Cyberattacks: Toward attribution beyond a reasonable doubt

Analysis by Cristina Posa – U.S. Department of Justice Attaché to the U.S. Embassy in Italy – published by Cyber Affairs

During the September 28, 2018 OSCE cybersecurity conference held in Rome as part of Italy’s presidency of the OSCE, a Russian representative criticized what he perceived to be an overly aggressive approach in the attribution of cyberattacks to Russia, claiming that some countries seem to be “ignoring the presumption of innocence, and designate a guilty party on the principle of ‘highly likely.’” But when it comes to the recent criminal indictments of Russian and other state-sponsored malicious cyber actors in the United States, his claims are just wrong. Although cybercrime, by its very nature, is shrouded in secrecy and anonymity, the U.S. Department of Justice has succeeded in bringing powerful and transparent criminal charges against private and state-sponsored actors alike, relying upon concrete evidence subject to rigorous analysis and evaluation, with the ultimate objective of proving the guilt of individual defendants beyond a reasonable doubt at a public trial.
Here I examine some of the investigative techniques used in just a few recent cases brought in the United States. This information comes directly from publicly-available indictments and criminal complaints, which means that the evidence has been evaluated by a grand jury or federal magistrate judge and found to demonstrate probable cause of guilt. “Probable cause” is a high burden of proof to meet, albeit not as stringent as the “proof beyond a reasonable doubt” required to demonstrate guilt at trial. But the Department of Justice’s manual for federal prosecutions directs that prosecutors should not seek indictment on charges that that prosecution cannot reasonably expect to prove beyond a reasonable doubt by legally sufficient and admissible evidence at trial. “Proof beyond a reasonable doubt” is not the same as 100 percent certainty, but it goes far beyond “highly likely.” Juries in the United States are instructed that although the prosecution need not prove the defendant’s guilt beyond all possible doubt, they must present evidence that excludes any reasonable doubt concerning a defendant’s guilt.
These U.S. criminal cases demonstrate that attributing cybercrimes to an individual person for purposes of criminal prosecution requires much more than technical malware analysis and the forensic examination of victim networks. Although such analysis is fundamental, it is rarely sufficient, on its own, to prove individual guilt. That extra step in the attribution puzzle almost always requires additional categories of evidence, such as information from online accounts, including email and social media profiles; tracking financial transactions, including cryptocurrency, used to pay for the infrastructure used to conduct the intrusions; and even old-fashioned confidential human source information. In other words, attribution beyond a reasonable doubt is possible, but it takes a highly sophisticated, multi-pronged investigative approach to unravel the highly sophisticated, multi-pronged cyberattacks that have created such destruction on a global scale over the past decade.

Social Media Evidence in North Korea Case

In June 2018, federal prosecutors in the Central District of California brought criminal charges against North Korean computer programmer Park Jin Hyok for participating in a wide-ranging, multi-year conspiracy to conduct computer intrusions and commit wire fraud on behalf of the government of North Korea. The conspiracy included the November 2014 cyberattack against Sony Pictures Entertainment and the spectacular $81 million cyber heist from Bangladesh Bank in February 2016, as well as other financial cyberattacks that resulted in over $1 billion in losses. The same actors were also responsible for authoring the “WannaCry 2.0” ransomware that was released in May 2017.
The 179-page criminal complaint is extraordinary in its level of detail and provides a guidebook for successful investigative and attribution techniques. It explains how, despite the diversity of targets, the attacks contained several signatures that eventually enabled U.S. investigators to attribute the attacks to North Korea generally and Park in particular. The intrusions were carried out using the same computers or digital devices, using the same accounts or overlapping sets of email or social media accounts, aliases, and cyber infrastructure, including the same IP addresses and proxy services. Detecting these signatures, however, was not simple; the evidence included not only the forensic analysis of victim computer networks and malware, but also information obtained by executing approximately 100 search warrants for approximately 1,000 email and social media accounts accessed by the subjects of the investigation, as well as approximately 85 formal requests for evidence to foreign countries.
The Park complaint makes clear that analysis of Internet accounts is critical to successful attribution for purposes of criminal prosecution. For example, the complaint describes how the “Brambul” worm used by the North Korean hackers crawled from computer to computer, trying to infect computers and then, if successful, relayed the credentials and victim host information necessary to gain access to the victim networks to certain “collector” email accounts hard-coded into the malware – many of which were Gmail accounts. Investigators also analyzed Facebook accounts used to propagate malware in the Sony attacks as well as the hyperlinks used to link to that malware, which were created by URL-shortening service such as the Google service The connections between the different Gmail, Microsoft, Facebook, LinkedIn and other Internet accounts and the various attacks charged by the Department of Justice create a dizzying but powerful web of evidence. Indeed, one email account used for criminal purposes also contained an email attaching Park’s resume, including his date of birth, and his photograph. Simply put, social media analysis cannot be separated from cyber forensic analysis when the objective is individual attribution beyond a reasonable doubt.

International Cooperation and Financial Analysis in Russian GRU Cases

In October 2018, federal prosecutors in the Western District of Pennsylvania announced charges against seven Russian military hackers of the Russian Main Intelligence Directorate (GRU) for a criminal hacking campaign that included the theft and public dissemination of private medical records of 250 athletes, including U.S. Olympic athletes. According to the indictment, the Russian hackers targeted the athletes and major anti-doping organizations in retaliation for a ban on Russian athletes due to Russia’s state sponsored doping program. They also targeted employees of the Westinghouse Electric Corporation, a nuclear energy company in Western Pennsylvania that supplies Ukraine with nuclear fuel, as well as an organization and laboratory investigating Russia’s alleged use of chemical weapons. They then released the data publicly, often in misleading ways, masquerading as the “Fancy Bears’ Hack Team” on the websites,, which were seized by the Department of Justice, and using social media accounts, as part of a misinformation campaign.
How were prosecutors in Pittsburgh and the FBI able to attribute these intrusions by name to members of a highly sophisticated Russian military intelligence agency? The 41-page indictment once again demonstrates that only an investigation conducted on a global scale can combat this global threat. American investigators worked with law enforcement partners and victims around the world to show how the defendants conducted the operation both via remote access techniques, including spear-phishing attacks, from an identified GRU Unit in Moscow, and by way of “close access” operations conducted by GRU members who traveled around the world to hack into nearby computers. The indictment describes in detail several “on-site” operations: in Rio De Janiero during and prior to the 2016 Olympic games, compromising the email account of an official of the U.S. Anti-Doping Agency; in Lausanne, Switzerland, stealing the login credentials of a Canadian antidoping official; and at The Hague in April 2018, in an attempt to hack into the networks of the Organisation for the Prohibition of Chemical Weapons (OPCW), which was investigating the use of chemical weapons in Syria and the March 2018 poisoning of a former GRU officer in the United Kingdom with a chemical nerve agent. These on-site operations often involved targeting Wi-Fi networks used by victim organizations or their personnel, including hotel Wi-Fi, in an effort to gain unauthorized access to the victims’ computer networks.
The categories of evidence described in the indictment are diverse and comprehensive, and taken together, result in much greater than a “highly likely” probability of attribution. In addition to the analysis of social media accounts to unmask fictitious online personae created by the defendants, the techniques used in this case included working with international partners to obtain information that identified the defendants traveling with Russian diplomatic passports and the physical surveillance of one defendant while conducting an on-site hacking operation at the OPCW. The U.S. investigators also followed the trail of cryptocurrency transactions used to pay for infrastructure used in the attacks and closely examined that infrastructure, including the identification of 38 common IP addresses used to attack the World and U.S. Anti-Doping Agencies and various phony domain names. Although all bitcoin transactions are publicly available through the Blockchain ledger, the conspirators attempted to hide their transaction history by purchasing infrastructure using hundreds of different email accounts, in some cases using a new account for each purchase. But the indictment describes how the conspirators also used several dedicated email accounts to track basic bitcoin transactions and to facilitate bitcoin payments to vendors. Indeed, the U.S. investigators identified one dedicated email account that was used to receive hundreds of bitcoin payment requests from approximately 100 different email accounts. The evidence regarding these dedicated email accounts was thus crucial to understanding the complicated web of transactions.
And like the North Korean investigation described above, this investigation also involved the examination of hyperlinks used in spear-phishing emails that had been shortened using URL-shortening service such as requires that users create an account in order to use its services, and the investigators found that the same account was used to create shortened URLs embedded in spear-phishing emails sent to both USADA and WADA employees. In addition, the prosecutors charged five counts of wire fraud against one individual defendant based on his sending five different malicious links all created by the same account to employees of Westinghouse Electric in western Pennsylvania. U.S. investigators used similar investigative techniques, including the analysis of URL-shortened links sent in spear-phishing emails to the campaign of Hillary Clinton, in the July 2018 indictment of 12 GRU officers on charges of hacking into the computers of U.S. persons and entities involved in the 2016 U.S. presidential election and releasing confidential information to interfere with that election.

The Human Factor

Finally, one of the least-reported but most common techniques used in cybercrime investigations, especially those involving private actors, involves the use of confidential human sources. Under United States law, law enforcement authorities may approach individuals before, during or after their arrest on criminal charges about cooperating in an undercover capacity. Such individuals, known as “confidential sources” or “cooperating witnesses” (after they have pleaded guilty to criminal charges and signed a cooperation agreement) may engage in closely-supervised, consensually-recorded communications with their co-conspirators and can provide an incomparable view into the operations of their criminal networks. The use of these sources can provide real-time information about attacks as they unfold and enable investigators to overcome the hurdle of encrypted communications. Incredibly, even the most sophisticated cybercriminals sometimes let down their guard and exchange personal information that results in direct identification of the subjects.
This very brief survey of recent U.S. criminal prosecutions undermines the notion that the United States is attributing cyberattacks based on mere guesswork or speculation. As DOJ Deputy Assistant Attorney General John Demers said in revealing the October charges against the seven Russian GRU officers, “the defendants believed that they could use their perceived anonymity to act with impunity, in their own countries and on territories of other sovereign nations, to undermine international institutions and to distract from their government’s own wrong-doing. They were wrong. Working together with our partners in nations that share our values, we can expose the truth for the world to see.”