BBC cyber attacks highlight difficulty of attribution

The BBC has revealed that is was targeted by sophisticated cyber attacks following a campaign by the Iranian government against the BBC Persian service, but stopped short of accusing Tehran of ordering the attacks.

Some parts of the BBC were unable to access e-mail and other internet services on 1 March as the result of what is believed to have been a distributed denial-of-service attack, the BBC said.

In an extract from a speech at the Royal Television Society released by the BBC, the broadcaster's director general Mark Thompson explains the difficulty of proving the origin of the internet attack.

Although the attempted jamming of BBC services to Iran is nothing new and the coincidence of the attacks is "self-evidently suspicious", Thompson concedes it may prove impossible to confirm the source of the attacks.

Thompson is right to be cautious of claiming definitively the Tehran government was responsible for the internet attack on the BBC, said Graham Cluley, senior technology consultant at IT security firm Sophos.

"Even if a computer involved in the attacks was found to be located in an Iranian military base, that doesn't necessarily mean that it was an attack done with the knowledge of Iran's authorities. It could have been compromised by hackers in other countries," Cluley wrote in a blog post.

Ross Brewer, managing director and vice-president, international markets, LogRhythm, said that, even once a cyber breach has been remediated and any potential damage minimised, there often remains an enormous amount of uncertainty and speculation surrounding the origins of the attack and attackers.

"Further forensic analysis of the breach is often required - unfortunately traditional point security solutions, such as anti-virus software and firewalls, do not provide the insight into IT networks needed to attribute cyber attacks," Brewer said.

Brewer said that, as nation states hone their cyber skills, the accurate attribution of cyber attacks has never been more important. He said this is especially so as inaccurate finger-pointing can inflame diplomatic conflicts and may even incite military aggression.

“To enable the accurate attribution of attacks, organisations need to employ protective monitoring systems which continuously collect and analyse all IT network log data," Brewer said.

According to Brewer, this approach not only enables the real-time automatic identification and remediation of any anomalous network activity, but also provides the network visibility required to piece together seemingly isolated events, giving organisations the intelligent insight needed for deep forensic analysis.

"Only with this deep level of network visibility can cyber attacks be accurately attributed to the correct perpetrators," Brewer said.

The BBC's revelations come only days after free-speech lobby group Reporters Without Borders released its Enemies of the Internet report.

The report stated that Iran is among the countries on its register that "censor internet access so effectively that they restrict their populations to local intranets that bear no resemblance to the world wide web".

It added that Iran's authorities were now capable of blocking ports used by virtual private networks designed to bypass the restrictions. At times of unrest the state had slowed internet connections speeds to make it impossible to send or receive photos or videos.

Iran's Revolutionary Guard created a "cyber army" in 2010. Hundreds of net users have been arrested and some even sentenced to death, according to the BBC.