What is Misattribution – Part 4: Misattribution Challenges


If you read the first posts in this series, you know what misattribution is (Part 1), why it matters, and the technical (Part 2) and non-technical (Part 3) elements that go into it. You know when to manage your attribution, why that is often a better choice than trying to be anonymous, and some of the kinds of tools available to help. Now operators need only put misattribution into practice. Easy, right? Not so much. Misattribution is profoundly difficult. There is only one path to maintaining a false identity in the face of a sophisticated and determined opponent: get everything right, every time. Against that single path to success, an operator running a mission faces an almost unlimited number of ways to fail.

Listen to the Ntrepid Cast podcast on this topic.

Misattribution Challenges: Why Operations Fail

Operational security (OPSEC) failures create misattribution challenges and bring missions down. A common OPSEC mistake is an operator leaking their true IP address by simply forgetting to turn on their VPN. The practical countermeasure is a fail-closed setup: route the operational workstation only through the misattribution infrastructure, so that if the tunnel is down nothing reaches the target at all, rather than traffic quietly leaving from the true address. Reusing accounts, account names, or other identifiers across personas is the other classic failure and has ended many operations.

How rigorous OPSEC needs to be depends on the sophistication, resources, and paranoia of the opponents. If they have few technical skills, are just another user on a service, and are not looking for false identities, then an operator may be able to get away with less-than-perfect masking and practices. If the opponent has a cadre of programmers and analysts, access (legal or illegal) to data and services, and the money and will to do whatever it takes, then there is absolutely no room for error.

Even parties that are not opponents can cause trouble for misattribution operations. Recent attention to "fake accounts" has led service providers to shut down many accounts associated with alias identities. Providers want to prevent what they see as abuse of their services, and their cleanup purges do not distinguish an operator's alias from a spammer's. Unless an alias profile looks and behaves like a normal account, it will be swept up along with everything else.

There are many ways that opponents can get non-public information about false identities. In some cases, they may be able to apply legal process to compel the production of information. Alternatively, they can extract information with threats, lies, or other forms of social engineering. Finally, they may be able to access the information through hacking or employ an insider with access to it.

Mission Failures: Criminal Downfalls

Many criminals have exposed themselves through misattribution failures. For several years, Ross Ulbricht (aka Dread Pirate Roberts) ran an illegal marketplace on the dark web called Silk Road. Investigators discovered Ulbricht's identity through a combination of reused accounts and identifiers that linked his real life to his Dread Pirate Roberts persona. Several of those mistakes were made very early in the life of the identity, long before Silk Road was big or important. The lesson is that early mistakes persist: however low the threat seems at the time, an operator must assume the identity will eventually face scrutiny from sophisticated and well-resourced opponents.

Hector Monsegur (aka Sabu) was a hacker and one of the leaders of the hacktivist group LulzSec. Law enforcement caught Monsegur because he revealed his real IP address by communicating on a public channel without first enabling his VPN. Once the IP was exposed, a call to the ISP quickly produced his true name and home address.

The Russian hackers who compromised the Democratic National Committee in 2016 made nearly every mistake in the book. There is significant evidence that they were not Russia's A-Team of operators. On at least one occasion they failed to use a VPN and revealed their real IP address, which was associated with a Russian intelligence agency building in Moscow. They used common accounts to purchase infrastructure for identities that were supposed to be separate from each other, and they paid for that infrastructure with cryptocurrency from a common source. Their Romanian persona also did not write convincingly like a native Romanian speaker; instead, the writing showed patterns characteristic of a Russian speaker. The FBI indictment of the hackers shows that these mistakes gave investigators almost total visibility into the identities of the operators and the details of their activities.
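The Silk Road and DNC cases above, and the identifier reuse described under OPSEC failures, come down to the same analytic move: an investigator pivots on any identifier two personas have in common (a shared account, a payment source, an IP address) and collapses them into one cluster, then checks whether any persona was ever seen from the operator's real network. The script below is an added example, not code from Ntrepid or from this post, of that linkage analysis run as a self-audit before personas are deployed. The persona names, identifiers, addresses and the "true network" range are constructed for illustration; the identifier kinds are a subset of what a real audit would collect.

```python
"""Cross-persona linkage self-audit (added example, constructed data)."""
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

Identifier = Tuple[str, str]  # (kind, value), e.g. ("wallet", "wallet-1")

# Constructed sample: four personas that are supposed to be unrelated,
# with the identifiers each one has used. None of these are real.
PERSONAS: Dict[str, Set[Identifier]] = {
    "persona_A": {("email", "a.smith@example.test"), ("username", "asmith"),
                  ("wallet", "wallet-1"), ("ip", "203.0.113.10")},
    "persona_B": {("email", "b.jones@example.test"), ("username", "bjones"),
                  ("wallet", "wallet-1"), ("ip", "198.51.100.7")},
    "persona_C": {("email", "c.lee@example.test"), ("username", "clee"),
                  ("wallet", "wallet-2"), ("ip", "203.0.113.10")},
    "persona_D": {("email", "d.kim@example.test"), ("username", "dkim"),
                  ("wallet", "wallet-3"), ("ip", "192.0.2.44")},
}

# Constructed: the operator's real egress range, which must never appear
# in any persona's history (the "forgot to turn on the VPN" failure).
TRUE_NETWORKS: List[str] = ["192.0.2.0/24"]


class DisjointSet:
    """Minimal union-find for grouping personas that share an identifier."""

    def __init__(self, items: Iterable[str]) -> None:
        self.parent = {item: item for item in items}

    def find(self, x: str) -> str:
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a: str, b: str) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def link_personas(personas: Dict[str, Set[Identifier]]):
    """Cluster personas on shared identifiers.

    Returns (clusters, evidence): clusters is a sorted list of sorted
    persona-name lists, one per connected group; evidence lists every
    (persona_x, persona_y, kind, value) pair that joined two personas.
    """
    owners: Dict[Identifier, List[str]] = defaultdict(list)
    for name, idents in personas.items():
        for ident in idents:
            owners[ident].append(name)

    ds = DisjointSet(personas)
    evidence = []
    for (kind, value), names in owners.items():
        names = sorted(names)
        # Every pair sharing this identifier is linked; record why.
        for i in range(len(names)):
            for j in range(i + 1, len(names)):
                ds.union(names[i], names[j])
                evidence.append((names[i], names[j], kind, value))

    groups: Dict[str, List[str]] = defaultdict(list)
    for name in personas:
        groups[ds.find(name)].append(name)
    clusters = sorted(sorted(g) for g in groups.values())
    return clusters, sorted(evidence)


def linkage_failures(personas: Dict[str, Set[Identifier]]) -> List[List[str]]:
    """Clusters with more than one persona: identities an analyst can merge."""
    clusters, _ = link_personas(personas)
    return [c for c in clusters if len(c) > 1]


def exposed_true_ips(personas: Dict[str, Set[Identifier]],
                     true_networks: List[str]) -> List[Tuple[str, str]]:
    """Persona/IP pairs where a persona was seen from the operator's real network."""
    nets = [ipaddress.ip_network(n) for n in true_networks]
    hits = []
    for name, idents in personas.items():
        for kind, value in idents:
            if kind == "ip" and any(ipaddress.ip_address(value) in n for n in nets):
                hits.append((name, value))
    return sorted(hits)


if __name__ == "__main__":
    _, evidence = link_personas(PERSONAS)
    for cluster in linkage_failures(PERSONAS):
        print("LINKED:", ", ".join(cluster))
    for x, y, kind, value in evidence:
        print("  via %s=%s: %s <-> %s" % (kind, value, x, y))
    for name, ip in exposed_true_ips(PERSONAS, TRUE_NETWORKS):
        print("TRUE IP EXPOSED:", name, ip)
```

With the constructed data, persona_A and persona_B share a payment wallet and persona_A and persona_C share an IP address, so all three collapse into one cluster even though B and C never touched a common identifier directly; that transitive collapse is exactly what the DNC indictment describes. persona_D is unlinked but was seen from the true network, which is the Sabu failure. A real audit would add more identifier kinds (phone numbers, device fingerprints, browser profiles, registrar accounts) to the same structure.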

Can Operators Address These Misattribution Challenges?

Solving misattribution challenges in the face of sophisticated and resourced opponents takes tremendous effort. Both the technical and the non-technical sides of misattribution must be flawless and executed with perfect OPSEC. Appropriate tools and systems make the task much simpler and can completely prevent whole classes of error, such as traffic leaving from the wrong address, but human action will always play a big role. Careful threat modeling of every operation will clarify which aspects of misattribution are required and what the impact of any failure would be.