Tracking the hack

So I hear on the news that this organization or that organization has tracked the hackers back to "this place" or "that place". But I'm curious.... how do they know where the attack actually came from when there are ways to provide anonymity such as VPNs and proxy chaining? From my knowledge, not all VPN providers and proxies keep logs.

Find more posts tagged with

Comments

philz1982

Some folks will put files in a honeypot or a live directory with geolocation code embedded in the file. That's one reason why folks don't shut down hacks instantly. You put the file on the drive being hacked, and the geolocation code will tell you where the hacker is at.

[COLOR=blue]var[/COLOR] loc = [COLOR=blue]null[/COLOR];[INDENT][COLOR=blue]function[/COLOR] getLoc() {       [/INDENT]
[INDENT=2] [COLOR=blue]if[/COLOR] (loc == [COLOR=blue]null[/COLOR]) 
{            loc = [COLOR=blue]new[/COLOR] Windows.Devices.Geolocation.Geolocator();        }       

 [COLOR=blue]if[/COLOR] (loc != [COLOR=blue]null[/COLOR]) 
{            loc.getGeopositionAsync().then(getPositionHandler, errorHandler);        } [/INDENT]
[INDENT]}    [/INDENT]
[INDENT=2]
[COLOR=blue]function[/COLOR] getPositionHandler(pos) [/INDENT]
[INDENT=3]{        
 document.getElementById([COLOR=#A31515]'latitude'[/COLOR]).innerHTML = pos.coordinate.point.position.latitude;        document.getElementById([COLOR=#A31515]'longitude'[/COLOR]).innerHTML = pos.coordinate.point.position.longitude;        document.getElementById([COLOR=#A31515]'accuracy'[/COLOR]).innerHTML = pos.coordinate.accuracy;        document.getElementById([COLOR=#A31515]'geolocatorStatus'[/COLOR]).innerHTML =            getStatusString(loc.locationStatus);   
 }[/INDENT]

Then once you have location you setup a reverse connection and send the location to the listener.You could use an HTTP Socket to send the information, if you wanted to you could encrypt and send over HTTPS.

cyberguypr

Ah, the lovely game of attribution. A lot of the work is done with forensics, reverse engineering and log analysis. Attackers usually tend to reuse tools and methods so that makes it easier to associate attacks to a particular group. Sometimes comments are found in the code that provide valuable pointers to the origin and identity of the attackers. The problem then becomes the 'false flag' issue where attackers mask their footprint to have it appear as coming from a specific group or country. This is where the concept of strategic attribution comes in place, where a more in-depth analysis is performed going above and beyond the physical evidence and take into consideration geopolitical and other factors.

Dieg0M

philz1982 wrote: »

Some folks will put files in a honeypot or a live directory with geolocation code embedded in the file. That's one reason why folks don't shut down hacks instantly. You put the file on the drive being hacked, and the geolocation code will tell you where the hacker is at.

Then once you have location you setup a reverse connection and send the location to the listener.You could use an HTTP Socket to send the information, if you wanted to you could encrypt and send over HTTPS.

So what you are saying is that you have to hack the hacker to get his identity?

the_Grinch

Attributing the attack to someone is the hardest part. But it is just like any other crime, you follow the clues. The way someone writes their code, particular methods used for an attack (if you read you'll see that certain teams like to use certain kinds of attacks), and then good old fashioned mistakes. It really comes down to this, if you do not have evidence you won't find them. Logs, logs, logs.

philz1982

Dieg0M wrote: »

So what you are saying is that you have to hack the hacker to get his identity?

I'm telling you, if you haven't done this you'd be surprised how well it works. When someone is uploading GB/PB of data that little 24kb file goes unnoticed.

It's the whole concept of active defense.

-Phil

the_Grinch

It's a legal grey area that I'm not totally sure I'd want to go down, but companies do try it.

wd40

Regarding the VPN / Tor security part; Sometimes they just wait for you to make a mistake, or force you to make a mistake.

An example: A Kiddie P@&# site was ceased I think by FBI, so they do some changes to the site and use a flash player exploit to expose site visitors.

Example 2, look at how they caught the guy behind Silk Road 2.0 .

renacido

Another way this is done, particularly with botnets, is to identify/enumerate the domains used by the botnet, find one with a domain name that is about to expire, then register the domain before the botnet operator renews it. This is called "sinkholing a domain". Then you set up your own CnC server on that domain to accept the connection requests from the bots sending callbacks and capture their traffic. Meanwhile you put a copy of the botnet client in a malware analysis environment (sandboxed lab) and reverse engineer it. From this analysis you'll often find:

- Countries, industries, specific systems/users being targeted
- All the above target demographics that are excluded from being targeted (example, if the malware install is aborted if the victim machine's NAT IP address puts this host in Russia, then Russia is a likely geographic source or sponsor)
- Often the analysis reveals authentication credentials or possible exploits that can be used against the actual botnet server, for instance you may be able to log into the server and drop a payload of your own, or if the server hosts a database with no backend data validation you might be able to use a SQL injection to **** the tables, get all the info stored within, and pwn the blackhat's servers.

Chinook

In some cases knowing the location of the hacker is mostly a moot point. For example, the Syrian Electronic Army regularly attack the United States & some of it's companies. We can assume they're in Syria & the subpoena the Feds send won't have much influence.

@WD40. I think it was in 2014 when the FBI took down Freedom Hosting & a bunch of dark net sites. They did so by writing a complex JavaScript (or so I read) that was able to extract the IP of the Tor user. It only worked on Windows & Mac (not Linux).

The complexity of modern computer systems make it that a lone Blackhat has a real challenge to stay anonymous. The game changes when the intruder has their own red team & are state sponsored. Then you're dealing with a high level of skill and a budget.