A hacker claiming to work at the Department of Energy’s "Department of Petroleum and Natural Resources" sent bogus job notices in early 2015 to employees at the National Institutes of Health.
The malicious "phishing" email claimed DOE was looking for 137 workers "to join our oil field refiners in California, Texas and Minnesota refineries," according to a summary of the hacking incident obtained under the Freedom of Information Act.
Never mind that DOE is not in the business of operating refineries. The department’s Office of Inspector General jumped on the case, hoping to dig up digital clues as to the spoofer’s origin.
A DOE special agent found someone had logged in to the email accounts tied to the phishing campaign from internet protocol addresses in Gambia in West Africa.
Not long afterward, the case went cold, reflecting an ongoing challenge in U.S. cybersecurity: finding the culprit.
"Unfortunately, Gambia is not a member of the 24/7 network," a Department of Justice source wrote to DOE in response to a request for more evidence, referring to an international cybercrime agreement roping in more than 70 countries. "So we have no [point of contact] there to make a preservation request, and even if we did, the U.S. has no [mutual legal assistance treaty] with Gambia."
The message was polite but clear: You’re in for way more trouble than it’s worth, tracking down some would-be identity thief who didn’t even compromise DOE systems.
The difficulty of tracing hackers, scammers and "script kiddies" back to their original location is a long-standing problem in global cyberdefense.
Many private cybersecurity companies don’t even offer services to tie a given cyber intrusion or attempted hack back to a particular group or country, given the thorniness of attribution in cyberspace. Hackers can easily take measures to obfuscate their identity, switching out IP addresses and routing stolen data through digital hop points that often cross multiple countries.
Beyond the technical challenges, other bureaucratic hurdles await, as demonstrated by a trove of Office of Inspector General records released to E&E News under the FOIA request.
Internet service providers delete or refuse to turn over key evidence. Foreign law enforcement agencies drag their feet. Previous agents assigned to a case may use sloppy record-keeping practices, making it harder to piece together shreds of IP addresses, email login times and other digital trails.
Spearphishing in Savannah
In one case dating to December 2011, hackers targeted workers at DOE’s Savannah River Site nuclear lab with spearphishing emails aimed at stealing login credentials. The unknown assailants successfully compromised 31 usernames and passwords on the site’s unclassified computer network, according to a closing memorandum from OIG, which had been called in to investigate.
DOE blocked the malicious links, reset the hacked accounts, reset passwords, scanned the targeted computers for any more viruses, wiped and rebooted affected systems, and finally notified victims.
Then the real investigation began.
Given the security sensitivities at a DOE-run nuclear site, an assistant U.S. attorney in South Carolina "demonstrated interest in the case," DOE recounted.
Department of Justice investigators sent a request for preservation of evidence to Endurance International Group, which turned up "one IP address of interest."
DOJ pinged Bluehost Inc., the internet service provider that hosted the suspicious IP address (a unique identifying number assigned to a computer on a network). But Bluehost retained its subscriber records for only 30 days, so that lead fizzled out.
In July 2012, more than six months after the spearphishing emails had been sent, Assistant U.S. Attorney Dean Eichelberger requested the federal government close the case "due to insufficient investigative leads."
Tracing ‘LulzSec’
In June 2011, according to IG records, part of DOE’s Y-12 National Security Complex in Oak Ridge, Tenn., fell prey to an "SQL injection" cyberattack — a simple hacking technique to squeeze nonpublic information from online databases.
The server hit by the attack contained only test data, according to a summary of the incident, "and did not contain any actual information of value."
That didn’t stop a disciple of the "LulzSec" hacking group from bragging about the successful SQL injection on Twitter.
"Open source research revealed a Twitter message on the internet posted by a user named ‘PHSY’ … which depicts what appears to be a successful attack against an internet facing website at Y12/[the National Nuclear Security Administration]," DOE’s internal watchdog reported.
DOE called in the FBI to set a "pen trap and trace" for two IP addresses tied to the intrusion.
Digital pen registers can track certain information typically associated with IP addresses, like browsing history, time spent online and the IP addresses of other computers contacted by the tracked machine.
But once again, further leads eluded investigators, and DOE noted "no further investigative actions are warranted in this case."
FBI did manage to capture other hackers affiliated with the LulzSec and "Anonymous" collectives, but to the best of DOE’s knowledge, "these arrests have not been in relation to the Y12 intrusion," the OIG agent said.
Rare win
The FOIA documents did reveal a few wins for federal cybersecurity investigators.
On May 1, 2012, the Oak Ridge National Laboratory reported suffering a website defacement and malware infection. The case was markedly similar to concurrent cyber intrusions at NASA, the Army and the Air Force — all hailing from the same IP address. California utility Sempra Energy was also affected.
Twitter accounts under the pseudonym "zyklon b" admitted to the hack of the Oak Ridge web servers, according to the investigative summary. U.S. authorities quickly discovered that French and German officials had tracked the identity of "zyklon b" back to a French national and minor living in Nantes, France.
On June 22, 2012, DOJ and the State Department signed off on a mutual legal assistance treaty urging French authorities to investigate and arrest the hacker with the horrific screen name.
French police made an arrest three days later, and a tribunal in Nantes ultimately found the young hacker guilty of hacking multiple organizations, placing the 16-year-old on probation. He was sentenced to 200 hours of community service and fined about $8,700 for court fees.