
Where are the hackers from?

This week we dive into the geolocation of online threats. You might already have an idea of where in the world hackers are from, but can you be sure?

"Where are you from?" - A question commonly asked to people who appear to "not be from around here". Depending on the answer, this can also be followed up with a clarifying question "where are you really from?". This line of questioning also happens in the world of cyber security Threat Intelligence. Threat Intel teams painstakingly try to answer the same question, except about hackers. Do you know where hackers are from?

If China, Russia, or Iran came to mind, well done, you've been reading threat intel reports (or maybe just the news). If you thought of different culprits, you might not have read the reports (or you live in China, Russia, or Iran). Without getting stuck into the power of propaganda and information warfare, I think you can see why the populations of two countries might be pointing the finger at each other. It's very much a case of the pot calling the kettle black, or for those of the meme age: Spiderman pointing at Spiderman. This finger pointing also includes governments releasing advisories that go to great lengths to describe the cyber operations of other countries. And in just the same way that assuming someone's heritage can be insulting, being accused of hacking can rub people the wrong way.

Earlier this year, the US and its allies released advisories on a hacking group dubbed "Volt Typhoon". The group was accused of being sponsored by the PRC (People's Republic of China) and of conducting "disruptive or destructive cyber activity against U.S. critical infrastructure". This isn't the first time the PRC has been accused of conducting cyber operations, but this time the PRC's response gained some traction in the news cycle. They rejected the accusation (obviously) and said that the hacking group called "Volt Typhoon" was actually invented by the US to discredit them. Well then, where is Volt Typhoon really from?

News report of China claiming the US invented the APT Volt Typhoon: "China again claims Volt Typhoon was invented by the US" - "Enough with the racist-sounding 'dragons' and 'pandas', Beijing complains – then points the finger at koalas"

Before we move on, let's get a better understanding of what Volt Typhoon is. In the cyber security community, Volt Typhoon is known as an "Advanced Persistent Threat" or APT. An APT is essentially an online Threat that has Advanced capabilities and is Persistent in its operations. In other words, a well-funded hacking group with advanced tools and skills that has been operating for a long time. APTs are usually tracked, monitored, and given "codenames". The codename comes from whoever is doing the tracking, so the same group can carry several names: Microsoft's scheme uses weather terms, with "Typhoon" marking groups it attributes to China, while other vendors use "Panda" or "Dragon" for the same purpose. In addition, APTs are often assigned a country of origin or said to be sponsored by a particular nation state. "Volt Typhoon" is the name given to an APT that is said to be sponsored by China.

Because APTs are so closely studied, surely we can be certain of their geolocation. You can even find interactive world maps showing which countries have the most APTs. If we look at one of these maps, it seems obvious that China, Russia, and Iran host more APTs than other countries. So do we now know where the hackers are from? At this point we probably need a better understanding of how online threats can be geolocated.

APTMAP - Advanced Persistent Threat Map (online interactive world map of APTs)

One way to estimate the geographic location of an APT is by looking at their targets. In other words: whom do they try to hack. In the world of cyber espionage and warfare, state-sponsored hackers tend to target non-allies. So if we see a hacking group targeting western countries, we can narrow down the list of suspect countries to those that aren't aligned with the west. From this shortlist we can then narrow it down to countries that have the resources to conduct the operations. For example, if the threat actor is observed using highly sophisticated, custom tools or exploits, it is reasonable to infer that the sponsoring country has the financial and technological means to develop these capabilities. So now the list becomes a lot smaller.

We can also look at the evidence hackers leave behind. The malware they install on devices might give clues as to where in the world they operate from. If we can recover any text from the binary (error messages, hard-coded paths, debug symbol paths), what language and character encoding is it in? If we can recover any timestamps (compile times, file metadata, command-and-control check-ins), what timezone do they imply?
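As an added example (not code from the post), here is the kind of first pass an analyst makes over a sample for these text clues, written in Python: pull out narrow (ASCII/UTF-8) and wide (UTF-16LE, the encoding Windows binaries use for most of their text) strings, classify each by the Unicode script of its letters, and flag debug-symbol (PDB) paths, which often leak usernames and project names. The blob `SAMPLE` is constructed for the demonstration and is not a real sample; in practice the extraction step is done with `strings -e l` or FLOSS and only the classification is home-grown. The wide pattern knows only the Cyrillic, Hebrew and Arabic pages on purpose: CJK code units have high bytes that overlap printable ASCII, so a naive pattern would report every ASCII string as Chinese.

```python
import re
import unicodedata
from collections import Counter


def build_patterns(min_len=4):
    """Narrow: runs of printable ASCII or well-formed 2/3-byte UTF-8 sequences.
    Wide: UTF-16LE runs of printable ASCII or code points on the Cyrillic (04),
    Hebrew (05) and Arabic (06) pages. CJK pages (4E-9F) are deliberately left
    out: their high bytes overlap printable ASCII, so ASCII text would match too."""
    narrow = rb"(?:[\x20-\x7e]|[\xc2-\xdf][\x80-\xbf]|[\xe0-\xef][\x80-\xbf]{2}){%d,}" % min_len
    wide = rb"(?:[\x20-\x7e]\x00|[\x00-\xff][\x04\x05\x06]){%d,}" % min_len
    return re.compile(narrow), re.compile(wide)


def extract_strings(blob, min_len=4):
    """Return (encoding, text) for every narrow and wide string found in the blob."""
    narrow, wide = build_patterns(min_len)
    found = [("utf-8", m.group().decode("utf-8", "replace")) for m in narrow.finditer(blob)]
    found += [("utf-16le", m.group().decode("utf-16le", "replace")) for m in wide.finditer(blob)]
    return found


def dominant_script(text):
    """Script of most letters in the string, taken from the Unicode character name
    ('LATIN SMALL LETTER A', 'CYRILLIC CAPITAL LETTER O', 'CJK UNIFIED IDEOGRAPH-8FDE')."""
    tally = Counter(unicodedata.name(ch, "?").split(" ", 1)[0] for ch in text if ch.isalpha())
    return tally.most_common(1)[0][0] if tally else "NONE"


def language_clues(blob):
    """Classify every extracted string, tally scripts across the sample and
    pull out PDB paths, which usually carry a username and a project name."""
    report = [(enc, text, dominant_script(text)) for enc, text in extract_strings(blob)]
    tally = Counter(script for _, _, script in report)
    pdb_paths = [text for _, text, _ in report if text.lower().endswith(".pdb")]
    return report, tally, pdb_paths


# Constructed stand-in for a binary (a fake header, a PDB path, a Russian error
# string as UTF-16LE, a Chinese one as UTF-8, some junk, an English UTF-16LE string).
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"C:\\Users\\dev\\Desktop\\build\\payload.pdb\x00\x00"
    + "Ошибка подключения".encode("utf-16le") + b"\x00\x00"
    + "连接失败".encode("utf-8") + b"\x00"
    + b"\x01\x02\x03"
    + "Connection failed".encode("utf-16le") + b"\x00\x00"
)

if __name__ == "__main__":
    report, tally, pdb_paths = language_clues(SAMPLE)
    for enc, text, script in report:
        print(f"{enc:8} {script:9} {text}")
    print("scripts:", dict(tally), "pdb paths:", pdb_paths)
```

A Cyrillic error string proves only that someone put a Cyrillic error string in the binary; treat the script tally as one weak signal to combine with the others, not as an answer.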

Timezones and time analytics are very interesting when it comes to determining the location of hackers. While hackers and APTs always seem to be ambiguous actors operating in cyberspace, the reality is that behind every hack is a person at a keyboard. This person will probably sleep during night-time hours, work predominantly during the day, and take significant holidays off. If you track a threat actor for long enough, these patterns will likely emerge. Which timezone aligns with the threat actor's working hours? Which national holidays align with drops in the threat actor's activity? Using this information we can narrow the search to the strip of the earth whose timezone(s) most closely match the APT's patterns.
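The working-hours analysis, as an added worked example in Python (not code from the post). For every whole-hour UTC offset, the observed timestamps are shifted into that zone and the fraction that land on a weekday between 09:00 and 17:59 is counted; the offset that explains the most events is the estimate, neighbouring offsets within a few points are reported as equally plausible, and no estimate is given when even the best offset explains too little. The timestamps are constructed (an office-hours operator in UTC+8, and a round-the-clock one), and the working window and Monday-to-Friday week are assumptions to adjust for the region under consideration. The round-the-clock case is the failure mode raised below: a flat hour histogram means there is no single working pattern to extract, and the function says so rather than picking an offset anyway.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumed local working window: 09:00-17:59, Monday to Friday. Regions that keep a
# Sunday-to-Thursday week would need a different weekday test.
WORK_START, WORK_END = 9, 18


def working_hour_fit(utc_times, offset_hours):
    """Fraction of events that land on a weekday inside the working window
    once every UTC timestamp is shifted into UTC+offset_hours."""
    if not utc_times:
        return 0.0
    tz = timezone(timedelta(hours=offset_hours))
    hits = 0
    for t in utc_times:
        local = t.astimezone(tz)
        if local.weekday() < 5 and WORK_START <= local.hour < WORK_END:
            hits += 1
    return hits / len(utc_times)


def rank_offsets(utc_times):
    """Score every whole-hour UTC offset from -12 to +14, best fit first."""
    scores = [(off, working_hour_fit(utc_times, off)) for off in range(-12, 15)]
    return sorted(scores, key=lambda s: s[1], reverse=True)


def hour_histogram_flatness(utc_times):
    """min/max over the 24 UTC hour buckets. 1.0 means activity is spread evenly
    around the clock: shift work, automation or several teams, not one office."""
    counts = Counter(t.hour for t in utc_times)
    buckets = [counts.get(h, 0) for h in range(24)]
    return min(buckets) / max(buckets) if max(buckets) else 0.0


def estimate_timezone(utc_times, min_fit=0.7, tolerance=0.05):
    """Return (best_offset or None, plausible_offsets, best_fit). The estimate is
    withheld when even the best offset explains less than min_fit of the events."""
    ranked = rank_offsets(utc_times)
    best_off, best_fit = ranked[0]
    plausible = sorted(off for off, fit in ranked if fit >= best_fit - tolerance)
    if best_fit < min_fit:
        return None, plausible, best_fit
    return best_off, plausible, best_fit


# --- constructed data, not real telemetry ------------------------------------

def office_hours_sample(offset_hours=8, weeks=4):
    """An operator keeping 09:00-17:59 Mon-Fri in UTC+offset_hours, plus one
    late-night event every Wednesday as noise. Timestamps are returned in UTC."""
    tz = timezone(timedelta(hours=offset_hours))
    start = datetime(2024, 3, 4, tzinfo=tz)  # a Monday
    events = []
    for day in range(weeks * 7):
        d = start + timedelta(days=day)
        if d.weekday() >= 5:
            continue
        for hour in range(WORK_START, WORK_END):
            events.append(d.replace(hour=hour, minute=17).astimezone(timezone.utc))
        if d.weekday() == 2:
            events.append(d.replace(hour=23).astimezone(timezone.utc))
    return events


def round_the_clock_sample(weeks=4):
    """One event every hour of every day: what a 24/7 operation looks like."""
    start = datetime(2024, 3, 4, tzinfo=timezone.utc)
    return [start + timedelta(hours=h) for h in range(weeks * 7 * 24)]


if __name__ == "__main__":
    for label, sample in (("office hours", office_hours_sample()),
                          ("round the clock", round_the_clock_sample())):
        best, plausible, fit = estimate_timezone(sample)
        tag = f"UTC{best:+d}" if best is not None else "no estimate"
        print(f"{label}: {tag}, plausible={plausible}, fit={fit:.2f}, "
              f"flatness={hour_histogram_flatness(sample):.2f}")
```

Holidays are handled the same way in practice: compare daily event counts against the public-holiday calendars of the plausible zones and see which calendar's gaps line up. Note that with a clean signal the neighbouring offsets still score well (an hour either side of the window is only one ninth of the day), which is why the result is a strip rather than a pin.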

This is just scratching the surface of the different ways we can geolocate threat actors. But even with these few examples it seems that threat actor geolocation can be pretty reliable. That is, until we reconsider how advanced these APTs really are. If they are so advanced, surely they know everything we've just discussed and more. So couldn't they use that knowledge to cover their tracks? Could they deliberately deceive us? Could they leave the wrong clues? What if they are geographically dispersed? Or so well resourced that they operate 24/7/365? Or so brazen that they'll hack allies and non-allies alike? The water suddenly gets a lot murkier.

Even with this uncertainty, and allowing for a certain error margin, we still wouldn't tip the scale away from our usual suspects. However, in the wise words of Ice Cube: check yourself before you wreck yourself. That is, check your biases. A large part of identifying these APTs is monitoring them, getting samples of the tools they've left behind, or finding evidence when responding to cyber incidents. So if you're in a western country, would China send you malware samples? Would a Russian organisation call you in to respond to a cyber incident? Would Iran let you install sensors on their networks? Obviously not. In fact, you probably wouldn't care about any cyber incidents in those countries anyway. So the fact that our map shows a lot more threat actors from China, Russia, and Iran could simply be because that's the only data we have access to, or care to look at. So where are the hackers really from? My answer is: wherever you care to look.

Asking a few critical questions has taken us from being confident in our convictions to being a little less sure. And while we have looked at this from a cyber threat perspective, we can apply this to everything we know. Even though the Internet makes it feel like we have all the information in the world at our fingertips, we are still in our own bubble - an echo chamber that reinforces our biases. Maybe we are being deceived, or maybe we actually don't care.

Acknowledgements

Part of this post was inspired by the great talk about Counter Deception by Tom Cross and Greg Conti at DEF CON 32. Watch it below: