Ashley Madison: Who are the hackers behind the attack?

By Mark Ward
Technology correspondent, BBC News


A lot of data has been released about Ashley Madison but some facts of the breach of the dating website's database remain stubbornly elusive, not least who are the hackers behind the attack?

They call themselves the Impact Team and seem to have formed solely to carry out the attack on the infidelity website. There is no evidence of the group stealing data elsewhere before it announced itself with the Ashley Madison attack on 15 July.

Comments made by Noel Biderman, chief executive of Avid Life Media, which owns Ashley Madison, soon after the hack became public suggested it knew the identity of at least one of the people involved.

"It was definitely a person here that was not an employee but certainly had touched our technical services," he told security blogger Brian Krebs.

Stronger skill set

Since then, little new information has been made public about the hack, leading some to assume that the information Avid had about a suspect would soon lead to an arrest.

But it did not, and now gigabytes of information have been released and no-one is any the wiser about who the hackers are, where they are located and why they attacked the site.

The group is technically pretty competent, according to independent security researcher The Grugq, who asked to remain anonymous.

"Ashley Madison seems to have been better protected than some of the other places that have been hit recently, so maybe the crew had a stronger skill set than normal," he told the BBC.

They have also shown that they are adept when it comes to sharing what they stole, said forensic security specialist Erik Cabetas in a detailed analysis of the data.

The data was leaked first via the Tor network because it is good at obscuring the location and identity of anyone using it. However, Mr Cabetas said the group had taken extra steps to ensure their dark web identities were not matched with their real-life identities.

The Impact Team dumped the data via a server that only gave out basic web and text data - leaving little forensic information to go on. In addition, the data files seem to have been pruned of extraneous information that could give a clue about who took them and how the hack was carried out.

Identifiable clues

The only potential lead that any investigator has is in the unique encryption key used to digitally sign the dumped files. Mr Cabetas said this was being employed to confirm the files were authentic and not fakes. But he said it could also be used to identify someone if they were ever caught.

But he warned that using Tor was not foolproof. High-profile hackers, including Ross Ulbricht, of Silk Road, have been caught because they inadvertently left identifiable information on Tor sites.

The Grugq has also warned about the dangers of neglecting operational security (known as opsec) and how extreme vigilance was needed to ensure no incriminating traces were left behind.

image copyrightReuters
image captionRoss Ulbricht was arrested after failing to cover his tracks

"Most opsec mistakes that hackers make are made early in their career," he said. "If they keep at it without changing their identifiers and handles (something that is harder for cybercriminals who need to maintain their reputation), then finding their mistakes is usually a matter of finding their earliest errors."

"I suspect they have a good chance of getting away because they haven't linked to any other identifiers. They've used Tor, and they've kept themselves pretty clean," he said. "There doesn't seem to be anything in their dumps or in their missives that would expose them."

The Grugq said it would need forensic data recovered from Ashley Madison around the time of the attack to track them down. But he said that if the attackers were skilled they might not have left much behind.

"If they go dark and never do anything again (related to the identities used for AM) then they will likely never be caught," he said.

Mr Cabetas agreed and said they would probably be unearthed only if they spilled information to someone outside the group.

"Nobody keeps something like this a secret. If the attackers tell anybody, they're likely going to get caught," he wrote.

More on this story