Hackers are human beings, just like you and me. This simple but integral fact provides the foundation for cyber security as we know it. Because no matter how many firewalls they can build and zombie computers they can route their attacks through, hackers inevitably make mistakes, like humans do, and these are often the only breadcrumbs left behind for cyber security professionals. (It's more fun if you call them hacker hunters; think scavenger hunter, not Big Buck Hunter.) And these days, you'd better know a little bit of Chinese if you have any hope of getting the trophy.
Joe Stewart is one of these hacker hunters. As director of malware research for Dell SecureWorks, a subsidiary of Dell, he spends his days in a basement office, sifting through tens of thousands of pieces of malware looking for patterns that might serve as clues for the latest hacking techniques. Hackers are constantly looking for new ways to break into websites, and it's Stewart's job to spot them so that Dell engineers can come up with new ways to keep them out. A new Bloomberg Businessweek profile of Stewart walks through the painstaking process not only of spotting hackers but also the near-impossible task of identifying them. And, in this rare case, Stewart succeeds.
Hunting hackers is all about looking for patterns and connecting the dots. As Bloomberg Businessweek's Dune Lawrence and Michael Riley explain, "aliases used in domain registrations, old online profiles, or posts on discussion boards that give the odd glimpse of hackers at work" are about the only kinds of clues a hacker hunter gets that link a hacker to a real human being. These are like footprints that a hacker either forgot existed or forgot to brush away. In the case of the hacker behind the fake online identity Tawnya Grilth, these are exactly the clues that led to Stewart identifying a computer science teacher with ties to China's equivalent of the National Security Agency (NSA).
The hacker behind Tawnya Grilth messed up when he registered the domain dellpc.us, which threw up a red flag for Stewart to spot. After contacting ICANN and gaining control over the domain due to trademark issues, Stewart started to see the hacker network light up.
"Once inside a computer, malware is set up to signal a server or several servers scattered across the globe, seeking further marching orders," Lawrence and Riley explain. "This is known in the information security business as 'phoning home.' Stewart and his fellow sleuths have found tens of thousands of such domains, known as command and control nodes, from which the hackers direct their attacks."
From there, Stewart found a unique user ID for the chat service QQ that eventually led him to the hacker, Zhang Changhe, who works at the PLA Information Engineering University. There's more to it than that, but it's worth reading the whole profile so that you don't miss any details.
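The "phoning home" behaviour described above is what a defender who controls a sinkholed domain, or who simply reviews their own outbound DNS and proxy logs, can actually see: infected machines contacting a command-and-control domain on a fixed schedule. The script below is an added example and is not code from the article, from Dell SecureWorks, or from Stewart; the log format, the hostnames, and the "example-legit" domains are constructed for illustration, and dellpc.us is used only because the article names it as the domain Stewart took over. It parses a few constructed log lines, flags hosts that contacted a known sinkholed domain, and separately flags (host, domain) pairs whose contact intervals are regular enough to look like a malware beacon rather than human browsing.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not from the article): "<ISO timestamp> <source host> <destination domain>".
# ws-17 contacts dellpc.us every ten minutes with a second or two of drift, the way a beaconing
# implant would; ws-22 browses a news site at irregular, human-looking intervals.
SAMPLE_LOG = """\
2013-02-01T09:00:00 ws-17 dellpc.us
2013-02-01T09:00:02 ws-17 cdn.example-legit.net
2013-02-01T09:10:01 ws-17 dellpc.us
2013-02-01T09:20:00 ws-17 dellpc.us
2013-02-01T09:30:02 ws-17 dellpc.us
2013-02-01T09:40:00 ws-17 dellpc.us
2013-02-01T09:03:11 ws-22 news.example-legit.net
2013-02-01T09:31:45 ws-22 news.example-legit.net
2013-02-01T11:12:09 ws-22 news.example-legit.net
2013-02-01T14:00:05 ws-22 cdn.example-legit.net
"""

# Domains a defender has taken over or otherwise knows to be command-and-control nodes.
# dellpc.us is the domain the article says Stewart gained control of; the set is an assumption.
SINKHOLED_DOMAINS = {"dellpc.us"}


def parse_log(text):
    """Group contact timestamps by (host, domain). Returns dict[(host, domain)] -> list[datetime]."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        timestamp, host, domain = line.split()
        events[(host, domain)].append(datetime.fromisoformat(timestamp))
    return events


def sinkhole_hits(events, sinkholed):
    """Hosts that contacted any known-bad domain: these machines are almost certainly infected."""
    return sorted({host for (host, domain) in events if domain in sinkholed})


def beacon_candidates(events, min_contacts=4, max_jitter_ratio=0.10):
    """(host, domain) pairs contacted at near-constant intervals.

    For each pair with at least min_contacts contacts, compute the gaps between consecutive
    contacts and the ratio of their standard deviation to their mean. Human browsing produces
    wildly varying gaps; a scheduled beacon produces gaps that barely move. Returns a list of
    (host, domain, mean_gap_seconds, jitter_ratio) tuples for pairs under the jitter threshold.
    """
    candidates = []
    for (host, domain), times in events.items():
        if len(times) < min_contacts:
            continue
        times = sorted(times)
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap == 0:
            continue
        jitter = statistics.pstdev(gaps) / mean_gap
        if jitter <= max_jitter_ratio:
            candidates.append((host, domain, round(mean_gap), round(jitter, 3)))
    return candidates


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("hosts that phoned home to a sinkholed domain:", sinkhole_hits(events, SINKHOLED_DOMAINS))
    for host, domain, mean_gap, jitter in beacon_candidates(events):
        print(f"beacon-like: {host} -> {domain} every ~{mean_gap}s (jitter ratio {jitter})")
```

The sinkhole check is the direct win the article describes: once the domain is yours, every host that connects to it identifies itself. The beacon check is the complement for domains you do not yet know about; in practice you would run it over a full day of proxy or DNS logs, tune the interval and jitter thresholds, and suppress known-good periodic traffic such as update checks before treating a hit as a command-and-control node.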
The takeaway from Stewart's quest to unmask Zhang isn't some secret formula for doxing Chinese hackers. Rather, it provides new insight into how the Chinese government is farming out its cyber warfare needs to non-military experts, also known as cyber-militias. This keeps them from starting World War III while still rooting around in the servers of everyone from the United States government to major multinational companies. It's a real dodgy business with serious consequences, explains Foreign Policy's Richard Andres:
In order to empower cyber-militias, states must facilitate their ability to obtain cyberweapons and create institutions that reduce evidence of state control. Because reducing evidence of state control generally requires reducing actual state control, militias usually have some real level of autonomy. In an earlier age, when the worst damage cyber-militias could do involved defacing webpages and conducting minor denial of service attacks, this had limited implications for international security. In the post-Stuxnet era, however, it is conceivable that organized and empowered non-state actors could damage nuclear power plants, air traffic control systems, gas pipelines, banking systems, or electric grids.
Just a couple of weeks ago, the New York Times informed the world that they'd been the target of Chinese hackers for four solid months. The paper and Mandiant, the hacker hunter company they hired to help them deal with the attack, said that no sensitive information was stolen, even though the hackers managed to break into every New York Times employee's account. The hackers were evidently looking for information related to recent investigative reports about bad behavior amongst senior Communist Party leadership.
It's unclear what tipped the Times off to the possibility of a break-in, but over the course of those four months, they were able to observe the patterns of one of these Chinese cyber-militias at work. They seemed to stick to business hours, showing up to hack around nine and leaving around five. They took vacations. They also employed a lot of the same methods we've seen from the Chinese military. The Chinese government, of course, denies any involvement.
So you want to be a hacker hunter, too? Help hold Beijing accountable for its potentially destructive code-clipping? Get in line. The Pentagon's been on a hiring spree for years now, and with President Obama's new executive order on cyber security, we're surely going to see an uptick in these kinds of job openings. Of course, it would help to do a little hacking of your own first, you know, to see what it's like. Just don't screw up.