What is Misattribution – Part 4: Misattribution Challenges
If you read the first blogs of this series, you know what misattribution is (Part 1), why it’s important, and the various technical (Part 2) and non-technical (Part 3) elements that go into it. You know when to manage your attribution, why that’s often a better choice than being anonymous, and some kinds of tools available to help you. Now, users need only put misattribution into practice. Easy, right? Not so much. Misattribution is profoundly difficult. There is only a single path to maintaining a false identity in the face of a sophisticated and determined opponent. However, operators will face an almost infinite number of misattribution challenges when coordinating missions.
Listen to the Ntrepid Cast podcast on this topic.
Misattribution Challenges: Why Operations Fail
Operational security (OPSEC) failures create misattribution challenges, and lead to mission downfalls. A common OPSEC mistake is an operator leaking their true IP address by simply forgetting to turn on their VPN. Reusing accounts, account names, or other identifiers also leads to the downfall of many operations.
How rigorous OPSEC needs to be depends on the sophistication, resources, and paranoia of the opponents. If they have few technical skills, are just another user on a service, and are not looking for false identities, then an operator may be able to get away with less-than-perfect masking and practices. If the opponent has a cadre of programmers and analysts, access (legal or illegal) to data and services, and the money and will to do whatever it takes, then there is absolutely no room for error.
Even non-opponents can cause trouble for misattribution operations. Recent attention focused on the issue of “fake accounts,” leading service providers to shut down many accounts associated with alias identities. Service providers want to prevent the “abuse” of their services. Through this “cleaning” process, providers will sweep up alias identities in purges, unless users ensure their profiles look normal.
There are many ways that opponents can get non-public information about false identities. In some cases, they may be able to apply legal process to compel the production of information. Alternatively, they can extract information with threats, lies, or other forms of social engineering. Finally, they may be able to access the information through hacking or employ an insider with access to it.
Mission Failures: Criminal Downfalls
Many criminals have exposed themselves due to misattribution failures. For several years, Ross Ulbricht (aka Dread Pirate Roberts) ran an illegal marketplace on the dark web called Silk Road. Investigators discovered Ulbricht’s identity due to a combination of reusing accounts and identifiers that linked his real life and his Dread Pirate Roberts identity. Additionally, he made several mistakes very early on in the use of the identity, far before the Silk Road was big or important. Regardless of the present threat, users will need to prepare to face scrutiny from sophisticated and resourced opponents.
Hector Monsegur (aka Sabu) was a hacker and one of the leaders of the hacktivist group LulzSec. Law enforcement caught Monsegur because he revealed his real IP address by communicating on a public channel; he failed to first enable his VPN. Once he unveiled his IP, a call to the ISP quickly revealed his true name and home address.
The Russian hackers who hacked the Democratic National Committee in 2016 made all the mistakes. There is significant evidence that they were not Russia’s A-Team of operators. On at least one occasion, they failed to use a VPN. In doing so, they revealed their real IP address, which was associated with a Russian intelligence agency building in Moscow. They used common accounts to purchase infrastructure for different identities that were supposed to be separate from each other. They also used cryptocurrency from a common source to pay for that infrastructure. Additionally, their Romanian identity did not convincingly write like a native Romanian speaker—instead, he had patterns characteristic of a Russian speaker. The FBI indictment of the hackers shows that these mistakes allowed the investigators to have almost total visibility into the identities of the operators and all the details of their activities.
Can Operators Address These Misattribution Challenges?
Solving misattribution challenges in the face of sophisticated and resourced opponents takes tremendous effort. Both the technical and non-technical misattribution must be flawless and executed with perfect OPSEC. Appropriate tools and systems can make the task much simpler and can completely prevent many types of errors, but human action will always play a big role. Careful threat modeling of all operations will clarify what aspects of misattribution will be required and the impacts of any possible failures.