I've always wondered how you can be so sure it's PRC in the age of easily being able to mask your true IP address. Perhaps the identified attacks have been previously linked with the PRC, or another option is that the actors were not as covert as they thought.

Like remember the indictment of 12 Russians (https://www.justice.gov/file/1080281/download)

The FBI linked a pool of bitcoins used to purchase a VPN service and other things to the Russians. Probably best to not use a crypto with a public ledger for criminal activity.




First of all, the IC works with estimative language, i.e. "with a high degree of confidence", which everyone understands what to make of and how it should inform policy (I know, policy is different from a criminal investigation).

To your question: Imagine tracking these threat actors for years (or decades). You have observed different TTPs (Techniques, Tactics & Procedures) from different actors; you see them operating in different ways and with different teams; you can observe the time when they are active; by their targeting you can make an educated guess what they're after; you can correlate their activity with policy changes in their presumed home countries; and lastly you can repeat those observations over and over again, since these threat actors are persistent and keep coming back because it's their job. If all these soft and passive observations already point to the same actor(s), and then you get some additional hard evidence on top (Opsec failures, HUMINT, SIGINT), you are eventually able to make a verdict with a high degree of confidence.
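One way to turn the "time when they are active" observation above into a repeatable check, as an added example that is not from this thread: given UTC timestamps of observed attacker activity (constructed sample data here), score every whole-hour UTC offset by how many events fall inside an assumed 09:00-18:00 local workday. The working-hour window and the sample timestamps are assumptions, not real observations.

```python
from datetime import datetime, timezone

# Constructed sample: UTC first-seen times of attacker logins or C2 beacons
# over three days. Not real data.
SAMPLE_EVENTS = [
    "2023-03-06T01:15:00Z", "2023-03-06T02:40:00Z", "2023-03-06T05:05:00Z",
    "2023-03-06T08:30:00Z", "2023-03-07T01:50:00Z", "2023-03-07T03:20:00Z",
    "2023-03-07T06:45:00Z", "2023-03-07T09:10:00Z", "2023-03-08T01:35:00Z",
    "2023-03-08T04:00:00Z", "2023-03-08T07:25:00Z", "2023-03-08T02:00:00Z",
]

# Assumed local working day, start inclusive, end exclusive.
WORK_START, WORK_END = 9, 18


def utc_hours(events):
    """Parse ISO-8601 UTC timestamps and return their UTC hour-of-day values."""
    hours = []
    for s in events:
        dt = datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        hours.append(dt.hour)
    return hours


def work_hour_fit(hours, offset):
    """Fraction of events that land in the working window at a given UTC offset."""
    in_window = sum(1 for h in hours if WORK_START <= (h + offset) % 24 < WORK_END)
    return in_window / len(hours)


def best_utc_offset(events):
    """Score each whole-hour offset UTC-12..UTC+14; return (offset, fit, runner_up_fit).

    Ties are broken toward the smaller absolute offset purely for determinism.
    """
    hours = utc_hours(events)
    scores = {off: work_hour_fit(hours, off) for off in range(-12, 15)}
    ranked = sorted(scores.items(), key=lambda kv: (-kv[1], abs(kv[0])))
    (best, fit), (_, second) = ranked[0], ranked[1]
    return best, fit, second


if __name__ == "__main__":
    off, fit, second = best_utc_offset(SAMPLE_EVENTS)
    print(f"best offset UTC{off:+d}: {fit:.2f} of events in work hours "
          f"(runner-up {second:.2f})")
```

Because neighbouring offsets always score almost as well, this narrows activity to a region rather than a country; it is exactly the kind of soft signal the comment says must be stacked with targeting, TTP overlap and hard evidence before any verdict.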


I think sometimes they just blame whoever suits the political narrative. The Chinese replaced the Russians as the boogeyman du jour a short while back, so of course they will now be blamed by default.


Same here. I remember once I was watching the news and they claimed a hack was done by Russians because they found Russian comments in the code. That didn't sound very convincing :). The ledger evidence sounds better.

At the same time, in this case I would be more surprised if the PRC, given their need for control, and since the stakes are extremely high, wasn't doing such things.


Similarly, I recall a strain of malware being attributed to Chinese hackers because variable names were in Chinese; then when you actually inspect the code, it's clearly Unicode gibberish generated by an obfuscator... That is to say, the hackers weren't even trying to be misleading, it was just a result of obfuscation reminiscent of mojibake. (I read the article on Ars Technica but don't remember enough details to find the article.)

If I ever code a hacking tool I'll throw in some Korean comments for sure.


Do keep in mind that intelligence services are probably not being fully transparent about how they know the source of an attack. They wouldn't want to reveal their methods, to avoid them becoming unreliable in the future.


Which makes it impossible to have an open, informed discussion on the subject.

Instead, you get tribalist arguments over who believes which secret police.


Do Spanish instead... represent!


Was googling to see if I could find a news article to back up my memory.

Instead I found an article on Wikileaks claiming CIA executed false flag hacking operations: https://theintercept.com/2017/03/08/wikileaks-files-show-the...


Which is another reason why attribution of cyber incidents is notoriously difficult.

The CIA is hardly the only organization to put misleading evidence in their attack path. Also, countries like China and Russia have healthy malware ecosystems so a Chinese-written malware can end up in the payload of a {North Korean, Russian, Iranian} cyber attack.

Personally, I'm starting to believe that the only way to have extremely high confidence in attributing an attack is to have surveillance of the person on the source keyboard when it happens or to have telecom evidence of people admitting what they did. Most of the actual attack is probably robotic at this point.


Exactly my friend, seems like it'd be trivial to leave misleading clues.


An IP address is merely one of thousands of ways that you could identify the source of network traffic.


Would you be willing to share some good resources for identifying network traffic beyond IP? I have seen things in my Little Snitch logs I wonder about but no real recourse.


And I'm guessing most of the time the "thousands of ways" don't all point in the same direction.


>Perhaps the identified attacks have been previously linked with the PRC

I'm sure the PRC has used password spraying before, the only detail mentioned. That's about as easily forged as the IP address though.


Should have used Monero

