130321-kisa-01Investigators looking into last week’s cyber attack on South Korean banks and broadcasters have reportedly found more IP (Internet Protocol) addresses linked to the attacks, but one security expert I spoke to said that might mean nothing.

The National Police Agency said it has traced some of the malicious code to addresses in the United States and three European countries, according to Yonhap. No further details were released by the NPA.

The news comes after investigators last week publicly announced a Chinese address as linked to the attack, but then withdrew the accusation a day later. It turned out the address was correct and, when used on the global Internet it was located in a China, but in the context of this attack was being reused by Nonghyup Bank on its internal network.

The attacks hit at 2pm on March 20 and resulted in an estimated 32,000 machines at three broadcasters, KBS, MBC and YTN, and three banks, Kookmin Bank, Nonghyup Bank and Jeju Bank, being hit. The contents of the hard disk drive on many of the machines was wiped clean.

Part of the investigation is centered on discovering the source — especially a smoking-gun link to many people’s favorite suspect: North Korea — but it’s so far come up empty.

That’s because tracing the source of a cyber attack is really difficult, if not impossible, said Brian Laing, vice president of marketing and business development, at AhnLab’s office in Silicon Valley.

“It varies depending on the level of attacker,” said Laing, who said he has been involved in the technical side of cyber security since the 1990s.

Sometimes the IP address can directly locate a hacker, said Laing. He once found a hacker based at a university computer lab thanks to the address, but only because the hacker was directly accessing the server without routing his traffic through other machines or using obfuscation techniques. In that case, he was able to determine the precise terminal in the lab that was being used.

Often though today, it’s much tougher.

“Most of the time, people are going through a network of owned machines or they are bouncing [their data traffic] off various proxies and in and out of the Tor network, so it can be very difficult to ultimately trace it back to an IP address,” he said.

Proxy servers work as intermediate relays for traffic while the Tor network is a global system for anonymizing traffic. Tor makes it all-but impossible to discover the ultimate source of an attack.

The highly anonymous nature of Tor makes it popular with dissidents and people in authoritarian countries, but it’s also popular with hackers and those involved in illegal activities.

Laing said it doesn’t take a state-sponsored hacker to execute an anonymous attack these days. Often the software involved can be downloaded from hacker web sites.

“You’ve got multiple stories of kids downloading various botnet access, infecting small numbers of machines and then infecting other networks. You don’t even need an organization behind you,” said Laing.

So chasing IP addresses, if the attackers are clever, could be an exercise in futility.

But there are other ways to identify a hacker, or at least get an idea of who they are.

“You break down the code and see certain things in the code that tie back to the individual,” he said.

The software code will sometimes provide clues such as snippets of a certain language, styles of writing code or pieces reused from other attacks. All of those can help build up a profile of the author.

The increasing number of anonymous attacks and those launched for financial gain marks a big change in the threat landscape.

“I liken it to graffiti,” he said.

“Graffiti started and still is an art form, but it has devolved into people tagging their names wherever they can. Cyber attacking is the opposite. It was people blasting things out and defacing websites to gain standing and recognition, but now attackers are lying in wait and trying to remain undetected.”