Online hackers are leaving surprising clues for cyber sleuths based on the time of their attacks — a trail suggesting the computer criminals are punching a clock for shift work.
The new research on cyber sleuthing patterns may change the notion of hackers as counterculture rebels and, more importantly, help cybersecurity experts halt online assaults and hit back.
Chinese hackers, for instance, are on a Monday-Friday, 9 a.m. to 5 p.m. schedule, Beijing time, indicating they are likely paid employees based in that time zone.
Researchers at Analysis Intelligence, a company that analyzes cyber threats, looked at “the temporal signature of activities by hacker groups and use[d] those to discern their pattern of life – basically their work week – for matching with national work weeks/schedules” across the globe, they write in a new posting on their site.
For instance, activities of the Syrian Electronic Army, a hacker group linked to the regime in Damascus, start with a bang on Sunday, the beginning of the work week in Syria.
They taper off to almost nothing by Friday and Saturday, the weekend in Syria and 14 other Muslim countries. Israel also has a Friday-Saturday weekend.
The al-Qasam Cyber Fighters, a group believed to be sponsored by Iran, shows the most activity Monday-Wednesday, when banking business in the West is at its peak, but is also active Saturday and Sunday.
The weekend in Iran is Thursday and Friday, when the group’s activities are at a low ebb.
Both these groups show a temporal signature matching that of “a regular state-employed hacker week in the Middle East.”
By contrast, hacking carried out in the name of Anonymous, the anarchistic, leaderless online alliance, peaks at the weekend, “which indicates that they are mostly students or western people with ‘normal jobs’ that use weekends for hacking,” the researchers determined.
To get the temporal signatures, researchers analyzed information from their Recorded Future database — a massive collection of reports about hacking from dozens of public sources compiled by their firm.
“Obviously it’s only one signal, but potentially a quite interesting one,” the researchers conclude.
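The work-week matching described above can be sketched as follows; this is an added example, not Analysis Intelligence's code. The 09:00-17:00 office-hours window, whole-hour UTC offsets, the function names and the sample events are assumptions constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Weekend patterns named in the article (Python weekday numbers: Mon=0 .. Sun=6).
WEEKENDS = {"Sat-Sun": {5, 6}, "Fri-Sat": {4, 5}, "Thu-Fri": {3, 4}}

def _local(events_utc, offset_hours):
    """Timestamps shifted to a candidate whole-hour UTC offset (assumption)."""
    if not events_utc:
        raise ValueError("no events to profile")
    tz = timezone(timedelta(hours=offset_hours))
    return [e.astimezone(tz) for e in events_utc]

def weekday_profile(events_utc, offset_hours):
    """Share of activity on each local weekday, Monday first."""
    counts = Counter(e.weekday() for e in _local(events_utc, offset_hours))
    return [counts[d] / len(events_utc) for d in range(7)]

def office_hours_share(events_utc, offset_hours, start=9, end=17):
    """Share of events inside an assumed 09:00-17:00 local working day."""
    local = _local(events_utc, offset_hours)
    return sum(start <= e.hour < end for e in local) / len(local)

def infer_offset(events_utc):
    """UTC offset under which the most activity lands in office hours."""
    return max(range(-12, 15), key=lambda off: office_hours_share(events_utc, off))

def pattern_of_life(events_utc):
    """(UTC offset, weekend pattern whose two days are the quietest)."""
    off = infer_offset(events_utc)
    profile = weekday_profile(events_utc, off)
    quiet = min(WEEKENDS, key=lambda w: sum(profile[d] for d in WEEKENDS[w]))
    return off, quiet

def constructed_events(weekend, offset_hours, weeks=4):
    """Constructed sample: hourly events 09:00-16:00 on work days, one at noon on weekend days."""
    day0 = datetime(2024, 1, 1, tzinfo=timezone(timedelta(hours=offset_hours)))  # a Monday
    events = []
    for n in range(7 * weeks):
        day = day0 + timedelta(days=n)
        hours = [12] if day.weekday() in WEEKENDS[weekend] else range(9, 17)
        events += [(day + timedelta(hours=h)).astimezone(timezone.utc) for h in hours]
    return events

if __name__ == "__main__":
    for weekend, off in [("Sat-Sun", 8), ("Fri-Sat", 3), ("Thu-Fri", 4)]:
        print(weekend, off, "->", pattern_of_life(constructed_events(weekend, off)))
```

Real incident reports cluster far less cleanly than this constructed sample, so the inferred offset and weekend are one input to attribution rather than a conclusion.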