How we trace the hackers behind a cyber attack

December 4, 2015 by David Glance, The Conversation
The fingerprints might indicate China, but that’s not so easy to prove. Credit: Shutterstock

The Chinese military has been blamed for the recent cyber attack on the Australian Bureau of Meteorology (BOM).

The Chinese government has, of course, denied its involvement. And it does seem somewhat convenient that it is being blamed for this latest high profile breach.

It is therefore a legitimate question to ask what evidence there may be to implicate China in this particular incident.

Unit 61398

Much of what we know about the Chinese military involvement in hacking has come from work done by security firms like Mandiant, which first detailed what it knew about the activities of the Chinese People's Liberation Army's infamous Unit 61398.

Mandiant analysed the activities of this cyber espionage unit which, according to Mandiant, had hacked 141 companies over a seven-year period, targeting any intellectual property it could find.

During that time, Unit 61398 stole hundreds of terabytes of data, sometimes doing so over a period of years. Mandiant had put together a profile of this unit, which employs hundreds of staff with a range of technical and linguistic skills. It was even able to identify specific individuals within the unit and the work responsibilities each of them had.

The United States District Court of Pennsylvania was also able to charge five members of this unit in relation to the hacking of US companies.

Building a profile that identifies a particular hacking group involves looking at the source of attacks or figuring out the origin of the machines that operate as command and control. In the case of Mandiant's analysis of Unit 61398, all of the attacks that it reviewed originated from Shanghai.

Identifying a specific "threat group" involves creating a "digital fingerprint" of the group and using that to distinguish it from all the others. This process looks at the methods and tools the hackers use to get into systems, what information they choose to take and the care they exercise to disable alarms and remove any evidence.

Weakest link

It is important to examine the entire profile of an attack because it is not sufficient to rely on isolated evidence like the source of an attack. In July of this year, the US Office of Personnel Management was hacked, resulting in the theft of personal information on 22 million US government workers.

The Chinese hackers responsible used US-based servers for their attacks. The particular groups involved were probably sanctioned by the Chinese government but were not in Unit 61398.

The difficulty with using past information to establish a digital fingerprint is that the hackers' techniques change constantly as they work to stay ahead of those trying to identify them. Unit 61398 had an arsenal of 40 different types of malware, which remain identifiable only as long as the versions of the software do not change.

However, the process for all of the hacking groups is largely the same. The weakest link in an organisation is its people, who often fall for standard phishing emails that trick the user into downloading a piece of malware. This software gives the hackers a foothold from which they can "escalate their privileges", that is, gain more authority to access other machines and services.

At the same time, malware can be installed on compromised machines to give broader access to the network, and this can be controlled by "command and control servers" that provide an interface between the hackers and the compromised machines.

To a certain extent, all hackers look alike. They can often be identified as non-English speaking, but identifying them as Chinese relies on tracing back to a source which is not only located in China but shows that the user was using a Chinese keyboard or had their computer language set to Chinese.

Identifying hackers as Chinese relegates those hackers to being beyond the law. The Chinese government has not moved to stop these groups and would certainly not hand them over to western governments for trial.

However, it is entirely possible that hackers from other countries are using Chinese servers as another layer of cover for their own activities. It would be foolish to believe that it is only the Chinese government that is involved in state-sponsored hacking, as all governments have an interest in commercial and military espionage of this sort.

There are also criminally motivated hacking groups and politically motivated "hacktivists". Separating out attack groups relies on being able to identify the separate hallmarks of their craft which security agencies and companies are getting much better at doing.
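The profiling described above, matching an incident against a group's tooling, intrusion methods, targets, command-and-control locations and language artifacts, can be sketched as a scoring exercise. This is an added example, not code from the article or from Mandiant; the group names, indicators and weights are constructed placeholders, and it illustrates the article's own point that server location alone is weak evidence, while tooling and tradecraft carry the match.

```python
# Added example: score an incident against constructed threat-group profiles.
# All group names, indicators and weights below are made-up placeholders.
from dataclasses import dataclass


@dataclass
class Profile:
    name: str
    tools: set        # malware families and tooling observed
    intrusion: set    # initial access and post-exploitation methods
    targets: set      # kinds of information taken
    c2_regions: set   # where command-and-control servers were located
    artifacts: set    # e.g. keyboard-layout or system-language traces


# Tooling and tradecraft outweigh C2 location: infrastructure is cheap to
# rent or move, so a server in a given country is only a weak signal.
WEIGHTS = {"tools": 0.35, "intrusion": 0.25, "targets": 0.2,
           "artifacts": 0.15, "c2_regions": 0.05}


def jaccard(a: set, b: set) -> float:
    """Set overlap in [0, 1]; 0 when both sets are empty."""
    return len(a & b) / len(a | b) if (a | b) else 0.0


def score(observed: Profile, known: Profile) -> float:
    """Weighted similarity of an observed incident to a known profile."""
    return round(sum(w * jaccard(getattr(observed, k), getattr(known, k))
                     for k, w in WEIGHTS.items()), 3)


def rank(observed: Profile, profiles: list) -> list:
    """Candidate groups, best match first, as (score, name) pairs."""
    return sorted(((score(observed, p), p.name) for p in profiles), reverse=True)


# Constructed profiles and incidents (not real groups or indicators).
GROUP_A = Profile("group-A", {"rat-x", "dropper-y"}, {"phishing", "priv-esc"},
                  {"ip", "design-docs"}, {"CN"}, {"zh-CN-keyboard"})
GROUP_B = Profile("group-B", {"webshell-q"}, {"sqli", "webshell"},
                  {"credit-cards"}, {"US", "NL"}, {"ru-locale"})
# Group-A tradecraft routed through US servers (cover infrastructure).
INCIDENT_1 = Profile("incident-1", {"rat-x"}, {"phishing", "priv-esc"},
                     {"design-docs"}, {"US"}, {"zh-CN-keyboard"})
# Group-B tradecraft routed through a Chinese server: C2 alone misleads.
INCIDENT_2 = Profile("incident-2", {"webshell-q"}, {"sqli"},
                     {"credit-cards"}, {"CN"}, set())

if __name__ == "__main__":
    for inc in (INCIDENT_1, INCIDENT_2):
        print(inc.name, rank(inc, [GROUP_A, GROUP_B]))
```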

Comments

Dec 05, 2015
Don't the Chinese Government realise this spying will backfire on them?

At the moment China is buying vast tracts of farm land and food production capability from Australia.

If the Chinese don't know already, Australians are very pissed off about our Governments kow-towing to China.

We sold a strategic interest in a major port facility to Chinese interests despite US objections, and now Australian mothers can't buy enough powdered baby formula because it is being scalped by Chinese exporters for China.

This is just the beginning of the red pacman.
