Is Fancy Bear really behind the World Anti-Doping Agency and DNC hacks?

Russian hackers are in the news once again. This time the Fancy Bear hacking group supposedly hacked into the World Anti-Doping Agency and released medical information this week on U.S. Olympic athletes, including gymnast Simone Biles and tennis stars Venus and Serena Williams. That’s according to a statement from the World Anti-Doping Agency, which sets and oversees anti-doping policies for sports organizations across the world.

This isn’t the first headline-making hack attributed to Fancy Bear. The group, which has ties to the Russian government, made news in June when cyber-security analysts blamed it for the attack against the Democratic National Committee. The group is also allegedly behind a 2015 hack against French television network TV5 Monde.

Attack attribution is a futile pursuit...

Wanting to blame someone for a crime or a major violation of privacy is natural. If you know who’s behind a hack, they can be brought to justice. But after the incident response firm you’ve hired identifies the nation behind an attack, what can really be done? Your organization can’t call the police and press charges against China. Ultimately, attack attribution does little to benefit enterprise security or help companies fight sophisticated adversaries.

While the U.S. government can investigate a security incident that attracts international attention, like the Sony hack, or has political ramifications, like the DNC data breach, this ultimately doesn’t accomplish much in terms of keeping companies safe. Maybe the organization that was hacked has a better understanding of how adversaries infiltrated its network, but how can justice be dispensed against a nation-state?

Some may argue that attributing an attack to a nation can lead to sanctions against that country. These political steps may work. But for private organizations that have been hacked, this does little to help their security teams learn more about the enemy.

What remains unclear is why a group linked to Russia would hack a U.S. political group and an international anti-doping organization. The argument that they’re trying to send a message doesn’t completely make sense. If the Russian government wanted to convey a point to its U.S. counterparts, there are diplomatic channels that are far more effective at achieving that objective.

… and isn’t always right

And, of course, we’re assuming that the attack attribution is accurate. Hackers use several tactics to disguise their activities and deceive security analysts. They could launch a DDoS attack and bury Russian characters in each attack packet, giving the appearance that Russians are behind the incident. But what if the North Koreans added the Russian characters to throw off analysts? Or what if these are criminal groups pretending to be a nation state?

The same goes for foreign languages appearing in the code of malware. Sure, Chinese characters could indicate that China had a hand in developing the program, but what if the U.S. government included the Chinese characters in an effort to frame the country? Attackers could also break into insecure servers in a country and launch an attack from them, giving the appearance that the campaign originated in that nation.

And what if a hacking group was looking to incriminate another hacking organization? Accomplishing this is pretty easy. Hackers could implant attack elements used by the other hacking group into their campaign. Then when forensic analysis revealed these elements, the blame would be placed on the group that uses these tactics, not the one that actually carried out the attack.
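The three indicators the preceding paragraphs describe (the script of strings embedded in a sample, the country of the source address, and overlap with another group’s known techniques) are all under the attacker’s control. The script below is an added illustration, not code from the original article or from Cybereason: it implements a deliberately naive attribution scorer over those three indicators and then shows that a sample forged to carry another group’s fingerprints scores exactly like a genuine one. Every group name, address range, technique label and decoy string in it is constructed for the example and corresponds to no real actor.

```python
"""Why embedded-language strings, source IPs and reused tooling are weak attribution evidence.

Added illustration (not from the original article). GROUP_A, GROUP_B, the address
ranges (RFC 5737 documentation space) and the technique labels are all constructed.
"""
from __future__ import annotations

import ipaddress
import unicodedata
from collections import Counter
from dataclasses import dataclass, field

# Constructed "threat intel": what a naive analyst believes about two fictional groups.
KNOWN_GROUPS = {
    "GROUP_A": {"script": "CYRILLIC", "networks": ["198.51.100.0/24"],
                "ttps": {"spearphish-docx", "dll-sideload", "dns-tunnel"}},
    "GROUP_B": {"script": "CJK", "networks": ["203.0.113.0/24"],
                "ttps": {"watering-hole", "webshell", "rdp-lateral"}},
}

# Decoy strings an attacker can embed to imitate a target group's "native language".
DECOY_STRINGS = {"CYRILLIC": "Ошибка загрузки файла", "CJK": "文件加载错误"}


@dataclass
class Sample:
    binary: bytes                              # malware body, with whatever strings it carries
    source_ip: str                             # address the attack traffic arrived from
    ttps: set = field(default_factory=set)     # techniques observed during the intrusion


def script_profile(blob: bytes) -> Counter:
    """Count the Unicode scripts (LATIN, CYRILLIC, CJK, ...) of letters in UTF-8 text inside a blob."""
    counts: Counter = Counter()
    for ch in blob.decode("utf-8", errors="ignore"):
        if ch.isalpha():
            counts[unicodedata.name(ch, "UNKNOWN").split()[0]] += 1
    return counts


def naive_attribute(sample: Sample) -> tuple[str, dict]:
    """Score each known group on the three indicators; return the best group and its 'evidence'."""
    profile = script_profile(sample.binary)
    dominant = profile.most_common(1)[0][0] if profile else None
    addr = ipaddress.ip_address(sample.source_ip)
    best, best_score, evidence = "UNKNOWN", 0, {}
    for name, g in KNOWN_GROUPS.items():
        score, ev = 0, {}
        if dominant == g["script"]:                       # indicator 1: language of embedded strings
            score, ev["strings"] = score + 1, dominant
        if any(addr in ipaddress.ip_network(n) for n in g["networks"]):   # indicator 2: source address
            score, ev["source_ip"] = score + 1, sample.source_ip
        overlap = sample.ttps & g["ttps"]                  # indicator 3: reused techniques
        if len(overlap) >= 2:
            score, ev["ttps"] = score + 1, sorted(overlap)
        if score > best_score:
            best, best_score, evidence = name, score, ev
    return best, evidence


def forge_sample(target: str, real_payload: bytes, relay_ip: str) -> Sample:
    """Build a sample carrying the target group's fingerprints on top of an unrelated payload.

    Embedding strings in the target's script costs nothing, traffic can be relayed through a
    compromised host in the target's address space (relay_ip), and the target's documented
    techniques can be copied from public reporting.
    """
    g = KNOWN_GROUPS[target]
    decoy = DECOY_STRINGS[g["script"]].encode("utf-8")
    return Sample(binary=real_payload + b"\x00" + decoy + b"\x00",
                  source_ip=relay_ip, ttps=set(g["ttps"]))


if __name__ == "__main__":
    # Constructed "genuine" GROUP_A sample: Cyrillic error string, GROUP_A address space, two GROUP_A techniques.
    genuine = Sample(b"MZ\x90\x00" + DECOY_STRINGS["CYRILLIC"].encode("utf-8"),
                     "198.51.100.10", {"spearphish-docx", "dll-sideload"})
    # Forged by someone else entirely: opaque payload, relayed through a box in GROUP_A's range.
    forged = forge_sample("GROUP_A", b"MZ\x90\x00" + bytes(range(0x80, 0x90)), "198.51.100.77")
    print("genuine ->", naive_attribute(genuine))
    print("forged  ->", naive_attribute(forged))
```

Both samples come back as GROUP_A with full "evidence" on all three indicators, which is the point: a forensic finding of Cyrillic strings, a Russian-hosted source address and a familiar tool chain tells you what the attacker wanted you to find, not who the attacker was. Attribution that rests on these indicators alone should be treated as a hypothesis, not a conclusion.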

Attack attribution is a losing game for enterprise security

I’m not trying to promote conspiracy theories, but that’s what attack attribution can cause, and that’s part of the problem with guessing who’s behind the hack. Playing detective slows down the process of figuring out how adversaries infiltrated a company and how to prevent a breach from happening again. Instead, time and money are wasted guessing whether Russia or China was behind the attack. Meanwhile, the vulnerabilities remain and the company is still susceptible to another hack. It’s time for the security community to realize that attack attribution is a losing game.

Lior Div is the CEO of Cybereason. 

About the Author


Lior Div, CEO and co-founder of Cybereason, began his career and later served as a Commander in the famed Unit 8200. His team conducted nation-state offensive operations with a 100% success rate for penetration of targets. He is a renowned expert in hacking operations, forensics, reverse engineering, malware analysis, cryptography and evasion. Lior has a very unique perspective on the most advanced attack techniques and how to leverage that knowledge to gain an advantage over the adversary. This perspective was key to developing an operation-centric approach to defending against the most advanced attacks and represents the direction security operations must take to ensure a future-ready defense posture.
