Why linguistics can't always identify cyber attackers' nationality

The security whodunnit: analysing the language used in an attack is just one tool to assign attribution, and it’s not always reliable.

By Fahmida Y. Rashid
June 14, 2017

False flags are also possible. Just as The Shadow Brokers appear to have intentionally inserted grammatical errors to make it seem like they didn’t speak English well, attackers can intentionally insert specific phrases or errors to obscure their nationalities and throw off law enforcement and security researchers. This is why having a lot of text to analyze is important—it is harder to consistently make the same kind of errors. It’s also very difficult to sustain that over time.

A recent study by New York University professor Damon McCoy showed how studying linguistic style can be used reliably and accurately to identify individuals in an underground community, even when they use different aliases and accounts. Many attackers may overlook the language used in their strings, comments and notes, and not even realize that these items can and will be analyzed by researchers.

“Linguistic analysis is not definitive proof of attribution, but can be used in conjunction in certain circumstances with technical evidence to link malicious actors to attacks,” says Condra.
