A mistake could have put investigators on the Vastaamo hacker’s trail

It is very difficult to track down hackers. However, one mistake can lead to getting caught.

A 25-year-old Finnish hacker has been arrested in absentia on suspicion of a data breach targeting Vastaamo. A European arrest warrant has been issued for him. The suspect is Alexander Julius Kivimäki, who has a background in cyber attacks.

The police have revealed a little more detailed information about how the hacker was tracked down. According to Check Point’s information security expert Jarno Ahlström, attackers can leave traces that can be followed to catch them.

– The traces that usually remain are various log entries and files that have been transferred to the target server. The first thing an attacker aims to do is remove them. He wants to hide the traces of what has been done with the device, says Ahlström.

According to Ahlström, however, an experienced hacker usually knows how to cover his tracks so well that it is very difficult to track him down.

– It is usually quite easy to cover up one’s own actions. However, depending on the method of attack, things can get more difficult. If the attacker installs, for example, malware, it cannot be removed by itself when it is removed. It may contain some clues as to where the attacker is from or whether the same programs have been used elsewhere. That way, the field on which the attack is targeted is expanded.

– So-called hobbyist hackers often use ready-made attack mechanisms and methods made by others, which may leave traces uncleaned. That’s how they usually get caught.

Ahlström says that the attacker primarily wants to conceal his location.

– This is one of the first things that a skilled and experienced attacker does when preparing an attack. He does not make any connections from his own machine, but tries to route the attack path so that it is as hard as possible to detect, for example through someone else’s hijacked machine or the Tor network. This is how they try to hide the starting point, i.e. where the action comes from.

How did the Vastaamo suspect get caught?

Kivimäki, who is suspected of the Vastaamo attack, already has a criminal history related to cyber attacks. According to Ahlström, this probably contributed to the fact that he was caught.

– The person has already been caught before, so it is very likely that the path left by the attacker has been traced, revealing the route through which he carried out the attack. It may be that he has used so-called hopping machines on the way, which have been hijacked, or has come through the Tor network. A very high probability of getting caught is due to something like this, Ahlström thinks.

According to Ahlström, in the Vastaamo case and other similar large-scale attacks, the tracking process is heavy.

– As a rule, it is difficult to intervene in the actions of a skilled attacker in order to catch him. In such cases, we often talk about long-lasting, continuous attacks, where the attacker has access to the system for years and things can be done slowly and unnoticed. The attacker’s basic goal is that there is nothing to follow.

According to Ahlström, the fact that the Vastaamo case had many victims and received a lot of attention probably had a big impact on the investigation. The fact that there are many victims does not directly affect how easy it is to track down the criminal, but it can make the investigation more efficient.

– The importance of the case has a lot to do with the investigation. If there are a lot of victims, it starts to interest the larger public and the police. The risk of getting caught then increases to a certain extent, Ahlström states.

In the Vastaamo case, Ahlström also highlights white hat hackers who use their skills for good.

– The group of benevolent white hat hackers is constantly growing and there is a lot going on there. Even in the Vastaamo case, different white hat hacker communities started to find out whether there was something to catch in the case. These stories rarely reach the public because it is research work done in the background. However, it can be valuable to the police and at best helps to catch the criminal.

The suspect’s motive is unclear

According to Ahlström, attackers have different motives.

– It can be pure bullying for one reason or another. Hackers can also seek fame and glory among other hackers on the dark side of the internet. Money alone is also on the minds of many attackers, Ahlström states and continues:

– Different types of extortion cases have been rising very strongly. Obtaining information and spreading it is also a common means of trying to make money. I would argue that the biggest motive for a determined hacker right now is money.

There is no information about Kivimäki’s motives. He may have sought attention but also financial gain.

– In the Vastaamo case, it is difficult to comment on the initial motives of the attack, but possibly, as the saying goes, opportunity made the thief. After the attack, the information was shared on the Tor network, after which the victims began to be financially blackmailed, says Ahlström.

Correction October 28, 2022 at 12:54 p.m.: Clarified the criminal procedural status of a prisoner who is suspected of a crime.

Even a small mistake could have led the police to track down the hacker. AOP / Roosa Bröijer / screenshot
