How experts track global cyber criminals

If President Barack Obama was correct when he blamed the 2014 Sony Pictures cyber attack on the North Korean government, then Pyongyang was also likely responsible for the recent digital assaults on banks using the Swift network.

But the president might have been wrong, as several cyber security specialists suggested at the time. If so, it would not be the first example of errant attribution in cyber space.

Identifying the culprit behind a computer attack often takes weeks or months of painstaking detective work and offers no guarantee of success.

What evidence links North Korea to the bank attacks?

Security researchers at Symantec say they discovered tell-tale similarities between the malicious software used to infiltrate Sony’s computers and that used in electronic break-ins at banks in Bangladesh, Vietnam and the Philippines.

The malware used to tap the Bangladesh central bank’s Federal Reserve account in February was also used in a failed bid to steal more than $1m from a Vietnamese bank late last year and an attack on an unidentified bank in the Philippines in October, according to Symantec.

That code — known as “ban swift” — was identical to the Trojan virus used in the 2014 attack on Sony Pictures and a 2013 attack that wiped clean the computer memories of South Korea’s top broadcaster and several banks. “These attacks are all related and coming from the same actor,” said Eric Chien, technical director of Symantec’s security technology and response division.

Did the experts get it wrong in the past?

Yes. When JPMorgan in 2014 disclosed a computer breach that exposed personal data on more than 100m individuals, initial reports pointed to Russian hackers said to be retaliating for US sanctions. Eventually, the justice department indicted five people, including two Israelis, who had been engaged in a stock manipulation scheme.

Likewise, a 1998 attack that the Federal Bureau of Investigation initially blamed on Saddam Hussein turned out to be the handiwork of a pair of California teenagers. “Attribution’s really hard,” says Ben Johnson, chief security strategist for Carbon Black, a cyber security company in Waltham, Massachusetts. “You’re really hopeful there are enough clues.”

Why is determining who launched a cyber attack so hard?

Answering the “whodunnit” question is not as straightforward in cyber space as in the physical world. In the Sony case, the FBI identified several internet protocol addresses that matched those belonging to computers implicated in earlier North Korean cyber mischief.

But hackers often mask their location by bouncing electronic commands off servers in several countries. “Usually, it’s part of the campaign to make it look like you’re coming from a location other than where you’re from,” says Mr Johnson, a former National Security Agency specialist.

How does the cat-and-mouse game play out in practice?

Hackers can disguise their identity by writing their software code in a second language or by staging their attacks outside customary working hours. One way the justice department in 2014 identified the Chinese military officers behind the theft of trade secrets from companies such as US Steel and Westinghouse was that the attacks occurred during routine office hours in Shanghai, home to a well-known Chinese signals intelligence unit. The attackers took regular lunch breaks and went silent over the weekend, according to a grand jury indictment.

The justice department has become more aggressive about attributing cyber attacks to specific individuals or governments, even if the cases are unlikely to come to trial. John Carlin, assistant attorney-general for national security, said in a speech earlier this year that the US can deter attacks only by making sure those who launch them cannot remain anonymous.

Is the North Korean government definitely behind these attacks?

Symantec linked the tools used in the bank attacks to a hacking group known as “Lazarus”, rather than explicitly point to North Korea. “We wouldn’t claim that it’s North Korea. We don’t have evidence of that,” says Mr Chien. “All we can claim is that it’s the same attacker behind all of these attacks.”

But Mr Chien says it is “very unlikely” the attacks involved a different hacker mimicking the techniques used in the Sony Pictures attack. Whoever hit the banks would have needed the source code for the malware used against Sony, something only the original programmer would likely possess. (The bank attacks exploited local connections between the affected institutions and a global transactions network operated by the Brussels-based Society for Worldwide Interbank Financial Telecommunication).

Is there a consensus in the cyber security community on this issue?

Not everyone is agreed. FireEye, a rival security company that was hired by the Bangladesh central bank to investigate the attack, found evidence that North Korean hackers had infiltrated the institution’s network. But they were not alone: two additional intruders also left behind digital footprints, meaning multiple suspects in the subsequent theft.

Even as the security experts debate, the FBI is not saying whether or not it knows who carried out the bank attacks. Investigators may yet get fresh evidence to review. Both Symantec and FireEye say similar attacks could hit other financial institutions in Southeast Asia or elsewhere.


. . . . . . . .

Leave a Reply