Recently Mandiant released a very good and in-depth look at the flood of Chinese cyber attacks against US military and technology sites. China, of course, immediately refuted the report and claimed that it was America that was attacking them.
Who is right, and could we even tell for sure?
According to the Mandiant report, China’s secret Unit 61398 works out of a 12-story building in Shanghai and has stolen terabytes of information from over 140 different targets. But China fired right back, claiming that the US was responsible for the majority of the 144,000 hacking attempts a month that hit their military sites.
Nations the world over are reporting hacking attacks originating in China. US tech and military secrets are being pilfered at an alarming rate by hackers. It has even gotten to the point that some nations are warning about physical strikes in response to cyber attacks.
But with the ease of anonymity on the web, who would they strike?
From analysis of recently submitted malware samples from a single entity, you can see an alarming trend. Several of the malware samples included almost identical code; they were obviously written by the same person or group. They were all targeted phishing-type attacks: either they carried malware disguised as an informational report for the victim to run, or they linked to a malicious page.
The problem was, even though the source of the attack was obviously the same group, the servers that they sent the victims to were located all over the world!
One of the malware samples included a round-robin list of servers in multiple countries. It would try to connect out to the servers one after the other until it made a connection. These were located in Europe, England and even America!
One malware sample, when executed, connected out to a Chinese site, then transferred you to a Russian site and finally to a site in Turkey! One of the malicious sites was even hosted on a high speed game server located in America.
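The round-robin fallback behaviour described above leaves a recognisable trace in outbound connection logs: one host trying several servers in quick succession until one answers. The Python below is an added example, not code from the original post; it flags that pattern and lists the countries involved, which is exactly why the first server that responds tells you little about where the attacker sits. The log lines are constructed (RFC 5737 documentation addresses), and the country code on each line is assumed to come from an earlier offline GeoIP lookup.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed outbound-connection log: timestamp, source host, destination IP,
# country code (assumed from a prior GeoIP lookup), result. Not real indicators.
SAMPLE_LOG = """\
2013-02-20T09:14:01 host7 203.0.113.10 CN fail
2013-02-20T09:14:04 host7 198.51.100.22 DE fail
2013-02-20T09:14:07 host7 192.0.2.55 GB fail
2013-02-20T09:14:10 host7 198.51.100.99 US ok
2013-02-20T09:30:00 host7 192.0.2.7 US ok
2013-02-20T10:00:00 host3 203.0.113.20 RU ok
"""


def parse(log):
    """Split each log line into (time, host, dst, country, result)."""
    events = []
    for line in log.splitlines():
        ts, host, dst, cc, result = line.split()
        events.append((datetime.fromisoformat(ts), host, dst, cc, result))
    return events


def find_fallback_chains(events, window=timedelta(seconds=30), min_servers=3):
    """Per host, find bursts of min_servers+ connection attempts inside `window`
    where earlier attempts failed and the last one succeeded: the signature of a
    sample walking a fallback list of command-and-control servers."""
    by_host = defaultdict(list)
    for ev in sorted(events):
        by_host[ev[1]].append(ev)
    chains = []
    for host, evs in by_host.items():
        i = 0
        while i < len(evs):
            j = i  # extend the burst while attempts stay within the window
            while j + 1 < len(evs) and evs[j + 1][0] - evs[i][0] <= window:
                j += 1
            burst = evs[i:j + 1]
            failed = any(ev[4] == "fail" for ev in burst)
            if len(burst) >= min_servers and failed and burst[-1][4] == "ok":
                chains.append({"host": host,
                               "servers": [ev[2] for ev in burst],
                               "countries": sorted({ev[3] for ev in burst})})
                i = j + 1
            else:
                i += 1
    return chains


if __name__ == "__main__":
    for chain in find_fallback_chains(parse(SAMPLE_LOG)):
        print(chain)
```

Each flagged chain names the servers tried and the set of countries they resolve to; the one that finally answered is just the last entry in that list, not the origin of the campaign.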
Which country was the attacker actually located in? Which one should be bombed in retaliation?
Only a basic level of analysis was performed, but without hacking into the malware servers (which would be illegal) there is really not much more a civilian could do at that point.
Sure, they could report the individual malware site to get it shut down, but then all the attacker does is move to another server and continue the attack.
Law enforcement officials would need to work together with the server hosting provider to attempt to backtrack it from that point and see who is logging into these servers to download the data. And if the hackers are using a program like Tor, which bounces traffic through several countries to retrieve the pilfered data, the job of finding the source attacker is even more difficult.
As you can see, tracking down cyber espionage is not a simple game of Clue. It can be a long and arduous task involving several agencies and multiple countries.
A true Cyber Who Dunnit…