Recently in Phuket, Thailand:
Noushin Shabab is a cyber warrior. She and her team ferret out cyber attackers from the dark alleys of the cyber underworld.
A cyber warrior is the last thing one expects Noushin to be. Unassuming and quiet, when she speaks, her voice hardly reaches the other end of the table. But when she gets talking, we realise she means business.
Noushin is a Senior Security Researcher at Kaspersky Labs’ Global Research and Analysis Team (GReAT). She and her team have been successful in bringing out into the open cyber attackers who thought they had covered themselves well, but had left a small trail – enough for Noushin.
What Noushin and her team do is interesting – they scour the web to hunt down small traces of clues left behind by hackers and cyber espionage gangs.
Noushin says the image of a cyber attacker – a lone guy sitting in a dingy room in a far away place – is wrong. There are cyber armies controlled by intelligence agencies of governments, private companies set up just to do cyber espionage and attacks, ‘normal’ private companies leading a double life of being a ‘normal’ business organisation and also performing espionage.
Most attackers “live” online and end up leaving tracks.
Examples of “tracks” include posts on social media, photos uploaded on social media, reusing usernames and passwords and using social media to recruit.
What are the “tracks” and how does Noushin’s small band of researchers track them down?
A blog post details the unravelling of a cyber attacker:
Analysis of a cyber attack revealed that several domains were originally registered to email addresses containing variants of a handle “cpyy”.
It was also discovered that “cpyy” appeared to use email addresses such as “cpiyy” and “cpyy.chen”. They found out that the cpyy.net domain listed “Chen Ping” as the registrant name, which may be cpyy’s real name, as this matched the initials “cp” in “cpyy”.
This led to personal blogs of “cpyy” that showed that he worked for “military/police”. He had also published several photographs. One of them – a photograph of bottles on a shelf – also inadvertently revealed a couple of military (Chinese PLA officer) caps on the shelf.
The personal blog also contained outdoor pictures from his office. The post says: “Looking at historical domain registrations for PUTTER PANDA Command and Control (C2) domains, we observed an interesting address related to a sample (MD5: 15cae06fe5aa9934f96895739e38ca26) that called out to [redacted].checalla.com.”
Using Google Maps and the Shanghai address, the investigators zeroed in on the location. The satellite imagery clearly showed what the building was. And the buildings around the office shown in the satellite imagery corresponded to the pictures uploaded by the cyber attacker.
Noushin says the careless mistakes made by the attacker – uploading pictures of buildings around the office – made it easy for the investigators to home in on him.
In many instances, the domain name registration details are also matched with other websites. In one case, the hacker’s name in a domain’s registration information revealed that he was a shareholder in a large company.
Then there are those who upload “test files” like Word documents that contain usernames in the MS Office cache file. The file also contained the full name of the individual. An online search for the name brought them to the social media accounts of the individual – leading to the name of the company the individual worked for. And now the best part – the director of the company turned out to be a former army intelligence unit chief.
So, what motivates individuals and organisations to carry out cyber attacks? The motives could be economic (making a fast buck), a political agenda or plain intolerance of a particular view.
It’s a painstaking task scouring the big web, but Noushin and her team at Kaspersky Research need just a small slip – like a domain name registration or photos on social media – to catch hold of cyber attackers.
(The writer attended the Kaspersky Cyber Security Weekend at Phuket at the invitation of Kaspersky Labs)
(This article was published on October 20, 2017)