Friday, May 09, 2008

The Difficulty in Identifying Source and Motive of Politically Motivated Computer Crimes

In a textbook example of the difficulty of determining the true source and motive behind online attacks, several reports from Korea concern the arrest of Chinese and Korean nationals involved in online identity theft. The original attacks were attributed to Chinese 'hackers' attacking Korean systems for political reasons, because the attacks appeared to originate in China and the software used in the attack had an anti-Korean title.

However, it now appears that Korean criminals involved in online identity theft were hiring Chinese 'hackers' to gather the information used for fraud:
"...Chinese hackers who claim there is something of a black market for Korean personal information in China. They say Koreans hire Chinese hackers to break into sites to get information, which is then handed over and sold in Korea."

"...the vice head of PR for “Auction” [eBay's Korean subsidiary] said on CBS radio last month that the hacking program employed in the attack was named “Fuck KR,” leading at the time to speculation that the attack was anti-Korean in nature."

This case demonstrates three important issues in analyzing politically motivated computer crimes (or any other computer crime):

1. Most attackers use a chain of connections between themselves and their target. Inexperienced investigators are often misled when they attribute the attack to the most immediate link in that chain. (This is not a new phenomenon; 'hackers' have employed it for over 20 years. See "International Intrusions: Patterns and Motives", specifically section 3, Intrusion Patterns and Dynamics, for a discussion of how this technique was used in the 1980s and 1990s.)

2. 'Hackers' can be hired or manipulated by other criminal elements, thus disguising the actual motive behind the attack.

3. Motive is very difficult to determine in online attacks. There are many cases of politically motivated computer crimes disguised as fraud or other types of attacks, and also attacks (such as this example) where the real motive is disguised as political. Another good example of this is the 'WANK' worm released in 1989:
"... the internal network of Digital Equipment Corporation and later in the NASA / SPAN networks. This was jokingly named by the Australian authors as “Worms against Nuclear Killers” and has been misreported in several publications as an example of political hacking [See: Denning, Dorothy E., “Activism, Hacktivism, and Cyberterrorism: The Internet as a Tool for Influencing Foreign Policy”].

"However, the authors had no political motive in these attacks and were playing on the British meaning of the word 'wank' [Source: "Hacktivism & Politically Motivated Computer Crime"]."

Too often the source and motives behind attacks are attributed on the basis of little information or of assumptions. This is inadequate when discussing cyberwar, and especially when governments and corporations are considering online retaliation. Investigators and security professionals need better skills in determining the actual sources and motives behind computer crimes, political or otherwise.

Also see Analyzing Goggle Attacks - Plenty of Room for Error

Auction Identity Thieves Nabbed

‘Auction’ Hacker Arrested in China?
