Hardly a month has gone by this year without a multinational company such as Google Inc. (GOOG), EMC Corp. or Sony Corp. (6758) disclosing it’s been hacked by cyber intruders who infiltrated networks or stole customer information. Yet no hacker has been publicly identified, charged or arrested.
If past enforcement efforts are an indication, most of the perpetrators will never be prosecuted or punished.
“I don’t have a high level of confidence that they will be brought to justice,” said Peter George, chief executive of Fidelis Security Systems Inc., a Bethesda, Maryland-based data protection consulting firm whose clients include International Business Machines Corp. (IBM), the U.S. Army and the Department of Commerce. “The government is doing what they can, but they need to do a lot more.”
In the U.S., the FBI, the Secret Service and other law enforcement agencies are confronting what amounts to a massive crime wave that’s highly organized and hard to combat with traditional methods. The hacker organizations are well-funded and global, eluding arrest except in the rarest of cases.
Attacks are coming from organized crime groups based in Eastern Europe and Russia, from industrial spies in China and from groups such as LulzSec, whose members appear to reside mostly in the U.S. and Europe and seem more interested in publicity than in making a profit from their crimes.
LulzSec took credit for hacking into Nintendo Co.’s computers, an intrusion the Kyoto, Japan-based company disclosed June 5, describing it as unsuccessful. Last week it was Google, which revealed an attempted hack, originating in China, into the Gmail accounts of U.S. government officials, military personnel and journalists. Days before that, it was military contractor Lockheed Martin Corp. (LMT), which said its network had been penetrated by an unknown intruder.
LulzSec said June 3 it also had attacked the Atlanta chapter of InfraGard, an information-sharing organization of companies that is affiliated with the Federal Bureau of Investigation to thwart cyber crime.
“We are facing a very innovative crime, and innovation has to be the response,” Gordon Snow, FBI assistant director of the cyber division, said in an interview at the agency’s Washington headquarters last week, before news of the InfraGard breach broke. “Given enough money, time and resources, an adversary will be able to access any system. Companies need to understand that.”
Pablo Martinez, who heads up cybercrime efforts at the Secret Service, compared the current challenge to early efforts the U.S. made to combat drug cartels in the 1980s.
“What the Secret Service has to do is take the successful model that we introduced in South America to defeat some of that stuff and incorporate it in what we do in cyber,” he said.
That would require substantial international law enforcement cooperation and intelligence sharing, said Martinez, whose agency has jurisdiction over bank cyber crime.
In the meantime, the attacks are taking a rising toll on companies and even government agencies, raising concerns about whether the FBI and other enforcement units can handle what appears to be an increasing surge of cyber-criminal conduct, dating back almost two years.
In late 2009, hackers breached the secure computer networks of Mountain View, California-based Google and at least 20 other major U.S. companies in what was dubbed Operation Aurora. They stole proprietary data and company secrets, according to Google and private cyber-security companies.
Hackers also broke into the databanks of BP Plc, Exxon Mobil Corp. (XOM), Royal Dutch Shell Plc (RDSA) and at least three other major energy companies over a two-year period ending this year. They stole millions of dollars of data on global oil reserves, according to McAfee Inc. and documentation in leaked e-mails of the cyber security firm HB Gary Inc.
Cyber thieves stole the account data of 100 million global customers from Sony computer networks in April, the second- largest data breach in U.S. history, according to the Open Security Foundation.
“These are turning points we’re witnessing,” said Anup Ghosh, founder of the Fairfax, Virginia-based cyber security firm Invincea Inc. and a former Pentagon cyber scientist. “What you’re seeing is the loss of the U.S.’s competitive position on a global scale,” he said.
Law enforcement is hampered by the borderless nature of the Internet and by sophisticated methods used by attackers, cyber experts said.
“If you are looking at the Google systems that are being hacked from a country like China, there is no ability to track those activities back to individuals,” said Nicholas Percoco, head of Trustwave Corp.’s SpiderLabs.
A spokesman for China’s foreign ministry said June 2 that blaming the country for the hacking of Google customer accounts is “unacceptable” and added that the Chinese government disapproves of and punishes Internet hacking.
Attackers deliberately base their operations in countries that provide limited law enforcement cooperation with the U.S. or where long-standing relationships between agencies don’t exist. Prominent examples include Ukraine, Romania, Russia and China, U.S. officials said.
“I can talk to the Ukraine all day and even identify who is responsible, but that doesn’t mean they are going to jail,” said E.J. Hilbert, a former FBI cyber investigator who is president of the New York City-based cyber-security firm Online Intelligence.
The Justice Department, FBI and Secret Service say they have allocated more resources to the fight against cyber crime. Each can point to some successes. Last fall, the Justice Department announced the arrest of 39 individuals in Operation Trident Breach, a takedown of a $70 million international bank- fraud ring that used computer worms to steal account information.
U.S. agents only arrested the so-called money mules responsible for setting up bogus bank accounts designed to move stolen money abroad. They weren’t able to detain any of the kingpins they believed had organized the crime spree from the safety of eastern Europe.
One of the most successful U.S. prosecutions followed the indictment of Albert Gonzalez in August 2009 on charges related to the theft of 130 million credit card numbers from Heartland Payment Systems Inc. (HPY), the Princeton, New Jersey-based payment processor. Gonzalez, a Miami resident who worked as a federal informant and admitted that he led an international ring, was later sentenced to 15 to 25 years in prison. Other members of his gang, believed to be located in Russia or Eastern Europe, haven’t been charged in the case, U.S. officials said.
Both Snow and Martinez pointed to successes that aren’t related to arrests, including hard-fought operations to take down web boards where cyber “booty” obtained from intrusions is exchanged or the disabling of infrastructure used by cyber thieves to commit crimes.
Snow cited the recent Justice Department dismantling of the Coreflood botnet, a network of more than 2 million infected computers that was used by Russian cyber thieves to steal financial information. The operation was the first time U.S. authorities had targeted command-and-control servers used to direct such botnets. Snow said it showed law enforcement is now taking some innovative approaches.
“I don’t think it’s right to conclude that because there are not a lot of arrests that law enforcement is not doing its job,” he said.
Brazen and Public
Cyber-security experts said hacking attacks haven’t necessarily increased in recent months. They’ve just become more brazen and public. A self-styled group of hacker-activists known as Anonymous began launching high-profile cyber attacks in December, announcing their efforts on websites and openly discussing details on web boards known as Internet relay chats or IRC’s. Such so-called hacktivists have said they are motivated by punishing activities they dislike.
Anonymous took credit for taking down the websites of Mastercard Inc. and Visa Inc. (V) in December as payback for the payment processors’ suspending use of their networks by WikiLeaks, an organization that publishes secret documents on its website.
Ransacked HB Gary
In February, Anonymous hackers ransacked the computer files of HB Gary, a Sacramento-based cyber-security firm, posting online 60,000 captured internal e-mails. Officials at Tokyo- based Sony said they found a folder named Anonymous inside their computer networks following the loss of account holder information, with a file that read “we are legion,” an Anonymous motto.
Hilbert said LulzSec appears to be loosely linked to Anonymous and has some of the same members. The group took responsibility for defacing the website of the nonprofit broadcast service PBS at the end of May, as well as for a later attack against Sony and another against News Corp. (NWSA)’s Fox television network.
Unlike Chinese or Eastern European-based hackers, members of Anonymous and LulzSec may be more vulnerable to arrest because of the methods they use and the way they are organized, according to cyber-security experts who track them. Leaders are based across several countries in Western Europe and in the U.S.
They often discuss illegal acts on web boards using pseudonyms that investigators may ultimately be able to link to real identities, the experts said, asking not to be identified because of fear of retaliation by the groups.
In December, the FBI seized evidence in the U.S., including server logs, computers and telephones from Anonymous leaders in multistate raids. Snow said that he couldn’t comment on a continuing investigation.
To contact the reporters on this story: Michael Riley in Washington at firstname.lastname@example.org; Greg Farrell in New York at email@example.com; Ann Woolner in Atlanta at firstname.lastname@example.org
To contact the editor responsible for this story: Michael Hytha at email@example.com