3/28/2018
04:30 PM

Destructive and False Flag Cyberattacks to Escalate

Rising geopolitical tensions between the US and Russia, Iran, and others are the perfect recipe for nastier nation-state cyberattacks.

Olympic Destroyer. NotPetya. Bad Rabbit. OilRig. These disruptive and in most cases destructive cyberattacks were just the beginning.

Geopolitical tensions typically correlate with an uptick in nation-state cyberattacks, and security experts are gearing up for more aggressive and damaging attacks against the US and its allies in the near term, including crafted false flag operations that follow the strategy of the recent Olympic Destroyer attack on the 2018 Winter Olympics network.

As US political discord with Russia, Iran, North Korea, and even China escalates, cyberattack responses are to be expected, but those attacks may not all take the form of traditional, stealthy cyber espionage. Experts say the Trump administration's recent sanctions and deportation of Russian diplomats residing in the US will likely precipitate more aggressive responses in the form of Russian hacking operations. And some of those could be crafted to appear as the handiwork of other nation-state actors.

A shift in Russia's M.O. against the US infamously began in 2016 with the hacks of the Democratic National Committee (DNC), Democratic Congressional Campaign Committee (DCCC), and Hillary Clinton campaign manager John Podesta's email account, all of which were punctuated with data dumps via WikiLeaks, DC Leaks, and Guccifer 2.0.

US companies Merck and Federal Express were believed to be collateral damage from the NotPetya attack Russia waged last year against Ukrainian targets, which posed as a ransomware attack but instead wiped data from hard drives at infected sites. But such attacks may well become more direct in the near future, experts believe.

Security experts worry that Russia will continue to ratchet up aggressive cyberattacks against the US - likely posing as other nations and attack groups for plausible deniability - especially given the success of recent destructive campaigns like NotPetya, not to mention the chaos caused by Russia's election-meddling operation during the 2016 US presidential election.

That doesn't mean Russia or any other nation-state could or would cause a massive power grid outage in the US, however. Instead, US financial services and transportation networks could be next in line for disruption via nation-state actors, experts say.

Vikram Thakur, senior manager on Symantec's security response team, says Olympic Destroyer scratched the surface for cloak-and-dagger attacks. "We think the future is going to get even more complicated with actors relying more and more on false flags, in some cases, throwing another group [under] the bus from an attribution standpoint."

"To say the waters are muddied would be such an understatement," he says. Not only are some nations teaming up outside of cyber, but others are happy to pilfer from one another's cyber domains as well: "We're aware of groups happy to steal others' information and sit on their command and control server. We're aware of false flag operations."

But Tom Kellermann, chief cybersecurity officer at Carbon Black, expects more nefarious activity out of Russia, and possibly from Iran and North Korea, against the US. He expects some regimes to team up in the long term to target the US and other Western allies/NATO in cyberspace. For example, the nomination of CIA director Mike Pompeo – who has criticized the Iran nuclear deal – as the new US Secretary of State to replace Rex Tillerson, could spark online retaliation from Iran, he says.

"You're going to see a dramatic escalation of Iranian cyberattacks against US infrastructure" that follow White House and State Department rhetoric, he says. Iran already has dramatically improved its cyberattack capabilities, he says, and he believes it's learning from Russia's tactics. "They're all using the same playbook" now, he says, with similar "kill chain" methods in their attacks and payloads.

Kellermann says he believes Russia is providing North Korea and Iran with the technologies and tactics to advance their attacks. It may not be direct coordination, but there's some element of technology transfer from Russia to those nations, he maintains.

The Iranian OilRig attackers, for instance, have advanced in their ability to mask lateral movement within a targeted organization, he notes, and they have adopted methods similar to Russia's Fancy Bear group, including an AppLocker bypass exploit, indirect code execution, and the increasingly popular file-less malware method where legitimate system tools are used against victims rather than custom malware.

This move away from custom malware to so-called file-less malware also complicates attribution and helps embolden false-flag operations. "[Custom malware] was one of the primary methods for identifying certain groups in the past. Without that, it becomes difficult to determine who the perpetrator might be," Symantec's Thakur says.

That doesn't mean attribution is dead. "It's becoming a lot more challenging. But in the end they are still humans and even if they write scripts in PowerShell or JavaScript or PHP, at the end of the day they will reuse code and are lazy. That helps us" identify them, he says.

North Korea's Hidden Cobra, believed to be behind the sophisticated attacks on bank members of the SWIFT network, also is maturing fast. "The M.O. they use against the financial sector reminds me of the M.O. of Russian cybercriminals," says Kellermann. Their custom Trojan development aside, they employed similar communications methods, including a custom binary protocol to beacon back to the C2 servers over TCP ports 8080 and 8088, and their use of SSL, he says, as well as when they overwrote the ServiceDLL in the Windows registry.

Thakur says his team at Symantec hasn't seen much cooperation among different nations to date. Multiple hacking teams from a particular nation, such as Iran, will work in tandem in an attack campaign, splitting up different stages of the attack. "I don't think different countries are going to collaborate on malware or on different active campaigns. Most are very nationalistic, or have ambitions for intellectual property" theft, he says.

One high-profile exception, of course, was Stuxnet. Although neither the US nor the Israeli government ever took credit for the hack that sabotaged uranium centrifuges in Iran, experts who studied the attack pointed to fingerprints from both nations' intelligence agencies.

CrowdStrike vice president of intelligence Adam Meyers says he hasn't seen much overlap of nation-state groups working together, but points to nations such as Iran modeling some of their techniques after Russian ones. Take Iran's initial dabbling with destructive attacks via the Shamoon campaign, which hit a couple of targets.

"It was a shot across the bow," Meyers says. But starting in 2016, Iran waged a series of destructive cyberattacks targeting the Saudi government and infrastructure and business, he notes. "That was for maximum impact and psychological impact on the people of Saudi Arabia," he says. "It's what Russia has been doing against Ukraine for seven years."

Meyers believes the issue is more about Iran's cyberweapon capability improving and maturing – likely inspired by Russia's.

Symantec's Thakur says the likelihood of the number of destructive cyberattacks against the US and others increasing in the coming months is "more realistic" now than ever. "It's more about the motivation by threat actors working on behalf of certain countries that will reach the threshold where they would more often cause destruction to someone's network," he says. "There are a lot of factions. It's fair to assume some might get more reckless."

But that doesn't mean widespread critical infrastructure damage. "That doomsday scenario isn't fair. It's extremely unlikely we would face a situation of a widescale blackout across the country," Thakur says. "If anything, there are small pockets of the country that don't have the redundancy or rollover, who might be at elevated risk of cyberattacks and some kinetic" threat, he says.

Even with the recent confirmation by the federal government that Russia's DragonFly hacking team is well embedded in US power companies and other industrial networks, there's a silver lining, he says. "Today our infrastructure in the US is in a much better place than a year ago" security-wise, he says.

In the run-up to a possible meeting between Kim Jong-Un and Donald Trump, meanwhile, North Korean hacking teams will likely escalate their attacks. "They want to get intel around the US strategy," notes CrowdStrike's Meyers. "And leading up to those meetings, there is increasing pressure on the US government and POTUS to maintain a hard line on sanctions against North Korea … So [North Korea] may step up their criminal operations," especially on the lucrative cryptocurrency mining attacks, he says.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Joe Stanganelli
4/2/2018 | 3:35:40 PM
Re: Disorder is an incentive
And now that fighting with "bits and bytes" has escalated to the evergreen, perennial battle for hearts and minds -- as we've seen with all the #FakeNews hullabaloo.
Joe Stanganelli
4/2/2018 | 3:32:43 PM
reuse
> "at the end of the day they will reuse code and are lazy. That helps us" identify them

I'm aware of at least one cybersecurity vendor that boasts that it conducts this kind of analysis to detect what kind of attacks will happen next -- by analyzing code reuse patterns and similar recycling.
josh-mayfield
3/30/2018 | 8:39:15 AM
Re: Disorder is an incentive
Dr. T, you're right. Since we live in the digital space, their behaviors are just as impactful as physical assaults in an age where all was physical.
Dr.T
3/29/2018 | 6:49:17 PM
Attacks
> Olympic Destroyer. NotPetya. Bad Rabbit. OilRig. These disruptive and in most cases destructive cyberattacks were just the beginning.

Obviously these are the beginning of more complex cyberattacks; it's hard to get a handle on them anymore.
Dr.T
3/29/2018 | 6:46:26 PM
Governments
All the governments will continue to protect themselves against the rest going forward. They start developing their own technologies and the world will become more divided. This is sad.
Dr.T
3/29/2018 | 6:44:19 PM
Re: Disorder is an incentive
> Now, we fight with bits, bytes, data, and information

Good analogy; we just need to be smarter than criminals.
Dr.T
3/29/2018 | 6:43:20 PM
Re: Disorder is an incentive
> cybercriminals in our digital world

They are also impacting our real lives through the digital world.
Dr.T
3/29/2018 | 6:42:00 PM
Re: Disorder is an incentive
> Many of the world-shaping events in human history came about during a time of chaos and disorder.

That is true, I think; we go and think out of the box when we come to the end of the rope.
Dr.T
3/29/2018 | 6:39:12 PM
Cyberattacks Industry
It looks like a cyberattacks industry is in place and both individuals and governments keep benefiting from it.
josh-mayfield
3/29/2018 | 11:58:13 AM
Disorder is an incentive
Many of the world-shaping events in human history came about during a time of chaos and disorder. While eyes are distracted by the headlines and the uncertainty of what's to come, those with a will to power (cybercriminals in our digital world) take advantage of the circumstances and seize the opportunity for attack campaigns.

When we fought with guns, bullets, and bombs...this took the form of coups. Now, we fight with bits, bytes, data, and information...this takes the form of targeted attacks and crippling institutions, halting progress and the standard operations of a civil society.

@joshuamayfield