'We're in cyberwar': Tracking down hackers easier said than done
Seething in the wake of a cyberattack that put millions of South Carolinians at risk, Gov. Nikki Haley told the world she wanted to slam the responsible hacker against a wall and brutalize him.
But just how likely is it that the governor or anyone else will ever get their hands on the culprit who violated the state Department of Revenue's computers?
By their very nature, hackers are a shadowy and elusive lot who go to great lengths to mask their mischief, hide their identities and cover their trails across cyberspace.
Their ranks include lone wolves out for a challenge, “hacktivists” out to prove a point or expose vulnerability, criminal gangs seeking to plunder from the unsuspecting and cyber-agents trying to glean secrets from competing nation-states.
They are sprinkled all over the globe, and they can be very hard to catch — though not impossible.
In February, Interpol announced the arrest of 25 suspected members of the loose-knit Anonymous hacker group in a sweep across Europe and South America. The FBI rounded up several more suspected LulzSec and Anonymous hackers in March with the aid of a legendary computer vandal turned informant. And in June, an international investigation led to the arrest of 24 hackers around the world who had used stolen credit card, bank and personal information to victimize hundreds of thousands of people.
Still, the hacker community remains a thriving underworld.
Doug Benefield, director of research and development for Barling Bay, a SPAWAR security contractor with corporate offices on Remount Road, said the hacking threat is omnipresent.
“Everybody's getting hacked,” he said. “We're in cyberwar and it's been going on for a while.”
“It's really just the last five years that it's kind of gone off the charts with volume,” he said. Benefield, who works with the federal government's classified systems, said one major U.S. military command gets attacked some 10,000 times a day. “The volume is just absurd.”
Driving many hackers and their criminal associates are the huge potential profits that can be made from stolen data on the black market.
To get an idea of the scope of the problem, an estimated 8.6 million U.S. households had at least one person 12 or older who experienced identity theft in 2010, with losses totaling $13.3 billion, according to the U.S. Bureau of Justice Statistics. A recent report by Javelin Strategy and Research determined the victim count rose to 11.6 million last year.
South Carolina ranked 26th nationwide in the number of cyber-crime complaints referred to the federal Internet Crime Complaint Center in 2011, with $4.6 million in losses.
John Kenney, resident agent in charge of the Secret Service's Charleston office, said businesses ranging from yogurt stands to major health care corporations have been targeted in the Palmetto State. The attacks on people and payment systems occur on a constant basis, he said.
“It's a huge amount of money that is transferred through cyber-crime,” he said. “Hackers are pinging systems all over the country at all times looking for vulnerabilities. They are looking to break in through a back door and suck out as much credit and banking information as they can get.”
Thieves buy and sell stolen personal information in murky online chat rooms, card-sharing websites and hacker forums. They also treat it like a commodity overseas, experts said.
“Bad guys find this attractive because it's an easy crime to commit and it's hard to hunt down these people in other countries,” said Larry Ponemon, chairman and founder of the Ponemon Institute, a Michigan-based think tank dedicated to privacy and data-protection practices. “And the bad guys are very persistent because there is gold in this information.”
How it works
Ponemon said the price for individual pieces of information can range from a few pennies to several dollars, depending on its value. When you sell in bulk, that adds up.
Stolen credit card numbers are often sold online in large batches known as “dumps” that buyers bid on with a guarantee that a certain percentage will be good to use, Kenney said. Buyers are urged to use the numbers quickly, before the card holders or their credit card companies discover the theft and cancel the cards, he said.
Health records or detailed tax files cost more and are more of a long-term threat because they contain a whole host of information that can be used to raid a bank account or steal an identity, Ponemon said. Even if someone knows their Social Security number has been compromised, it's very difficult to get that number changed, leaving them vulnerable to theft for years.
“Tax returns are a treasure trove,” Ponemon said. “There is tons of information in there.”
Some con artists have used such information to file bogus tax returns, beating the actual taxpayer to the punch and reaping his refund before he is wise to the scam. In July, the Treasury Inspector General for Tax Administration reported that the Internal Revenue Service had processed 1.5 million fraudulent tax returns last year, resulting in more than $5.2 billion in bogus refunds.
What's more, the inspector general estimated that the IRS could dole out $21 billion in fraudulent refunds due to identity theft over the next five years.
How bad is it?
State officials have said they are still trying to determine the extent of the breach in South Carolina and what was stolen. One Midlands lawmaker issued a release stating that entire tax returns were accessed by the hackers, but the governor's office has not confirmed that statement. What is known is that hackers raided a Department of Revenue database with 3.6 million Social Security numbers, 387,000 credit or debit card numbers and information for as many as 657,000 companies in a breach that began Aug. 27.
Beth Givens, director of the San Diego-based Privacy Rights Clearinghouse, said the theft is the largest breach of a state agency on record that her organization is aware of.
Gov. Nikki Haley has said the attack originated from a foreign IP address, but won't say exactly where.
Several security experts said the attack sounds like the work of sophisticated cyber-thieves who operate out of Russia and other former Soviet bloc countries. Russian hackers have long been known for their clever and devious skills, including a 2000 breach in which cyber-thieves infiltrated Microsoft's computer system and sent passwords for its closely guarded source code to an e-mail account in St. Petersburg, Russia.
Other countries also have a strong presence. In China, for example, police uncovered a hacker training operation two years ago that recruited thousands of members online and then provided them with lessons and tools.
Hackers employ a variety of strategies to get in from afar.
Some send emails designed to trick recipients into opening infected attachments that install harmful software, giving the attacker a foothold on, or control over, the computer.
People's natural curiosity often gets the better of them, at the expense of their employer, said Frank Abagnale, an infamous former con man who now runs a security firm and is an FBI consultant.
To emphasize his point, Abagnale said, he often scatters USB flash drives labeled with the word “Confidential” around the parking lot of a business before he gives a presentation. During the presentation, he then logs on and points out how many employees have already found one of the drives and plugged it into their work computers with no idea where it came from or what's on it. He always finds some workers who have done this, even though their company policies may strictly forbid it.
“That's how these breaches occur,” Abagnale said. “The hackers are just waiting for someone to open that door for them.”
Other hackers use a technique known as “SQL injection,” in which specially crafted input is typed into a website's forms or URLs so that it becomes part of the commands the site sends to its database. If the site fails to keep that input separate from its own commands, the attacker can read, and sometimes alter, the poorly protected database behind it. A suspected member of the LulzSec hacking group reportedly used this technique last year in an extensive attack against the computer systems of Sony Pictures Entertainment, according to the FBI.
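As an added illustration, not code from the article or from any of the systems it describes, the following Python snippet shows a taxpayer lookup written two ways: one that pastes the visitor's input into the database command, and one that hands the input to the database driver separately. The table, the rows in it and the attack strings are all constructed for this example.

```python
"""Added example, not code from the article or from any system it describes.

A website that looks a taxpayer up by Social Security number and PIN, written
two ways. The vulnerable version pastes the user's input into the SQL text,
so the input can rewrite the query; the hardened version binds it as a
parameter, so it is only ever data. Table, rows and payloads are constructed.
"""
from __future__ import annotations

import sqlite3


def build_db() -> sqlite3.Connection:
    """In-memory database with a few made-up taxpayer rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE taxpayer (id INTEGER PRIMARY KEY, ssn TEXT, name TEXT, pin TEXT)"
    )
    conn.executemany(
        "INSERT INTO taxpayer (ssn, name, pin) VALUES (?, ?, ?)",
        [
            ("000-00-0001", "Alice Example", "1234"),
            ("000-00-0002", "Bob Example", "9876"),
            ("000-00-0003", "Carol Example", "5555"),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, ssn: str, pin: str) -> list[tuple]:
    """Builds the query with string formatting: the input becomes part of the SQL."""
    sql = f"SELECT ssn, name FROM taxpayer WHERE ssn = '{ssn}' AND pin = '{pin}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, ssn: str, pin: str) -> list[tuple]:
    """Same query with bound parameters: the driver keeps input and code apart."""
    sql = "SELECT ssn, name FROM taxpayer WHERE ssn = ? AND pin = ?"
    return conn.execute(sql, (ssn, pin)).fetchall()


# Two classic payloads. The first turns the PIN check into "... OR '1'='1'",
# which is true for every row; the second comments out the rest of the query
# and appends a SELECT that reads a column the page never meant to show.
BYPASS_PIN = "' OR '1'='1"
DUMP_PINS = "' UNION SELECT ssn, pin FROM taxpayer --"


if __name__ == "__main__":
    db = build_db()
    print("honest lookup:           ", lookup_vulnerable(db, "000-00-0001", "1234"))
    print("vulnerable, PIN bypassed:", lookup_vulnerable(db, "000-00-0001", BYPASS_PIN))
    print("vulnerable, PINs dumped: ", lookup_vulnerable(db, DUMP_PINS, "anything"))
    print("hardened, same payloads: ", lookup_hardened(db, "000-00-0001", BYPASS_PIN),
          lookup_hardened(db, DUMP_PINS, "anything"))
```

Against the vulnerable function the first payload returns every row and the second returns every PIN in the table; against the hardened function both return nothing, because the driver treats the payload as a literal string to compare. Binding parameters is the fix for the injection itself; giving the website's database account read access only to the columns it needs limits what a future mistake can leak.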
So how do you catch these folks?
Kenney, the Secret Service agent, said doing so requires a lot of investigation and a fair amount of cooperation with law enforcement and governments here and around the world.
In South Carolina, the Secret Service participates in a cyber-crimes task force with the State Law Enforcement Division and local police. Overseas, the agency works with a European electronic crimes task force based in Rome, Kenney said.
The Secret Service also has offices in Russia, Bulgaria, Estonia and other countries where prolific hackers hide, Kenney said. Information developed here is passed on to offices there, and those agents then work with their foreign counterparts to try to shut down the operation, he said.
The FBI has employed similar strategies, and has had some success. In 2005, for example, specially trained agents traveled to Morocco and Turkey after hackers there unleashed a self-spreading worm called “Zotob” that caused computer systems worldwide to sputter and crash.
Agents gathered IP addresses, e-mail addresses, names linked to those addresses, hacker nicknames and other clues embedded in the worm's code. Working with Turkish and Moroccan law enforcement, they used the information to track down two of the suspected hackers within eight days of the code hitting the Internet, according to the FBI.
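As an added illustration of that first step, not code from the article or from the FBI's investigation, the following Python snippet recovers the readable strings from a captured binary, the way the `strings` tool does, and then sifts them for the kinds of leads the agents collected: IP addresses, e-mail addresses, host names and an IRC-style handle. The sample bytes are a constructed stand-in for a worm; every address and name in them is fictitious.

```python
"""Added example, not code from the article or from the FBI's investigation.

A first pass at pulling leads out of a captured malware sample: recover the
printable strings, as the `strings` tool does, then sift them for IP addresses,
e-mail addresses, host names and an IRC-style handle. SAMPLE is a constructed
stand-in for a worm binary; every address and name in it is fictitious.
"""
from __future__ import annotations

import ipaddress
import re

# Constructed sample: a fake executable header, some binary noise and a few
# embedded strings of the kind investigators look for.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"irc.example.invalid\x00"
    b"#botnet-chan\x00"
    b"NICK  example_nick\x00"
    b"192.0.2.44:6667\x00"
    b"mailto:dropbox@example.invalid\x00"
    b"\x01\x02\x03ab\x00"
    b"999.1.1.1\x00"  # looks like an IP address but is not a valid one
)

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
HOST = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
IRC_NICK = re.compile(r"\bNICK\s+(\S+)")


def extract_strings(blob: bytes, min_len: int = 4) -> list[str]:
    """Runs of at least min_len printable ASCII bytes, in file order."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def is_ipv4(text: str) -> bool:
    """True only for a well-formed dotted quad (rejects octets above 255)."""
    try:
        ipaddress.IPv4Address(text)
    except ValueError:
        return False
    return True


def extract_indicators(blob: bytes) -> dict[str, list[str]]:
    """Classify the sample's strings into the kinds of leads an investigator chases."""
    found: dict[str, list[str]] = {"ipv4": [], "email": [], "host": [], "nick": []}
    for s in extract_strings(blob):
        found["ipv4"] += [ip for ip in IPV4.findall(s) if is_ipv4(ip)]
        found["email"] += EMAIL.findall(s)
        # Mask e-mail addresses first so their domain is not double-counted as a host.
        found["host"] += HOST.findall(EMAIL.sub(" ", s))
        found["nick"] += IRC_NICK.findall(s)
    # Deduplicate while keeping first-seen order.
    return {k: list(dict.fromkeys(v)) for k, v in found.items()}


if __name__ == "__main__":
    for kind, values in extract_indicators(SAMPLE).items():
        print(f"{kind:6} {values}")
```

The octet check matters in practice: version strings and byte tables in a binary produce plenty of dotted numbers that look like addresses, and chasing an invalid one wastes an investigator's time. Real samples also pack or encrypt their strings, in which case this pass runs on the memory image after the sample has unpacked itself rather than on the file from disk.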
But experts caution that other hackers learn from such episodes and make course corrections to keep from getting caught while prowling for ways to get into the world's computers.
“A lot of these technologies that are used are developed by people who are very, very smart,” Ponemon, the cyber-security expert, said. “These are genius-level people who can pretty much get inside anything. If you find a cure for the problem today, that doesn't mean tomorrow or even a couple of minutes from now, there won't be an attack to circumvent what you've created.”
Brendan Kearney contributed to this report. Reach Glenn Smith at 937-5556 or Twitter.com/glennsmith5.