Linguistics as a Tool for Cyber Attack Attribution

Update August 2020: Latest research can be found in a new blog post called Cultural Spectrum of Trust.


My mother and I from 2006 to 2010 presented a linguistic analysis of the Advanced Fee Fraud (419 Scam).

One of the key findings we revealed (also explained in other blog posts and our 2006 paper) is that intelligence does not prevent someone from being vulnerable to simple linguistic attacks. In other words, highly successful and intelligent analysts have a predictable blind-spot that leads them to mistakes in attribution.

The title of the talk was usually “There’s No Patch for Social Engineering” because I focused on helping users avoid being lured into phishing scams and fraud. We had very little press attention and in retrospect instead of raising awareness in talks and papers alone (peer review model) we perhaps should have open-sourced a linguistic engine for detecting fraud. I suppose it depends on how we measure impact.

Despite lack of journalist interest, we received a lot of positive feedback from attendees: investigators, researchers and analysts. That felt like success. After presenting at the High-Tech Crimes Investigation Association (HTCIA) for example I had several ex-law enforcement and intelligence officers thank me profusely for explaining in detail and with data how intelligence can actually make someone more prone to misattribution, to fall victim to bias-laced attacks. They suggested we go inside agencies to train staff behind closed doors.

In other words, since long before the Sony breach news started breaking I have tried to raise the importance of linguistic analysis for attribution, as I tweeted here.

I’m told my sense of humor doesn’t translate well under the constraints of Twitter.

Recently the significance of our work has taken a new turn; a spike in interest on my blog post from 2012 is happening right now, coupled with news about linguistics being used to analyze Sony attack attribution. Ironically the news is by a “journalist” at the NYT who blocked me on Twitter.

I’m told by friends she blocked me after I used a Modified Tweet (MT) to parody her headline.

Allegedly she didn’t find my play on words amusing, but a block seems kind of extreme for that MT if you ask me.

And then at the start of the Sony breach story breaking on December 8, I tweeted a slide from our 2010 presentation.

Also recently I tweeted

good analysis causes anti-herding behavior: “separates social biases introduced by prior ratings from true value”

Tweets unfortunately are disjointed and reach a far smaller audience than my blog posts, so perhaps it is time to return to this topic here instead. I am thus posting the full presentation again:

Download: RSAC_SF_2010_HT1-106_Ottenheimer.pdf

I look forward to discussing this topic further, as it definitely needs more attention in the information security community. Kudos to Jeffrey Carr for pursuing the topic and for the invitation to participate in the crowds that have been rushing into the Sony breach analysis fray with linguistics.

Updated to add: Perhaps it also would be appropriate here to mention my mother’s book called The Anthropology of Language: An Introduction to Linguistic Anthropology.

Ottenheimer’s authoritative yet approachable introduction to the field’s methodology, skills, techniques, tools, and applications emphasizes the kinds of questions that anthropologists ask about language and the kinds of questions that intrigue students. The text brings together the key areas of linguistic anthropology, addressing issues of power, race, gender, and class throughout. Further stressing the everyday relevance of the text material, Ottenheimer includes “In the Field” vignettes that draw you in to the chapter material via stories culled from her own and others’ experiences, as well as “Doing Linguistic Anthropology” and “Cross-Language Miscommunication” features that describe real-life applications of text concepts.

Big Data Security in 1918: How Far Off Is That German Gun?

Recently I wrote here about the ill-fated American operation “IGLOOWHITE” from the Vietnam War, which cost billions of dollars in an attempt to locate enemies by gathering information from many small sensors.

It’s in fact an old pursuit as you can see from this news image of the Japanese Emperor inspecting his big 1936 investment in anti-aircraft data collection technology.

Even earlier, Popular Science this month in 1918 published a story called “How Far Off Is That German Gun? How sixty-three German guns were located by sound waves alone in a single day.”

How Far Off Is That German Gun? How 63 German guns were located by sound waves alone in a single day, Popular Science monthly, December 1918, page 39

Somewhere in-between the Vietnam War and WWI narratives, we should expect the Defense Department to soon start exhibiting how they are using the latest location technology (artificial intelligence) to hit enemy targets.

The velocity of information between a sensor picking up signs of enemy movement and the counter-attack machinery…is the stuff of constant research, probably as old as war itself.

For its part, Popular Mechanics also ran a cover story on acoustic locator devices, highlighting a pre-radar contraption as the future way to find airplanes.

The cover style looks to be from the 1940s although I have only found the image so far, not the exact text.

That odd-looking floral arrangement meant for war was known as a Perrin acoustic locator (named for French Nobel prizewinner Jean-Baptiste Perrin) and it used four large clusters of 36 small hexagonal horns (six groups of six).

Such a complicated setup might have seemed like an improvement to some. For comparison, here are German soldiers in 1917 using a single personal field acoustic and sight locator to track the “flash bang” of enemy artillery.

Source: “Weird War One” by Peter Taylor, published by Imperial War Museum

Obviously, the use of many small sensors gave way to the single big dish design we see everywhere today. Igloo White perhaps could be seen as a Perrin data locator of its day?

They are a perfect example of how simply feeding an ever larger number of small sensors into a single processing unit is not necessarily the right approach, compared with designing one very large sensor fit for purpose.


Update September 2020: “AI-Accelerated Attack: Army Destroys Enemy Tank Targets in Seconds”

…“need for speed” in the context of the well known Processing, Exploitation and Dissemination (PED) process which gathers information, distills and organizes it before sending carefully determined data to decision makers. The entire process, long underway for processing things like drone video feeds for years, has now been condensed into a matter of seconds, in part due to AI platforms like FIRESTORM. Advanced algorithms can, for instance, autonomously sort through and observe hours of live video feeds, identify moments of potential significance to human controllers and properly send or transmit the often time-sensitive information.

“In the early days we were doing PED away from the front lines, now it’s happening at the tactical edge. Now we need writers to change the algorithms,” Flynn explained.

“Three years ago it was books and think tanks talking about AI. We did it today,” said Army Secretary Ryan McCarthy.

Three years ago? Not sure why he uses that time frame. FIRESTORM promises to be an interesting new twist on IGLOOWHITE from around 50 years ago, and we would be wise to heed the severe “fire, ready, aim” mistakes made back then.

USAF Operation Igloo White

The US Air Force (USAF) at the end of 1967 started to air-drop around 20,000 micro sensors into a country bordering Vietnam to be monitored by an IBM mainframe, in order to help direct US airstrikes. The project was an expensive disaster that became a foundation for US domestic military surveillance of non-whites.

Scene from “Bugging the Battlefield” by National Archives and Records Administration, 1969 *

It had little impact (e.g. “sensors couldn’t tell the difference between a gun and a shovel”) while costing American lives. All it proved was that drones flying above a mesh of sensors could launch airstrikes on a moment’s notice…for the low, low price of just $1 billion/year in the 1970s, as the following documentary puts plainly:

When you stop to think about it if you have $30M orbiting reconnaissance aircraft to transmit signals, and $20M command post to call in four $10M fighters to assault a convoy of five $5000 trucks with $2000 worth of rice, it’s easy to see that’s not cost-effective. This is a self-inflicted wound… a losing proposition…

Initial Plans

The North Vietnamese had built a network of roads through neighboring neutral countries Laos and Cambodia to supply forces in South Vietnam. This “Truong Son Road” (called “Ho Chi Minh Trail” by Americans) was concealed by the natural foliage of thick jungle.

Plans were concocted by Americans to appear respectful of Laos and Cambodia, while still bombing them, by secretly dropping hidden sensors that would guide targeted strikes and Army Special Forces teams “over the fence”.

The idea of constructing an anti-infiltration barrier across the DMZ and the Laotian panhandle was first proposed in January 1966 by Roger Fisher of Harvard Law School in one of his periodic memos to McNaughton.

A book called The Closed World explains in detail what these Harvard Law School plans turned into:

From Paul Edwards’ “The Closed World: Computers and the Politics of Discourse in Cold War America“: Chapter 1

Sensor Technical Details (Data Integrity Failure)

There were several iterations of the sensors. The USAF archives refer to these categories:

  • ADSID I and III (Normal and Short): Air Delivered Seismic Intrusion Detector – transmitted vibration picked up by a geophone (personnel or vehicles in motion)
  • HELOSID: Helicopter Delivered Seismic Intrusion Detector
  • ACOUSID II and III: Acoustic and Seismic Intrusion Detector – transmitted sound picked up by a microphone

We’re talking here about $2K radios inside a dart-shaped canister with a two-week battery (later stretched to 45 days by switching from continuous transmission to polling), and a 20% failure rate on deployment.

ACOUSID III Cutaway (USAF Drawing)

Ten years ago Air Force Magazine described the wide set of problems with false positives from these wireless sensors in a jungle. This honest analysis is a far cry from how the USAF originally hyped the technology as being as easy as “drugstore pinball” and giving the North Vietnamese “nowhere to hide”:

The challenge for the seismic sensors (and for the analysts) was not so much in detecting the people and the trucks as it was in separating out the false alarms generated by wind, thunder, rain, earth tremors, and animals—especially frogs.

There were other kinds of sensors as well. One of them was the “people sniffer,” which chemically sensed sweat and urine.

[…]

“We wire the Ho Chi Minh Trail like a drugstore pinball machine, and we plug it in every night,” an Air Force officer told Armed Forces Journal in 1971. “Before, the enemy had two things going for him. The sun went down every night, and he had trees to hide under. Now he has nothing.”

Here is the sort of acoustic detail captured in working group studies hoping to isolate the signals of frogs and shovels from those of soldiers and trucks:

Figure and Table from “Acoustical Working Group: Acquisition, Reduction and Analysis of Acoustical Data. An Unclassified Summary of Acoustical Working Group Studies.” NADC Report No. AWG-SU, 1974
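The frog problem above is a base-rate problem, and it is worth making the arithmetic explicit. The following is an added illustration, not code or data from the original post and not derived from any Igloo White measurement: it takes the 20,000-sensor count and the 20% deployment failure rate mentioned earlier in this post, and every per-sensor probability in it is a constructed assumption chosen only to show the shape of the problem.

```python
"""Base-rate arithmetic for a large field of noisy sensors.

Added example, not from the original post. The 20,000 sensor count and the
20% deployment failure rate are taken from the post; the per-sensor
probabilities below are constructed assumptions, not Igloo White data.
"""

N_DROPPED = 20_000        # sensors air-dropped (from the post)
DEPLOY_FAILURE = 0.20     # fraction dead on arrival (from the post)


def live_sensors(n_dropped: int, deploy_failure: float) -> int:
    """Sensors actually reporting after deployment losses."""
    return round(n_dropped * (1.0 - deploy_failure))


def alert_counts(n_sensors: int, p_target: float,
                 p_detect: float, p_false_alarm: float):
    """Expected true and false alerts across the field in one reporting window.

    p_target      : P(a real target is within range of a given sensor)
    p_detect      : P(alert | target)     -- sensitivity
    p_false_alarm : P(alert | no target)  -- wind, rain, tremors, frogs
    """
    true_alerts = n_sensors * p_target * p_detect
    false_alerts = n_sensors * (1.0 - p_target) * p_false_alarm
    return true_alerts, false_alerts


def precision(true_alerts: float, false_alerts: float) -> float:
    """Share of alerts that are real; 0.0 when there are no alerts at all."""
    total = true_alerts + false_alerts
    return true_alerts / total if total else 0.0


def scenario(p_target: float = 0.01, p_detect: float = 0.90,
             p_false_alarm: float = 0.05) -> float:
    """Precision for one constructed night on the trail (all rates assumed):
    1% of live sensors have a real target in range, the sensor catches 90% of
    them, and 5% of the quiet sensors trip on noise anyway."""
    n = live_sensors(N_DROPPED, DEPLOY_FAILURE)
    t, f = alert_counts(n, p_target, p_detect, p_false_alarm)
    return precision(t, f)


if __name__ == "__main__":
    print(f"baseline precision:         {scenario():.2f}")
    print(f"perfect sensitivity:        {scenario(p_detect=1.0):.2f}")
    print(f"half the false-alarm rate:  {scenario(p_false_alarm=0.025):.2f}")
```

Under these assumed rates only about 15% of alerts correspond to a real target. Giving every sensor perfect sensitivity barely moves that figure (about 17%), while halving the per-sensor false-alarm rate raises it to about 27%. The scarce quantity was specificity, not sensitivity, and dropping more sensors into the same noise floor only multiplies the false alarms along with the true ones.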

Sensor Deployment

An F-4 Phantom jet, an OV-10 Bronco plane, or a CH-3 Jolly Green Giant helicopter was used for the air drops. Given the large quantity of sensors, the frequency of drops, the size of the budget and the engineering talent involved, their placement wasn’t as sophisticated as one might imagine.

Here you can see a member of the 21st Special Operations Squadron (SOS), based in Nakhon Phanom (under the Dust Devils call sign), at low altitude launching a sensor by hand.

Initially, MC-130E Blackbirds were used to orbit and monitor the sensors. By 1970 the 554th Reconnaissance Squadron (under the Vampires call sign) started orbiting the QU-22B “drone” to pick up signals from the sensors and relay them back to the Infiltration Surveillance Center (ISC) at Nakhon Phanom Royal Thai Air Force Base.

Despite being engineered with complex electrical equipment to enable remote control, reliability failures meant every flight carried a pilot on board (a QU-22 reunion site interviews them).

The high-tech QU-22 drone program was cancelled after just two years, following a number of crashes including two inside Laos.

Command Center

Back at the ISC, computers made by IBM were connected to a giant wall-sized display of the area under surveillance, as well as touchscreen monitors (images from US Air Force Historical Research Agency):



Military Surveillance “Toys” Deployed in America

Despite President Nixon’s backing, the expense of Igloo White, coupled with many American casualties, sat on top of a failure to produce results that could justify continuing the program, especially after the North Vietnamese simply changed tactics. The program was cancelled by 1973, just as Nixon was infamously announcing he would criminalize being non-white.

Nixon had believed so strongly in the new surveillance technology that he had the same sensors deployed on his lawns and…of course, on the border with Mexico.

Needless to say, even domestically the systems failed spectacularly as documented in 1971 and reported again in 1972:

“Bringing the toys home from Vietnam” New Scientist 15 Jun 1972

That kind of outcome didn’t seem to dissuade some from thinking there is a bright future for military surveillance technology along America’s borders.

In 1989 the Air War College reported that the failure of military surveillance under Nixon on the border with Mexico nonetheless gave President Reagan a useful foundation for a military role in the criminalization of non-whites.

Reagan pushed so hard for invasive domestic military surveillance that the Posse Comitatus Act of 1878 was modified “to allow all branches of the Armed Forces to provide equipment, training, and assistance to the U.S. Coast Guard, U.S. Customs, and to other Drug Enforcement agencies”. Today it is widely known, and becoming uncontroversial, that the “war on drugs” was intentionally racist — criminalizing non-whites.

Conclusion

The true lesson of Igloo White is that an expensive technological military replacement for human intelligence gathering (even domestically) may be very fast, yet it was also very expensive and never really proven accurate. It will forever be known in history as a “self-inflicted wound” by Nixon that Reagan doubled down on.

Air Force Magazine, while admitting the USAF vastly overstated the success of its work, also emphasized that data analysis can be mishandled by everyone involved:

…7th Air Force’s “numbers game” was refuted by the CIA’s own “highly reliable sources,” referring to its agents in the enemy ranks. The CIA and the Defense Intelligence Agency developed a formula that arbitrarily discounted 75 percent of the pilot claims. […] Then, as now, the bomb damage assessment process was flawed on both ends: Operations tended to claim too much; Intelligence tended to validate too little.

It was the “fire, ready, aim” foreshadowing of today’s drone programs (e.g. Operation Haymaker) where the vast majority of targets are later reported to be innocent civilians.


* “Bugging the Battlefield” by National Archives and Records Administration, 1969:

For a perspective from the Laotian side, see “The Rocket”:



Update April 2021:
Jim Bolen (former Special Forces operative in Laos and Cambodia on SOG operations to the Ho Chi Minh and Sihanouk Trails during the Vietnam War — recon team leader on over 40 SOG missions and extracted under fire from over 30) gives a new interview where he describes “Reconnaissance Missions to the Ho Chi Minh Trail” and argues that electronic sensors were infallible technology and instead it was LBJ who wasn’t listening.

…we had planted electronic seismic sensors along the Trail coming out of North Vietnam. These sensors were monitored 24 hours a day 365 days a year by C-130 Blackbirds. The seismic sensors would pick up vibrations from truck or tank movements along the Trail.


Sensors dropped along the Ho Chi Minh Trail in Attapeu Laos. Source: Military Assistance Command, Vietnam – Studies and Observations Group

Update October 2021: Declassification of secret missions gives us the opposite of Jim Bolen, “MACV-SOG: A Conversation with John Stryker Meyer”, which includes a gold nugget of modest wisdom from a Green Beret who served on the ground at the time that the bombing campaigns in Laos were “completely useless”.

How the NSA Can Tell if You Are a Foreigner

For several years I have tried to speak openly about why I find it disappointing that analysts rely heavily (sometimes exclusively) on language to determine who is a foreigner.

Back in 2011 I criticized McAfee for their rather awful analysis of language.

They are making some funny and highly improbable assumptions: … The attackers used Chinese language attack tools, therefore they must be Chinese. This is a reverse language bias that brings back memories of L0phtCrack. It only ran in English.

Here’s the sort of information I have presented most recently for people to consider:

Above you see analysts telling a reporter that the presence of a Chinese language pack is the clue to Chinese design and operation of attacks on Russia. Then further investigation revealed the source actually was Korea. Major error, no? It seems to be reported as only an “oops” instead of a WTF.

At a recent digital forensics and incident response (DFIR) meeting I pointed out that the switch from Chinese to Korean origin of attacks on Russia of course was a huge shift in attribution, one with potential connections to the US.

This did not sit well with at least one researcher in the audience. “What proof do you have there are any connections from Korea to the US” they yelled out. I assumed they were facetiously trying to see if I had evidence of an English language pack to prove my point.

In retrospect they may actually have been seriously asking me to offer clues why Korean systems attacking Russia might be linked to America. I regret not taking the time to explain what clues more significant than a language pack tend to look like. Cue old history lesson slides…but I digress.

A traitorous Confederate flag flies from an American M4 (A3E8?) in the “Forgotten War”

Here’s another slide from the same talk I gave about attribution and language. I point to census data with the number and location of Chinese speakers in America, and most popular languages used on the Internet.

Unlike McAfee, mentioned above, FireEye and Mandiant have continued to ignore the obvious and point to Chinese language as proof of someone being foreign.

Consider for a moment that the infamous APT1 report suggests that language proves nothing at all. Here is page 5:

Unit 61398 requires its personnel to be…proficient in the English language

Thus proving APT1 are English-speaking and therefore not foreigners? No, wait, I mean proving that APT1 are very dangerous because you can never trust anyone required to be proficient in English.

But seriously, Mandiant sets this out presumably to establish two things.

First, “requires to be proficient” is a subtle way to say Chinese never will do better than “proficient” (non-native) because, foreigners.

Second, the Chinese target English-speaking victims (“Only two victims appear to operate using a language other than English…we believe that the two non-English speaking victims are anomalies”). Why else would the Chinese learn English except to be extremely targeted in their attacks — narrowing their focus to basically everywhere people speak English. Extremely targeted.

And then on page 6 of APT1 we see supposed proof from Mandiant of something else very important. Use of a Chinese keyboard layout:

…the APT1 operator’s keyboard layout setting was “Chinese (Simplified) – US Keyboard”

On page 41 (suspense!) they explain why this matters so much:

…Simplified Chinese keyboard layout settings on APT1’s attack systems, betrays the true location and language of the operators

Mandiant gets so confident about where someone is from, based on assessing language, that they even try to convince the reader that Americans do not make grammar errors. Errors in English (failed attempts at proficiency) supposedly prove they are dealing with a foreigner.

Their own digital weapons betray the fact that they were programmed by people whose first language is not English. Here are some examples of grammatically incorrect phrases that have made it into APT1’s tools

It is hard to believe this is not meant as a joke. There is a complete lack of linguistic analysis, for example, just a strange assertion about proficiency. In our 2010 RSAC presentation on the linguistics of threats we give analysis of phrases and show how syntax and spellings can be useful to understand origins. I can only imagine what people would have said if we tried to argue “Bad Grammar Means English Ain’t Your First Language”.

Of course I am not saying Mandiant or others are wrong to have suspicion of Chinese connections when they find some Chinese language. Despite analysts wearing clothes with Chinese language tags and using computers that probably have Chinese language print there may be some actual connections worth investigating further.

My point is that the analysis offered to support conclusions has been incredibly weak, almost to the point of being a huge distraction from the quality in the rest of the reports. It makes serious work look absurd when someone over-emphasizes language spoken as proof of geographic location.

Now, in some strange twist of “I told you so”, the Twittersphere has come alive with condemnation of an NSA analyst for relying too heavily on language.

Thank you to Chris and Halvar and everyone else for pointing out how awful it is when the NSA does this kind of thinking; please also notice how often it happens elsewhere.

More people need to speak out against this generally in the security community on a more regular basis. It really is far too common in far too many threat reports to be treated as unique or surprising when the NSA does it, no?