Direkt zum Seiteninhalt springen

The Attribution Dividend: Protecting Critical Infrastructure from Cyber Attacks

SWP Comment 2024/C 46, 09.10.2024, 8 Seiten

doi:10.18449/2024C46

Forschungsgebiete

International law and voluntary norms have not effectively prevented state, proxy, or other criminals from malicious and harmful behaviour in cyberspace. Geopolitical confrontation and tension beyond cyberspace with major threat actors have largely exhausted sanctions. Faced with threats that prove difficult to deter, the European Union (EU), its Member States, and international partners need to refocus their atten­tion on creating friction for malicious activity and increasing the costs of adversary operations. Through their contributions to resilience, forensic capabilities and inter­national cooperation on technical investigations offer practical opportunities to blunt the tools of adversaries. By coordinating technical, political, and legal attribution at the EU level, Member States could reinforce a victim-oriented approach to cyber diplomacy.

Pipeline ruptures in the Baltic Sea, cut data cables, and disruptions of satellite communications are raising questions in European capitals about how to respond to suspected attacks against critical infrastructure. Ad­dressing incidents affecting Germany and at least six other member states, NATO allies in early May called attention to the scope of detected Russian efforts to destabilize sup­porters of Ukraine. Moscow’s documented hybrid activities have ranged from influ­ence campaigns, air traffic signal jamming, and violent intimidation and assassination attempts against regime critics to acts of sabotage, including through cyber-enabled means. To strengthen capabilities to pre­pare and assist Member States in countering these threats, in late May 2024 the Council of the EU agreed on a first framework to set up EU Hybrid Rapid Response Teams. Deploying such mechanisms effectively in the EU, however, depends on a shared understanding among Member States of threat actors and their capabilities. For cyber-enabled sabotage, the practices for analyzing the tactics, techniques, and pro­cedures of threat actors as well as the trade-offs involved in publicly attributing mali­cious activity have been tested and evolved over more than a decade against the back­drop of Russia’s attempts to subvert Ukraine’s election systems and electric grid following Russia’s invasion of Crimea in 2014.

In comparison to other types of cyber operations, sabotage missions designed to destroy data or cause operational disruptions have been a focus of public attribution efforts. Practical differences, such as the visible effects of a successful sabotage, may contribute to public pressure to ad­dress these operations and a higher attribu­tion ratio. By their design, sabotage attempts seek to manipulate targeted systems to cause a specific disruptive effect. Concerns in this regard have focused, for example, on the opening of circuit breakers in substations to cut off electricity or the altering of chemicals used in water treatment plants to levels dangerous to health. Such physical consequences can make it easier for inves­tigations to identify initial effects and likely strategic intentions that attribution state­ments can address.

Espionage operations, in contrast, tend to develop their value through cumulative effects. This can be accomplished either through depth, by maintaining access to target environments for prolonged periods of time, or breadth, through intrusions across certain sectors. This campaigning approach requires a similarly sustained effort to attribution, that assembles and connects the pieces of this puzzle. Attribut­ing sabotage operations targeting critical infrastructure is part of a larger effort to assert UN-level agreements about respon­sible behaviour in cyberspace. The cred­ibility of the red line these agreements established for the protection of critical national infrastructure in times of peace depends on whether norm violations are identified and perpetrators are held accountable. A notable trend has been the extension of the attribution pattern from state-sponsored disruptive operations to espionage operations that are conducted to prepare for sabotage. Attribution efforts have also expanded to criminal groups that seek to hold critical infrastructure at risk for financial gain. In line with shifts in the threat landscape, this has led to a surge in the attribution of malicious cyber activity.

Flashpoint critical infrastructure

To assess threats against critical infrastructure, a fundamental distinction is necessary. Network environments of many essen­tial service providers, such as power plants or water treatment facilities, contain both IT and operational technology (OT) com­ponents. While IT networks are used for administrative tasks, such as to send emails or issue invoices, OT sustains the actual operations of critical infrastructure. Central within OT are industrial control systems (ICS), which manage processes that, for example, clean water, distribute electricity, or direct traffic. The vast majority of intru­sions affecting critical infrastructure do not reach OT components. However, as IT and OT networks converge, disruptions of IT appliances can develop cascading effects. For instance, Colonial Pipeline shut down its distribution of gas and jet fuel after the Russian ransomware group DarkSide en­crypted its billing system in May 2021. This decision by the largest United States (US) transport pipeline operator out of an abun­dance of caution led to temporary supply shortages at US East Coast gas stations.

In contrast, ICS specific malware that directly targets OT remains rare. To date, only nine cases have been publicly tracked. Instances of destructive effects against OT through cyber capabilities are rarer yet. Increasingly, OT systems that were devel­oped for operations in isolated networks are brought online, as part of digitalisation efforts to assist with remote maintenance. These connectivity initiatives change the threat model of critical infrastructure opera­tors and can lead to new vulnerabilities. OT components and protocols that are legacies from air-gapped operations were not designed for the potential exposure intro­duced with deployment adjacent to IT net­works. Digital transformation of industries needs to take into account how such in­creases in OT connectivity can be secured.

Driver 1: Russian efforts to erode support for Ukraine

Russia’s use of cyber operations has become a central component of its broader strategy to weaken international support for Ukraine. These threats, however, are not solely orchestrated by the Kremlin. Various hack­tivists with suspected links to state entities in Russia, such as the Cyber Army of Russia Reborn (CARR), operate with varying degrees of autonomy. The involvement of these groups poses a significant risk of inadvertent escalation, as highlighted by repeated warnings from the United King­dom’s (UK) Government Communications Headquarters in 2023 and 2024.

The sophistication of these threat actors remains limited, as demonstrated by the US imposition of sanctions on July 19th, 2024, against two prominent CARR mem­bers. While these actors may not possess advanced capabilities, the US government has designated their activities as a “significant threat to the national security, foreign policy, or economic health or financial stability” under Executive Order 13694. This classification is less a judgment about the technical prowess of the hackers and more about the vulnerabilities within the targeted organisations, particularly those in critical infrastructure sectors. National Secu­rity Advisor Jake Sullivan and the Environmental Protection Agency have both called for enhanced support for local utilities, emphasizing that strengthening resilience must be a key component of the defence strategy.

Driver 2: Chinese preparations for a geopolitical contingency

The strategic intent behind cyber operations targeting sensitive networks is diffi­cult to assess through technical means alone. This is particularly true when the objective is to establish access for potential future disruptions without observable actions in the present to that end. In May 2023, US intelligence disclosed a series of stealthy intrusions affecting sensitive tele­communication networks that it linked to Volt Typhoon, a group with suspected links to the Chinese state. US intelligence assess­ments have concluded that the detected activities differ fundamentally from pre­vious espionage operations. This distinction is based on the nature of the intrusions, which is aligned more with preparations for potential offensive actions rather than mere intelligence gathering.

A beachhead for sabotage?

Volt Typhoon is a new but highly sophisticated Advanced Persistent Threat actor, attributed to China, focusing on espionage and network dis­covery. It has been active since mid-2021, primarily targeting critical infrastructure. Microsoft first dis­closed Volt Typhoon’s activity on May 24th, 2023, in a report published alongside a joint advisory by the US and the cybersecurity agencies of Five Eyes partner countries. The observed behaviour suggests that the threat actor is attempting to maintain ac­cess for as long as possible without being detected, using living-off-the-land techniques. Microsoft states with moderate confidence that the analysed activity is already at a form of developing the capabilities to disrupt infrastructure in the future (prepositioning). Notable activities include the successful infiltration of US communication infrastructure in the Pacific region in 2021 that would be critical to US logistics in an armed confrontation with China.
Author: Erik Kellenter, SWP.

Driver 3: Cybercrime as emerging national security threat

The rise of ransomware attacks targeting critical infrastructure with low disruption tolerance, particularly in the healthcare sector, represents a new dimension of national security threats posed by criminal actors. Over the past 12 months, ransomware attacks on hospitals have surged, plac­ing the healthcare sector among the most targeted industries. To speed up recovery and prevent the leak of sensitive health data, the US-based drug distribution com­pany Cencora, for example, agreed to pay a ransomware group $75 million, the highest publicly recorded sum to date. This trend marks a significant shift. Ransomware groups previously had been reluctant to target organisations in the healthcare sector out of concern of attracting law enforcement attention. Another ransomware attack in June caused delays in blood processing in London, forcing the city to limit blood trans­fusions. Such incidents underscore the potentially disastrous impact of ransom­ware on essential services, including the delivery of care.

The threat posed by criminal cyber actors has been recognized at the highest levels of government. The European Commission’s new Political Guidelines include a commit­ment to develop an action plan within the first 100 days in office to address this esca­lating threat. Additionally, the EU’s deci­sion to sanction criminal actors for the first time in June 2024 reflects an increasing concern over the impact of these threats on critical national infrastructure and the limitations of traditional law enforcement tools in mitigating these risks.

Returns from technical attribution

While the immediate purpose of attribution is to establish responsibility, its under­lying objective, as Jason Healey elaborated, is to enable an understanding of malicious activity that can put a stop to it. Efforts in this direction are typically categorized according to three lines of action: technical, political, and legal. At the foundation, forensic investigations aim to determine the tools, tactics, techniques, and procedures (TTPs) employed in an operation and trace the systems and networks through which it was conducted. Such technical assessments link this information to an intrusion set to compare and find matches across other operations. This allows observations of how threat actor behaviour evolves over time. Although the initial focus is on reconstructing the breach, these insights can also in­form targeted defences against the detected intrusion patterns. Hardening the entry points used by threat actors to break into networks and monitoring for their instru­ments impose operational costs on threat actors, forcing them to adjust their ap­proach to gain access or avoid detection.

Findings from this technical investigation may be leveraged for political attribu­tion, which assigns responsibility to a state. Judg­ments of state responsibility can cover a spectrum, ranging from direct authorship of an operation and, support for proxies to failing to meet due diligence obligations in prohibiting criminal activity originating from its territory. Public and private com­munications of these conclusions seek to weigh in on adversaries’ strategic cost cal­culus to deter them from continuing their operation. A key lesson in this regard has been the interference in the 2016 US elec­tion. The delay in a US government response to expose the leaks that were directed by the Russian government allowed for influ­ence material that was stolen from the Clinton campaign to circulate without offi­cial challenge. When in August 2024, sev­eral US media organisations were approached with internal documents from the Trump campaign, the outlets decided against re­porting on details from the hacked material on the suspicion that the files had been obtained by a foreign power. Early warn­ings by Microsoft and supporting state­ments by the US intelligence community that linked the leak to a hostile power vindicated this approach, denying momentum to the influence attempt.

Building on such efforts to establish responsibility, legal attribution aims to hold perpetrators and their sponsors accountable with a longer-term view – beyond an indi­vidual operation – of strengthening the rule of international law and the respect of norms of responsible behaviour. Calling out violations strengthens these frameworks as the basis for response measures.

While political and legal responses rely on the conclusions of forensic investigations, technical attribution, including those by government actors, can proceed inde­pendent of decisions to assign responsibility and pursue accountability. In its public response to the compromise of the defence company RUAG, the Swiss government notably focused on technical attribution in describing the breach as conducted by the espionage group Turla. Attribution speed is of essence if the goal is to protect other potential victims by sharing knowledge of TTPs and reducing their effectiveness. This positions technical attribution as the fast track to disseminating insights with the direct potential to influence adversary behaviour.

In the current threat environment criti­cal infrastructure faces, political and legal measures face an uphill challenge in dimin­ishing the strategic motivations of states at war or preparing for conflict and the finan­cial motivations of criminals sheltered in these countries. Technical attribution pro­vides a channel to introduce friction into the capabilities of adversaries by creating awareness about attacker TTPs that allows for the development of mitigation measures.

In a best-case scenario, early detection can thwart an operation. In 2022, the OT cybersecurity company Dragos in collaboration with the US government discovered a toolkit capable of causing physical disrup­tion and destruction in electrical systems, oil and gas pipelines, water systems, manu­facturing plants, and military control sys­tems. As the tool uses the inherent func­tionalities of target systems, its use cannot be prevented with a software fix. Detection requires continuous vigilance. Noting the capability’s robustness and applications across a variety of sectors, the analysts called it PIPEDREAM. The name, however, also captures the success of detecting the tool before its deployment – “left of boom.

Plans like the announcement of the UK National Cyber Security Centre (NCSC) in August to upgrade its Active Cyber Defence (ACD) program seek to expand early detec­tion capabilities to disrupt adversary activ­ity. In particular, the NCSC is preparing to add deceptive measures to the ACD port­folio. Part of this consideration are trip­wires and honeypots that are designed for threat actors to inadvertently reveal their presence and tradecraft. Making these ser­vices available at scale, especially to small- and medium-sized enterprises that other­wise lack the resources for these capabilities, can further extend the visibility into threat activity that supports technical attribution.

The addition of deceptive measures also points to a psychological component of technical attribution capabilities. Knowl­edge about the potential presence of decep­tion tools in target networks may in itself have an effect on threat actor behaviour – an area of influence that the NCSC has identified for further study.

Maintaining the attribution dividend

In a new development, China’s National Com­puter Virus Emergency Response Center and the 360 Digital Security Group made ham-fisted attempts in two reports to misconstrue Western threat intelligence reporting to link Volt Typhoon to a crimi­nal ransomware group. Without any cor­roboration, these reports refer to updates to industry reporting as signs of US govern­ment pressure on industry to hide the pur­ported ransomware identity of Volt Typhoon. The incentive structure of ransomware groups to openly claim responsibility for their breaches to exert pressure on victims to respond to demands makes these claims doubtful. Despite their lack of supporting evidence, Chinese officials repeatedly cited these reports, in an attempt to frame the official disclosures on Volt Typhoon as a “disinformation campaign” conceived by the US intelligence community.

Despite these steps to deflect responsibilities, political attribution has achieved no perceptible change in behaviour. In early August, Sherrod DeGrippo, Director of Threat Intelligence Strategy for Microsoft – the company that first publicly reported on Volt Typhoon’s activities – assessed that the group’s operations continue unabated. DeGrippo identified a pattern of “consistency and persistence” in its targeting. A central concern, as the former Chief Security Officer of Yahoo and Facebook Alex Stamos put it, is that publicity “does not deter” actors and their sponsors.

As Volt Typhoon shows, despite coordinated efforts to root out the group from tar­geted networks with a dedicated technical attribution campaign, for well-resourced groups with long-term strategic objectives, these effects have a short half-life. While technical attribution raises the costs of op­erations for threat actors, it remains in con­stant competition with adversary efforts to retool. For advanced actors that are unlikely to be priced out, successes remain temporary. Defender advantages developed through technical attribution are therefore part of a cycle: Knowledge about TTPs and tools close the gap and can deprive threat actors of their foothold, requiring them to identify new entry vectors. Threat actors regain momentum as they pivot to new intrusion techniques – a gap that renewed detection and attribution efforts need to close. How­ever, not all attack infrastructure is equally easy to replace. Takedowns enabled through technical attribution, such as in the case of the KV botnet of hijacked small office/home office routers in January 2024 in the US that allowed Volt Typhoon to obfus­cate its opera­tions, can set adversaries back.

An FBI-led disruption of a second China-nexus botnet in September 2024 underscores this contribution of continuous tech­nical attribution. Flax Typhoon, the group who controlled the botnet, seeks to main­tain a low profile by minimizing malware use and avoiding easily identifiable intru­sion patterns. This approach allowed the group to remain undetected during a multi-year espionage campaign against critical in­frastructure targets, including in Taiwan and the US. To communicate findings beyond jurisdictions cooperating in the takedown, the US together with its Five Eyes partners published an advisory documenting more than 60 vulnerabilities that Flax Typhoon had exploited to grow its botnet. Assembling a cumulative picture of these compro­mises maps the attack infrastructure and can inform the focus of preventive efforts. Consistent tracking of actor groups that en­ables substantive degradation of their infra­structure raises the bar for the efforts of threat actors to stay undetected over time.

In a new espionage campaign targeting US Internet service providers (ISPs) and digital services that cater to government and military users publicly reported in August, Volt Typhoon was observed using a zero-day vulnerability in Versa Director, a software that allows for the central manage­ment and monitoring of network devices. Such previously unreported software flaws are a rare commodity. Volt Typhoon’s use of a zero-day exploit highlights that the group needs to resort to valuable means to regain access. It also demonstrates its efforts to avoid early detection and tech­nical attribu­tion as it continues its opera­tions.

The EU sanction-attribution nexus

The EU’s response to malicious cyber activ­ities has evolved significantly over the past few years. The EU’s cyber sanctions regime was formally established with Council Regulation (EU) 2019/796 and Council Deci­sion (CFSP) 2019/797 of 17 May 2019. This legal framework laid the foundation for imposing targeted restrictive measures on individuals, entities, and bodies responsible for cyberattacks threatening the EU or its Member States. However, it also made a clear distinction between sanctions and the attribution of responsibility to a third state. The Decision emphasized that attribution is a sovereign political decision that each Mem­ber State can make independently on a case-by-case basis.

The initial rounds of sanctions under this regime, imposed on 30 July 2020 and 22 October 2020, followed a more cautious approach. These measures were imposed with a significant time difference between the events they are intended to sanction and relied heavily on public third-party reporting that required minimal informa­tion sharing between Member States. For the first round of sanctions, the EU clearly stated that the imposition of restrictive measures was to have a deterrent effect and should be distinguished from attributing responsibility to any state actor.

Over time, the EU’s approach to attribution in the context of cyber sanctions has evolved, particularly as the threat landscape has grown more complex. The Council Con­clusions from 21 May 2024 on the Future of Cybersecurity highlighted the rising threat level as a key reason to review the 2020 EU Cybersecurity Strategy. The Conclusions ex­plicitly pointed to the increasing frequency and severity of cyberattacks, particularly those targeting critical infrastructure and essential services, often using disruptive techniques such as ransomware and wiper malware.

These changes in the threat environment were a direct impetus for the third round of EU sanctions imposed on 24 June 2024. This latest round marked a significant shift in the EU’s strategy by more actively linking attribution to the sanctions process. The EU relied on attribution not only to justify sanc­tions but also as a tool to directly con­nect individuals to specific malicious activ­ities. Notably, two individuals were sanc­tioned by the EU who had not previously been indicted or sanctioned by other coun­tries, despite being identified by the Ukrain­ian Security Service as officers of the Rus­sian Federal Security Service (FSB). This marked the first time that the EU had sanc­tioned individuals based on attributions that had not been publicly established by other major powers, signalling a new wil­lingness of the EU to lead.

However, despite this progress, there are still areas where the EU’s attribution, co­ordination, and sanctions processes have room to catch up to the efforts of partner countries. For example, the UK and US have often documented and sanctioned threat actors based on intelligence that was not publicly available at the time, demonstrat­ing a higher level of agility and coordination in their response. While the Council’s press release accompanying the third round of sanctions expressed an ambition to en­hance cooperation with the UK and US in disrupting and responding to cybercrime, the EU’s current attribution coordination has yet to reach this proactive level. The influence of the ongoing conflict in Ukraine has influenced the EU’s approach to attribu­tion. For instance, in response to the dis­ruptions of modems linked to the KA-SAT satellite network, the EU’s High Representative issued a statement in solidarity with Ukraine and attributed the attack to Rus­sian state actors. This quick response is part of a broader trend of shrinking attribution timelines that has accelerated the exchange of threat information.

The revised implementing guidelines of the EU Cyber Diplomacy Toolbox (CDT) adopted in 2023 further underscore the EU’s commitment to improving attribution processes. The guidelines include detailed recommendations on how to use attribution strategically in communications while maintaining that political attribution remains the sovereign decision of Member States. The guidelines also recognize the importance of shared situational awareness and information sharing to facilitate co­ordinated political attribution at the EU level. Whereas the guidelines acknowledge the impact of technical attribution on deci­sion-making, they do not explicitly address the mechanisms through which technical attribution contributes to the overall deter­rent effect.

Leveraging technical attribution: Recommendations for the EU

While the technical dimension of attribution remains under-leveraged by EU insti­tutions due to limited analytical capabilities provided by Member States, the EU can sig­nificantly increase its engagement through strategic partnerships, support for inter­national mechanisms, and alignment with victims of cyber operations.

A victim-oriented approach to cyber diplomacy

One of the most effective ways for how the EU can strengthen its attribution efforts is by enhancing the cyber capabilities of its partner countries. Capacity building sup­port is crucial in enabling these nations to establish and improve their own attribution capabilities, which can serve as a force multiplier for collective security. By focus­ing on partnerships, the EU can support a network of countries equipped to conduct credible and timely attribution.

The EU should prioritize coordination with countries that have been victims of cyber operations, particularly in the use of measures provided by the CDT. The Euro­pean External Action Service can play a pivotal role in this effort by building on its initial consultations, e.g., with Ukraine. Ukraine’s experience and ongoing defence efforts offer valuable insights that can in­form a more victim-oriented approach to cyber diplomacy. Law enforcement coopera­tion has taken steps in this direction on a case-by-case basis, documenting the behav­iour of ransomware groups to prevent fur­ther compromises. Diplomatic initiatives can systematically scale this exchange between victims and potential targets at the international level.

Recent exchanges as part of the EU-Ukraine Cyber Dialogue signal a shift to­wards a target-centred approach that rec­ognizes the experience of frontline states in their value for identifying targeted re­sponses. Such dialogues offer a platform not only to discuss strategic priorities to advance local cybersecurity capabilities, but to ascertain how coordinated disclosures can contribute to the degradation of adver­sary capabilities and thereby enhance the defensive posture of the victim’s state.

Supporting international rule of law through best practices

In addition to capacity building, the EU has a critical role to play in the development and dissemination of best practices for attribu­tion on a global scale. It is imperative that the international community estab­lishes clear, consistent, and legally sound standards for attribution. Such shared standards may facilitate joint report­ing by Member States and international partners. Merging insights into the opera­tions of North Korean threat actors, Ger­many and South Korea, for instance, devel­oped comprehensive mitigation guidance.

The EU should support efforts for the creation of a United Nations accountability mechanism specifically for cyber opera­tions. Such a mechanism would provide a platform for the international community to collectively assess and respond to cyber incidents, ensuring that perpetrators are held accountable under international law.

The EU’s commitment to supporting inter­national legal frameworks can be further demonstrated by backing the Inter­national Criminal Court (ICC) in its investi­gations into potential cyber war crimes. In June 2024, ICC officials confirmed an on­going probe into four cyberattacks against Ukraine, investigating them as possible war crimes. The EU should actively support these investigations, which test the appli­cation of international humanitarian law in cyberspace. The war context in Ukraine has put international views on how inter­national humanitarian law (IHL) applies to cyber operations to the test. Cyberattacks that target civilian infrastructure, disrupt essential services, or contribute to broader war crimes challenge traditional interpretations of IHL. The EU could support legal and factual assessments that affirm the ap­plication of IHL in cyberspace.

Dr Annegret Bendiek is a Senior Fellow at the EU / Europe Research Division and Co-Head of the Research Cluster Cybersecurity and Digital Policy at SWP.
Jakob Bund is an Associate at the EU / Europe Research Division at SWP and Senior Researcher at the European Cyber Conflict Research Initiative (ECCRI).
Mika Kerttunen is the Director of the Cyber Policy Institute.
All authors are members of the research consortium managing the European Repository of Cyber Incidents (EuRepoC, www.eurepoc.eu), a project funded by the German Federal Foreign Office.

SWP

Stiftung Wissenschaft und Politik

ISSN (Print) 1861-1761

ISSN (Online) 2747-5107