Seeking the source of the data breach

The trail could lead to any other country and could even come back to Malaysia, according to a cyber expert


The Internet protocol (IP) address in Oman linked to the breach of 46.2 million cellular phone records could be just a proxy used to mask the cyber criminals’ exact whereabouts, and tracking the “digital trail” would not be easy, experts said.

Cyber criminals would use false source IP addresses or proxy servers in other countries to hide their identity or location.

Hackers would bounce their requests through various proxies to confuse authorities about the source location.

Cyber security experts said the investigation into the data leak could have tracked IP addresses in other countries and not just Oman.

The cyber expert said local authorities need to verify with the relevant country’s security operations centres (SOCs) to identify the owner of the IP address.

“The real question is, who holds the IP address? If it is tracked to Oman, they need to contact Oman’s authorities.

“But it is much more complicated. They could find that the IP belongs to a proxy server in Oman.

“The trail could lead to any other country and could even come back to Malaysia,” the cyber expert — who wants to remain anonymous — told The Malaysian Reserve.

Malaysian authorities have been on the trail of the source of 46 million stolen cellular phone users’ records leaked by a third party.

The leaked data, believed to be the country’s largest such breach, was sold online to interested buyers. The data was sold for one bitcoin (RM34,111.24). The records contain personal information and sensitive phone data which could be manipulated by interested parties.

The authorities are said to have identified a few potential sources of the data breach, but have not announced whether the breach was due to computer hacking or data theft.

The IP address in Oman was a clue to the sale of the data, but every Internet connection, from corporate servers to individual homes and WiFi links at a restaurant, is allocated an IP address.

The computer security expert said how quickly the breach could be pinpointed would depend on how many countries the IP addresses lead to.

“More IPs of other countries mean more SOCs need to be communicated to. Thus, more time will be needed,” the source added.

The police, together with other related parties including the Malaysian Communications and Multimedia Commission, and CyberSecurity Malaysia, are working on a few leads.

Police had revealed that the leak is believed to have occurred during the data transfer process at a telecommunications company.

“If that was the case, it can be concluded that they have reached the end of the digital breadcrumbs — or at least the trail that was in Malaysia,” the source said.

Another information technology expert said the Oman IP address could be the result of IP spoofing, which can create a misleading IP address. Moreover, one source pointed to the use of “The Onion Router” (TOR) network.

“TOR network is used to hide the user’s original country or IP that you browse from. For example, (once) he or she logs in to the TOR network, from Malaysia it goes to the UK, then to Holland, then reaches servers in Malaysia,” the source said.

Simply put, the TOR network is proxies on steroids, with fully dynamic IPs from one node to the next until the traffic reaches its destination. “It is going to be tough to trace. (There are) 1,001 possibilities,” the source said.

Experts also have not ruled out disgruntled employees who had resigned as the source of the leak.