
  • Written by The Conversation Contributor
Image: The fingerprints might indicate China, but that's not so easy to prove. (Shutterstock)

The Chinese military has been blamed for the recent cyber attack on the Australian Bureau of Meteorology (BOM).

The Chinese government has, of course, denied its involvement. And it does seem somewhat convenient that it is being blamed for this latest high profile breach.

It is therefore a legitimate question to ask what evidence there may be to implicate China in this particular incident.

Unit 61398

Much of what we know about the Chinese military involvement in hacking has come from work done by security firms like Mandiant, which first detailed what it knew about the activities of the Chinese People’s Liberation Army’s infamous Unit 61398.

Mandiant analysed the activities of this cyber espionage unit which, according to Mandiant, had hacked 141 companies over a seven year period, targeting any intellectual property it could find.

During that time, Unit 61398 stole hundreds of terabytes of data, sometimes doing so over a period of years. Mandiant had put together a profile of this unit, which employs hundreds of staff with a range of technical and linguistic skills. It was even able to identify specific individuals within the unit and the work responsibilities each of them had.

The United States district court of Pennsylvania was also able to charge five members of this unit relating to the hacking of US companies.

Building a profile that identifies a particular hacking group involves looking at the source of attacks or figuring out the origin of the machines that operate as command and control. In the case of Mandiant’s analysis of Unit 61398, all of the attacks that it reviewed originated from Shanghai.

Identifying a specific “threat group” involves creating a “digital fingerprint” of the hackers and using that to distinguish one group from all the others. This process looks at the methods and tools the hackers use to get into systems, what information they choose to take and the care they exercise to disable alarms and remove any evidence.

Weakest link

It is important to examine the entire profile of an attack because it is not sufficient to rely on isolated evidence like the source of an attack. In July of this year, the US Office of Personnel Management was hacked, resulting in the theft of personal information on 22 million US government workers.

The Chinese hackers responsible used US-based servers for their attacks. The particular groups involved were probably sanctioned by the Chinese government but were not in Unit 61398.
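As an added illustration (not part of the original article) of why the whole profile, rather than an isolated indicator such as the attack source, drives attribution, the Python below scores an incident against stored group fingerprints. The group names, feature values, weights and thresholds are all constructed for the example.

```python
# Constructed fingerprints: names, features and weights are illustrative only.
PROFILES = {
    "GROUP-A": {
        "source_region": {"region-1"},
        "tools": {"backdoor-x", "dropper-y", "tunnel-z"},
        "techniques": {"spear-phishing", "privilege-escalation", "log-clearing"},
        "data_taken": {"intellectual-property"},
    },
    "GROUP-B": {
        "source_region": {"region-2"},
        "tools": {"rat-q", "loader-r"},
        "techniques": {"spear-phishing", "credential-theft"},
        "data_taken": {"personnel-records"},
    },
}
# Source location is cheap to disguise, so it carries the least weight.
WEIGHTS = {"source_region": 0.1, "tools": 0.4, "techniques": 0.3, "data_taken": 0.2}

def jaccard(a, b):
    """Overlap of two feature sets, 0.0 (disjoint) to 1.0 (identical)."""
    return len(a & b) / len(a | b) if (a or b) else 0.0

def score(incident, profile, weights=WEIGHTS):
    """Weighted similarity between an incident and one group fingerprint."""
    return sum(w * jaccard(incident.get(k, set()), profile.get(k, set()))
               for k, w in weights.items())

def attribute(incident, profiles=PROFILES, threshold=0.5, margin=0.15):
    """Name a group only if the best match is strong and clearly ahead."""
    ranked = sorted(((score(incident, p), n) for n, p in profiles.items()),
                    reverse=True)
    best = ranked[0]
    runner_up = ranked[1] if len(ranked) > 1 else (0.0, None)
    if best[0] < threshold or best[0] - runner_up[0] < margin:
        return None, ranked          # not enough evidence: leave unattributed
    return best[1], ranked

# Constructed incident 1: traffic relayed through a third region, but the
# tools, techniques and stolen data all match GROUP-B.
INCIDENT_RELAYED = {"source_region": {"region-3"}, "tools": {"rat-q", "loader-r"},
                    "techniques": {"spear-phishing", "credential-theft"},
                    "data_taken": {"personnel-records"}}
# Constructed incident 2: source matches GROUP-A, nothing else distinctive does.
INCIDENT_SOURCE_ONLY = {"source_region": {"region-1"}, "tools": {"unknown-tool"},
                        "techniques": {"spear-phishing"},
                        "data_taken": {"credentials"}}

if __name__ == "__main__":
    for name, inc in [("relayed", INCIDENT_RELAYED),
                      ("source-only", INCIDENT_SOURCE_ONLY)]:
        print(name, attribute(inc))
```

The relayed incident is matched to GROUP-B despite its unfamiliar source, while the incident that shares only a source region with GROUP-A stays unattributed.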

The difficulty with using past information to establish a digital fingerprint is that the hackers' techniques change constantly as they work to stay ahead of those trying to identify them. Unit 61398 had an arsenal of 40 different types of malware that are identifiable as long as the versions of the software do not change.

However, the process for all of the hacking groups is largely the same. The weakest link in an organisation is its people, who often fall for standard phishing emails that trick the user into downloading a piece of malware. This software can give hackers access from which they can “escalate their privileges” or get more authority to access other machines and services.

At the same time, malware can be installed on compromised machines to give broader access to the network and this can be controlled by “command and control servers” that provide an interface between the hackers and the compromised machines.

Image: In 2009, the website for the Melbourne International Arts Festival (MIAF) was hacked, apparently by Chinese nationalists who were protesting against the arrival of exiled Uighur leader Rebiya Kadeer to Australia. (AAP Image/MIAF)

Origins

To a certain extent, all hackers look alike. They can often be identified as non-English speaking, but identifying them as Chinese relies on tracing back to a source which is not only located in China but shows that the user was using a Chinese keyboard or had their computer language set to Chinese.

Identifying hackers as Chinese relegates those hackers to being beyond the law. The Chinese government has not moved to stop these groups and would certainly not hand them over to western governments for trial.

However, it is entirely possible that hackers from other countries are using Chinese servers as another layer of cover for their own activities. It would be foolish to believe that it is only the Chinese government that is involved in state-sponsored hacking, as all governments have an interest in commercial and military espionage of this sort.

There are also criminally motivated hacking groups and politically motivated “hacktivists”. Separating out attack groups relies on being able to identify the separate hallmarks of their craft, which security agencies and companies are getting much better at doing.

David Glance does not work for, consult, own shares in or receive funding from any company or organization that would benefit from this article, and has disclosed no relevant affiliations beyond the academic appointment above.


Read more http://theconversation.com/how-we-trace-the-hackers-behind-a-cyber-attack-51731
