The Attribution Dividend: Protecting Critical Infrastructure from Cyber Attacks

Flashpoint critical infrastructure

To assess threats against critical infrastructure, a fundamental distinction is necessary. Network environments of many essen­tial service providers, such as power plants or water treatment facilities, contain both IT and operational technology (OT) com­ponents. While IT networks are used for administrative tasks, such as to send emails or issue invoices, OT sustains the actual operations of critical infrastructure. Central within OT are industrial control systems (ICS), which manage processes that, for example, clean water, distribute electricity, or direct traffic. The vast majority of intru­sions affecting critical infrastructure do not reach OT components. However, as IT and OT networks converge, disruptions of IT appliances can develop cascading effects. For instance, Colonial Pipeline shut down its distribution of gas and jet fuel after the Russian ransomware group DarkSide en­crypted its billing system in May 2021. This decision by the largest United States (US) transport pipeline operator out of an abun­dance of caution led to temporary supply shortages at US East Coast gas stations.

In contrast, ICS specific malware that directly targets OT remains rare. To date, only nine cases have been publicly tracked. Instances of destructive effects against OT through cyber capabilities are rarer yet. Increasingly, OT systems that were devel­oped for operations in isolated networks are brought online, as part of digitalisation efforts to assist with remote maintenance. These connectivity initiatives change the threat model of critical infrastructure opera­tors and can lead to new vulnerabilities. OT components and protocols that are legacies from air-gapped operations were not designed for the potential exposure intro­duced with deployment adjacent to IT net­works. Digital transformation of industries needs to take into account how such in­creases in OT connectivity can be secured.

Returns from technical attribution

While the immediate purpose of attribution is to establish responsibility, its under­lying objective, as Jason Healey elaborated, is to enable an understanding of malicious activity that can put a stop to it. Efforts in this direction are typically categorized according to three lines of action: technical, political, and legal. At the foundation, forensic investigations aim to determine the tools, tactics, techniques, and procedures (TTPs) employed in an operation and trace the systems and networks through which it was conducted. Such technical assessments link this information to an intrusion set to compare and find matches across other operations. This allows observations of how threat actor behaviour evolves over time. Although the initial focus is on reconstructing the breach, these insights can also in­form targeted defences against the detected intrusion patterns. Hardening the entry points used by threat actors to break into networks and monitoring for their instru­ments impose operational costs on threat actors, forcing them to adjust their ap­proach to gain access or avoid detection.

Findings from this technical investigation may be leveraged for political attribu­tion, which assigns responsibility to a state. Judg­ments of state responsibility can cover a spectrum, ranging from direct authorship of an operation and, support for proxies to failing to meet due diligence obligations in prohibiting criminal activity originating from its territory. Public and private com­munications of these conclusions seek to weigh in on adversaries’ strategic cost cal­culus to deter them from continuing their operation. A key lesson in this regard has been the interference in the 2016 US elec­tion. The delay in a US government response to expose the leaks that were directed by the Russian government allowed for influ­ence material that was stolen from the Clinton campaign to circulate without offi­cial challenge. When in August 2024, sev­eral US media organisations were approached with internal documents from the Trump campaign, the outlets decided against re­porting on details from the hacked material on the suspicion that the files had been obtained by a foreign power. Early warn­ings by Microsoft and supporting state­ments by the US intelligence community that linked the leak to a hostile power vindicated this approach, denying momentum to the influence attempt.

Building on such efforts to establish responsibility, legal attribution aims to hold perpetrators and their sponsors accountable with a longer-term view – beyond an indi­vidual operation – of strengthening the rule of international law and the respect of norms of responsible behaviour. Calling out violations strengthens these frameworks as the basis for response measures.

While political and legal responses rely on the conclusions of forensic investigations, technical attribution, including those by government actors, can proceed inde­pendent of decisions to assign responsibility and pursue accountability. In its public response to the compromise of the defence company RUAG, the Swiss government notably focused on technical attribution in describing the breach as conducted by the espionage group Turla. Attribution speed is of essence if the goal is to protect other potential victims by sharing knowledge of TTPs and reducing their effectiveness. This positions technical attribution as the fast track to disseminating insights with the direct potential to influence adversary behaviour.

In the current threat environment criti­cal infrastructure faces, political and legal measures face an uphill challenge in dimin­ishing the strategic motivations of states at war or preparing for conflict and the finan­cial motivations of criminals sheltered in these countries. Technical attribution pro­vides a channel to introduce friction into the capabilities of adversaries by creating awareness about attacker TTPs that allows for the development of mitigation measures.

In a best-case scenario, early detection can thwart an operation. In 2022, the OT cybersecurity company Dragos in collaboration with the US government discovered a toolkit capable of causing physical disrup­tion and destruction in electrical systems, oil and gas pipelines, water systems, manu­facturing plants, and military control sys­tems. As the tool uses the inherent func­tionalities of target systems, its use cannot be prevented with a software fix. Detection requires continuous vigilance. Noting the capability’s robustness and applications across a variety of sectors, the analysts called it PIPEDREAM. The name, however, also captures the success of detecting the tool before its deployment – “left of boom”.

Plans like the announcement of the UK National Cyber Security Centre (NCSC) in August to upgrade its Active Cyber Defence (ACD) program seek to expand early detec­tion capabilities to disrupt adversary activ­ity. In particular, the NCSC is preparing to add deceptive measures to the ACD port­folio. Part of this consideration are trip­wires and honeypots that are designed for threat actors to inadvertently reveal their presence and tradecraft. Making these ser­vices available at scale, especially to small- and medium-sized enterprises that other­wise lack the resources for these capabilities, can further extend the visibility into threat activity that supports technical attribution.

The addition of deceptive measures also points to a psychological component of technical attribution capabilities. Knowl­edge about the potential presence of decep­tion tools in target networks may in itself have an effect on threat actor behaviour – an area of influence that the NCSC has identified for further study.

Maintaining the attribution dividend

In a new development, China’s National Com­puter Virus Emergency Response Center and the 360 Digital Security Group made ham-fisted attempts in two reports to misconstrue Western threat intelligence reporting to link Volt Typhoon to a crimi­nal ransomware group. Without any cor­roboration, these reports refer to updates to industry reporting as signs of US govern­ment pressure on industry to hide the pur­ported ransomware identity of Volt Typhoon. The incentive structure of ransomware groups to openly claim responsibility for their breaches to exert pressure on victims to respond to demands makes these claims doubtful. Despite their lack of supporting evidence, Chinese officials repeatedly cited these reports, in an attempt to frame the official disclosures on Volt Typhoon as a “disinformation campaign” conceived by the US intelligence community.

Despite these steps to deflect responsibilities, political attribution has achieved no perceptible change in behaviour. In early August, Sherrod DeGrippo, Director of Threat Intelligence Strategy for Microsoft – the company that first publicly reported on Volt Typhoon’s activities – assessed that the group’s operations continue unabated. DeGrippo identified a pattern of “consistency and persistence” in its targeting. A central concern, as the former Chief Security Officer of Yahoo and Facebook Alex Stamos put it, is that publicity “does not deter” actors and their sponsors.

As Volt Typhoon shows, despite coordinated efforts to root out the group from tar­geted networks with a dedicated technical attribution campaign, for well-resourced groups with long-term strategic objectives, these effects have a short half-life. While technical attribution raises the costs of op­erations for threat actors, it remains in con­stant competition with adversary efforts to retool. For advanced actors that are unlikely to be priced out, successes remain temporary. Defender advantages developed through technical attribution are therefore part of a cycle: Knowledge about TTPs and tools close the gap and can deprive threat actors of their foothold, requiring them to identify new entry vectors. Threat actors regain momentum as they pivot to new intrusion techniques – a gap that renewed detection and attribution efforts need to close. How­ever, not all attack infrastructure is equally easy to replace. Takedowns enabled through technical attribution, such as in the case of the KV botnet of hijacked small office/home office routers in January 2024 in the US that allowed Volt Typhoon to obfus­cate its opera­tions, can set adversaries back.

An FBI-led disruption of a second China-nexus botnet in September 2024 underscores this contribution of continuous tech­nical attribution. Flax Typhoon, the group who controlled the botnet, seeks to main­tain a low profile by minimizing malware use and avoiding easily identifiable intru­sion patterns. This approach allowed the group to remain undetected during a multi-year espionage campaign against critical in­frastructure targets, including in Taiwan and the US. To communicate findings beyond jurisdictions cooperating in the takedown, the US together with its Five Eyes partners published an advisory documenting more than 60 vulnerabilities that Flax Typhoon had exploited to grow its botnet. Assembling a cumulative picture of these compro­mises maps the attack infrastructure and can inform the focus of preventive efforts. Consistent tracking of actor groups that en­ables substantive degradation of their infra­structure raises the bar for the efforts of threat actors to stay undetected over time.

In a new espionage campaign targeting US Internet service providers (ISPs) and digital services that cater to government and military users publicly reported in August, Volt Typhoon was observed using a zero-day vulnerability in Versa Director, a software that allows for the central manage­ment and monitoring of network devices. Such previously unreported software flaws are a rare commodity. Volt Typhoon’s use of a zero-day exploit highlights that the group needs to resort to valuable means to regain access. It also demonstrates its efforts to avoid early detection and tech­nical attribu­tion as it continues its opera­tions.

The EU sanction-attribution nexus

The EU’s response to malicious cyber activ­ities has evolved significantly over the past few years. The EU’s cyber sanctions regime was formally established with Council Regulation (EU) 2019/796 and Council Deci­sion (CFSP) 2019/797 of 17 May 2019. This legal framework laid the foundation for imposing targeted restrictive measures on individuals, entities, and bodies responsible for cyberattacks threatening the EU or its Member States. However, it also made a clear distinction between sanctions and the attribution of responsibility to a third state. The Decision emphasized that attribution is a sovereign political decision that each Mem­ber State can make independently on a case-by-case basis.

The initial rounds of sanctions under this regime, imposed on 30 July 2020 and 22 October 2020, followed a more cautious approach. These measures were imposed with a significant time difference between the events they are intended to sanction and relied heavily on public third-party reporting that required minimal informa­tion sharing between Member States. For the first round of sanctions, the EU clearly stated that the imposition of restrictive measures was to have a deterrent effect and should be distinguished from attributing responsibility to any state actor.

Over time, the EU’s approach to attribution in the context of cyber sanctions has evolved, particularly as the threat landscape has grown more complex. The Council Con­clusions from 21 May 2024 on the Future of Cybersecurity highlighted the rising threat level as a key reason to review the 2020 EU Cybersecurity Strategy. The Conclusions ex­plicitly pointed to the increasing frequency and severity of cyberattacks, particularly those targeting critical infrastructure and essential services, often using disruptive techniques such as ransomware and wiper malware.

These changes in the threat environment were a direct impetus for the third round of EU sanctions imposed on 24 June 2024. This latest round marked a significant shift in the EU’s strategy by more actively linking attribution to the sanctions process. The EU relied on attribution not only to justify sanc­tions but also as a tool to directly con­nect individuals to specific malicious activ­ities. Notably, two individuals were sanc­tioned by the EU who had not previously been indicted or sanctioned by other coun­tries, despite being identified by the Ukrain­ian Security Service as officers of the Rus­sian Federal Security Service (FSB). This marked the first time that the EU had sanc­tioned individuals based on attributions that had not been publicly established by other major powers, signalling a new wil­lingness of the EU to lead.

However, despite this progress, there are still areas where the EU’s attribution, co­ordination, and sanctions processes have room to catch up to the efforts of partner countries. For example, the UK and US have often documented and sanctioned threat actors based on intelligence that was not publicly available at the time, demonstrat­ing a higher level of agility and coordination in their response. While the Council’s press release accompanying the third round of sanctions expressed an ambition to en­hance cooperation with the UK and US in disrupting and responding to cybercrime, the EU’s current attribution coordination has yet to reach this proactive level. The influence of the ongoing conflict in Ukraine has influenced the EU’s approach to attribu­tion. For instance, in response to the dis­ruptions of modems linked to the KA-SAT satellite network, the EU’s High Representative issued a statement in solidarity with Ukraine and attributed the attack to Rus­sian state actors. This quick response is part of a broader trend of shrinking attribution timelines that has accelerated the exchange of threat information.

The revised implementing guidelines of the EU Cyber Diplomacy Toolbox (CDT) adopted in 2023 further underscore the EU’s commitment to improving attribution processes. The guidelines include detailed recommendations on how to use attribution strategically in communications while maintaining that political attribution remains the sovereign decision of Member States. The guidelines also recognize the importance of shared situational awareness and information sharing to facilitate co­ordinated political attribution at the EU level. Whereas the guidelines acknowledge the impact of technical attribution on deci­sion-making, they do not explicitly address the mechanisms through which technical attribution contributes to the overall deter­rent effect.

Leveraging technical attribution: Recommendations for the EU

While the technical dimension of attribution remains under-leveraged by EU insti­tutions due to limited analytical capabilities provided by Member States, the EU can sig­nificantly increase its engagement through strategic partnerships, support for inter­national mechanisms, and alignment with victims of cyber operations.