OSINT Isn’t Evidence - InfoSec Needs To Take A Step Back & Breathe

A recent ForeignPolicy.com headline “Feds Quietly Reveal Chinese State-Backed Hacking Operation”, but that headline is misleading because the indictment issued by the U.S. Attorney in Western Pennsylvania didn’t name the Chinese government at all.

It only named three employees of the Guangzhou Bo Yu Information Technology Company Limited (Boyusec).

“The indictment makes no allegations regarding state sponsorship,” said Justice Department spokesman Wyn Hornbuckle, who added that prosecutors only “included the allegations that we are prepared to prove in court with admissible evidence.”

Elias Groll, who wrote the article, apparently questioned why the DOJ didn’t include the Chinese government like they did in the 2014 indictment that named five Chinese PLA officers, and which also came from the same U.S. Attorney’s office in Western Pennsylvania. Groll contacted FireEye’s John Hultquist and quoted from past research by RecordedFuture in support of his headline that directly refuted what the DOJ said.

So let’s be clear about what FireEye, RecordedFuture, and every other cyber security company puts out in a commercial white paper designed to generate headlines and attract sales, and what the DOJ develops in order to get a conviction. Only one of those two things can properly be called “evidence.”

In 2014, I spoke with William C. Snyder, a former Assistant U.S. Attorney who served in the Western District of Pennsylvania and the District of Columbia and who today is a professor at Syracuse University’s College of Law.

My question for him at that time was what must a cyber intelligence report have to deliver in order for an AUSA to pursue an indictment with the intent to prosecute. Here is an excerpt of his response to me:

First, the report by the non-government company is hearsay and is not admissible in court to prove any of the findings in the report. What the U.S. Attorney will be looking for in the report is a path to admissible evidence.

Here is a simple example. Guy opens Yahoo email accounts in names of boss who fired him and cop who arrested him. Guy sends emails from both accounts to the White House, threatening to blow it up. Desk at White House snags both emails and finds that they came from same IP.

For USSS, I issue on behalf of a grand jury a subpoena to the cable company for basic subscriber info for that IP. It comes back to a static IP for an account in the name of Joe Defendant at the address of his house.

Ready to indict? No.

Agents interview ex — boss and cop. Both deny sending emails to White House and both have had run — ins with Mr. Defendant.

Agents interview postal carrier and neighbors. Mr. Defendant lives at the house with his wife and small child. Interviews continue, and local pastor and others indicate that wife and child were at church at the time emails to White House were sent. I take agents to a judge, who issues search warrant for Mr. Defendant ’s house and computers.

Knock, Knock — BOOM. Agents search house and seize indicia of residence and computers, but don’t arrest anyone.

Forensic evaluation of hard drive finds in slack files of deleted cache various screen shots of when the Yahoo accounts were actually created on that very machine, at 2:00 a.m. some morning when an outsider is unlikely to have had access to the machine because Mr. Defendant worked days and his wife and small child sleep in house every night.

All this is presented to a grand jury, which returns an indictment to a judge who issues an arrest warrant. Agents visit house again.

Knock, Knock — click, click. Defendant now in handcuffs and off to court. Now, imagine that case where Defendant and house are on the other side of the world and the interviews and search warrant must be done with local law enforcement or by clandestine surveillance and hacking.

So, when ABC presents its report, the AUSA will be looking for a road map to admissible evidence to prove every essential fact — including attribution — beyond a reasonable doubt. The AUSA will not expect the report to prove any thing, because it is not admissible anyhow. But, they will need the report and its authors to be able to show a government investigative agency how to get to the proof.

So the next time that you hear an infosec company announce that so and so State actor is responsible for anything, please keep in mind that all of their open source research is not only not evidence, it’s not even admissable in court.

At best, it can be used as a roadmap to help the AUSA prosecute the case. At worst, it’s nothing more than a marketing rag. And 99 out of 100 journalists don’t have the background to know the difference.