In the wake of the recent announcement of a massive data breach at the federal government’s Office of Personnel Management (OPM), blame was quickly laid at the door of state-sponsored Chinese hackers (although U.S. officials fell short of an all-out accusation).

While China denies any involvement, cybersecurity analysts suggest that the breach carried all the hallmarks of a state-sponsored attack, such as evidence of highly organized teams that focus on the same targets, often for years, and outside of regular hours.

Of course, this isn’t the first time the finger has pointed east. In March 2014, OPM systems experienced a similar breach, believed to have originated from China. The private sector isn’t immune either. According to the Associated Press, Mandiant, a Virginia-based cybersecurity organization, concluded in a report in early 2013 that a massive hacking campaign on U.S. business could be traced to an office building in Shanghai run by the Chinese military.

Knowing Thy Enemy Is A Key Defense Strategy

Suspicions about foreign state-sponsored hacking aside, the act of finding out who is behind an attack is getting harder than ever, making it difficult to bring hackers to justice. But that’s not all, understanding where the hack is coming from is key to defending government networks against it.

Hackers Often Leave A Fingerprint

ZDNet reports that even the stealthiest intruders leave a fingerprint. Here are just six examples of potential leads and clues left in a hacker’s crumb trail:

  • Phishing emails and the types of websites infected by malware provide a clue to who attackers are after and what they want.
  • Malware can be linked to a particular group. According to Symantec’s threat intelligence analyst, Alan Neville, if a hacker is “…developing custom tools, and they are sophisticated and modular, it would indicate they might have a professional group behind them and they may even be state-sponsored.
  • Comments in code can indicate the language that the hackers speak.
  • Time stamps in the code indicate the work day and potential time zone of the hackers.
  • How the hacker behaves on the network also leaves clues. For example, storing malware in a particular directory or PC each time or the repeated use of the same commands in a specific order.
  • Because all malware has to contact its command base server at some point to get instruction or to move the stolen data out, investigators get additional clues. These end servers must have an associated domain registered which, with a bit of luck, may be traceable.

Messing Up The Crime Scene To Avoid Discovery

Of course, hackers are well aware of the clues they leave behind and are constantly seeking ways to outwit security systems and investigators, says ZDNet. Whether it’s throwing out red herrings or messing up the crime scene to remove evidence. “It’s definitely getting harder – attackers are trying to stay one step ahead. They are well aware of what security vendors do,” said Symantec’s Neville.

For more information about the data breach at OPM and its true impact on employees, cybersecurity initiatives, and government policy, read: 8 Facts That Have Emerged About the Federal Data Breach at OPM.