The University of East Anglia campus. Public domain

By Leo Hickman

20 July 2012

Norfolk police's Julian Gregory explains why the investigation into the University of East Anglia's hacked emails was so complex

On Wednesday, Norfolk Police announced that it was formally ending its two-and-a-half-year investigation into the theft of thousands of private emails stored on servers at the University of East Anglia's Climatic Research Unit (CRU), an event that has commonly come to be known as "Climategate". Detective chief superintendent Julian Gregory, the senior investigating officer, said that due to the three-year statutory limitation placed on the investigation by the Computer Misuse Act 1990, he was closing the case now because there was no realistic chance of bringing a prosecution ahead of the third anniversary of the theft in November. He did say, though, that "the data breach was the result of a sophisticated and carefully orchestrated attack" and that there was "no evidence to suggest that anyone working at or associated with UEA was involved in the crime".

Norfolk Police gave a press conference yesterday in which it revealed some more details about the investigation. For example, DCS Gregory said that the hacker(s) had, whilst accessing the university's servers remotely via the internet, breached several passwords in order to gain access to the emails and other documents. He also said that officers had examined CCTV footage at CRU to investigate the possibility, subsequently ruled out, that a member of staff might have been involved.

DCS Gregory confirmed, too, that it was highly unlikely to have been a chance discovery by a hacker. It was a targeted attack. No other university in the UK experienced a similar attack over that same time period, he confirmed. (The hackers breached CRU's servers "certainly more than three times" between September and November 2009.) There was no evidence, he said, that the hack was committed, or commissioned, by a government or an individual/organisation with commercial interests.
He added: "This appears to have been done with the intention of influencing the global debate on climate change and ultimately that affects us all. To not have done the best we could on this investigation would have been neglect."

I was unable to attend the press conference in person. (Norfolk Police has produced a transcript of the press conference as a PDF, as well as broader background information here.) But yesterday afternoon I was able to put some further questions to DCS Gregory over the telephone.

Was the level of expertise required to pull off this kind of hack way beyond the kind of knowledge that, say, someone working in an IT department, or very familiar with computers, might have?

Yes, absolutely.

What is the hard evidence that you actually recovered?

Our technical investigation focused on CRUWEB8 [the web server that was first accessed by the hacker] and CRUBACK3 [a back-up server containing the emails which was accessed via CRUWEB8]. We identified the attacks that came in and their methodologies and some of the activities they undertook. The proxy servers they used either don't have the log switched on, or if they do they are overwritten within 24-48 hours. Hackers tend to choose proxy servers in countries where law enforcement agencies might find it challenging to get co-operation, or to get information. From the outset, you're almost on a hiding to nothing, to be perfectly frank.

So all that early speculation that a Russian server was involved so it must be a Russian, etc., was meaningless speculation?

Absolutely. We're not getting into naming countries, but I think it's fair to say that most continents were involved. As you know, you can be sitting on your computer, and causing something to happen on the other side of the world with a few clicks of the mouse. […]

Climategate detective: "I'm deeply disappointed" we didn't catch hacker