What makes cyberattacks so hard to trace?

NEW YORK — The attacks that knocked South Korean banks offline this week appear to be the latest examples of international "cyberwar." But digital warfare differs from conventional combat in many ways, and one of them is that there's often no good way of knowing who's behind an attack.

South Korean authorities said Thursday that the attack, which shut down scores of cash machines and hampered business, had been traced to an "Internet Protocol" address in China. But that doesn't mean the attack was launched from there. The general assumption in South Korea is that the attack originated in North Korea.

"IP" addresses are, roughly speaking, the phone numbers of the Internet. Each connected computer has a number that identifies it uniquely on the network, so the Chinese IP address implies that a computer in China was involved in the attack.

However, that computer could have been controlled from elsewhere, either because someone bought access to it, or because it's been infected with malicious software. To determine the location from which it's being controlled, investigators would need access to that computer, or to the records of the company hosting the computer. That's unlikely to be forthcoming from a Chinese company.

"China is obviously a popular place to hide things," said Dan Holden, director of security research at Arbor Networks' Security Engineering & Response Team. Chinese authorities are difficult to work with, and there's a language barrier, he said.

In addition, China is believed to be conducting its own campaign of cyber-espionage, which means that attacks launched from there are often simply attributed to the Chinese government, even if it isn't responsible for the aggression, Holden said.

"If you are any nation state or even any attacker right now, why wouldn't you hide in China right now?" Holden asked rhetorically.

Apart from tracing the path an attack takes through the Internet, there's another way to figure out who's behind it: analysis of the software involved. Malicious software, or "malware," can provide clues to its creator. Some of those are obvious, like comments inserted into the written code. However, such comments can be easily faked to lead investigators astray. More subtle analysis can be fruitful, according to Christopher Novak, managing principal of the global investigative response team at Verizon Communications Inc.

"In many cases, the malware that you see on the computer is very similar to a cold or an illness that a person gets ... The strain of the cold that I have and the strain of the cold that you have may be slightly different, but when we look at the DNA and makeup and see they're 99.9 percent the same, there's a pretty good chance one of us transmitted it to the other," Novak said. "When we analyze malware codes, we see the elements that are copied and reused, certain programming styles."

Such analysis can yield important clues, but rarely rock-solid attribution. The U.S. Department of Defense has said that a cyberattack can merit a violent response, but first you have to know who to target.

"Digital attribution is extremely difficult and if you want to do it, it takes some serious effort," Holden said.

What makes cyberattacks so hard to trace? 03/21/13 [Last modified: Thursday, March 21, 2013 6:00pm]

Copyright: For copyright information, please check with the distributor of this item, Associated Press.
