What makes cyberattacks so hard to trace?

NEW YORK — The attacks that knocked South Korean banks offline this week appear to be the latest examples of international "cyberwar." But digital warfare differs from conventional combat in many ways, and one of them is that there's often no good way of knowing who's behind an attack.

South Korean authorities said Thursday that the attack, which shut down scores of cash machines and hampered business, had been traced to an "Internet Protocol" address in China. But that doesn't mean the attack was launched from there. The general assumption in South Korea is that the attack originated in North Korea.

"IP" addresses are, roughly speaking, the phone numbers of the Internet. Each connected computer has a number that identifies it uniquely on the network, so the Chinese IP address implies that a computer in China was involved in the attack.

However, that computer could have been controlled from elsewhere, either because someone bought access to it, or because it's been infected with malicious software. To determine the location from which it's being controlled, investigators would need access to that computer, or to the records of the company hosting the computer. That's unlikely to be forthcoming from a Chinese company.

"China is obviously a popular place to hide things," said Dan Holden, director of security research at Arbor Networks' Security Engineering & Response Team. Chinese authorities are difficult to work with, and there's a language barrier, he said.

In addition, China is believed to be conducting its own campaign of cyber-espionage, which means that attacks launched from there are often simply attributed to the Chinese government, even if it isn't responsible for the aggression, Holden said.

"If you are any nation state or even any attacker right now, why wouldn't you hide in China right now?" Holden asked rhetorically.

Apart from tracing the path an attack takes through the Internet, there's another way to figure out who's behind it: analysis of the software involved. Malicious software, or "malware," can provide clues to its creator. Some of those are obvious, like comments inserted into the written code. However, such comments can be easily faked to lead investigators astray. More subtle analysis can be fruitful, according to Christopher Novak, managing principal of the global investigative response team at Verizon Communications Inc.

"In many cases, the malware that you see on the computer is very similar to a cold or an illness that a person gets ... The strain of the cold that I have and the strain of the cold that you have may be slightly different, but when we look at the DNA and makeup and see they're 99.9 percent the same, there's a pretty good chance one of us transmitted it to the other," Novak said. "When we analyze malware codes, we see the elements that are copied and reused, certain programming styles."

Such analysis can yield important clues, but rarely rock-solid attribution. The U.S. Department of Defense has said that a cyberattack can merit a violent response, but first you have to know who to target.

"Digital attribution is extremely difficult and if you want to do it, it takes some serious effort," Holden said.

03/21/13 [Last modified: Thursday, March 21, 2013 6:00pm]

Copyright: For copyright information, please check with the distributor of this item, Associated Press.
