Vulnerabilities / Threats

5/26/2015
11:00 AM
David Venable
David Venable
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

State-Sponsored Cybercrime: A Growing Business Threat

You don't have to be the size of Sony -- or even mock North Korea -- to be a target.

It’s not just governments that are feeling the disastrous effects of state-sponsored cyber warfare and crime. Recent leaks and discoveries have revealed the existence of, and details about several government hacking organizations around the world. While many of them target governments for intelligence collection, we are starting to see more activity directed towards business. In fact, the private sector is every bit at risk. As recent attacks have shown, you don’t have to be the size of Sony -- or even mock North Korea -- to be a target.

Key players
Chinese cyber operations have typically been economically driven, often with a pure profit motive. Several top technology, aerospace, and defense companies have been breached by Chinese state-sponsored hackers, often in what appears to be an effort to steal intellectual property and identities. China’s approach follows the same guiding philosophy the Chinese Army uses: throw as many people at the problem as possible, regardless of talent or training, and eventually you’re bound to get something. These groups include Deep Panda, Putter Panda/PLA Unit 61398, Hidden Lynx, APT1/Comment Crew, Axiom, and many more.

Russian cyber operations enjoy a unique distinction from the other groups because they are more broadly used to collect intelligence, and like Chinese hackers are also involved in profit-motivated cyber crime. The Russians also have a history of aggressive offensive operations such as the Estonian cyber attacks of 2007 that swamped websites of Estonian parliament, banks, ministries, newspapers and broadcasters, amid the country's disagreement with Russia about the relocation of a statue, and more recent cyber attacks directed at Poland.

Unlike Chinese counterparts, Russian hackers also like to spread ideological influence, a discipline known as “Information Operations” within the intelligence community. This includes “troll farms” staffed with hundreds whose job is to spread ideas and cause the appearance of consensus across online forums and social media. Russian state-sponsored cyber efforts are also unique in that they are known to provide training and mercenary-style hacker-for-hire services to other countries -- possibly even North Korea’s Bureau 121 and Iran’s IRGC.  

Some notorious non-state actors have been working hard to reach levels of sophistication similar to these state-sponsored groups. There have been many reports of mysteriously unattributed and extremely sophisticated hacker recruiting drives across the deep web. Meanwhile state-like organizations such as ISIS have been actively and openly recruiting hackers. To date, ISIS’s “Cyber Caliphate” has not exhibited this level of sophistication, but it’s probably just a matter of time until we start seeing stateless organizations reaching the same level of sophistication as state actors.

Not a theoretical threat
I recently discovered an unidentified Chinese APT group that breached a mid-sized multinational company. The breach was initially suspected when some employees found copies of their own internal documents online, and an investigation began.

The breach was accomplished via a spear-phishing attack targeting a secretary within the company. Clicking a link ultimately installed custom malware on the workstation, which allowed the APT group to use it as a pivot point from which they launched other attacks. Subsequently, they took control of almost every server and workstation within the company. From there, they began slowly exfiltrating sensitive data off their file servers, just a few small packets at a time, all encrypted.

It’s worth noting that this went completely undetected for months. The breach was finally confirmed through the use of a security audit that made use of adaptive behavioral analysis and threat intelligence combined with traditional vulnerability assessment methodologies.

State-sponsored attacks often demonstrate remarkable complexity. Fortunately, these attacks are detectable and preventable. Business must make use of layered defenses comprised of human-monitored intrusion detection with behavioral analysis integrated with routine security testing, predictive threat intelligence, and education in order to stay secure.  

David Venable, Director of Professional Services at Masergy Communications, has over 15 years' experience in information security, with expertise in cryptography, network and application security, vulnerability assessments, penetration testing, and compliance. David is a ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
hykerfred
50%
50%
hykerfred,
User Rank: Apprentice
6/2/2015 | 3:38:47 AM
Sponsored hacks are no hit-and-run
One thing that I've noticed is the almost large organization process oriented methodology of government-backed hacks. There's no rush, they patiently wait and gather internal information and access servers and systems until they slowly start to extract information. Maybe working within the breached system for a year or two until the actual leak starts. 

If you, for instance, compare with ransomware type of operations that's in there for the quick buck, these guys are more dangerous since there is no haste. No bills to be paid at home, that's already been taken care of. As you point out, the rationale behind the hack is still making profits but more in an abstract way, like providing intellectual property to your own industry to give them competitive advantages. 

It's always more difficult to protect yourself from the people that have time to wait.
Phil Verheul
100%
0%
Phil Verheul,
User Rank: Apprentice
6/1/2015 | 9:13:59 AM
Nice Article
Well done Dave. Hope we get to read more stuff from you. :)

 
Ulf Mattsson
50%
50%
Ulf Mattsson,
User Rank: Moderator
5/26/2015 | 3:23:10 PM
I think that we should expect that advanced intruders take control
I think that we should expect that advanced intruders take control "of almost every server and workstation within the company."

Aberdeen Group reported in a very interesting study with the title "Tokenization Gets Traction" that tokenization users had 50% fewer security-related incidents than non-users and 47% of respondents are using tokenization for something other than cardholder data.

Aberdeen also has seen a steady increase in enterprise use of tokenization as an alternative to encryption for protecting sensitive data.

It is an effective approach for most sensitive data fields.

Ulf Mattsson, CTO Protegrity
Intel Says to Stop Applying Problematic Spectre, Meltdown Patch
Kelly Jackson Higgins, Executive Editor at Dark Reading,  1/22/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2017
A look at the biggest news stories (so far) of 2017 that shaped the cybersecurity landscape -- from Russian hacking, ransomware's coming-out party, and voting machine vulnerabilities to the massive data breach of credit-monitoring firm Equifax.
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.