At 2 p.m. on March 20, 2013, the hard drives of tens of thousands of computers in South Korea were suddenly wiped clean in a massive cyberattack. The main targets were banks and news agencies. At first the assault looked like a case of cyber-vandalism. But as they probed deeper, the computer sleuths investigating it came to a different conclusion.
The operation, which they dubbed "Dark Seoul," had been carefully planned. The hackers had found their way into the targets’ systems a couple of months earlier and inserted the software needed to wipe drives. Just before the attack they added the code needed to trigger it. Looking at the methods the intruders used, the investigators from McAfee, a cybersecurity firm, thought the attack might have been carried out by a group of hackers known for targeting South Korean military information.
But they could not be sure. Tracing the exact source of an attack can be next to impossible if the assailants want to cover their tracks. Over the past decade or so various techniques have been developed to mask the location of Web users. For example, a technology known as Tor makes Internet connections anonymous by bouncing data around the globe, encrypting and re-encrypting them until their original sender can no longer be traced.
Conversely, some hackers are only too happy to let the world know what they have been up to. Groups such as Anonymous and LulzSec hack for fun ("lulz" in Web jargon) or to draw attention to an issue, typically by defacing websites or launching distributed-denial-of-service (DDoS) attacks, which involve sending huge amounts of traffic to websites to knock them offline. Anonymous also has a track record of leaking emails and other material from some of its targets.
Criminal hackers are responsible for by far the largest number of attacks in cyberspace and have become arguably the biggest threat facing companies. Some groups have organized themselves so thoroughly that they resemble mini-multinationals. Earlier this year a joint operation by police from a number of countries brought down the cybercrime ring behind a piece of malware called Blackshades, which had infected more than half a million computers in over 100 countries. The police found that the group was paying salaries to its staff and had hired a marketing director to tout its software to hackers. It even maintained a customer-support team.
Such organized hacking empires are becoming more common.
"Crime has changed dramatically as a result of the Internet," said Andy Archibald, the head of Britain’s National Cyber Crime Unit. Criminal hackers are involved in two broad sets of scams. In the first, they help carry out traditional crimes. Last year police in the Netherlands and Belgium broke up a drug-smuggling ring that had hired a couple of computer experts to beef up its logistics. The gang hid drugs in legitimate shipments of goods destined for the port of Antwerp, using the hackers to break into the IT systems of shipping companies at the port and steal the security codes for the containers so the criminals could haul them away before their owners arrived.
The second type of crime takes place entirely online. In June U.S. authorities issued charges against the Russian mastermind behind the GameOver Zeus botnet, a sophisticated piece of malware that steals online-banking login details from infected computers and uses them to drain the victims’ accounts. The Federal Bureau of Investigation puts the losses at more than US$100 million.
"Robbing one person at a time using a knife or gun doesn’t scale well. But now one person can rob millions at the click of a button," said Marc Goodman of the Future Crimes Institute.
In the past year or so police have scored some other notable victories against digital crooks. These include the arrest of the man behind Silk Road, a notorious online bazaar that sold guns, drugs and stolen credit-card records, and a raid on servers hosting Cryptolocker, a "ransomware" program that encrypts computer files, decrypting them only on payment of a ransom.
Cybercrimes often involve multiple jurisdictions, which makes investigations complicated and time-consuming. And good cybersleuths are hard to find, because the sort of people who are up to the job are also much in demand by companies, which usually offer higher pay. Archibald said he is trying to get more private firms to send him computer-savvy employees on secondment.
Criminals are generally after money. The motives of state-sponsored or state-tolerated hackers are harder to categorize, ranging from a wish to cause chaos to pilfering industrial secrets. The Syrian Electronic Army, for example, generates publicity by defacing the websites of media companies. Last year it hijacked the Twitter account of The Associated Press and posted a tweet falsely claiming that the White House had been bombed.
Other groups that have caught security people’s attention include Operation Hangover, based in India and focused on Pakistani targets, and the Elderwood Group, a Chinese hacker outfit that was behind a series of attacks in 2009 on American tech companies such as Google. Such groups have become collectively known by a new acronym, APTs, or advanced persistent threats.
"These hackers are smart and they wage long-term campaigns," said Mike Fey, McAfee’s chief technology officer.
Unlike criminals, who typically scatter malware far and wide to infect as many targets as possible, APT groups concentrate on specific targets. They often use "spear-phishing" attacks, trying to trick people into divulging passwords and other sensitive information, to get access to networks. And once inside, they sometimes lie low for weeks or months before striking.
Government spies typically use the same tactics, so it can be hard to tell the difference between state-run spying and the private sort. When Mandiant, a cybersecurity firm, published a report last year about China’s industrial-espionage activities, it labeled the group behind them "APT1." The report claimed that Chinese hackers from Unit 61398, a Shanghai-based arm of the People’s Liberation Army, had broken into dozens of corporate networks over a number of years, paying special attention to industries such as technology and aerospace that China sees as strategic. In May the U.S. Justice Department indicted five Chinese hackers from the unit in absentia for attacks on the networks of some American firms and a trade union.
China is not the only country involved in extensive cyberespionage. Edward Snowden’s leaks have shown that the U.S. National Security Agency ran surveillance programs that collected information direct from the servers of big tech firms, including Microsoft and Facebook, and that it eavesdropped on executives at Huawei, a large Chinese telecommunications firm. U.S. officials like to claim that the NSA’s spying is not designed to be of direct benefit to American firms, though it has certainly sought intelligence on issues such as trade negotiations that are likely to be helpful to all American companies.
Blocking sophisticated and highly targeted attacks is extremely difficult. Defenders are like the batsmen in a cricket game who must deflect every ball heading for the stumps; hackers just need to knock off the bails once to win. But the defense would greatly improve its chances by getting a few basic things right.