xorl %eax, %eax

Example of SIGINT-enabled cyber attribution from the NSA

leave a comment »

DISCLAIMER: Just to be clear, the following do not represent my employer. Also, I’m not a lawyer. Check the legislation on your own. I have personal experience doing what I suggest here since I regularly volunteer for such investigations in the private and public sector, so I’m not making a hypothetical recommendation.

The aim of this blog post is to demonstrate with a real practical example how traditional SIGINT enables threat actor attribution and also inspire cyber threat intelligence analysts to expand their scope beyond cyber when working on threat actor attribution.

In September 2020 I published an educational video of the 2016 GRU phishing campaign NSA analysis which was leaked to the press by former NSA employee Reality Winner. It’s a particularly educational slide deck for intelligence analysts and revealed some of the NSA’s tradecraft too.



Some of the digital artefacts that assisted in the attribution were:

  • The phone number used for the GMail account belonged to a GRU officer
  • The GMail was used to send an email to a personal account of a GRU officer
  • Connection of the GRU officers to the operations box, and from there to GMail

You might wonder, that’s great but I don’t have access to such traditional SIGINT sources (like mobile operators databases, access to adversary’s GMail accounts or packet capturing on ISP level) but I kind of disagree, and here is why…

Phone numbers
If you collect and maintain a searchable database from leaked (thus OSINT) phone numbers, government databases, etc. there is a relatively good chance that you can perform similar correlations without having near realtime SIGINT from telcos.

GMail use & operations box access
If you are working in an investigation with law enforcement it is very likely that if you can provide them with evidence that an email account or a hosted server was used for malicious activities they can get a search warrant, collect digital forensics evidence, and give you access to some details like that (IPs of who connected there or emails in the account) to assist your threat research. Of course if you are an email service or hosting provider that’s like standard operating procedure but this is limited to a small part of the industry.

To summarize… Do not limit yourself to cyber sources when working in threat intelligence. Work towards an all-source intelligence approach. You might not have access to SIGINT, but you might have access to OSINT, HUMINT or other intelligence disciplines that can increase your confidence level in threat actor attribution. Any time you wonder of what intelligence sources to use, remember the following from DNI’s ICD 203:

Based on All Available Sources of Intelligence: Analysis should be informed by all relevant information that is available to the analytic element. Where critical gaps exist, analytic elements should work with collectors to develop appropriate collection, dissemination, and access strategies.

Written by xorl

January 20, 2021 at 12:41

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s