Can we find hackers by the clues they leave in their code?
An intelligence organization called IARPA wants to get better at the art of cyber attribution. Here's how.
In Overmatched, we take a close look at the science and technology at the heart of the defense industry—the world of soldiers and spies.
THE YEAR WAS 1998. The computers were blocky, the jeans were baggy, and the US military was sending Marines to Iraq to support weapons inspections. Someone, also, was hacking into unclassified military systems at places like Kirtland Air Force Base in New Mexico and Andrews Air Force Base in Maryland. Given the geopolitical climate, investigators wondered if the cyberattack was state-on-state—an attempt by Iraq to thwart military operations there.
Three weeks of investigation, though, proved that guess wrong: “It comes out that it was two teenagers from California and another teenager in Israel that were just messing around,” says Jake Sepich, former research fellow at the Center for Security, Innovation, and New Technology.
The event came to be known, redundantly, as Solar Sunrise. And it illustrates the importance of being able to determine exactly who’s rifling through or ripping up your digital systems—a process called cyber attribution. Had the government continued to think a hostile nation might have infiltrated its computers, the repercussions of a misplaced response could have been significant.
Both cyberattacks and the methods for finding their perpetrators have grown more sophisticated in the 25 years since the dawn of Solar Sunrise. And now an organization called IARPA—the Intelligence Advanced Research Projects Activity, which is the intelligence community’s high-risk-high-reward research agency and is a cousin to DARPA—wants to take things a step further. A program called SoURCE CODE, which stands for Securing Our Underlying Resources in Cyber Environments, is asking teams to compete to develop new ways to do forensics on malicious code. The goals are to find innovative ways to help finger likely attackers based on their coding styles and to automate parts of the attribution process.
Who did the hacking?
There isn’t just one way to answer the question of cyber attribution, says Herb Lin, senior research scholar for cyber policy and security at Stanford’s Center for International Security and Cooperation. In fact, there are three: You can find the machines doing the dirty work, the specific humans operating those machines, or the party that’s ultimately responsible—the boss directing the operation. “Which of those answers is relevant depends on what you’re trying to do,” says Lin. If you just want the pain to stop, for instance, you don’t necessarily care who’s causing it or why. “That means you want to go after the machine,” he says. If you want to discourage future attacks from the same actors, you need to get down to the root: the one directing the action.
Regardless, being able to answer the whodunit question is important not just in stopping a present intrusion but in preventing future ones. “If you can’t attribute, then it’s pretty easy for any player to attack you because there are unlikely to be consequences,” says Susan Landau, who researches cybersecurity and policy at Tufts University.
In efforts to get at any of the three attribution answers, both the government and the private sector are important players. The government has access to more, and different, information than the rest of us. But companies like Crowdstrike, Mandiant, Microsoft, and Recorded Future have something else. “The private sector is significantly ahead in technological advancement,” says Sepich. When they work together, as they will in this IARPA project, likely along with university researchers, there’s potential for symbiosis.
And there might just be some special sauce behind some of the collaborations too. “It’s not an accident that many of the people who start these private sector companies are former intelligence people,” says Lin. They often have, he says, social wink-wink relationships with those still in government. “These guys, you know, get together for a drink downtown,” he says. The one still on the inside could say, as Lin puts it, “You might want to take a look at the following site.”
Who wrote this code?
The project seems secretive. IARPA did not respond to a request for comment, and a lab that will be helping with testing and evaluation for SoURCE CODE once the competing teams are chosen and begin their work declined to comment. (Update: IARPA provided a comment after this story published. We’ve added it below.) But according to the draft announcement about the program released in September, the research teams will find automated ways to detect similarities between pieces of software code, to match attacks to known patterns, and to do so for both source code—the code as programmers write it—and binary code—the code as computers read it. Their tech must be able to spit out a similarity score and explain its matchmaking. But that’s not all: Teams will also develop techniques to analyze how patterns might point to “demographics,” which could refer to a country, a group, or an individual.
The general gist of the program’s approach, says Lin, is a bit like a type of task literary scholars sometimes undertake: determining, for instance, whether Shakespeare penned a given play, based on aspects like sentence structures, rhythmic patterns, and themes. “They can say yes or no, just by examining the text,” he says. “What this requires, of course, is many examples of genuine Shakespeare.” Maybe, he speculates, part of what the IARPA program could yield is a way to identify a nefarious code-writing Shakespeare with fewer reference examples.
But IARPA is asking performers (its term for the funded research teams) to go beyond lexical and syntactic features—essentially, which words an author uses and how the sentences and paragraphs are put together. There is already much research on those basic matching tasks, and attackers are also adept at framing others (counterfeiting Shakespeare) and at obfuscating their own identities (being Shakespeare but deliberately writing differently to throw detectives off the scent).
One kind of code, for instance, called metamorphic malware, rewrites its own instructions each time it propagates, so no two generations look alike at the syntactic level, even though what the program is ultimately trying to accomplish stays the same. Perhaps that is why SoURCE CODErs will focus instead on “semantic and behavioral” features: those that have to do with how a program operates and what the meaning of its code is. As a nondigital example, maybe many physicists use a specific lecture style, but no one else seems to. If you start listening to someone give a talk, and they use that style, you could reasonably infer that they are a physicist. Something similar could be true in software. Or, to continue the theater analogy to its closing act, “Can you extract the high-level meaning of those plays, rather than the individual use of this word here and that word there, in some way?” says Lin. “That’s a very different question.” And it’s one IARPA would like the answer to.
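As an added illustration of the difference between lexical features and structural or behavioral ones (this is example code written for this page, not code from IARPA's SoURCE CODE program or from any team competing in it), three small constructed Python programs are compared under three feature views. SAMPLE_B is SAMPLE_A with every identifier renamed, the kind of surface change a metamorphic rewrite or a deliberate disguise produces; SAMPLE_C is a different program that borrows A's identifier names, a crude framing attempt. The feature definitions (token multisets, syntax-tree node-type pairs, names of called functions), the weighted Jaccard scoring, and the "shared evidence" explanation are the example's own simplifications, not the program's method.

```python
"""Toy code-stylometry comparison: lexical vs structural vs behavioural views.

Added illustration only; not code from IARPA's SoURCE CODE program or from any
team competing in it. The three sample programs below are constructed for it.
"""
import ast
import io
import tokenize
from collections import Counter

# Sample A (constructed): walks a directory tree and reads every file.
SAMPLE_A = '''
import os
def collect(root, out):
    for d, _, files in os.walk(root):
        for f in files:
            p = os.path.join(d, f)
            with open(p, "rb") as fh:
                out.append(fh.read())
    return out
'''

# Sample B (constructed): A after a "metamorphic" rewrite. Every identifier is
# renamed, but control flow and the calls it makes are unchanged.
SAMPLE_B = '''
import os
def gather(base, acc):
    for folder, _, names in os.walk(base):
        for n in names:
            full = os.path.join(folder, n)
            with open(full, "rb") as handle:
                acc.append(handle.read())
    return acc
'''

# Sample C (constructed): a different program wearing A's identifier names,
# a crude framing attempt. Structure and behaviour differ from A.
SAMPLE_C = '''
import os
def collect(root, out):
    p = os.path.join(root, "index")
    if os.path.exists(p):
        for f in open(p).read().splitlines():
            out.append(f)
    return out
'''


def lexical_features(src: str) -> Counter:
    """Lexical view: multiset of identifier, keyword and literal tokens."""
    feats = Counter()
    for tok in tokenize.generate_tokens(io.StringIO(src).readline):
        if tok.type in (tokenize.NAME, tokenize.NUMBER, tokenize.STRING):
            feats[(tokenize.tok_name[tok.type], tok.string)] += 1
    return feats


def structural_features(src: str) -> Counter:
    """Structural view: parent->child syntax-tree node-type pairs.
    Identifier spellings are discarded, so renaming leaves this unchanged."""
    feats = Counter()
    for node in ast.walk(ast.parse(src)):
        for child in ast.iter_child_nodes(node):
            feats[(type(node).__name__, type(child).__name__)] += 1
    return feats


def behavioural_features(src: str) -> Counter:
    """Behavioural view (simplified): names of the functions/methods called,
    ignoring which variable they are called on."""
    feats = Counter()
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Call):
            f = node.func
            if isinstance(f, ast.Name):
                feats[f.id] += 1
            elif isinstance(f, ast.Attribute):
                feats[f.attr] += 1
    return feats


def jaccard(a: Counter, b: Counter) -> float:
    """Weighted Jaccard similarity of two feature multisets, in [0, 1]."""
    keys = set(a) | set(b)
    inter = sum(min(a[k], b[k]) for k in keys)
    union = sum(max(a[k], b[k]) for k in keys)
    return inter / union if union else 0.0


VIEWS = {"lexical": lexical_features,
         "structural": structural_features,
         "behavioural": behavioural_features}


def similarity_report(x: str, y: str) -> dict:
    """Similarity score of two sources under each feature view."""
    return {name: jaccard(view(x), view(y)) for name, view in VIEWS.items()}


def shared_evidence(view, x: str, y: str) -> list:
    """The features both samples exhibit under a view: the 'why' behind a score."""
    a, b = view(x), view(y)
    return sorted(str(k) for k in a if k in b)


if __name__ == "__main__":
    for label, other in (("A vs B (renamed copy)", SAMPLE_B),
                         ("A vs C (framing attempt)", SAMPLE_C)):
        print(label, similarity_report(SAMPLE_A, other))
```

On these inputs the renamed copy scores lower than the framing attempt under the lexical view but identical to the original under the structural and behavioural views, which is the brittleness of token-level matching the passage describes. Real stylometry systems use far richer features and learned models, but the same question of which view survives a rewrite applies.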
Although parts of SoURCE CODE will likely be classified (since parts of the informational sessions IARPA held for potential participants were), there is also value, says Landau, in the government crowing not just about attributional achievements but also about the capabilities that made them possible. In the last few years, she says, the government has become more willing to publicly attribute cyberattacks. “That’s a decision that it is better for US national security to acknowledge that we have the techniques to do so by, for example, putting it into a court indictment than it is to keep that secret and allow the perpetrator to go unpunished.”
Why did they do it?
Whatever SoURCE CODE teams are able to do will never be the end of the story. Because cyber attribution isn’t just a technical effort; it’s also a political one. The motivation of the bad actor doesn’t emerge just from code forensics. “That’s never going to come from technology,” says Lin. Sometimes that motivation is financial, or it’s a desire to access and use other people’s personal information. Sometimes, as in the case of “hacktivists,” it’s philosophical, the desire to prove a social or political point. More seriously, attacks can be designed to disrupt critical infrastructure, like the power grid or a pipeline, or to gather information about military operations.
Often, the finger-pointing part won’t come from technical forensics, but from other kinds of intelligence that, conveniently, the intelligence community running this program would have access to. “They intercept email, and they listen to phone conversations,” says Lin. “And if they find out that this guy who loves his program is talking to his girlfriend about it, and they listened in on that conversation, that’s interesting.”
Update on November 9, 2023. IARPA provided the following comment following the publication of this story: “Every piece of software has unique fingerprints that can be used to extract hidden information. The SoURCE CODE program is looking to leverage these fingerprints to improve cyber forensic tools and disrupt cyber attackers’ capabilities. Quickly pinpointing the attribution of malicious attacks will help law enforcement respond with greater speed and accuracy, and help impacted organizations finetune their safeguards against future attacks.”