘Babar’,” Le Monde International, March 21, 2014, accessed May 23, 2018, http://www.lemonde.fr/international/article/2014/03/21/quand-les-canadiens-partent-en-chasse-de-babar_4387233_3210.html.

4. Conclusion

In this thesis, I have tried to develop a structured approach to the attribution of cyber operations, or more specifically, the communication of nation-state involvement in cyber operations. The goal was to move beyond existing theoretical concepts that have been applied to small groups of cases towards the empirical observation of a large set of cases to untangle this communication process. This attempt is a decent start and shows that this is not impossible, although there are many grey areas that make clear classification a difficult task. One core problem is the lack of common standards and definitions. For example, there is no universally accepted language as to what an APT entails. Is it an actor, or is it a malware family? Moreover, the distinction between a physical and a technical entity is sometimes difficult to make. This is most definitely a terrain that would benefit greatly from further research, but also one in which private cybersecurity actors in particular can significantly improve the quality of their reporting. Despite the difficulties, I have been able to study 203 cases and categorize the attribution communication occurrences for these cases according to the level of nation-state attribution and the level of identification. Based on the dataset it was possible to observe some patterns in attribution practices, discussed below. Future research could expand this dataset to increase external validity, as well as to balance out potential U.S.-centric bias in the list of cases. This may require overcoming language barriers, as well as formalizing coding practices and source selection. There have been other projects in International Relations research where similar processes are automated in a transparent way, giving real-time insight into ongoing issues and their effect on interstate relationships.269 It would most definitely be interesting to see something similar on the topic of cyber attribution somewhere in the future.
Turning to the substantial objective of this study, are people right in saying that the attribution problem is ‘solved’, as stated in the introduction? In other words, are investigators becoming capable of identifying perpetrators in cyberspace beyond reasonable doubt? The honest answer is: We do not know for sure. What happens behind closed doors and between states bilaterally is hard to tell. The evidence used to support attribution claims hardly proves that investigators are now able to connect digital evidence to physical locations and/or entities with complete certainty. This does not mean that elite cyber units and investigators are incapable of achieving this. It seems reasonable to assume that intelligence agencies are able to

269 The GDELT project is an example in this respect. See: https://www.gdeltproject.org/.

make high confidence judgments based on intelligence obtained from other sources, such as human intelligence. Another factor may be that attribution findings are based on illegal penetration of third party networks or other methods that violate principles of law and ethics. This may result in a reluctance to disclose sources and methods. The evidence presented in the collected cases also supports this absence of perfect attribution. Indeed, both public and private actors have become increasingly active in pointing fingers at nation-states over the past 30 years. However, among the cases studied for this thesis, only a very few come close to demonstrating perfect attribution. These cases have been able to pinpoint a specific individual or organization based on their network infrastructure, and support their case by technical profiling – comparing malware snippets for clues – and circumstantial profiling – analyzing victimology and potential strategic advantages. Nevertheless, even in these cases it is not possible to exclude with one hundred percent certainty the possibility that the apparent aggressors are actually the target of a false flag operation. Assuming that the absence of perfect attribution is due either to technical limitations or to evidence disclosure limitations, perhaps the actual and more fundamental attribution ‘problem’ is the issue of communication. Without evidence in support of perfect attribution, credibility and authority become ever more important. The private cybersecurity industry is mostly driven by profit, which makes it an easy target for accusations of clientelism, promoting the interests of their public employers that are “outsourcing the finger-pointing to the private sector”.270 The public sector, on the other hand, is driven by political factors.
Based on their decision-making authority, public actors have different means of communicating attribution, depending on the level of attribution. Below the level of human attribution, responses are generally limited to threat assessment reports and media communication, which resembles the category of neutral attribution. Above the level of human attribution is where things get more interesting, and more complex. The distinction between agent attribution (the specific perpetrator) and principal attribution (the sponsor or responsible entity) roughly coincides with the distinction between territorial attribution and nation-state attribution, with some grey areas. In the former category, the attributing authority has been able to identify the aggressor, but it has not established government involvement. This implies that either the attributing authority has been able to carry out successful agent attribution, leading to criminal charges following the law enforcement model, or it has carried out technical attribution and traced the

270 Michael Joseph Gross, “Enter the Cyber-Dragon,” Vanity Fair, September 2011, accessed May 22, 2018, https://www.vanityfair.com/news/2011/09/chinese-hacking-201109.

operation to another nation-state, leaving investigations ongoing. As a result, a state may request forensic cooperation. In the latter category, criminal charges also occur when individuals are charged with explicit links to a foreign government, but the array of available response mechanisms widens to include retaliatory measures along the DIME spectrum (diplomacy, information, military, economic). Although we have not witnessed public military retaliation to cyber attacks to this point, diplomatic and economic sanctions are more frequent, as well as official condemnations. Although human identification is a strict requirement for law enforcement responses, this appeared not to be the case for national security responses, where sanctions may be imposed without the sanctioning state indicating how it established a link between the operation and the blamed state. So, if credibility and authority are always questionable when attribution is communicated unilaterally, what are the alternatives? Some have suggested creating a central authority for attribution, similar to the International Atomic Energy Agency, which would judge upon universally agreed standards of evidence.271 This initiative has also been aggressively promoted by Microsoft, which calls for a ‘Digital Geneva Convention’ putting a check on nation-states’ use of ‘cyber weapons’.272 At face value, the idea seems attractive: A neutral third party that has trust and authority and allows nation-states not to disclose their sources and methods for attribution publicly. However, there are some serious caveats to such an initiative. First, it seems naïve to assume that countries with very advanced technological capabilities would be willing to disclose their secret tactics and techniques to a third party, neutral or not. Second, setting up such an organization requires negotiation with other parties that may want stricter standards of evidence.
This would deny a victim a legal basis to bring claims against operations it would otherwise consider illegitimate. Third, institutionalizing attribution in a treaty organization makes it an extremely rigid process, whereas technological innovation advances exponentially and in some cases in unpredictable ways. Therefore, comparing the unilateral and multilateral options, the former appears to be the lesser of the two evils, even though it always runs the risk of stranding on the adversary’s ‘plausible deniability’. In the face of this dilemma, the implicit lesson for policymakers is that, for the time being, the primary and probably most effective means of increasing the costs of attacks on its

271 Davis II et al., Stateless Attribution.
272 Brad Smith, “The need for a Digital Geneva Convention,” Microsoft (blog), February 14, 2017, accessed May 22, 2018, https://blogs.microsoft.com/on-the-issues/2017/02/14/need-digital-geneva-convention/.

computer systems is on the defensive side, rather than the response side. Crucial policy practices in this respect may include: ensuring efficient cyber threat intelligence exchange between different sectors; facilitating responsible (vulnerability) disclosure and penetration testing; promoting open-source software use (in order to ensure interoperability and open patching); and fostering awareness and good ‘cyber hygiene’ practices. These are admittedly obvious measures, but they are nevertheless crucial and likely to be more effective at fending off aggressors in cyberspace. Perhaps we should also be more conscious of the possible consequences for end users’ privacy, were perfect attribution to become a reality. The idea of being constantly identifiable hardly seems to fit with the Western ideal of an ‘open, free and secure Internet’. Instead, we may have to be more tolerant of the fact that attribution is a messy process and, according to Rid and Buchanan, mostly dependent on “what states make of it”.273

273 Rid and Buchanan, “Attributing Cyber Attacks,” 4.

Bibliography

Alperovitch, Dmitri. “Revealed: Operation Shady RAT.” McAfee (website). Accessed May 22, 2018, https://web.archive.org/web/20110804080015/http:/www.mcafee.com/us/resources/wh ite-papers/wp-operation-shady-rat.pdf. Andress, Jason and Steve Winterfeld,. Cyber Warfare: Techniques, Tactics and Tools for Security Practitioners. Waltham, Massachusetts: Syngress, 2014. “Apple update on iCloud,com security.” Apple (website), September 5, 2017. Accessed May 22, 2018, https://support.apple.com/en-us/HT203126. Applegate, Scott D., and Angelos Stavrou. “Towards a Cyber Conflict Taxonomy.” International Conference on Cyber Conflict (CyCon) (Conference Paper) (2013): 1- 18. Arquilla, John, and David Ronfeldt. “Cyberwar is Coming!” Comparative Strategy 12, no. 2 (1993): 141-165. “ASERT Threat Intelligence Report 2015-08: Uncovering the Seven Pointed Dagger.” Arbor Networks (website), August 2015. Accessed May 22, 2018, https://asert.arbornetworks.com/wp-content/uploads/2016/01/ASERT-Threat- Intelligence-Brief-2015-08-Uncovering-the-Seven-Point-Dagger.pdf. Australian Cyber Security Centre. 2016 Threat Report. Accessed May 22, 2018, https://www.acsc.gov.au/publications/ACSC_Threat_Report_2016.pdf. Barger, Rich, Mike Oppenheim, and Chris Phillips. “Operation Arachnophobia: Caught in the Spider’s Web.” ThreatConnect. Accessed May 23, 2018, https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/ThreatCon nect_Operation_Arachnophobia_Report.pdf. Barrett, Devlin. “Hackers Penetrate Nasdaq Computers.” The Wall Street Journal, February 5, 2011. Accessed May 23, 2018, https://www.wsj.com/articles/us-says-iran-hacked- navy-computers-1380314771?tesla=y. Batty, David. “Hackers target vital UK IT networks.” The Guardian, June 16, 2005. Accessed May 22, 2018, https://www.theguardian.com/society/2005/jun/16/epublic.politics. Bhattacharjee, Yudhijit. “How a Remote Town in Romania Has Become Cybercrime Central.” Wired, January 31, 2011. 
Accessed May 22, 2018, https://www.wired.com/2011/01/ff_hackerville_romania/.

76

Master Thesis | K.M. van den Dool

Bosch van Rosenthal, Eelco. “Hackteam AIVD gaf FBI cruciale info over Russische inmenging verkiezingen.” Nieuwsuur, January 25, 2018. Accessed May 23, 2018, https://nos.nl/nieuwsuur/artikel/2213762-hackteam-aivd-gaf-fbi-cruciale-info-over-russische-inmenging-verkiezingen.html.

Bowcott, Owen. “ISPs take GCHQ to court in UK over mass surveillance.” The Guardian, July 2, 2014. Accessed May 23, 2018, https://www.theguardian.com/world/2014/jul/02/isp-gchq-mass-surveillance-privacy-court-claim.

Breeden, Aurelien, Sewell Chan, and Nicole Perlroth. “Macron Campaign Says It Was Target of ‘Massive’ Hacking Attack.” New York Times, May 5, 2017. Accessed May 22, 2018, https://www.nytimes.com/2017/05/05/world/europe/france-macron-hacking.html.

Brenner, Susan W. “At Light Speed: Attribution and Response to Cybercrime/Terrorism/Warfare.” Journal of Criminal Law & Criminology 97, no. 2 (2007): 397-476.

Brito, Jerry, and Tate Watkins. “Loving the Cyber Bomb? The Dangers of Threat Inflation in Cybersecurity Policy.” Harvard Security Journal 3 (2011): 39-84.

Brooks, Matt, Jakub Dalek, and Masashi Crete-Nishihata. “Between Hong Kong and Burma: Tracking UP007 and SLServer Espionage Campaigns.” The Citizen Lab (website), April 18, 2016. Accessed May 22, 2018, https://citizenlab.ca/2016/04/between-hong-kong-and-burma/.

Carr, Nick. “Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations.” FireEye (blog), May 14, 2017. Accessed May 22, 2018, https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html.

Chien, Eric, and Gavin O’Gorman. “The Nitro Attacks: Stealing Secrets from the Chemical Industry.” Symantec (website). Accessed May 23, 2018, https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_nitro_attacks.pdf.

“China blamed after ASIO blueprints stolen in major cyber attack on Canberra HQ.” ABC News, May 27, 2013. Accessed May 23, 2018, http://www.abc.net.au/news/2013-05-27/asio-blueprints-stolen-in-major-hacking-operation/4715960.

“China Collecting Apple iCloud Data: Attack Coincides With Launch of New Phone.” Greatfire.org, October 20, 2014. Accessed May 23, 2018, https://en.greatfire.org/blog/2014/oct/china-collecting-apple-icloud-data-attack-coincides-launch-new-iphone.

“Chinese hacked PMO computers, says Narayanan.” The Indian Express, January 19, 2010. Accessed May 23, 2018, http://archive.indianexpress.com/news/chinese-hacked-pmo-computers-says-narayanan/569075/.

Chirgwin, Richard. “Swiss CERT publishes reveals details of defence contractor hack.” The Register, May 24, 2016. Accessed May 22, 2018, https://www.theregister.co.uk/2016/05/24/anatomy_of_a_breach_swiss_cert_publishes_analysis_of_ruag_attack/.

Chung, Lawrence. “Beijing seeks Taiwanese secret agent over hacking.” South China Morning Post, November 1, 2007. Accessed May 23, 2018, http://www.scmp.com/article/613904/beijing-seeks-taiwanese-secret-agent-over-hacking.

Clarke, Richard A., and Robert K. Knake. Cyber War: The Next Threat to National Security and What to Do About It. New York: Ecco, 2010.

“Codename BYZANTINE HADES / NSA research on the targets of Chinese network exploitation tools, the targets and actors.” Spiegel. Accessed May 23, 2018, http://www.spiegel.de/media/media-35687.pdf.

Committee on Deterring Cyberattacks. Proceedings of a Workshop on Deterring Cyberattacks: Informing Strategies and Developing Options for U.S. Policy. Washington, D.C.: The National Academies Press, 2010.

Corera, Gordon. Intercept: The Secret History of Computers and Spies. London: Weidenfeld & Nicolson, 2005.

---. “NHS cyber-attack was ‘launched from North Korea’.” BBC, June 16, 2017. Accessed May 23, 2018, http://www.bbc.com/news/technology-40297493.

“CRASHOVERRIDE: Analysis of the Threat to Electric Grid Operations.” Dragos (website), June 13, 2017. Accessed May 22, 2018, https://dragos.com/blog/crashoverride/CrashOverride-01.pdf.

Czosseck, C., R. Ottis, and K. Ziolkowski, eds. 2012 4th International Conference on Cyber Conflict. Tallinn: NATO CCD COE Publications, 2014.

“Cyber Operations Tracker.” Council on Foreign Relations (website). Accessed March 4, 2018, https://www.cfr.org/interactive/cyber-operations.


“Dark Caracal: Cyber-espionage at a Global Scale.” Lookout. Accessed May 23, 2018, https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf.

Davis II, John S., Benjamin Boudreaux, Jonathan William Welburn, Jair Aguirre, Cordaye Ogletree, Geoffrey McGovern, and Michael S. Chase. Stateless Attribution: Toward International Accountability in Cyberspace. Santa Monica: RAND Corporation, 2017.

DeYoung, Karen, and Ellen Nakashima. “UAE orchestrated hacking of Qatari government sites, sparking regional upheaval, according to U.S. intelligence officials.” The Washington Post, July 16, 2017. Accessed May 23, 2018, https://www.washingtonpost.com/world/national-security/uae-hacked-qatari-government-sites-sparking-regional-upheaval-according-to-us-intelligence-officials/2017/07/16/00c46e54-698f-11e7-8eb5-cbccc2e7bfbf_story.html?noredirect=on&utm_term=.bc0988809335.

“Digital Attack on German Parliament: Investigative Report on the Hack of the Left Party Infrastructure in Bundestag.” Netzpolitik.org, June 19, 2015. Accessed May 23, 2018, https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/.

“Doc #129906.” WikiLeaks (website), February 15, 2015. Accessed May 23, 2018, https://wikileaks.org/saudi-cables/doc129906.html.

Doherty, Stephen, Jozsef Gegeny, Branko Spasojevic, and Jonell Baltazar. “Hidden Lynx – Professional Hackers for Hire.” Symantec (website), September 17, 2013. Accessed May 22, 2018, https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/hidden-lynx-hackers-13-en.pdf.

Drummond, David. “A new approach to China.” Google (blog), January 12, 2010. Accessed May 23, 2018, https://googleblog.blogspot.nl/2010/01/new-approach-to-china.html.

Dutch IT-Channel. “WhoIS nadert zijn einde.” Dutch IT-channel (website), April 17, 2018. Accessed April 19, 2018, https://dutchitchannel.nl/597903/whois-protocol-voldoet-niet-aan-gdpr.html.

“Duqu is back: Kaspersky Lab reveals cyberattack on its corporate network that also hit high profile victims in Western countries, the Middle East and Asia.” Kaspersky (website). Accessed May 22, 2018, https://www.kaspersky.com/about/press-releases/2015_duqu-is-back-kaspersky-lab-reveals-cyberattack-on-its-corporate-network-that-also-hit-high-profile-victims-in-western-countries-the-middle-east-and-asia.


“Equation Group: Questions and Answers.” Kaspersky’s SecureList (blog), February 2015. Accessed May 22, 2018, https://securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf.

Fagerland, Snorre, Morten Krakvik, Jonathan Camp, and Ned Moran. “Operation Hangover: Unveiling an Indian Cyberattack Infrastructure.” Norman, May 2013. Accessed May 23, 2018, http://www.thecre.com/fnews/wp-content/uploads/2013/05/Unveiling_an_Indian_Cyberattack_Infrastructure.pdf.

Falcone, Robert. “Evilgrab Delivered by Watering Hole Attack on President of Myanmar’s Website.” Palo Alto Networks’ Research Center (blog), June 11, 2015. Accessed May 22, 2018, https://researchcenter.paloaltonetworks.com/2015/06/evilgrab-delivered-by-watering-hole-attack-on-president-of-myanmars-website/.

Falcone, Robert, Josh Grunzweig, Jen Miller-Osborn, and Ryan Olson. “Operation Lotus Blossom.” Palo Alto Networks (website), 42. Accessed May 22, 2018, https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/research/unit42-operation-lotus-blossom.

Falcone, Robert, Mike Scott, and Juan Cortes. “Attack Campaign on the Government of Thailand Delivers Bookworm Trojan.” Palo Alto Networks’ Research Center (blog), November 24, 2015. Accessed May 22, 2018, https://researchcenter.paloaltonetworks.com/2015/11/attack-campaign-on-the-government-of-thailand-delivers-bookworm-trojan/.

Farwell, James P., and Rafal Rohozinski. “Stuxnet and the Future of Cyber War.” Survival 53, no. 1 (2011): 23-40.

Fearon, James D. “Domestic Political Audiences and the Escalation of International Disputes.” American Political Science Review 88, no. 3 (1994): 577-592.

Finkle, Jim. “Four-year hacking spree in South Korea blamed on ‘Dark Seoul Gang’.” Reuters, June 27, 2013. Accessed May 22, 2018, https://www.reuters.com/article/us-korea-hackers/four-year-hacking-spree-in-south-korea-blamed-on-dark-seoul-gang-idUSBRE95Q05220130627.

Finkle, Jim, and Mark Hosenball. “U.S. undercover investigators among those exposed in data breach.” Reuters, August 23, 2014. Accessed May 22, 2018, https://www.reuters.com/article/us-usa-security-contractor-cyberattack-idUSKBN0GM1TZ20140823.

Flaherty, Mary Pat, Jason Samenow, and Lisa Rein. “Chinese hack U.S. weather systems, satellite network.” The Washington Post, November 12, 2014. Accessed May 23, 2018, https://web.archive.org/web/20141113041310/https:/www.washingtonpost.com/local/chinese-hack-us-weather-systems-satellite-network/2014/11/12/bef1206a-68e9-11e4-b053-65cea7903f2e_story.html.

Follorou, Jacques, and Martin Untersinger. “Quand les Canadiens partent en chasse de ‘Babar’.” Le Monde International, March 21, 2014. Accessed May 23, 2018, http://www.lemonde.fr/international/article/2014/03/21/quand-les-canadiens-partent-en-chasse-de-babar_4387233_3210.html.

Franceschi-Bicchierai, Lorenzo. “This Is the Evidence Linking Russian Hackers to the French Election.” Vice, April 26, 2017. Accessed May 22, 2018, https://motherboard.vice.com/en_us/article/vvaxy8/evidence-linking-russian-hackers-fancy-bear-to-macron-phishing.

“French election: Emmanuel Macron condemns ‘massive’ hack attack.” BBC News, May 6, 2017. Accessed May 22, 2018, http://www.bbc.com/news/world-europe-39827244.

“From Shamoon to Stonedrill: Wipers attacking Saudi Organizations and Beyond.” Kaspersky (website), March 7, 2017, 7. Accessed May 22, 2018, https://securelist.com/files/2017/03/Report_Shamoon_StoneDrill_final.pdf.

Galperin, Eva, Cooper Quintin, Morgan Marquis-Boire, and Claudio Guarnieri. “I Got a Letter From the Government the Other Day… Unveiling a Campaign of Intimidation, Kidnapping, and Malware in Kazakhstan.” Electronic Frontier Foundation, August 2016. Accessed May 23, 2018, https://www.eff.org/files/2016/08/03/i-got-a-letter-from-the-government.pdf.

“Gauss: Nation-state cyber-surveillance meets banking Trojan.” Kaspersky’s SecureList (blog), August 9, 2012. Accessed May 22, 2018, https://securelist.com/gauss-nation-state-cyber-surveillance-meets-banking-trojan-54/33854/.

German Federal Office for Information Security. The State of IT Security in Germany 2014. Accessed May 22, 2018, https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Securitysituation/IT-Security-Situation-in-Germany-2014.pdf?__blob=publicationFile&v=3.

Gibson, William. Neuromancer. New York: The Berkley Publishing Group, 1984.

Gilboa, Eytan. “Media Diplomacy: Conceptual Divergence and Applications.” Press/Politics 3, no. 3 (1998): 56-75.

Go Comics (website). https://www.gocomics.com/.


Gostev, Alexander. “The Flame: Questions and Answers.” Kaspersky’s SecureList (blog), May 28, 2012. Accessed May 22, 2018, https://securelist.com/the-flame-questions-and-answers-51/34344/.

GovCERT.ch. APT Case RUAG: Technical Report. May 23, 2016. Accessed May 22, 2018, https://www.melani.admin.ch/dam/melani/en/dokumente/2016/technical%20report%20ruag.pdf.download.pdf/Report_Ruag-Espionage-Case.pdf.

Graham, Robert. “Pin-pointing China’s attack against GitHub.” Errata Security (blog), April 1, 2015. Accessed May 23, 2018, https://blog.erratasec.com/2015/04/pin-pointing-chinas-attack-against.html#.WuxK04huZPY.

Grassegger, Hannes, and Mikael Krogerus. “Fake news and botnets: how Russia weaponised the web.” The Guardian, December 2, 2017. Accessed April 18, 2018, https://www.theguardian.com/technology/2017/dec/02/fake-news-botnets-how-russia-weaponised-the-web-cyber-attack-estonia.

Greenberg, Andy. “Security Guru Richard Clarke Talks Cyberwar.” Forbes, April 8, 2010. Accessed May 26, 2018, https://www.forbes.com/2010/04/08/cyberwar-obama-korea-technology-security-clarke.html#7bf35589344e.

Gross, Michael Joseph. “Enter the Cyber-Dragon.” Vanity Fair, September 2011. Accessed May 22, 2018, https://www.vanityfair.com/news/2011/09/chinese-hacking-201109.

“Guccifer 2.0: All Roads Lead to Russia.” Threatconnect (website), July 26, 2016. Accessed May 23, 2018, https://www.threatconnect.com/blog/guccifer-2-all-roads-lead-russia/.

Guitton, Clement. Inside the Enemy’s Computer: Identifying Cyber Attackers. New York: Oxford University Press, 2017.

Guitton, Clement, and Elaine Korzak. “The Sophistication Criterion for Attribution: Identifying the Perpetrators of Cyber-Attacks.” The RUSI Journal 158, no. 4 (2013): 62-68.

“HACKED!” ABC News, May 27, 2013. Accessed May 23, 2018, http://www.abc.net.au/4corners/hacked/4717206.

“Hacking into the French state.” France 24, September 9, 2007. Accessed May 23, 2018, https://web.archive.org/web/20080118141424/http:/www.france24.com/france24Public/en/news/france/20070909-Internet-piracy-france-secuirty-china-hacker.html.

“Hacking of French TV Channel was ‘terror act’.” The Local, April 9, 2015. Accessed May 22, 2018, https://www.thelocal.fr/20150409/frances-tv5-monde-isis-cyberattack-charlie-hebdo.


Hall, Allan. “The scourge of Scamville: Romanian town is the cyber-crime capital of the world – where hundreds of fraudsters rake in millions from gullible online shoppers.” Daily Mail, November 21, 2014. Accessed May 22, 2018, http://www.dailymail.co.uk/news/article-2840697/The-scourge-Scamville-Romanian-town-cyber-crime-capital-world-hundreds-fraudsters-rake-millions-gullible-online-shoppers.html.

Haquet, Charles, and Emmanuel Paquette. “NSA: les Américains étaient-ils à l’origine de l’espionnage de l’Elysée en 2012?” L’Express, November 20, 2012. Accessed May 23, 2018, https://lexpansion.lexpress.fr/high-tech/nsa-les-americains-etaient-ils-a-l-origine-de-l-espionnage-de-l-elysee-en-2012_1340421.html.

Hathaway, Melissa E. “Cyber Security: an Economic and National Security Crisis.” The Intelligencer: Journal of U.S. Intelligence Studies 16, no. 2 (2008): 31-36.

Healey, Jason. “The Spectrum of National Responsibility for Cyberattacks.” Brown Journal of World Affairs 18, no. 1 (2011): 57-70.

Hillebrand, Claudia. “The Role of News Media in Intelligence Oversight.” Intelligence and National Security 27, no. 5 (October 2012): 689-706.

Hulnick, Arthur S. “Openness: Being Public About Secret Intelligence.” International Journal of Intelligence and Counterintelligence 12, no. 4 (1999): 463-483.

“IAAF Victim of Cyber Attack.” IAAF (website), April 3, 2017. Accessed May 22, 2018, https://www.iaaf.org/news/press-release/iaaf-cyber-attack.

Iasiello, Emilio. “Is Cyber Deterrence an Illusory Course of Action?” Journal of Strategic Security 7, no. 1 (2014): 54-67.

International Court of Justice. Case Concerning Military and Paramilitary Activities in and Against Nicaragua (Nicaragua v. United States of America) (Merits). June 27, 1984. Para. 115. Accessed May 22, 2018, http://www.icj-cij.org/files/case-related/70/070-19860627-JUD-01-00-EN.pdf.

---. The Corfu Channel Case (Merits). April 9, 1949. P. 22. Accessed May 22, 2018, http://www.icj-cij.org/files/case-related/1/001-19490409-JUD-01-00-EN.pdf.

“Investigators: Homeland Security computers hacked.” CNN, September 24, 2007. Accessed May 23, 2018, http://edition.cnn.com/2007/US/09/24/homelandsecurity.computers/index.html.

Isikoff, Michael. “Chinese hacked Obama, McCain campaigns, took internal documents, officials say.” NBC, June 6, 2013. Accessed May 23, 2018, http://investigations.nbcnews.com/_news/2013/06/06/18807056-chinese-hacked-obama-mccain-campaigns-took-internal-documents-officials-say.

“Japan defence firm Mitsubishi Heavy in cyber attack.” BBC News, September 20, 2011. Accessed May 22, 2018, http://www.bbc.com/news/world-asia-pacific-14982906.

Kawabata, Kohei, and CH Lei. “ChessMaster: A New Campaign Targeting Japan Using The New ChChes Backdoor.” RSA Conference 2017, Session FLE-R09, July 26-28, 2017, 44. Accessed May 22, 2018, https://www.rsaconference.com/writable/presentations/file_upload/fle-r09_chessmaster-a-new-campaign-targeting-japan-using-the-new-chches-backdoor.pdf.

Kello, Lucas. “The Meaning of the Cyber Revolution: Perils to Theory and Statecraft.” International Security 38, no. 2 (2013): 7-40.

Key Canfil, Justin. “Honing Cyber Attribution: A Framework for Assessing Foreign State Complicity.” Journal of International Affairs 70, no. 1 (2016): 217-226.

Kurtz, George. “Vietnamese Speakers Targeted in Cyberattack.” McAfee Security Insights (blog), March 30, 2010. Accessed May 23, 2018, https://web.archive.org/web/20100417071801/http:/siblog.mcafee.com/cto/vietnamese-speakers-targeted-in-cyberattack/.

Lawson, Sean. “Beyond Cyber-Doom: Assessing the Limits of Hypothetical Scenarios in the Framing of Cyber-Threats.” Journal of Information Technology & Politics 10, no. 1 (2013): 86-103.

Libicki, Martin C. Cyberdeterrence and Cyberwar. Santa Monica: RAND Corporation, 2009.

Lin, Herbert. “Attribution of Malicious Cyber Incidents: From Soup to Nuts.” Journal of International Affairs 70, no. 1 (2016): 75-137.

Lindsay, Jon R. “Stuxnet and the Limits of Cyber Warfare.” Security Studies 22, no. 3 (2013): 365-404.

---. “Tipping the scales: the attribution problem and the feasibility of deterrence against cyberattack.” Journal of Cybersecurity 1, no. 1 (2015): 53-67.


Lindsay, Jon R., and Lucas Kello. “Correspondence: A Cyber Disagreement.” International Security 39, no. 2 (2014): 181-192.

Lord, Bob. “An Important Message About Yahoo User Security.” Yahoo (website), September 22, 2016. Accessed May 22, 2018, https://yahoo.tumblr.com/post/150781911849/an-important-message-about-yahoo-user-security.

Lowe, Christian, and Natalia Zinets. “Russia says foreign spies plan cyber attack on banking system.” Reuters, December 2, 2016. Accessed May 23, 2018, https://www.reuters.com/article/us-russia-cyberattack-banks/russia-says-foreign-spies-plan-cyber-attack-on-banking-system-idUSKBN13R0NG.

Lupovici, Amir. “The ‘Attribution Problem’ and the Social Construction of ‘Violence’: Taking Cyber Deterrence Literature a Step Forward.” International Perspectives 17 (2016): 322-342.

Lynn III, William J. “Defending a New Domain: The Pentagon’s Cyberstrategy.” Foreign Affairs 89, no. 5 (September 2010): 97-108.

“Malware from the Five Eyes.” Spiegel. Accessed May 23, 2018, http://www.spiegel.de/media/media-35668.pdf.

Marczak, Bill, Geoffrey Alexander, Sarah McKune, John Scott-Railton, and Ron Deibert. “Champing at the Cyberbit: Ethiopian Dissidents Targeted with New Commercial Spyware.” The Citizen Lab (website), December 6, 2017. Accessed May 23, 2018, https://citizenlab.ca/2017/12/champing-cyberbit-ethiopian-dissidents-targeted-commercial-spyware/.

Marczak, Bill, Nicholas Weaver, Jakub Dalek, Roya Ensafi, David Fifield, Sarah McKune, Arn Rey, John Scott-Railton, Ron Deibert, and Vern Paxson. “China’s Great Cannon.” The Citizen Lab (website), April 10, 2015. Accessed May 23, 2018, https://citizenlab.ca/2015/04/chinas-great-cannon/.

“Mark Thompson: The BBC in 2012 and beyond.” BBC News, March 14, 2012. Accessed May 23, 2018, http://www.bbc.co.uk/mediacentre/speeches/2012/thompson-rts.

Markoff, John. “Cyber attack on U.S. nuclear arms lab linked to China.” The New York Times, November 9, 2007. Accessed May 23, 2018, https://www.nytimes.com/2007/12/09/world/americas/09iht-hack.1.8653712.html.

Markoff, John, and David Barboza. “2 China Schools Said to Be Tied to Online Attacks.” The New York Times, February 18, 2010. Accessed May 23, 2018, https://www.nytimes.com/2010/02/19/technology/19china.html.


Martin, David M. “Tracing the Lineage of DarkSeoul.” The SANS Institute, 2016. Accessed May 23, 2018, https://www.sans.org/reading-room/whitepapers/critical/tracing-lineage-darkseoul-36787.

Maurer, Tim. Cyber Mercenaries: The State, Hackers, and Power. Cambridge: Cambridge University Press, 2018.

McCurry, Justin. “Japan anxious over defence data as China denies hacking weapons maker.” The Guardian, September 20, 2011. Accessed May 22, 2018, https://www.theguardian.com/world/2011/sep/20/china-denies-hacking-attack-japan.

Mercer, Warren, and Paul Rascagneres. “Olympic Destroyer Takes Aim At Winter Olympics.” Talos Intelligence (blog), February 12, 2018. Accessed May 22, 2018, https://blog.talosintelligence.com/2018/02/olympic-destroyer.html.

Merriam-Webster (website). https://www.merriam-webster.com/.

Miklaszewski, Jim. “Russian Cyber Attack Targets Pentagon Email Systems: Officials.” NBC News, August 6, 2015. Accessed May 23, 2018, https://www.nbcnews.com/tech/security/cyberattack-pentagons-joint-staff-emails-take-system-offline-n405321.

Mills, Elinor. “China linked to new breaches tied to RSA.” CNET, June 6, 2011. Accessed May 23, 2018, https://www.cnet.com/news/china-linked-to-new-breaches-tied-to-rsa/.

Nagaraja, Shishir, and Ross Anderson. “The snooping dragon: social-malware surveillance of the Tibetan movement.” University of Cambridge Computer Laboratory, March 2009. Accessed May 23, 2018, https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-746.pdf.

Nakashima, Ellen. “Iran blamed for cyberattacks on U.S. banks and companies.” The Washington Post, September 21, 2012. Accessed May 23, 2018, https://www.washingtonpost.com/world/national-security/iran-blamed-for-cyberattacks/2012/09/21/afbe2be4-0412-11e2-9b24-ff730c7f6312_story.html.

Nakashima, Ellen, and William Wan. “Chinese military unit charged with cyber-espionage against U.S. firms.” The Washington Post, May 19, 2014. Accessed May 23, 2018, https://www.washingtonpost.com/world/national-security/us-to-announce-first-criminal-charges-against-foreign-country-for-cyberspying/2014/05/19/586c9992-df45-11e3-810f-764fe508b82d_story.html.

“NANHAISHU: RATing the South China Sea.” F-Secure (website), July 26, 2016. Accessed May 23, 2018, https://www.f-secure.com/documents/996508/1030745/nanhaishu_whitepaper.pdf.


Nazario, Jose. “Georgia DDoS Attacks – A Quick Summary of Observations.” Arbor Networks (website), August 12, 2008. Accessed May 22, 2018, https://asert.arbornetworks.com/georgia-ddos-attacks-a-quick-summary-of-observations/.

Newman, Lily Hay. “Hacker Lexicon: What Is The Attribution Problem?” Wired, December 24, 2016. Accessed May 26, 2018, https://www.wired.com/2016/12/hacker-lexicon-attribution-problem/.

“Night Dragon.” McAfee (website). Accessed May 23, 2018, https://www.mcafee.com/uk/about/night-dragon.aspx.

“Nortel Collapse linked to Chinese hackers.” CBC News, February 15, 2012. Accessed May 23, 2018, http://www.cbc.ca/news/business/nortel-collapse-linked-to-chinese-hackers-1.1260591.

Nye Jr., Joseph S. “Deterrence and Dissuasion in Cyberspace.” International Security 41, no. 3 (2016): 44-71.

---. “Public Diplomacy and Soft Power.” The Annals of the American Academy of Political and Social Science 616, no. 1 (2008): 94-109.

O’Gorman, Gavin, and Geoff McDonald. “The Elderwood Project.” Symantec (website). Accessed May 22, 2018, http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf.

“Olympic Destroyer: who hacked the Olympics?” Kaspersky (website), March 9, 2018. Accessed May 22, 2018, https://www.kaspersky.com/blog/olympic-destroyer/21494/.

“Online Browsing Platform (OBP).” ISO (website). Accessed May 22, 2018, https://www.iso.org/obp/ui/#search.

“Operation Armageddon: Cyber Espionage as a Strategic Component of Russian Modern Warfare.” Lookingglass, April 28, 2015. Accessed May 23, 2018, https://www.lookingglasscyber.com/wp-content/uploads/2015/08/Operation_Armageddon_Final.pdf.

“Operation Cleaver.” Cylance. Accessed May 23, 2018, https://web.archive.org/web/20170101154234/https:/cdn2.hubspot.net/hubfs/270968/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf.

“Operation DustySky.” ClearSky, January 2016. Accessed May 23, 2018, https://www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf.


“Operation SMN: Axiom Threat Actor Group Report.” Novetta (website). Accessed May 22, 2018, https://web.archive.org/web/20150727141150/http:/www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf.

Paquette, Emmanuel. “Piratage de TV5 Monde: l’enquête s’oriente vers la piste russe.” L’Express, June 9, 2015. Accessed May 22, 2018, https://www.lexpress.fr/actualite/medias/piratage-de-tv5-monde-la-piste-russe_1687673.html.

“Parlez-vous Fancy?” Threatconnect (website), April 26, 2017. Accessed May 22, 2018, https://www.threatconnect.com/blog/activity-targeting-french-election/?utm_campaign=DNC%20Guccifer%202.0%20Fancy%20Bears%20Research.

Perez, Evan. “How the U.S. thinks Russians hacked the White House.” CNN, April 8, 2015. Accessed May 23, 2018, https://edition.cnn.com/2015/04/07/politics/how-russians-hacked-the-wh/index.html.

Perez, Evan, and Tim Hume. “Apple opposes judge’s order to hack San Bernardino shooter’s iPhone.” CNN, February 18, 2016. Accessed February 10, 2018, https://edition.cnn.com/2016/02/16/us/san-bernardino-shooter-phone-apple/.

Perlroth, Nicole. “In Cyberattack on Saudi Firm, U.S. Sees Iran Firing Back.” The New York Times, October 23, 2012. Accessed May 23, 2018, https://www.nytimes.com/2012/10/24/business/global/cyberattack-on-saudi-oil-firm-disquiets-us.html.

Poulsen, Kevin, and Spencer Ackerman. “Exclusive: ‘Lone DNC Hacker’ Guccifer 2.0 Slipped Up and Revealed He Was a Russian Intelligence Officer.” The Daily Beast, March 22, 2018. Accessed May 23, 2018, https://www.thedailybeast.com/exclusive-lone-dnc-hacker-guccifer-20-slipped-up-and-revealed-he-was-a-russian-intelligence-officer.

Prins, J.R. “DigiNotar Certificate Authority breach ‘Operation Black Tulip’.” Fox-IT, September 5, 2011. Accessed May 23, 2018, https://www.rijksoverheid.nl/binaries/rijksoverheid/documenten/rapporten/2011/09/05/diginotar-public-report-version-1/rapport-fox-it-operation-black-tulip-v1-0.pdf.

Raiu, Costin, and Igor Soumenkov. “Comparing the Regin module 50251 and the ‘Qwerty’ keylogger.” Kaspersky’s Securelist (blog), January 27, 2015. Accessed May 23, 2018, https://securelist.com/comparing-the-regin-module-50251-and-the-qwerty-keylogger/68525/.


“‘Red October’ Diplomatic Cyber Attacks Investigation.” Kaspersky’s SecureList (blog), January 14, 2013. Accessed May 22, 2018, https://securelist.com/red-october-diplomatic-cyber-attacks-investigation/36740/.

Reichenstein, Oliver. “Bots Need To Be Identifiable By Law.” iA (website), January 24, 2018. Accessed May 22, 2018, https://ia.net/topics/domo-arigato-mr-roboto-tell-us-your-secret.

Rid, Thomas, and Ben Buchanan. “Attributing Cyber Attacks.” Journal of Strategic Studies 38, no. 1-2 (2015): 4-37.

Riley, Charles. “Sony CEO breaks silence after ‘vicious and malicious’ hack.” CNN, January 6, 2015. Accessed May 22, 2018, http://money.cnn.com/2015/01/06/media/sony-interview-hack-ces/index.html.

Rosenbach, Marcel, Hilmar Schmundt, and Christian Stöcker. “Experts Unmask ‘Regin’ Trojan as NSA Tool.” Spiegel, January 27, 2015. Accessed May 23, 2018, http://www.spiegel.de/international/world/regin-malware-unmasked-as-nsa-tool-after-spiegel-publishes-source-code-a-1015255.html.

Roth, Florian. APT Groups and Operations (Google Doc). Accessed March 5, 2018, https://docs.google.com/spreadsheets/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/pubhtml#.

“Russian Cyber Operations on Steroids.” Threatconnect (website), August 19, 2016. Accessed May 23, 2018, https://www.threatconnect.com/blog/fancy-bear-anti-doping-agency-phishing/.

Russian Federal Security Service (translated). “Foreign intelligence agencies are preparing cyber attacks aimed at destabilizing the financial system of Russia.” December 2, 2016. Accessed May 23, 2018, http://www.fsb.ru/fsb/press/message/single.htm%21id%3D10438041%40fsbMessage.html.

Sanger, David E. “Obama Order Sped Up Wave of Cyberattacks Against Iran.” The New York Times, June 1, 2012. Accessed May 23, 2018, https://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html.

Sanger, David E., and Nicole Perlroth. “Iranian Hackers Attack State Dept. via Social Media Accounts.” The New York Times, November 24, 2015. Accessed May 23, 2018, https://web.archive.org/web/20151129040241/http:/www.nytimes.com/2015/11/25/world/middleeast/iran-hackers-cyberespionage-state-department-social-media.html.


Schmidt, Michael S., David E. Sanger, and Nicole Perlroth. “Chinese Hackers Pursue Key Data on U.S. Workers.” The New York Times, July 9, 2014. Accessed May 23, 2018, https://www.nytimes.com/2014/07/10/world/asia/chinese-hackers-pursue-key-data-on-us-workers.html.

Schmitt, Michael N., ed. Tallinn Manual on the International Law Applicable to Cyber Warfare. Cambridge: Cambridge University Press, 2013.

Schneier, Bruce. “Computer Network Exploitation vs. Computer Network Attack.” Schneier on Security (blog), March 10, 2014. Accessed March 2, 2018, https://www.schneier.com/blog/archives/2014/03/computer_networ.html.

Scott-Railton, John, Bill Marczak, Bahr Abdul Razzak, Masashi Crete-Nishihata, and Ron Deibert. “Reckless Exploit: Mexican Journalists, Lawyers, and a Child Targeted with NSO Spyware.” The Citizen Lab (website), June 19, 2017. Accessed May 23, 2018, https://citizenlab.ca/2017/06/reckless-exploit-mexico-nso/.

Security Service of Ukraine. SBU establishes involvement of the RF special services into Petya.A virus-extorter attack. July 1, 2017, https://ssu.gov.ua/en/news/1/category/2/view/3660#.BQqwCMLj.dpbs.

---. SSU repels information psychological attack of Russian special service. May 2, 2015. Accessed May 23, 2018, https://web.archive.org/web/20150502195833/http:/www.sbu.gov.ua:80/sbu/control/en/publish/article?art_id=131264&cat_id=131098.

---. SSU successfully counteracts hacker attacks of Russian special services. March 13, 2015. Accessed May 23, 2018, https://web.archive.org/web/20150319104801/http:/www.sbu.gov.ua/sbu/control/en/publish/article?art_id=138949&cat_id=35317.

Settle, Andy, Nicholas Griffin, and Abel Toro. “Monsoon – Analysis of an APT Campaign.” ForcePoint (website), 47. Accessed May 23, 2018, https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf.

Sevastopulo, Demetri. “Chinese military hacked into Pentagon.” Financial Times, September 3, 2007. Accessed May 23, 2018, https://web.archive.org/web/20071012020714/http:/www.ft.com/cms/s/0/9dba9ba2-5a3b-11dc-9bcd-0000779fd2ac.html.

Shachtman, Noah. “26 Years after Gibson, Pentagon defines ‘Cyberspace’.” Wired, May 23, 2008. Accessed May 22, 2018, https://www.wired.com/2008/05/pentagon-define/.


Shane, Scott, and Vindu Goel. “Fake Russian Facebook Accounts Bought $100,000 in Political Ads.” The New York Times, September 6, 2017. Accessed April 18, 2018, https://www.nytimes.com/2017/09/06/technology/facebook-russian-political-ads.html.

Singer, P.W., and Allan Friedman. Cybersecurity and Cyberwar. New York, NY: Oxford University Press, 2014.

Smith, Brad. “The need for a Digital Geneva Convention.” Microsoft (blog), February 14, 2017. Accessed May 22, 2018, https://blogs.microsoft.com/on-the-issues/2017/02/14/need-digital-geneva-convention/.

Spasojevic, Branko. “Backdoor.Hikit: New Advanced Persistent Threat.” Symantec (website), August 24, 2012. Accessed May 22, 2018, https://www.symantec.com/connect/blogs/backdoorhikit-new-advanced-persistent-threat.

Stewart, Joe. “HTran and the Advanced Persistent Threat.” Dell SecureWorks (blog), August 3, 2011. Accessed May 23, 2018, https://www.secureworks.com/research/htran.

“SWIFT attackers’ malware linked to more financial attacks.” Symantec (website), May 26, 2016. Accessed May 22, 2018, https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks.

Tarakanov, Dmitry. “The ‘Kimsuky’ Operation: A North Korean APT?” Kaspersky’s SecureList (blog), September 11, 2013. Accessed May 23, 2018, https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/.

“The Anthem Hack: All Roads Lead to China.” Threatconnect (website), February 27, 2015. Accessed May 23, 2018, https://www.threatconnect.com/blog/the-anthem-hack-all-roads-lead-to-china/.

“The Madi Campaign – Part II.” Kaspersky’s SecureList (blog), July 26, 2012. Accessed May 23, 2018, https://securelist.com/the-madi-campaign-part-ii-53/33701/.

“The Regin Platform: Nation-State Ownage of GSM Networks.” Kaspersky (website), November 24, 2014. Accessed May 22, 2018, https://d2538mqrb7brka.cloudfront.net/wp-content/uploads/sites/43/2018/03/08070305/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf.

Thornburgh, Nathan. “The Invasion of the Chinese Cyberspies (And the Man Who Tried to Stop Them).” Time Archive, September 5, 2005. Accessed May 23, 2018, https://courses.cs.washington.edu/courses/csep590/05au/readings/titan.rain.htm.


U.S. Attorney’s Office for the Southern District of New York. Manhattan U.S. Attorney Announces Charges Against Seven Iranians For Conducting Coordinated Campaign Of Cyber Attacks Against U.S. Financial Sector On Behalf of Islamic Revolutionary Guard Corps-Sponsored Entities. March 24, 2016. Accessed May 23, 2018, https://www.justice.gov/usao-sdny/pr/manhattan-us-attorney-announces-charges-against-seven-iranians-conducting-coordinated.
U.S. Department of Defense. Remarks by Secretary Carter at the Drell Lecture Cemex Auditorium, Stanford Graduate School of Business, Stanford, California. April 23, 2015. Accessed May 23, 2018, https://www.defense.gov/News/Transcripts/Transcript-View/Article/607043/.
U.S. Department of Justice. Chinese National Pleads Guilty to Conspiring to Hack into U.S. Defense Contractors’ Systems to Steal Sensitive Military Information. March 23, 2016. Accessed May 23, 2018, https://www.justice.gov/opa/pr/chinese-national-pleads-guilty-conspiring-hack-us-defense-contractors-systems-steal-sensitive.
---. Departments of Justice and Homeland Security Announce International Initiative Against Traffickers in Counterfeit Network Hardware. February 28, 2008. Accessed May 23, 2018, https://www.justice.gov/archive/opa/pr/2008/February/08_crm_150.html.
---. U.S. Charges Five Chinese Military Hackers for Cyber Espionage Against U.S. Corporations and a Labor Organization for Commercial Advantage. May 19, 2014. Accessed May 23, 2018, https://www.justice.gov/opa/pr/us-charges-five-chinese-military-hackers-cyber-espionage-against-us-corporations-and-labor.
---. U.S. Charges Russian FSB Officers and Their Criminal Conspirators for Hacking Yahoo and Millions of Email Accounts. March 15, 2017. Accessed May 23, 2018, https://www.justice.gov/opa/pr/us-charges-russian-fsb-officers-and-their-criminal-conspirators-hacking-yahoo-and-millions.
---. U.S. Charges Three Chinese Hackers Who Work at Internet Security Firm for Hacking Three Corporations for Commercial Advantage. November 27, 2017. Accessed May 23, 2018, https://www.justice.gov/opa/pr/us-charges-three-chinese-hackers-who-work-internet-security-firm-hacking-three-corporations.
U.S. Department of State. Statement on Google Operations in China. January 12, 2010. Accessed April 20, 2018, https://2009-2017.state.gov/secretary/20092013clinton/rm/2010/01/135105.htm.


U.S. District Court for the Western District of Pennsylvania. United States of America v. Wu Yingzhuo, Dong Hao, Xia Lei (Indictment). September 13, 2017. Accessed May 23, 2018, https://www.justice.gov/opa/press-release/file/1013866/download.
U.S. Federal Bureau of Investigation. Update on Sony Investigation. December 19, 2014. Accessed May 23, 2018, https://www.fbi.gov/news/pressrel/press-releases/update-on-sony-investigation.
U.S. Senate Committee on Armed Services. Inquiry Into Cyber Intrusions Affecting U.S. Transportation Command Contractors: Report. 2014. Accessed May 23, 2018, https://www.armed-services.senate.gov/imo/media/doc/SASC_Cyberreport_091714.pdf.
U.S. White House. Statement by the President on Actions in Response to Russian Malicious Cyber Activity and Harassment. December 29, 2016. Accessed May 23, 2018, https://obamawhitehouse.archives.gov/the-press-office/2016/12/29/statement-president-actions-response-russian-malicious-cyber-activity.
---. Statement by the Press Secretary on the Executive Order Entitled ‘Imposing Additional Sanctions with Respect to North Korea’. January 2, 2015. Accessed April 20, 2018, https://obamawhitehouse.archives.gov/the-press-office/2015/01/02/statement-press-secretary-executive-order-entitled-imposing-additional-s.
U.S.-China Economic and Security Review Commission. 2011 Report to Congress. November 2011. Accessed May 23, 2018, https://web.archive.org/web/20111124012100/http:/www.uscc.gov/annual_report/2011/annual_report_full_11.pdf.
Uhlmann, Chris. “China blamed for ‘massive’ cyber attack on Bureau of Meteorology computer.” ABC News, December 2, 2015. Accessed May 23, 2018, http://www.abc.net.au/news/2015-12-02/china-blamed-for-cyber-attack-on-bureau-of-meteorology/6993278.
Usborne, Simon. “Digital gold: why hackers love Bitcoin.” The Guardian, May 15, 2017. Accessed February 27, 2018, https://www.theguardian.com/technology/2017/may/15/digital-gold-why-hackers-love-bitcoin-ransomware.
“Use of Fancy Bear Android Malware in Tracking of Ukrainian Field Artillery Units.” Crowdstrike, December 22, 2016. Accessed May 23, 2018, https://www.crowdstrike.com/wp-content/brochures/FancyBearTracksUkrainianArtillery.pdf.


“USIS Comments on Recent Self-Reported Cyber-Attack on Corporate Network.” USIS, August 6, 2014. Accessed May 22, 2018, https://web.archive.org/web/20150223064255/http:/usis.com/Media-Release-Detail.aspx?dpid=151.
Valeriano, Brandon, and Ryan C. Maness. “The dynamics of cyber conflict between rival antagonists, 2001-2011.” Journal of Peace Research 51, no. 3 (2014): 347-360.
VICELAND. “The Attribution Problems in Cyber Attacks: CYBERWAR (Extra Scene).” YouTube (website), July 14, 2016. Accessed February 20, 2018, https://www.youtube.com/watch?v=OJ9myAO445w.
Volz, Dustin. “Yahoo says hackers stole data from 500 million accounts in 2014.” Reuters, September 22, 2016. Accessed May 22, 2018, https://www.reuters.com/article/us-yahoo-cyber/yahoo-says-hackers-stole-data-from-500-million-accounts-in-2014-idUSKCN11S16P.
Weston, Greg. “Foreign hackers attack Canadian government.” CBC News, February 16, 2011. Accessed May 23, 2018, http://www.cbc.ca/news/politics/foreign-hackers-attack-canadian-government-1.982618.
Wheeler, David A., and Gregory N. Larsen. Techniques for Cyber Attack Attribution. Alexandria, VA: Institute for Defense Analyses, 2003.
Whyte, Christopher. “Ending cyber coercion: Computer network attack, exploitation and the case of North Korea.” Comparative Strategy 35, no. 2 (2016): 93-102.
Winters, Ryann. “The EPS Awakens – Part 2.” FireEye (website), December 20, 2015. Accessed May 23, 2018, https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html.
Wrolstad, Jonathan, and Barry Vengerik. “Pinpointing Targets: Exploiting Web Analytics to Ensnare Victims.” FireEye (website), 15. Accessed May 22, 2018, https://www2.fireeye.com/rs/848-DID-242/images/rpt-witchcoven.pdf.
Zetter, Kim. “Hacker Lexicon: What are CNE and CNA?” Wired, July 6, 2016. Accessed March 2, 2018, https://www.wired.com/2016/07/hacker-lexicon-cne-cna/.

Appendix A: Dataset

Operation | Year | Target | Target Type | Operation Type | Attribution Target | Attribution occurrence codes (source columns in the original table: Public Official, Public Unofficial, Cyber-security, Private Official, Private Unofficial, Journalism, Leaks, Other) | Note
Moonlight Maze | 1998 | US | 2 | 1 | RU | 30, 11 | Officials point to Russia in media, Kaspersky report mentions nation-state, but no specific
Japanese Textbook Affair | 2001 | JP | 1 | 2 | KR | 22 | Officials say ROK students behind attacks, no evidence
Hainan Incident Attacks | 2001 | US | 1 | 2 | CN | 20, 20 | News articles blame Chinese hackers in context of Hainan incident, no evidence. Various interviewed sources and self-proclamation by Honker Union
October 2001 defacements | 2001 | IN | 3 | 2 | PK | 11, 11, 21 | News agencies and Cisco talk about 'Gforce Pakistan', BBC says 'Pakistani-based'
Yasukuni Shrine Attacks | 2005 | JP | 5 | 2 | CN | 21 | Officials point at China, origin of web traffic
Titan Rain | 2005 | US, UK | 1 | 1 | CN | 30, 30, 32, 30 | TIME reports Carpenter's attribution to PRC, anonymous intel officials point at PRC, leaked slide points at PLA billing address. Unrelated expert commentary
Commerce Department Compromise | 2006 | US | 1 | 1 | CN | 21 | Attribution of servers located in China
State Department Compromise | 2006 | US | 1 | 1 | CN | 10, 10 | Weak attribution, anonymous officials hinting
UK CNI Attack | 2006 | UK | 1 | 1 | CN | 10 | Attribution was deliberately left vague
AUS and NZ Attacked | 2007 | AU, NZ | 1 | 1 | CN | 10 | NZ PM mentions foreign intel agency, not which one.
French Defense Ministry Compromised | 2007 | FR | 1 | 1 | CN | 20 | Defense Secretary General mentions Chinese involvement, but not government per se
DHS Compromise | 2007 | US | 1 | 1 | CN | 22 | Congressional investigators only mentioned 'web hosting services that connect to Chinese web sites', potentially incriminating contractor Unisys
Syrian Air Force Compromise | 2007 | SY | 1 | 2 | IL | 32, 32 | Attribution was part of package after air raids
Lee Fang-Jung | 2007 | CN | 1 | 1 | TW | 32 | Arrest warrant for Taiwanese secret agent, Chinese spokesperson confirms Taiwan involvement
Oak Ridge National Laboratories I | 2007 | US | 1 | 1 | CN | 21 | DHS memorandum indicating that servers were located in China
German Government Hacked | 2007 | DE | 1 | 1 | CN | 30 | Intelligence report, untraceable
2007 Pentagon Raid | 2007 | US | 2 | 1 | CN | 32 | US intel officials communicated to FT about PLA involvement
Estonian DDoS | 2007 | EE | 1 | 2 | RU | 31, 30 | Leak of communication between EST and US. Officials presented lists of IP addresses, blaming Russian govt.
Russo-Georgian Conflict DDoS | 2008 | GE | 5 | 2 | RU | 30, 11 | Arbor and Shadowserver technical reports. Georgia officially blamed Russia.
Cisco Raider | 2008 | US, CA | 1 | 1 | CN | 22 | US individual charged for cooperating with Chinese firm, evidence in statement
2008 Campaign Hack | 2008 | US | 4 | 1 | CN | 30 | High level warnings issued bilaterally to PRC, not public. In NBC report, officials blame PRC.
Agent.btz | 2008 | US | 2 | 1 | RU | 30, 31 | Anonymous officials tell Reuters that Russia is top suspect. Gdata report connects it with Uroburos, Russian intel.
NASA Attacks | 2008 | US | 1 | 1 | CN | 30 | 2011 Commission report referred to Chinese military strategy as circumstantial evidence ('military writings').
Fourth of July Attacks | 2009 | US, KR | 1 | 2 | KP | 20, 20 | Intelligence officials shared evidence with MPs. MPs and anonymous intel officials communicated with newspapers. State Commission has identified IP addresses.
Twitter Hack | 2009 | US | 3 | 2 | IR | 31, 31 | Media speculate about Iranian retaliation, with caution. Other unrelated sources blame Iran (WaPo).
GhostNet | 2009 | US, IN, TW, CA, International | 4 | 1 | CN | 30, 31 | Toronto report no attribution, but Cambridge attributed Chinese government. Cable leak suggests 'tenuous connection' with PLA. Dalai Lama condemned. Considered first cases that demonstrated private actors' capabilities to attribute threat actors.
Joint Strike Fighter (Byzantine Hades) | 2009 | US | 2 | 1 | CN | 20 | NSA slide leaked linking to China
ROK Government Shutdown | 2009 | KR, US | 1 | 2 | KP | 30 | Intel officials told politicians DPRK was behind it
US Power Grid Hacked | 2009 | US | 5 | 1 | CN, RU | 30 | Officials speculate about PRC in media without evidence
Senator Nelson Compromised | 2009 | US | 1 | 1 | CN | 20 | Nelson issues own statement blaming China-based hackers.
Aurora | 2010 | International | 3 | 1 | CN | 20, 10, 20 | Google mentions attack originating from China. McAfee mentions technical assessment. US (Clinton) asks China for explanation.
Stuxnet | 2010 | IR | 1 | 2 | US, IL | 30, 11, 32 | Iran blamed US, Israel 'regimes' and Siemens. NYT articles citing US intel unveil Olympic Games. Kaspersky calls it EquationGroup.
Night Dragon | 2010 | US | 3 | 1 | CN | 21 | McAfee says individuals in China are primary source
Baidu Defacement | 2010 | CN | 3 | 2 | IR | 31 | Xinhuanet: ICA believed to be aligned with the current ruling party in Iran.
Australian Mining Companies Attacked | 2010 | AU | 3 | 1 | CN | 30 | Investigative report by ABC 'Four Corners' (documentary), former officials cited
Vietnamese Botnet Attacks | 2010 | VN | 5 | 2 | VN | 31 | Google and McAfee mention likely links with Vietnamese government
Indian PMO Hacked | 2010 | IN | 1 | 1 | CN | 20 | Outgoing national security advisor considers it likely that the Chinese are behind attacks, in newspaper interview.
Duqu | 2011 | IR, FR, NL, CH, UA, IN, SD, VN | 5 | 1 | US, IL | 11 | Technical reports connect it to Stuxnet
RSA SecurID Compromise | 2011 | US, JP | 3 | 1 | CN | 31, 21, 10 | RSA open letter says APT, but not specific. Congress report says kit is connected to state-sponsored Honker Union of China. SecureWorks also indicates connection with HUC.
Mitsubishi Heavy Industry Hack | 2011 | JP | 3 | 1 | CN | 11 | Japanese newspaper said Chinese characters were used in code.
Japanese Parliament Hack | 2011 | JP | 1 | 1 | CN | 21 | Chair statement mentions China-based server, but warns that it could be spoofed
Shady RAT | 2011 | US, CA, KR, TW, JP, CH, UK, ID, VN, DK, SG, HK, DE, IN | 5 | 1 | CN | 11, 30 | McAfee report presents only victimology. Kaspersky and Symantec downplayed it. Unrelated security experts
Canadian Finance Dept and Treasury Board Hacked | 2011 | CA | 1 | 1 | CN | 21 | Anonymous officials tell CBC servers are located in China
Chamber of Commerce Hacked | 2011 | US | 1 | 1 | CN | 30 | Chamber of Commerce blames hackers with ties to Chinese military.
Nonghyup Bank | 2011 | KR | 3 | 2 | KP | 32 | Prosecutor links to DPRK reconnaissance bureau, referring to technical evidence linking it to previous attacks
Ten Days of Rain | 2011 | KR, US | 1 | 1 | KP | 31 | McAfee links to DPRK (sympathizers), but is prudent with 'circumstantial evidence'. One source says intelligence blames DPRK.
NASDAQ Attack | 2011 | US | 1 | 1 | RU | 30 | Anonymous officials tell Bloomberg RF involvement is convincing, based on partial/circumstantial evidence
Nitro Attacks | 2011 | US, BD, UK, AR, SG, International | 5 | 1 | CN | 22 | Symantec located C2 servers in China, owned by man named 'Covert Grove'.
Operation Black Tulip (DigiNotar) | 2011 | IR, NL | 5 | 1 | IR | 21, 10 | Fox-IT shows server activity in Iran, but does not blame any specific actor. Comodohacker claimed responsibility.
DPP Compromise I | 2011 | TW | 4 | 1 | CN | 32 | DPP said investigations point at Chinese state-controlled Xinhua News Agency
Flame | 2012 | IR, IL, SD, SY, LB, SA, EG | 5 | 1 | US, IL | 11 | Kaspersky linked it to same actor as Stuxnet and Duqu, likely nation-state, but no specifics. WaPo article citing anonymous intel officials confirms US involvement
Gauss | 2012 | LB, IL, PS, US | 3 | 1 | US, IL | 11 | Linked to Stuxnet and Flame (probability) by Kaspersky and Symantec.
White House Attack | 2012 | US | 1 | 1 | CN | 31 | Officials tell Fox and FreeBeacon China govt is culprit, based on traced server location in China
French Elections | 2012 | FR | 1 | 1 | US | 32, 32 | L'Express blames NSA and refers to WikiLeaks while claiming Flame was used. WikiLeaks points to CIA
Operation Ababil | 2012 | US | 3 | 2 | IR | 32, 30, 30 | Seven Iranians (ITSecTeam and MERSAD) convicted, court mentioned links to Iran's Revolutionary Guard. NYT and WP cite unnamed intelligence officials. Former (unrelated) officials. 110 Self-proclamation Izz ad-Din al-Qassam.
Attempted BBC Compromise | 2012 | UK | 3 | 2 | IR | 30 | BBC Director mentioned Iranian authorities in speech.
Nortel Collapse | 2012 | CA | 3 | 1 | CN | 20 | Former Nortel Security Chief says hackers are based in China and demands governmental cooperation
Madi Campaign | 2012 | IR, US, IL | 5 | 1 | IR | 21 | Kaspersky reports 84% of traffic comes from Iran
Coca-Cola Compromise | 2012 | US | 3 | 1 | CN | 31, 30 | Bloomberg cites internal company document attributing attack to PRC state-sponsored actors (APT1). Coca-Cola kept silent. Unrelated security experts comment.
Shamoon (Saudi Aramco) | 2012 | SA | 3 | 2 | IR | 30, 11 | Anonymous US officials name Iran in NYT. Kaspersky considers it work of copycat because it copies Wiper elements from Flame
Operation Troy | 2013 | KR | 3 | 2 | KP | 31 | McAfee technical report links it to a specific group, DarkSeoul, but does not mention a country. SANS connects it to DPRK.
Operation Hangover | 2013 | PK, LK, BD | 5 | 1 | IN | 21 | Norman company located attack infrastructure in
Tranchulas Operation | 2013 | IN | 1 | 1 | PK | 32 | ThreatConnect identifies individuals and Tranchulas company, likely to provide services to Pakistani govt
Operation Kimsuky | 2013 | KR | 5 | 1 | KP | 21 | Kaspersky suspects hackers are from DPRK based on IP geolocation.
Operation KE3CHANG (G20) | 2013 | EU | 1 | 1 | CN | 21 | FireEye determines hackers operate from China.
Red October (Campaign against diplomatic agencies) | 2013 | RU, KZ, AZ, BE, IN, AF, AM, IR, TM, International | 1 | 1 | RU | 11 | Technical report by Kaspersky suggests hackers are Russian-speaking.
EADS and ThyssenKrupp Compromise | 2013 | DE, US | 3 | 1 | CN | 21 | ThyssenKrupp informed Spiegel it knows attacks originate from PRC IPs
TeamSpy | 2013 | RU, TR, HU, UA | 5 | 1 | RU | 11 | Tech reports by CrySyS and Kaspersky
ASIO Blueprints Stolen | 2013 | AU | 1 | 1 | CN | 20, 20 | Program Four Corners blames China, mentions anonymous unaffiliated sources. Related officials say they know but refuse to tell. Anonymous informant suspects China.
Navy Compromise | 2013 | US | 1 | 1 | IR | 30 | Anonymous officials told WSJ attacks are linked to Iran.
Finnish MFA Compromise | 2013 | FI | 1 | 1 | CN, RU | 31 | Minister refuses to point fingers, Finnish reports blame Russia/China, later reports link it to Russian state-sponsored Turla Group.
Operation Socialist | 2013 | BE | 3 | 1 | UK | 32, 32 | Snowden leaks link GCHQ/Regin malware to Belgacom hack. ISPs file complaint at Investigatory Powers Tribunal.
TRANSCOM Compromise | 2014 | US | 1 | 1 | CN | 30 | US Senate Committee blames China in press release and Congress report.
Boeing Compromise | 2014 | US | 5 | 1 | CN | 22 | Chinese individual pleads guilty before US court
Sony Compromise | 2014 | US | 3 | 2 | KP | 31, 11, 10 | FBI report (IP addresses) and Obama press statement officially blame DPRK, Sony itself avoids fingerpointing. Novetta Blockbuster report links to LazarusGroup
CAN National Research Council Compromise | 2014 | CA | 1 | 1 | CN | 30 | CIO of Canadian Government mentions 'highly sophisticated Chinese state-sponsored actor'
USIS Compromise | 2014 | US | 5 | 1 | CN | 20, 10 | Unnamed public officials trace back to China in NYT but can't confirm govt involvement, USIS mentions state involvement without attribution in press release.
Babar | 2014 | IR, US, CA, GR, NO, ES, CI, DZ | 5 | 1 | FR | 11, 30, 32 | Technical attribution by Cyphort, leaked Canadian intelligence files. French official spoke about it in public.
Fake Occupy Central Apps | 2014 | HK | 4 | 1 | CN | 31 | Lacoon Mobile Security believes Chinese government directed the attacks
iCloud Compromise | 2014 | US, CN | 3 | 1 | CN | 31, 10 | Watchdog Greatfire attributes MITM attack to China, Apple declines comment
US White House Compromise | 2014 | US | 1 | 1 | RU | 30 | Officials tell media (CNN/WaPo) they think Russia has been behind attacks.
US State Dept Compromise | 2014 | US | 1 | 1 | RU | 30 | Officials tell media (CNN/WaPo) they think Russia has been behind attacks.
Regin | 2014 | RU, SA, BE, MX, IE, IN, SY, IR, PK, DZ, multiple | 5 | 1 | US, UK | 31, 30, 30 | Based on Snowden leaks of QWERTY malware, Kaspersky finds that Regin is from the same creators. Spiegel concludes it's NSA.
US Postal Service Compromise | 2014 | US | 1 | 1 | CN | 30, 10 | USPS allegedly declined comment, anonymous officials told WaPo and ABC Russia is suspect.
Operation Cleaver | 2014 | CA, CN, UK, FR, DE, US, UAE, IL, multiple | 5 | 1 | IR | 32, 20 | Cylance assesses operation is sponsored by Iran. Leak suggests Iranian actors
US NOAA Compromise | 2014 | US | 1 | 1 | CN | 20 | Anonymous officials blame Chinese hackers.
Attempted Compromise of Ukrainian Email Accounts | 2014 | UA | 1 | 1 | RU | 30 | Ukrainian Security Service formally denounces, no evidence provided.
Sands Casino Compromise | 2014 | US | 3 | 2 | IR | 30, 20 | DNI Clapper blames Iran, internal investigation documents from Dell SecureWorks mention Iranian hacktivists.
Westinghouse Electric and US Steel Corp compromise | 2014 | US | 3 | 1 | CN | 32 | 5 PLA agents arrested and charged
German Steel Mill Attack | 2014 | DE | 3 | 2 | Unknown | 10 | German intelligence report mentions attack, says APT involvement is likely, but does not mention which one.
OPM Breach | 2014 | US | 1 | 1 | CN | 30, 20 | Anonymous FBI officials say attack was traced to China. Later intelligence chief says China is main suspect. Year later, US seeks retaliation against PRC.
Yahoo Breach | 2014 | US | 3 | 1 | Unknown | 10 | Yahoo only mentions 'a state-sponsored entity' likely.
Korea Hydro and Nuclear Power Co Compromise | 2014 | KR | 3 | 2 | KP | 31 | Linked to Kimsuky in official statement by prosecutor.
Poisoned Helmand | 2014 | AF | 1 | 1 | CN | 31 | ThreatConnect report points to possible Chinese intel involvement
Turla | 2014 | EU | 1 | 1 | RU | 31 | Kaspersky refers to Gdata report on Uroburos, linking to Russian intel agencies
Cloud Atlas | 2014 | International | 1 | 1 | RU | 11 | Kaspersky connects to RedOctober
BlueTermite/CloudyOmega | 2015 | JP | 5 | 1 | CN | 11 | Kaspersky report mentions Chinese language. Symantec links to HiddenLynx.
Duqu 2.0 | 2015 | IR, US, CH, Austria | 5 | 1 | IL | 11, 30 | Kaspersky links it to EquationGroup/Olympic Games, considers it nation-state campaign. NYT reports in 2017 about Kaspersky breach, linking it with Israel
DPP Compromise II | 2015 | TW | 4 | 1 | CN | 21 | FireEye attributes China-based APT16
Anthem Hack | 2015 | CN | 3 | 1 | CN | 20, 32 | FBI formally warns for China-based DeepPanda, ThreatConnect identifies a specific individual and universities in China, suggests state-sponsored
Ukrainian Power Grid Attack | 2015 | UA | 3 | 2 | RU | 30, 11 | Intelligence service warns Russian intelligence, Energy ministry traces Russian internet network providers, FireEye links to Sandworm.
Clandestine Wolf | 2015 | US, HK | 5 | 1 | CN | 21 | FireEye links to China-based APT3
Compromise of US Joint Chiefs of Staff | 2015 | US | 1 | 1 | RU | 20 | Officials tell NBC Russia is behind the attacks, not sure about govt involvement
United Airlines Compromise | 2015 | US | 3 | 1 | CN | 20 | Articles by Bloomberg and PCWorld connect different reports, cite unnamed/unaffiliated sources, but remains speculative, connected to Anthem and OPM hacks.
Attempted Compromise of Ukrainian Officials | 2015 | UA | 1 | 1 | RU | 32 | Intelligence service denounces specific Russian secret service, no evidence
Seoul Subway Compromise | 2015 | KR | 1 | 1 | KP | 30 | Parliament cites national intelligence report that linked it to same APT as 2013 attacks: Pyongyang
GitHub Disruption | 2015 | US | 3 | 2 | CN | 31, 10 | Several technical analyses (Netresec) point to China, Chinese government considered likely culprit. GitHub response mentions no attribution.
Iron Tiger | 2015 | US | 1 | 1 | CN | 21 | TrendMicro links to EmissaryPanda, located in China
Permanent Court of Arbitration Compromise | 2015 | NL | 1 | 1 | CN | 31 | ThreatConnect technically traces a Chinese domain reseller but also interprets it as being PRC.
South Korean Government Compromised | 2015 | KR | 1 | 1 | KP | 20 | South Korean intelligence service reports DPRK is the culprit, no evidence
TV5 Compromise | 2015 | FR | 3 | 2 | RU | 10, 10, 30 | Initially considered cyberterrorism by TV5 and govt in public, later reports by French media and TrendMicro link it to APT28 (Russia) in media interview.
Attempted Compromise of the Dutch Safety Board | 2015 | NL | 1 | 1 | RU | 11 | TrendMicro attributes to PawnStorm (APT28)
Saudi Government Compromise | 2015 | SA | 1 | 1 | IR | 31 | Buzzfeed report says it is connected to Gholee/WoolenGoldfish/Saffron, likely to be Iranian govt according to ClearSky/TrendMicro/FireEye
US State Dept Social Media Accounts Compromised | 2015 | US | 1 | 1 | IR | 30 | Anonymous officials link attacks to Iranian Revolutionary Guard in media, no evidence
Bundestag Compromise | 2015 | DE | 1 | 1 | RU | 30, 31 | NetzPolitik connects it to state-sponsored APT28, and refers to other reports linking it to Russia and intelligence service; MPs call out Russia
Bureau of Meteorology Compromise | 2015 | AU | 1 | 1 | CN | 10, 20 | ACSC report mentions foreign intelligence service, anonymous officials point to China in media
Japanese Pension System Compromise | 2015 | JP | 1 | 1 | Unknown | 10 | Fund President said investigations are ongoing in press statement
Pentagon Legacy System Compromised | 2015 | US | 2 | 1 | RU | 20 | Defense Secretary Carter denounces Russian hackers in statement, scarce evidence.
Operation SMN | 2015 | International | 5 | 1 | CN | 30, 31 | Novetta attributes to Axiom, considers it state-sponsored, likely to be of Chinese intelligence apparatus. FBI attributes applied Hikit toolkit to PRC
Lotus Blossom | 2015 | International | 5 | 1 | CN | 11 | PaloAlto Unit42 tracks C2 servers, says nation-state support is likely.
Seven Pointed Dagger | 2015 | MM | 1 | 1 | Unknown | 11 | Various reports (CitizenLab, Arbor, PaloAlto) identify various possibilities for human attribution, remains inconclusive
Russian Doll | 2015 | Unknown | 1 | 1 | RU | 31 | FireEye connects to APT28, in other report connected to Russia
German MFA Compromise | 2018 | DE | 1 | 1 | RU | 30 | SPIEGEL report based on intel sources
Witchcoven | 2015 | International | 5 | 1 | RU | 10 | FireEye points to individuals suspected to be sponsored by a nation-state
OP Armageddon | 2015 | UA | 5 | 1 | RU | 32 | Tech report attributes to two specific Russian intel agencies
Woolen Goldfish | 2015 | IL, DE | 1 | 1 | IR | 21 | TrendMicro mentions coherence with Iran, but not government connection
Thamar Reservoir | 2015 | SA, IL, YE, VE | 5 | 1 | IR | 31 | ClearSky tech report mentions Iran and assumes govt involvement
US Post-Election Phishing | 2016 | US | 4 | 1 | RU | 21 | Area1Security and Volexity technical attribution reports attributed to APT29/PowerDukes in Russia
DNC Hack | 2016 | US | 4 | 1 | RU | 31, 31, 32 | Official statement and sanctions on behalf of US government, multiple technical reports say Russian involvement is very likely. Third party (NL) intel is said to have been of importance.
Guccifer 2.0 | 2016 | US | 5 | 3 | RU | 32, 21 | ThreatConnect traces IP to Russian VPN, intel officials tell Daily Beast it belongs to Russian GRU agent.
Monsoon | 2016 | CN, PK, LK, International | 1 | 1 | IN | 22 | ForcePoint was able to identify an individual based on domain name, not published.
South Korean Government Compromised | 2016 | KR | 1 | 1 | KP | 20 | Officials communicate technical evidence points to DPRK, evidence is not disclosed.
SWIFT Bank Heists | 2016 | BD, VN, Ecuador, PL | 1 | 2 | KP | 11 | Symantec believes malware is similar to that used by previous attacks by Lazarus
Operation Mermaid | 2016 | IR | 1 | 1 | IR | 21 | SkyEye and HeliosTeam show technical evidence that the actor is likely to operate from the Middle East, PaloAlto considers Iran likely.
RUAG Compromise | 2016 | CH | 1 | 1 | RU | 11 | Official MELANI report provides technical attribution to Turla family, providing indirect link to Russia
Ukrainian Bank Attacks | 2016 | UA | 3 | 2 | RU | 11 | Technical report believes it is connected to BlackEnergy, indirectly linked to Russia
Yahoo Breach | 2016 | US | 3 | 1 | RU | 32, 10 | Criminal charges communicated including links to FSB, Yahoo does not mention attribution
NanHaiShu | 2016 | PH | 5 | 1 | CN | 21 | F-Secure report considers it likely that the attackers are of Chinese origin, and profile matches Chinese govt interests
South Korean Diplomats and Journalists Compromised | 2016 | KR | 1 | 1 | KP | 21 | Intelligence and govt officials believe DPRK is culprit, based on technical similarity with previous attacks, but no further info
Ukrainian Artillery Targeted | 2016 | UA | 2 | 1 | RU | 32 | CrowdStrike links attack to FancyBear based on partial technical attribution, some findings were rejected by Ukrainian govt
Kazakh Dissidents Targeted | 2016 | Global | 4 | 1 | KZ | 32 | EFF believes operation is linked to KZK govt, based on technical evidence
World Anti-Doping Agency Compromised | 2016 | Global | 4 | 1 | RU | 31, 32 | WADA condemns Russia, refers to technical report by McLaren. McLaren report identifies Russian entities.
Shamoon 2.0 | 2016 | SA | 1 | 2 | IR, YE | 21, 11 | Saudi officials say technical indicators suggest attacks originate from Iran; neither FireEye nor Kaspersky draws any conclusions as to attribution, Kaspersky also finds clues about Yemen
Russian Warning of Attack on Banking Sector | 2016 | RU | 3 | 2 | NL, UA | 21 | FSB says servers are located in NL and owned by Ukrainian BlazingFast
Dust Storm | 2016 | JP, KR, US, EU, International | 5 | 1 | CN | 11 | Cylance tech report
Four Element Sword | 2016 | CN, HK, TW | 4 | 1 | CN | 11 | CitizenLab and Arbor do not mention any actor
Ukrenergo | 2016 | UA | 3 | 2 | RU | 11, 10, 30 | Ukrenergo press service mentions possible hackers. ESET/Dragos connect it to Industroyer/CrashOverride, which is connected to SandWorm Team. Wired article blames Russia. US intel officials cited.
Odinaff | 2016 | US, HK, AU, UK, UA | 3 | 1 | RU | 11 | Symantec links to Carbanak
Project Sauron | 2016 | RU, CN, BE, SE | 5 | 1 | US | 11 | Symantec says nation-state involvement is likely, Symantec/Kaspersky mention none
DustySky | 2016 | IL, EG, SA, AE | 5 | 1 | PS | 22 | ClearSky links it to MoleRats/GazaCybergang, mentions Gaza Strip origins, points to specific individuals
Daybreak | 2016 | RU, NP, KR, CN, IN, RO | 5 | 1 | KP | 11 | Kaspersky report mentions Korean language
IronGate | 2016 | Unknown | 5 | 2 | Unknown | 11 | FireEye report comparison to Stuxnet
Ghoul | 2016 | International | 3 | 1 | Unknown | 11 | Tech reports
South China Sea Dispute | 2017 | PH | 1 | 1 | VN | 31 | FireEye says APT32 is aligned with Vietnamese government interests
Defense Integrated Data Center Compromise | 2017 | KR, US | 2 | 1 | KP | 20 | MoP said North Korean hackers are responsible, based on unidentified official sources.
Far Eastern International Bank Compromise | 2017 | TW | 3 | 2 | KP | 21 | BAE Systems points at Lazarus in technical report, which it believes is controlled from DPRK.
NotPetya | 2017 | UA, RU, International | 5 | 2 | RU | 31, 11 | Ukraine blames Russia, so do UK and US, latter provides technical analyses; ESET tech report links it to TeleBot/BlackEnergy because of KillDisk malware used.
JadeRAT | 2017 | CN | 4 | 1 | CN | 31 | LookOut technical report traces Chinese phone numbers, also says state sponsor is likely, but two findings not necessarily connected.
Boyusec | 2017 | US | 3 | 1 | CN | 22 | Criminal charge of three individuals linked to a company, state attribution not mentioned
112

Master Thesis | K.M. van den Dool Public Private Other Operation Operation Attribution Public Public Cyber- Private Private Operation Year Target Type Journalism Leaks Other Note Target Type Target Official Unofficial security Official Unofficial

Belarus Government 2017 BY 1 1 CN 11 SecurList believes Targeted possible link with NetTraveler malware family (PRC) Attempted 2017 UK 1 1 IR 20 32 Undisclosed intelligence Compromise of UK report cited in The Times Parliament and Guardian. Unrelated experts commenting. US Electric 2017 US 3 1 KP 30 FireEye devices detected Companies Targeted and stopped spear phishing emails sent on Sept. 22, 2017, to U.S. electric companies by known cyber threat actors likely affiliated with the North Korean government Qatar News Agency 2017 QA 3 2 UAE 30 30 Qatar statement blames Compromised UAE based on WaPo article, which cites anonymous US officials. Bellingcat Targeted 2017 UK 4 1 RU 32 ThreatConnect technically attributes to Fancy Bear (APT28) / Cyberberkut, also identifies an individual name WannaCry 2017 Global 5 2 KP 30 20 11 Official public statements and intelligence communications blame DPRK, Symantec suggests strong links with Lazarus but steers clear from DPRK connection. Targeting of 2017 ET 4 1 ET 32 CitizenLab accuses Ethiopian Dissidents Ethiopian gvt with technical evidence Swiss Defense 2017 CH 1 1 RU 10 Swiss statement links Ministry Targeted attack to Turla malware, no evidence

113

Master Thesis | K.M. van den Dool Public Private Other Operation Operation Attribution Public Public Cyber- Private Private Operation Year Target Type Journalism Leaks Other Note Target Type Target Official Unofficial security Official Unofficial

IAAF Compromise 2017 IAAF 4 1 RU 10 IAAF blames Fancy Bear (APT28) in statement, no evidence US Senator Rubio 2017 US 4 1 RU 20 Rubio blames Russia in Campaign Targeted Senate hearing, no evidence Montenegro Phishing 2017 Mexico 1 1 RU 11 FireEye blames APT28 in Campaign media Danish Defense 2017 DK 2 1 RU 30 30 Defense minister blames Ministry Targeted APT28/RF based on public intel report (untraceable), which provides circumstantial evidence Czech MFA 2017 CZ 1 1 RU 30 Minister says must be a Compromised nation-state, but declines to attribute, another anonymous official says Russia is prime suspect. Macron Campaign 2017 FR 4 1 RU 10 11 TrendMicro says Hack PawnStorm was likely culprit, Macron Campaign did not blame anyone Italian MFA Targeted 2017 IT 1 1 RU 30 Anonymous officials tell Guardian Russia is suspect of attacks, no evidence. DragonFly 2.0 2017 US 3 1 RU 32 30 11 Symantec technical attribution report for DragonFly 2.0 is used by US govt to blame Russian govt and retaliate. US intel officials blame Russia in WaPo Attempted 2017 US 1 1 RU 20 Norwegian intel services Compromise of communicate to TV2 Norwegian Govt attacks are likely executed by APT29 which is a Russian actor

114

Master Thesis | K.M. van den Dool Public Private Other Operation Operation Attribution Public Public Cyber- Private Private Operation Year Target Type Journalism Leaks Other Note Target Type Target Official Unofficial security Official Unofficial

ViperRAT 2017 IL 2 1 Unknown 11 Only technical attribution by LookOut and Kaspersky, LookOut finds Arabic language Mexican Journalists 2017 MX 4 1 MX 31 NYT and CitizenLab and Civil Society reports blame Mexico Targeted including evidence Montenegro DDoS 2017 ME 1 2 RU 10 Official statement only mentions possibility of state-sponsor, no attribution Cryptocurrency 2017 KR 3 2 KP 31 Reports by Exchanges RecordedFuture,FireEye Compsomised and Kaspersky link the attacks to Lazarus/Bluenoroff (DPRK) Compromise of 2017 SG 2 1 Unknown 10 10 Official statement does Singaporean Ministry not mention attribution, of Defense officials in media hint at state sponsor, no attribution CloudHopper 2017 US 5 1 CN 21 PwC adn BAE Systems connect it to APT10 (China-based) in technical report ('highly likely') ChessMaster 2017 JP 5 1 CN 11 TrendMicro connects it to APT10/StonePanda/Men uPass. Chinese language in code. BugDrop 2017 UA, RU, SA, 5 1 RU 11 CyberX suspects AT nationstate involvement, does not mention which one Erebus 2017 Unknown 5 1 KP 11 Kaspersky connects to StarCruft Golden Time 2017 KR 4 1 KP 11 Cisco Talos connects it to Group 123, mentions Korean language

115

Master Thesis | K.M. van den Dool Public Private Other Operation Operation Attribution Public Public Cyber- Private Private Operation Year Target Type Journalism Leaks Other Note Target Type Target Official Unofficial security Official Unofficial

Evil New Year 2017 KR 4 1 KP 11 Cisco Talos connects it to Group 123, mentions Korean language AreYouHappy? 2017 KR 5 2 KP 11 Cisco Talos connects it to Group 123, mentions Korean language FreeMilk 2017 KR 3 1 KP 11 Cisco Talos connects it to Group 123, mentions Korean language North Korean Human 2017 KR 4 1 KP 11 Cisco Talos connects it to Rights Group 123, mentions Korean language KNF Wateringhole 2017 PL 1 1 KP 11 BAE connects to Lazarus Attack Wilted Tulip 2017 IL, SA, TR, 1 1 IR 21 TrendMicro and ClearSky US, DE, JO link it to CopyKitten, called 'iranian threat agent' by ClearSky Electric Powder 2017 IL 3 1 Unknown 11 Clearsky report. Potentially linked to GazaCybergang by McAfee Cobalt Kitty 2017 Unknown 3 1 CN 11 CybeReason report connects to OceanLotus Inexsmar 2017 Unknown 1 1 KR 11 Bitdefender connects to DarkHotel Groundbait 2017 UA 4 1 UA 21 ESET report says hackers likely operate from within UA borders, no mentioning of state involvement International Sports 2018 Internation 4 1 RU 11 Trend Mirco blamed Federations Targeted al Pawn Storm (APT28) Dark Caracal 2018 US, CA, DE, 5 1 LB 32 LookOut and EFF believe LB, FR the campaign is operated from a building belonging to the Lebanese general Security Directorate in Beirut. Evil New Year 2018 2018 KR 4 1 KP 11 Cisco Talos connects it to Group 123, mentions Korean language

116

Master Thesis | K.M. van den Dool Public Private Other Operation Operation Attribution Public Public Cyber- Private Private Operation Year Target Type Journalism Leaks Other Note Target Type Target Official Unofficial security Official Unofficial

Honeybee 2018 KR 4 1 KP 11 McAfee mentions Korean language TopHat 2018 PS 4 1 PS 21 PaloAlto identifies arabic language and connects it to DustySky, mentions likelihood attackers are from PS Tropic Trooper 2018 TW, PH, HK 5 1 Unknown 11 Tech reports

Olypmic Destroyer 2018 KR 4 2 RU 32 11 False flag operation. US Intel officials tell WaPo GRU was behind attacks. Technical reports still in the dark

117