With news of Russian hackers influencing the U.S. presidential election, many in the media have wondered how we identify hackers. There are a number of ways that cyber-security experts can find the source behind a hack.
The first and most obvious way to track a hacker is with their IP address. Now, any hacker worth their salt will use an IP address that lacks meaningful information. They’ll work over Tor, over a VPN, or maybe even in a public space. But let’s assume that the hacker we want to track is exceptionally inexperienced, or they accidentally exposed their IP address. Finding them by their IP might work like this:
1. The hacker successfully achieves their objectives (whatever that might be) but leaves behind logs showing network access from a specific IP address.
2. The company or individual that was hacked passes those logs on to law enforcement.
3. Law enforcement officers subpoena the ISP to find out who owns that IP address or who was using it at the time of the attack. Investigators can then associate this IP address with a physical location.
4. After obtaining a warrant, investigators travel to the physical location indicated by the IP address and begin their investigation.
5. If our hacker was really dumb, investigators will find evidence of the hack everywhere. If so, it will be a short trial before the hacker is sent to jail for his or her crimes.
Of course, with most hackers working behind proxies, the IP addresses obtained by law enforcement won’t point them anywhere useful. That means they’ll need to use other techniques or wait for hackers to make a mistake.
When investigating a skilled hacker, computer forensics comes down to looking for little mistakes and circumstantial evidence. You won’t have an IP address pointing a big red arrow at your attacker’s home. Instead, you’ll have a bunch of little breadcrumbs that can help you make a good guess about the likely perpetrators.
The complexity of a hack might limit potential perpetrators to highly-skilled operatives. U.S. intelligence agencies keep records of previous attacks and correlate them to specific hackers, even if they don’t know their names.
For example, American law enforcement called the DNC hacker APT 29, or Advanced Persistent Threat 29. We might not know his or her name and address, but we can still attribute hacks to him or her based on his or her style, modus operandi and software packages.
The type of software package used in the hack might offer a “signature” pattern. For example, many hackers use highly customized software packages. Some can even be traced back to state intelligence agencies. In the DNC hack, forensic investigators found that the SSL certificate used in the hack was identical to the one used by Russian military intelligence in the 2015 hack of the German parliament.
Sometimes it’s the really tiny things. Maybe it’s an odd phrase that’s repeated in random communications that ties the hack back to a particular individual. Or maybe it’s a little breadcrumb left by their software package.
That’s one of the ways the DNC hacks came to be associated with Russia. Investigators of the exploit noticed that some of the Word documents released by the hack showed revisions by a user with a Russian localization of Word and a Cyrillic user name. Buggy tools can even reveal a hacker’s location. The popular DDoS utility Low Orbital Ion Cannon once had a bug in it that would reveal the user’s location.
Old-fashioned police work helps find hackers too. The specific target might help identify the perpetrator. If law enforcement determines the motivation behind the attack, it might be possibile to attribute political motivations. If the hack is suspiciously beneficial to one group or individual, it’s obvious where to look. Hackers might be funneling money into a bank account, and that might be traceable. And hackers aren’t immune to “ratting” on one another to save their own skin.
Finally, sometimes hackers just tell you. It’s not uncommon to see hackers bragging on Twitter or IRC about their recent exploits.
If investigators can track down enough breadcrumbs, they can start to build a more complete picture and try to get their hands on a meaningful IP address.
It’s one thing to know the code name of a hacker, but it’s another thing to actually get your hands on them. Often, arresting a hacker comes down to a small mistake. Lulzsec leader Sabu, for example, was caught when he neglected to use Tor to log into IRC. He only made the mistake once, but it was enough for the agencies surveilling him to determine his real physical location.
Law enforcement finds hackers in an astonishing variety of ways. It often comes down to a small but critical mistake made by the perpetrator.