The hacking trial of Gottfrid Svartholm and his alleged 21-year-old Danish accomplice continued this week in Copenhagen, Denmark. While Gottfrid is well known as a founder of The Pirate Bay, his co-defendant’s identity is still being kept out of the media.
In what’s being described as the largest case of its kind ever seen in the Scandinavian country, both stand accused of hacking computer mainframes operated by US IT giant CSC. This week various IT experts have been taking the stand.
On Tuesday, IT investigator Flemming Grønnemose appeared for the third time and stated that during the summer and fall of 2012, Swedish police had tipped off Danish police about possible hacker attacks against CSC.
According to DR.dk, during Grønnemose’s questioning Gottfrid’s lawyer Luise Høj raised concerns over a number of changes that had taken place on her client’s computer since it had been taken into police custody.
Grønnemose admitted that when police installed programs of their own on the device, security holes that could have been exploited for remote control access could have been closed. However, it appears police also have an exact copy of the machine in an unmodified state.
Further evidence centered around the IP addresses that were traced during the attacks. IP addresses from several countries were utilized by the attackers including those in Cambodia, Germany, Iran, Spain and the United States. German police apparently investigated the local IP address and found that it belonged to a hacked server in a hosting facility.
The server had not been rented out for long, but was still on and had been taken over by hackers, Grønnemose said. According to the prosecution, the same server also featured in last year’s Logica case in Sweden. Gottfrid was found guilty in that case and sentenced to a year in jail.
Another IT expert called to give evidence on the same day was Allan Lund Hansen, who had examined the files found on Gottfrid’s computer. Those files, garnered from the CSC hack, contained thousands of names, addresses and social security numbers of Danish citizens. Since the files were in an encrypted folder along with data from earlier attacks on IT company Logica and the Nordea bank, the prosecution are linking the files to Gottfrid.
On Thursday, DR.dk reported that the debate over Gottfrid’s computer being remotely controlled continued. Previously, Jacob Appelbaum argued that an outside attacker could have used the machine to carry out the attacks, but defense experts from the Center for Cyber Security disputed that.
This week Thomas Krismar from the Center said that Python scripts found on Gottfrid’s computer were able to carry out automated tasks but in this case remote control was unlikely to be one of them.
“There are two characteristics we always look for when we try to discover remote control features. The first is one that starts automatically when you turn on your computer since the attacker will always try to maintain their footing on the computer. The second is one that ‘phones home’ to indicate that it is ready to receive commands,” Krismar said.
The script in question on Gottfrid’s machine needed to be started manually and did not attempt to make contact with anything on the web, the expert said.
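The two characteristics Krismar describes, automatic start and contact with a remote host, can be looked for statically in a Python script without running it. The following is an added example, not code from the trial or the original article; the module list, the marker strings and both sample scripts are constructed assumptions.

```python
import ast

# Assumed list: modules commonly imported to reach the network.
NETWORK_MODULES = {"socket", "ssl", "http", "urllib", "ftplib",
                   "smtplib", "telnetlib", "requests", "paramiko"}
# Assumed list: substrings of locations that start a program without user action.
AUTOSTART_MARKERS = ("crontab", "/etc/cron", "/etc/rc.local",
                     "/etc/systemd/system", ".config/autostart",
                     "currentversion\\run", "launchagents")


def triage(source):
    """Parse (never execute) a script; report network imports and autostart references."""
    network, autostart = set(), set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            names = [node.module or ""]
        else:
            names = []
        for name in names:
            top = name.split(".")[0]  # "urllib.request" -> "urllib"
            if top in NETWORK_MODULES:
                network.add(top)
        # String literals may name a persistence location the script writes to.
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            lowered = node.value.lower()
            autostart.update(m for m in AUTOSTART_MARKERS if m in lowered)
    return {"network": sorted(network), "autostart": sorted(autostart)}


# Constructed sample: a manually started automation script with no network use.
MANUAL_SCRIPT = '''
import csv, sys
with open(sys.argv[1]) as fh:
    for row in csv.reader(fh):
        print(row[0])
'''

# Constructed sample: references an autostart location and opens a connection.
FLAGGED_SCRIPT = '''
import socket
AUTOSTART_FILE = "~/.config/autostart/job.desktop"
sock = socket.create_connection(("collector.example", 443))
'''

if __name__ == "__main__":
    for label, src in (("manual", MANUAL_SCRIPT), ("flagged", FLAGGED_SCRIPT)):
        print(label, triage(src))
```

A clean result only covers what the script itself contains: autostart can also be configured outside the script, and dynamically built imports or strings will not show up in a static pass.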
Also appearing Thursday were further witnesses including Joachim Persson of Stockholm police who investigated Gottfrid’s computers after his arrest in Cambodia.
Persson said he found a tool known as Hercules, a sophisticated piece of software that emulates the kind of systems that were hacked at CSC. Persson did note, however, that such tools have legitimate uses for those learning how to operate similar systems.
The trial continues.