Reading about the recent SolarWinds security breach has made me wonder how these cyber hackers are identified. The hack has been described as sophisticated and extensive; if a cyber hacker is this good, my intuition leads me to believe that the hacker would be able to hide their trail or mask their identity. How are they identified?
There’s a number of ways to trace the source of an attack. I’ll give a few examples.
1. The hackers take credit for it. Hackers are often vain and leave telltale calling cards in the systems they hacked just for kicks. Or they release the information they stole on the web and that gets linked to them.
2. Hackers always leave traces. More sophisticated networks use firewalls and logging solutions that aren’t so easy to wipe. So the hackers’ attack can be traced back using their source IP (although that’s easy to mask).
3. Reverse engineering the tools and malware that they used. Being computer programs, these tools often have fingerprints in them that can trace them back to their original coder.
4. Reverse engineering the botnets / CnC (Command and control). Malware these days often “phones home”, sending information to a CnC. In the SolarWinds hack they identified several websites being used. Who purchased these URLs and where they point can be reverse engineered, as that also leaves traces.
5. Fingerprints on other systems. Computer software these days is often interlinked with other systems, often 3rd party ones and cloud services that themselves have their own logging. Cloudflare, for example, was able to provide a great deal of information about the hack because it had logs + analytics that referred to the compromised websites in the CnC, because those websites were accessed through the Cloudflare services at some point. Office 365, meanwhile, is being used more and more for its email and file sharing functions in business, and it has logging that’s completely isolated from corporate networks. So information such as emails, login attempts, etc. might be available to be analyzed.
Really what it boils down to is that it’s basically impossible to cover your tracks completely, and even one mistake will lead investigators to you. But in this case the hackers don’t really care since they are likely Russian and therefore effectively untouchable.