When the APT1 report was published, the document was immensely detailed, even singling out the Chinese People’s Liberation Army cyber-espionage group known as Unit 61398. A year later, the US Department of Justice effectively backed up the report when it indicted five officers from the unit on charges of hacking and stealing intellectual property from American companies.
“The APT1 report fundamentally changed the benefit-risk calculus of the attackers,” says Timo Steffens, a German cyber-espionage investigator and author of the book Attribution of Advanced Persistent Threats.
“Prior to that report, cyber operations were regarded as almost risk-free tools,” he says. “The report not only came up with hypotheses but clearly and transparently documented the analysis methods and data sources. It was clear that this was not a one-off lucky finding, but that the tradecraft can be applied to other operations and attacks as well.”
The consequences of the headline-grabbing news were far reaching. A wave of similar attributions followed, and the United States accused China of systematic massive theft. As a result, cybersecurity was a centerpiece of Chinese president Xi Jinping’s visit to the United States in 2015.
“Before the APT1 report, attribution was the elephant in the room that no one dared to mention,” says Steffens. “In my opinion it was not only a technical breakthrough, but also a bold achievement of the authors and their managers to go the final step and make the results public.”
It’s that final step that has been lacking, as intelligence officers are now well versed in the technical side. To attribute a cyberattack, intelligence analysts look at a range of data including the malware the hackers used, the infrastructure or computers they orchestrated to conduct the attack, intelligence and intercepted communications, and the question of cui bono (who stands to gain?)—a geopolitical analysis of strategic motivation behind the attacks.
The more data that can be examined, the easier attribution becomes, because patterns emerge. Even the world’s best hackers make mistakes, leave behind clues, and reuse old tools that help make the case. There’s an ongoing arms race between analysts coming up with new ways to unmask hackers and the hackers aiming to cover their tracks.
But the speed with which the Russian attack was attributed showed that previous delays in naming names were not simply due to a lack of data or evidence. The issue was politics.
“It boils down to a matter of political will,” says Wilde, who worked at the White House until 2019. “For that you need decisive leadership at every level. My interactions with [Anne Neuberger] lead me to believe she’s the type that can move mountains and cut through red tape when needed to augur an outcome. That’s the person she is.”
Wilde argues that the potential Russian invasion of Ukraine, which risks hundreds of thousands of lives, is pushing the White House to act more quickly.
“The administration seems to have gathered that the best defense is a good preemptive offense to get ahead of these narratives, ‘pre-bunking’ them and inoculating the international audience, whether it be the cyber intrusions or false flags and fake pretexts,” says Wilde.
Public attribution can have a very real impact on adversaries’ cyber strategy. It can signal that they’re being watched and understood, and it can impose costs when operations are uncovered and tools must be burned to start anew. It can also trigger political action such as sanctions that go after the bank accounts of those responsible.
Just as important, Gavin argues, it’s a signal to the public that the government is closely tracking malicious cyber activity and working to fix it.
“It creates a credibility gap, particularly with the Russians and Chinese,” he says. “They can obfuscate all they want, but the US government is putting it all out there for public consumption—a forensic accounting of their time and efforts.”