Vulnerabilities / Threats

5/26/2015
11:00 AM
David Venable
David Venable
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

State-Sponsored Cybercrime: A Growing Business Threat

You don't have to be the size of Sony -- or even mock North Korea -- to be a target.

It’s not just governments that are feeling the disastrous effects of state-sponsored cyber warfare and crime. Recent leaks and discoveries have revealed the existence of, and details about several government hacking organizations around the world. While many of them target governments for intelligence collection, we are starting to see more activity directed towards business. In fact, the private sector is every bit at risk. As recent attacks have shown, you don’t have to be the size of Sony -- or even mock North Korea -- to be a target.

Key players
Chinese cyber operations have typically been economically driven, often with a pure profit motive. Several top technology, aerospace, and defense companies have been breached by Chinese state-sponsored hackers, often in what appears to be an effort to steal intellectual property and identities. China’s approach follows the same guiding philosophy the Chinese Army uses: throw as many people at the problem as possible, regardless of talent or training, and eventually you’re bound to get something. These groups include Deep Panda, Putter Panda/PLA Unit 61398, Hidden Lynx, APT1/Comment Crew, Axiom, and many more.

Russian cyber operations enjoy a unique distinction from the other groups because they are more broadly used to collect intelligence, and like Chinese hackers are also involved in profit-motivated cyber crime. The Russians also have a history of aggressive offensive operations such as the Estonian cyber attacks of 2007 that swamped websites of Estonian parliament, banks, ministries, newspapers and broadcasters, amid the country's disagreement with Russia about the relocation of a statue, and more recent cyber attacks directed at Poland.

Unlike Chinese counterparts, Russian hackers also like to spread ideological influence, a discipline known as “Information Operations” within the intelligence community. This includes “troll farms” staffed with hundreds whose job is to spread ideas and cause the appearance of consensus across online forums and social media. Russian state-sponsored cyber efforts are also unique in that they are known to provide training and mercenary-style hacker-for-hire services to other countries -- possibly even North Korea’s Bureau 121 and Iran’s IRGC.  

Some notorious non-state actors have been working hard to reach levels of sophistication similar to these state-sponsored groups. There have been many reports of mysteriously unattributed and extremely sophisticated hacker recruiting drives across the deep web. Meanwhile state-like organizations such as ISIS have been actively and openly recruiting hackers. To date, ISIS’s “Cyber Caliphate” has not exhibited this level of sophistication, but it’s probably just a matter of time until we start seeing stateless organizations reaching the same level of sophistication as state actors.

Not a theoretical threat
I recently discovered an unidentified Chinese APT group that breached a mid-sized multinational company. The breach was initially suspected when some employees found copies of their own internal documents online, and an investigation began.

The breach was accomplished via a spear-phishing attack targeting a secretary within the company. Clicking a link ultimately installed custom malware on the workstation, which allowed the APT group to use it as a pivot point from which they launched other attacks. Subsequently, they took control of almost every server and workstation within the company. From there, they began slowly exfiltrating sensitive data off their file servers, just a few small packets at a time, all encrypted.

It’s worth noting that this went completely undetected for months. The breach was finally confirmed through the use of a security audit that made use of adaptive behavioral analysis and threat intelligence combined with traditional vulnerability assessment methodologies.

State-sponsored attacks often demonstrate remarkable complexity. Fortunately, these attacks are detectable and preventable. Business must make use of layered defenses comprised of human-monitored intrusion detection with behavioral analysis integrated with routine security testing, predictive threat intelligence, and education in order to stay secure.  

David Venable, Director of Professional Services at Masergy Communications, has over 15 years' experience in information security, with expertise in cryptography, network and application security, vulnerability assessments, penetration testing, and compliance. David is a ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
hykerfred
50%
50%
hykerfred,
User Rank: Apprentice
6/2/2015 | 3:38:47 AM
Sponsored hacks are no hit-and-run
One thing that I've noticed is the almost large organization process oriented methodology of government-backed hacks. There's no rush, they patiently wait and gather internal information and access servers and systems until they slowly start to extract information. Maybe working within the breached system for a year or two until the actual leak starts. 

If you, for instance, compare with ransomware type of operations that's in there for the quick buck, these guys are more dangerous since there is no haste. No bills to be paid at home, that's already been taken care of. As you point out, the rationale behind the hack is still making profits but more in an abstract way, like providing intellectual property to your own industry to give them competitive advantages. 

It's always more difficult to protect yourself from the people that have time to wait.
Phil Verheul
100%
0%
Phil Verheul,
User Rank: Apprentice
6/1/2015 | 9:13:59 AM
Nice Article
Well done Dave. Hope we get to read more stuff from you. :)

 
Ulf Mattsson
50%
50%
Ulf Mattsson,
User Rank: Moderator
5/26/2015 | 3:23:10 PM
I think that we should expect that advanced intruders take control
I think that we should expect that advanced intruders take control "of almost every server and workstation within the company."

Aberdeen Group reported in a very interesting study with the title "Tokenization Gets Traction" that tokenization users had 50% fewer security-related incidents than non-users and 47% of respondents are using tokenization for something other than cardholder data.

Aberdeen also has seen a steady increase in enterprise use of tokenization as an alternative to encryption for protecting sensitive data.

It is an effective approach for most sensitive data fields.

Ulf Mattsson, CTO Protegrity
WebAuthn, FIDO2 Infuse Browsers, Platforms with Strong Authentication
John Fontana, Standards & Identity Analyst, Yubico,  9/19/2018
NSS Labs Files Antitrust Suit Against Symantec, CrowdStrike, ESET, AMTSO
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/19/2018
Turn the NIST Cybersecurity Framework into Reality: 5 Steps
Mukul Kumar & Anupam Sahai, CISO & VP of Cyber Practice and VP Product Management, Cavirin Systems,  9/20/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Are you sure this is how we get our data into the cloud?
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-8298
PUBLISHED: 2018-09-24
Multiple SQL injection vulnerabilities in the login page in RXTEC RXAdmin UPDATE 06 / 2012 allow remote attackers to execute arbitrary SQL commands via the (1) loginpassword, (2) loginusername, (3) zusatzlicher, or (4) groupid parameter to index.htm, or the (5) rxtec cookie to index.htm.
CVE-2018-14825
PUBLISHED: 2018-09-24
A skilled attacker with advanced knowledge of the target system could exploit this vulnerability by creating an application that would successfully bind to the service and gain elevated system privileges. This could enable the attacker to obtain access to keystrokes, passwords, personal identifiable...
CVE-2018-17437
PUBLISHED: 2018-09-24
Memory leak in the H5O_dtype_decode_helper() function in H5Odtype.c in the HDF HDF5 through 1.10.3 library allows attackers to cause a denial of service (memory consumption) via a crafted HDF5 file.
CVE-2018-17438
PUBLISHED: 2018-09-24
A SIGFPE signal is raised in the function H5D__select_io() of H5Dselect.c in the HDF HDF5 through 1.10.3 library during an attempted parse of a crafted HDF file, because of incorrect protection against division by zero. It could allow a remote denial of service attack.
CVE-2018-17439
PUBLISHED: 2018-09-24
An issue was discovered in the HDF HDF5 1.10.3 library. There is a stack-based buffer overflow in the function H5S_extent_get_dims() in H5S.c. Specifically, this issue occurs while converting an HDF5 file to a GIF file.