They're out there, says security researchers: the Chinese hackers attempting to break into U.S. enterprises, and jihadist terrorists that brazenly post videos of sniper killings, while stealing credit-cards to launder money for funding nefarious campaigns in Mideast or Caucasus hot spots.
It's just a matter of finding them, and Dell SecureWorks researcher Joe Stewart described at the RSA Conference this week how he caught one by laboriously collecting information related to a Chinese hacker. He's calling the incident the "Sin Digoo Affair" after the misspelling of San Diego in Internet domain registrations under the fake name of "Tawnya Grilth" that he saw over and over again, which was but one clue, including many others such as malware signatures, he followed in his quest to track down an attacker based on a case of industrial espionage and botnets.
"We know we have a set of domains exclusively used for espionage activity," says Stewart. After months of sleuthing, Stewart managed to link the email firstname.lastname@example.org used to register those domains to a multitude of other clues to follow a trail that led him to believe "Tawnya" is a Chinese hacker whose probably part of a group promoting SocialUp.net, a site that accepts payment, including PayPal, for delivering "artificial likes, often through bots" so people can get promoted on Facebook.
Tracking this laboriously amassed evidence, including known Chinese hacker websites, Stewart thinks he has identified the espionage hacker he set out to find through his real Chinese name. Undisclosed publicly, this name and what's known about him has been turned over to the FBI, though the outcome of any meaningful prosecution of espionage activity through China may at the moment be slim. Still, Stewart wants to make the point that criminal activity related to bots can be investigated, though he emphasizes what he's found is simply evidence of an individual's activity.
Another session at RSA talked about what jihadist extremists are doing today on the Web and how they launder money for terrorist causes. Mikko Hypponen, chief research officer at F-Secure, says he spent time combing the Internet to find evidence of what extremists, mostly Arab speaking but also Chechens from the Caucasus who have made terrorist attacks on Russian civilian targets, are doing in terms of sophisticated use of technology online.
"My first impression is high-tech terrorists don't exist," said Hypponen in a media briefing today. But after considerable online research, his opinion has changed. He has found evidence of a growing amount of interest in technology, encryption and hacking in online jihadist publications that now include topics such as an "Open Source Jihad" section to "Technical Mujahaden" which tells how to hide files using rootkits and steganography. He said he's also analyzed what he thinks is probably British intelligence counter-efforts to trojanize fake versions of these publications so that if they're downloaded, monitoring of possible terrorist activity could take place on whatever computer it's downloaded to.
Sign up for Computerworld eNewsletters.