By Sakaguchi Yuichi, Nikkei senior staff writer
In the cyberattack on the Japan Aerospace Exploration Agency (JAXA) and others, the Japanese police, for the first time ever, made an “attribution,” publicly identifying and naming an entity linked to a foreign state as responsible for the cyberattack. Attribution is a way to “counter” cyberattacks, and it also demonstrates that the investigating country has counterattack capabilities. What was the aim of this first-ever attribution by Japan, and how was it done? Japan conducted an in-depth investigation into a scheme that was unfolding out of public view.
National Police Agency (NPA) Commissioner-General Matsumoto Mitsuhiro said at an April 22 press conference that “the attack likely involved Unit 61419 of the People’s Liberation Army (PLA) strategic support unit based in Qingdao, Shandong Province, China.” His comments spread throughout the cyberworld and surprised foreign intelligence and security agencies. The NPA reportedly still receives inquiries regarding the case.
The reason for the attention is that this was the first attribution officially made by Japan. Attribution is the “identification of the entity responsible for an attack” and is an important concept in the field of cyberattacks.
Two days before Matsumoto’s press conference, the Public Security Bureau of the Tokyo Metropolitan Police Department (TMPD) sent papers to the public prosecutor’s office regarding a male member of the Chinese Communist Party, in connection with a cyberattack that targeted about 200 Japanese companies and research institutions, such as JAXA. The man was suspected of illegally creating and storing private electromagnetic records, by using a false identity to rent a server for the attacks.
Matsumoto explained that “a group called Tick carried out the series of attacks” and said that the NPA will continue its investigation “to clarify all the facts of the case.”
Generally speaking, a country or organization identified as being involved in a cyberattack does not admit it. Regarding the investigation of the JAXA case, China Ministry of Foreign Affairs Deputy Press Director Wang Wenbin responded that he “resolutely opposes damaging China’s honor for a cyberattack.” It is difficult to bring the suspected party to court in another country, even with full evidence.
This is why attribution is a valuable method. Attribution does not involve criminal procedures, so a country can give warnings and show that it has defense capabilities without revealing its investigative procedures or evidence. Deterrence through “naming and shaming” is the expected result. Attribution can also be a basis for imposing sanctions.
If several countries attribute a cyberattack to another country, sharing the results of their analyses can strengthen their ability to counter the country that launched the attack.
In response to Wang, Matsumoto said that “an investigation of a cyber incident must be based on sufficient evidence,” and emphasized that NPA came to its conclusion by “accumulating a large amount of evidence, including statements by the suspect and others concerned.” The exchange also gave a glimpse into the “psychological warfare” involved in attribution.
It is not easy to investigate entities behind cyberattacks, and even more difficult if the attack is at the national level where big investments in technology, personnel, and budget are made.
Although there are cases in the U.S. and other countries where the perpetrator is identified and criminal charges are pursued, an incident can only be resolved in situations where the perpetrator makes a mistake. In most incidents, the investigation proceeds by following up on small traces, such as fragments of non-anonymized communications used as part of a large-scale operation.
At the Chief Cabinet Secretary’s press conference, the Japanese government has stated in the past that “[the government] knows for a fact that North Korea was involved in the case” of a cyberattack using the ransomware “WannaCry.”
This statement was based on information from the U.S. and other countries, and the incident did not lead to an attribution by Japan based on the results of its own investigation.
Why was Japan able to make the attribution in the cyberattack on JAXA?
The TMPD identified the server used for the attack and the Chinese individual who held the contract for use of the server. The TMPD was also able to obtain a statement from the individual through questioning. The TMPD was successful because the case presented an ideal situation in which it could connect the traces of evidence left on the Internet with the physical investigation.
As the threat of cyberattacks increases, we cannot expect such “good fortune” as was the case in the investigation of the JAXA case. There is an urgent need to review laws and regulations and develop investigative tools to meet current needs.
It is also important to note that investigative agencies are not the only ones responsible for making the attribution. All intelligence and analytical abilities regarding cyberattacks must be mobilized to meet the threat.
In addition to national organizations — such as the National Center of Incident Readiness and Strategy for Cybersecurity (NISC) and the Ministry of Defense, which are the command centers for countermeasures — the technologies and human resources of the private sector, such as companies and research institutes, should be utilized more widely. Cooperation with overseas governments and intelligence agencies is indispensable, and the capabilities of the Cabinet Intelligence and Research Office and the Ministry of Foreign Affairs will also be put to the test.