The biggest hurdle to catching cybercriminals is usually that they are hard to identify or connect to alleged crimes.
Sometimes, a suspect is identified but nobody knows where they are.
And then there is the rarer but frustrating situation where the authorities are sure they know the identity of an attacker, and where they live, but still can’t apprehend them.
This seems to be the case with Behzad Mesri, alleged by US prosecutors to be behind May’s spectacular attack on HBO that resulted in the leaking of 1.5TB of data, including un-aired episodes of several popular shows, a Game of Thrones script, staff contacts, account credentials, and financial data.
Quite a haul, that reportedly came with a gloating ransom note demanding “our 6-month salary in bitcoin,” equivalent to $6m (£4.5m).
The barrier to arresting Mesri – who allegedly used the online alias “Skote Vahshat” – is that he lives in Iran, a country the US has notoriously poor relations with, let alone anything resembling an extradition agreement.
If they did somehow nab him, the indictment submitted to the United States District Court in Manhattan suggests he’d be quite a catch.
This claims Mesri is connected to an Iranian hacking group calling itself the Turk Black Hat Security Team, which appears to be well known within Iran.
Says the indictment:
As a member of that group, Mesri conducted hundreds of website defacements…against websites in the US and elsewhere.
HBO wasn’t his only target, it seems.
He accessed HBO’s content by compromising multiple user accounts, it adds, which at least reduces the troubling possibility that the attack was aided by a malicious insider who is still in place.
Is publicly pursuing a man beyond reach a cry in the dark?
It might appear so until you read that the FBI is so sure it has its man, it has released a photograph of him and added his name to its scary most wanted list.
This is significant. Most countries have something similar, but none has the abstract menace of the FBI’s – being added to it is still a powerful way of signalling that the US will pursue a suspect for as long as it takes to hold them to account.
As acting US attorney Joon H. Kim put it:
The memory of American law enforcement is very long.
Which might suggest that the US thinks making his status public will act as a deterrent to other hackers, and perhaps even to Iran itself, against hacking conducted from inside its borders.
Still, there’s a risk that adding a suspect to the list boosts their notoriety and prestige within hacking circles.
The irony is that Mesri’s alleged activities did little apparent harm to HBO’s business; indeed, a separate sequence of accidental leaks of show episodes by the company’s business partners was probably more damaging.
The great HBO hack won’t be remembered as another Sony Pictures disaster by any means – but it might come to be viewed as the moment the US decided to demystify hacking by making it personal.
terry
OK, so we can believe that the criminal is so bad that he leaves a trail of evidence that can prove who he is, but if the criminal is so incompetent, then how bad was HBO at leaving their data unprotected and not encrypted? The story is not that low-quality criminals leave evidence – the real story is that major corporations like HBO are even worse and do not provide adequate protection to their data.
Jim
I agree, but I should point out that it’s not that a “bad criminal” leaves a trail. It’s that the really good (excellent?) criminals can erase their tracks. And even they might leave a footprint. I once found a hack based upon the fact that the criminals purged the logs at a particular crime. If they really were top-tier, they would only have purged the entries in the log pertaining to their own activity.
But, you’re right that HBO didn’t protect themselves very well. In a follow-on to the story above, my ISP refused to believe their device had been hacked. Even ISPs make blunders in security.
John E Dunn
HBO hasn’t explained the weaknesses that led to the attack in any detail so commenting on those would be abstract speculation.
Max
I don’t know how big the FBI’s most wanted list is, but if stuff like website defacement puts you on there, it ought to be quite long.
AndrewP
“Mesri conducted undress of website defacements”.
What, he’s created soft porn too?
Paul Ducklin
Fixed, thanks!