Olympic Destroyer. NotPetya. Bad Rabbit. OilRig. These disruptive and in most cases destructive cyberattacks were just the beginning.
Geopolitical tensions typically map with an uptick in nation-state cyberattacks, and security experts are gearing up for more aggressive and damaging attacks to ensue against the US and its allies in the near-term, including crafted false flag operations that follow the strategy of the recent Olympic Destroyer attack on the 2018 Winter Olympics network.
As US political discord escalates with Russia, Iran, North Korea, and even China, there will be expected cyberattack responses, but those attacks may not all entail the traditional, stealthy cyber espionage. Experts say the Trump administration's recent sanctions and deportation of Russian diplomats residing in the US will likely precipitate more aggressive responses in the form of Russian hacking operations. And some of those could be crafted to appear as the handiwork of other nation-state actors.
A shift in Russia's M.O. against the US infamously began in 2016 with the hacks of the Democratic National Committee (DNC), Democratic Congressional Campaign Committee (DCCC), and Hillary Clinton campaign manager John Podesta's email account, all of which were punctuated with data dumps via WikiLeaks, DC Leaks, and Guccifer 2.0.
US companies Merck and Federal Express were believed to be collateral damage from the NotPetya attack Russia forged last year against Ukrainian targets, posing as a ransomware attack but instead wiping data from hard drives at infected sites. But such attacks may well become more direct in the near future, experts believe.
Security experts worry that Russia will continue to ratchet up more aggressive cyberattacks against the US - likely posing as other nations and attack groups for plausible deniability - especially given the success of recent destructive attack campaigns like NotPetya. Not to mention the successful chaos caused by Russia's election-meddling operation during the 2016 US presidential election.
That doesn't mean Russia or any other nation-state could or would cause a massive power grid outage in the US, however. Instead, US financial services and transportation networks could be next in line for disruption via nation-state actors, experts say.
Vikram Thakur, senior manager on Symantec's security response team, says Olympic Destroyer scratched the surface for cloak-and-dagger attacks. "We think the future is going to get even more complicated with actors relying more and more on false flags, in some cases, throwing another group [under] the bus from an attribution standpoint."
"To say the waters are muddied would be such an understatement," he says. Not only are some nations teaming up outside of cyber, but others are happy to pilfer from one another's cyber domains as well: "We're aware of groups happy to steal others' information and sit on their command and control server. We're aware of false flag operations."
But Tom Kellermann, chief cybersecurity officer at Carbon Black, expects more nefarious activity out of Russia, and possibly from Iran and North Korea, against the US. He expects some regimes to team up in the long term to target the US and other Western allies/NATO in cyberspace. For example, the nomination of CIA director Mike Pompeo – who has criticized the Iran nuclear deal – as the new US Secretary of State to replace Rex Tillerson, could spark online retaliation from Iran, he says.
"You're going to see a dramatic escalation of Iranian cyberattacks against US infrastructure" that follow White House and State Department rhetoric, he says. Iran already has dramatically improved its cyberattack capabilities, he says, and he believes it's learning from Russia's tactics. "They're all using the same playbook" now, he says, with similar "kill chain" methods in their attacks and payloads.
Kellermann says he believes Russia is providing North Korea and Iran with the technologies and tactics to advance their attacks. It may not be direct coordination, but there's some element of technology transfer from Russia to those nations, he maintains.
The Iranian OilRig attackers, for instance, have advanced in their ability to mask lateral movement within a targeted organization, he notes, and they have adopted methods similar to Russia's Fancy Bear group, including an AppLocker bypass exploit, indirect code execution, and the increasingly popular file-less malware method where legitimate system tools are used against victims rather than custom malware.
This move away from custom malware to so-called file-less malware also complicates attribution and helps embolden false-flag operations. "[Custom malware] was one of the primary methods for identifying certain groups in the past. Without that, it becomes difficult to determine who the perpetrator might be," Symantec's Thakur says.
North Korea's Hidden Cobra, believed to be behind the sophisticated attacks bank members of the SWIFT network, also is maturing fast. "The M.O. they use against the financial sector reminds me of the M.O. of Russian cybercriminals," says Kellermann. Their custom Trojan development aside, they employed similar communications methods, including a custom binary protocol to beacon back to the C2 servers over TCP port 8080, 8088, and their use of SSL, he says, as well as when they overwrote the ServiceDLL in the Windows registry.
Thakur says his team at Symantec hasn't seen much cooperation among different nations to date. Multiple hacking teams from a particular nation, such as Iran, will work in tandem in an attack campaign, splitting up different stages of the attack. "I don't think different countries are going to collaborate on malware or on different active campaigns. Most are very nationalistic, or have ambitions for intellectual property" theft, he says.
One high-profile exception, of course, was Stuxnet. Although neither the US nor Israeli governments ever took credit for the hack that sabotaged uranium centrifuges in Iran, experts who studied the attacks pointed to fingerprints from both nations' intelligence agencies.
CrowdStrike vice president of intelligence Adam Meyers says he hasn't seen much overlap of nation-state groups working together, but points to nations such as Iran modeling some of their techniques after Russian ones. Take Iran's initial dabbling with destructive attacks via the Shamoon campaign, which hit a couple of targets.
"It was a shot across the bow," Meyers says. But starting in 2016, Iran waged a series of destructive cyberattacks targeting the Saudi government and infrastructure and business, he notes. "That was for maximum impact and psychological impact on the people of Saudi Arabia," he says. "It's what Russia has been doing against Ukraine for seven years."
Meyers believes the issue is more about Iran's cyberweapon capability improving and maturing – likely inspired by Russia's.
Symantec's Thakur says the likelihood of the number of destructive cyberattacks against the US and others increasing in the coming months is "more realistic" now than ever. "It's more about the motivation by threat actors working on behalf of certain countries that will reach the threshold where they would more often cause destruction to someone's network," he says. "There are a lot of factions. It's fair to assume some might get more reckless."
But that doesn't mean widespread critical infrastructure damage. "That doomsday scenario isn't fair. It's extremely unlikely we would face a situation of a widescale blackout across the country," Thakur says. "If anything, there are small pockets of the country that don't have the redundancy or rollover, who might be at elevated risk of cyberattacks and some kinetic" threat, he says.
Even with the recent confirmation by the federal government that Russia's DragonFly hacking team is well embedded in US power companies and other industrial networks, there's a silver lining, he says. "Today our infrastructure in the US is in a much better place than a year ago" security-wise, he says.
In the runup to a possible meeting between Kim Jong-Un and Donald Trump, meantime, North Korean hacking teams will likely escalate their attacks. "They want to get intel around the US strategy," notes CrowdStrike's Meyers. "And leading up to those meetings, there is increasing pressure on the US government and POTUS to maintain a hard line on sanctions against North Korea … So [North Korea] may step up their criminal operations," especially on the lucrative cryptocurrency mining attacks, he says.
Join Dark Reading LIVE for a two-day Cybersecurity Crash Course at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the agenda here. Register with Promo Code DR200 and save $200.