When the APT1 report was published, the document was immensely detailed, down to the level of singling out the Chinese People’s Liberation Army cyber espionage group known as Unit 61398. A year later, the US Department of Justice effectively backed up the report when it indicted five officers from the unit on charges of hacking and stealing intellectual property from American companies.
“The APT1 report fundamentally changed the benefit-risk calculus of the attackers,” says Timo Steffens, a German cyber-espionage investigator and author of the book Attribution of Advanced Persistent Threats.
“Prior to that report, cyber-operations were regarded as almost risk-free tools,” he says. “The report not only came up with hypotheses, but it clearly and transparently documented the analysis methods and data sources. It was clear that this was not a one-off lucky finding, but that the tradecraft can be applied to other operations and attacks as well.”
The consequences of the headline-grabbing news were far-reaching. A wave of similar attributions followed and the United States accused China of systematic massive theft, leading to cybersecurity being a centerpiece of Chinese president Xi Jinping’s visit to the United States in 2015.
“Before the APT1 report, attribution was the elephant in the room that no one dared to mention,” says Steffens. “In my opinion it was not only a technical breakthrough, but also a bold achievement of the authors and their managers to go the final step and make the results public.”
It’s that final step that has been lacking, as intelligence officers are now well-versed in the technical side. To be able to attribute a cyberattack, intelligence analysts look at a range of data including the malware the hackers used, the infrastructure or computers they orchestrated to conduct the attack, intelligence and intercepted communications, and the question of cui bono — who stands to gain? — a geopolitical analysis of strategic motivation behind the attacks.
The more data, the easier attribution becomes as patterns emerge. Even the world’s best hackers make mistakes, leave behind clues, and reuse old tools that help make the case. There’s an ongoing arms race between analysts coming up with new ways to unmask hackers and the hackers aiming to cover their tracks.
But the speed of the attribution of the Russian attack showed that previous delays in naming names were not simply due to a lack of data or evidence. It was politics.
“It boils down to a matter of political will,” says Wilde, who worked at the White House until 2019. “For that you need decisive leadership at every level. My interactions with [Anne Neuberger] lead me to believe she’s the type that can move mountains and cut through red tape when needed to augur an outcome. That’s the person she is.”
Wilde argues that the potential Russian invasion of Ukraine and the risk to hundreds of thousands of lives is pushing the White House to act more quickly.
“The administration seems to have gathered that the best defense is a good pre-emptive offense to get ahead of these narratives, pre-bunking them, and inoculating the international audience whether it be the cyber intrusions or false flags and fake pretexts,” says Wilde.
Public attribution can have a very real impact on an adversary’s cyber-strategy. It can signal that they’re watched and understood, or can impose costs when operations are uncovered and tools must be burned to start anew. It can also trigger political action such as sanctions that go after the bank accounts of those responsible.
Just as important, Gavin argues, it’s a signal to the public that the government is closely tracking malicious cyber activity and working to fix it in a way that you can often go and read in public indictments or intelligence reports.
“It creates a credibility gap, particularly with the Russians and Chinese,” he says. “They can obfuscate all they want but the US government is putting it all out there, for public consumption, a forensic accounting of their time and efforts.”