January 4, 2021

How do government agencies trace the source of hacks reliably?

Every now and then a story comes out of someone in some specific country being the source of a hack. How could they blame a specific country like China/Russia/Iran/Israel when hackers use VPNs? Heck, couldn't someone just SSH into a remote computer they have gained access to, to make it appear as if the traffic is coming from there?

I think the answer is: they don’t.

Often these claims are based on what fulfills the political narrative best. This said, there are definitely ways to estimate from which direction the attacks are coming. In most cases IP addresses are probably none of them. It is more probable they use strategies like analysis of the writing (even if hackers publish information in English, you can assume their native language by analyzing which language-specific errors are made during translation, especially regarding their probable keyboard layout). Also, their use of tools or the base code of their malware gives hints on where they are from. Hackers tend to reuse code and build up their own strategies of doing things (this obviously only works if you have information on other attacks). Another big aspect is of course also a lot of data retrieved by the NSA. Did any of the hackers ever google their target before going dark? Did any of them maybe work on an already compromised machine?
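The answer's point about reused tooling and malware code is the one piece that can be shown concretely: analysts link samples from different intrusions by the artifacts they share (mutex names, config file names, hard-coded user agents, internal version strings), while discounting strings every binary carries. The following is an added illustration by the editor, not code from the post; the "binaries" are constructed byte blobs, the file names are placeholders, and the generic-string list is a stand-in for the much larger library and API noise a real analyst would filter out.

```python
"""Clustering samples by reused artifacts (mutex names, config paths, user agents).

Added illustration from the editor, not code from the post or any real
incident. The "binaries" below are constructed byte blobs, and the names are
placeholders. Real analysis uses far richer features (opcode n-grams,
import hashes, build timestamps), but the shape of the reasoning is the same.
"""
import re
from itertools import combinations

# Mimics `strings`: runs of printable ASCII, at least 6 characters long.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")

# Artifacts every Windows binary carries; they say nothing about who built it.
GENERIC = {"kernel32.dll", "GetProcAddress", "LoadLibraryA"}

# Constructed stand-ins for four samples from two unrelated intrusions.
SAMPLES = {
    "incident_a.bin": (b"MZ\x90\x00\x03\x00kernel32.dll\x00GetProcAddress\x00"
                       b"Global\\mtx_7f3a\x00cfg.dat\x00"
                       b"User-Agent: Moz/5.0 (compatible)\x00loader_v2\x00\xde\xad"),
    "incident_b.bin": (b"MZ\x90\x00\x03\x00kernel32.dll\x00GetProcAddress\x00"
                       b"Global\\mtx_7f3a\x00cfg.dat\x00"
                       b"User-Agent: Moz/5.0 (compatible)\x00loader_v3\x00\xbe\xef"),
    "incident_c.bin": (b"MZ\x90\x00kernel32.dll\x00GetProcAddress\x00LoadLibraryA\x00"
                       b"report.pdf.exe\x00https://updates.example.test/x\x00"),
    "incident_d.bin": (b"MZ\x90\x00kernel32.dll\x00report.pdf.exe\x00"
                       b"https://updates.example.test/x\x00dropper_stage2\x00"),
}


def extract_strings(blob, drop_generic=True):
    """Return the set of printable strings in a blob, minus generic library noise."""
    found = {m.decode("ascii") for m in PRINTABLE_RUN.findall(blob)}
    return found - GENERIC if drop_generic else found


def jaccard(a, b):
    """Overlap of two artifact sets: |a & b| / |a | b| (0.0 when both are empty)."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def cluster(samples, threshold=0.5, drop_generic=True):
    """Group sample names whose artifact overlap reaches the threshold (union-find)."""
    feats = {name: extract_strings(blob, drop_generic) for name, blob in samples.items()}
    parent = {name: name for name in samples}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for x, y in combinations(samples, 2):
        if jaccard(feats[x], feats[y]) >= threshold:
            parent[find(x)] = find(y)

    groups = {}
    for name in samples:
        groups.setdefault(find(name), []).append(name)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    for x, y in combinations(SAMPLES, 2):
        score = jaccard(extract_strings(SAMPLES[x]), extract_strings(SAMPLES[y]))
        print(f"{x} ~ {y}: {score:.2f}")
    print(cluster(SAMPLES))
```

With the generic filter on, the two pairs cluster cleanly and the unrelated pairs score zero; with it off, `incident_a.bin` and `incident_c.bin` already show a 2/9 overlap purely from shared Windows imports. That gap is the practical caveat behind the answer: overlap in common libraries is not evidence of a common author, and a real pipeline spends most of its effort deciding which artifacts are discriminating before any similarity number means anything.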
