Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

5/26/2015
11:00 AM
David Venable
David Venable
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

State-Sponsored Cybercrime: A Growing Business Threat

You don't have to be the size of Sony -- or even mock North Korea -- to be a target.

It’s not just governments that are feeling the disastrous effects of state-sponsored cyber warfare and crime. Recent leaks and discoveries have revealed the existence of, and details about several government hacking organizations around the world. While many of them target governments for intelligence collection, we are starting to see more activity directed towards business. In fact, the private sector is every bit at risk. As recent attacks have shown, you don’t have to be the size of Sony -- or even mock North Korea -- to be a target.

Key players
Chinese cyber operations have typically been economically driven, often with a pure profit motive. Several top technology, aerospace, and defense companies have been breached by Chinese state-sponsored hackers, often in what appears to be an effort to steal intellectual property and identities. China’s approach follows the same guiding philosophy the Chinese Army uses: throw as many people at the problem as possible, regardless of talent or training, and eventually you’re bound to get something. These groups include Deep Panda, Putter Panda/PLA Unit 61398, Hidden Lynx, APT1/Comment Crew, Axiom, and many more.

Russian cyber operations enjoy a unique distinction from the other groups because they are more broadly used to collect intelligence, and like Chinese hackers are also involved in profit-motivated cyber crime. The Russians also have a history of aggressive offensive operations such as the Estonian cyber attacks of 2007 that swamped websites of Estonian parliament, banks, ministries, newspapers and broadcasters, amid the country's disagreement with Russia about the relocation of a statue, and more recent cyber attacks directed at Poland.

Unlike Chinese counterparts, Russian hackers also like to spread ideological influence, a discipline known as “Information Operations” within the intelligence community. This includes “troll farms” staffed with hundreds whose job is to spread ideas and cause the appearance of consensus across online forums and social media. Russian state-sponsored cyber efforts are also unique in that they are known to provide training and mercenary-style hacker-for-hire services to other countries -- possibly even North Korea’s Bureau 121 and Iran’s IRGC.  

Some notorious non-state actors have been working hard to reach levels of sophistication similar to these state-sponsored groups. There have been many reports of mysteriously unattributed and extremely sophisticated hacker recruiting drives across the deep web. Meanwhile state-like organizations such as ISIS have been actively and openly recruiting hackers. To date, ISIS’s “Cyber Caliphate” has not exhibited this level of sophistication, but it’s probably just a matter of time until we start seeing stateless organizations reaching the same level of sophistication as state actors.

Not a theoretical threat
I recently discovered an unidentified Chinese APT group that breached a mid-sized multinational company. The breach was initially suspected when some employees found copies of their own internal documents online, and an investigation began.

The breach was accomplished via a spear-phishing attack targeting a secretary within the company. Clicking a link ultimately installed custom malware on the workstation, which allowed the APT group to use it as a pivot point from which they launched other attacks. Subsequently, they took control of almost every server and workstation within the company. From there, they began slowly exfiltrating sensitive data off their file servers, just a few small packets at a time, all encrypted.

It’s worth noting that this went completely undetected for months. The breach was finally confirmed through the use of a security audit that made use of adaptive behavioral analysis and threat intelligence combined with traditional vulnerability assessment methodologies.

State-sponsored attacks often demonstrate remarkable complexity. Fortunately, these attacks are detectable and preventable. Business must make use of layered defenses comprised of human-monitored intrusion detection with behavioral analysis integrated with routine security testing, predictive threat intelligence, and education in order to stay secure.  

David Venable, Director of Professional Services at Masergy Communications, has over 15 years' experience in information security, with expertise in cryptography, network and application security, vulnerability assessments, penetration testing, and compliance. David is a ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
hykerfred
50%
50%
hykerfred,
User Rank: Apprentice
6/2/2015 | 3:38:47 AM
Sponsored hacks are no hit-and-run
One thing that I've noticed is the almost large organization process oriented methodology of government-backed hacks. There's no rush, they patiently wait and gather internal information and access servers and systems until they slowly start to extract information. Maybe working within the breached system for a year or two until the actual leak starts. 

If you, for instance, compare with ransomware type of operations that's in there for the quick buck, these guys are more dangerous since there is no haste. No bills to be paid at home, that's already been taken care of. As you point out, the rationale behind the hack is still making profits but more in an abstract way, like providing intellectual property to your own industry to give them competitive advantages. 

It's always more difficult to protect yourself from the people that have time to wait.
Phil Verheul
100%
0%
Phil Verheul,
User Rank: Apprentice
6/1/2015 | 9:13:59 AM
Nice Article
Well done Dave. Hope we get to read more stuff from you. :)

 
Ulf Mattsson
50%
50%
Ulf Mattsson,
User Rank: Moderator
5/26/2015 | 3:23:10 PM
I think that we should expect that advanced intruders take control
I think that we should expect that advanced intruders take control "of almost every server and workstation within the company."

Aberdeen Group reported in a very interesting study with the title "Tokenization Gets Traction" that tokenization users had 50% fewer security-related incidents than non-users and 47% of respondents are using tokenization for something other than cardholder data.

Aberdeen also has seen a steady increase in enterprise use of tokenization as an alternative to encryption for protecting sensitive data.

It is an effective approach for most sensitive data fields.

Ulf Mattsson, CTO Protegrity
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15208
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, when determining the common dimension size of two tensors, TFLite uses a `DCHECK` which is no-op outside of debug compilation modes. Since the function always returns the dimension of the first tensor, malicious attackers can ...
CVE-2020-15209
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, a crafted TFLite model can force a node to have as input a tensor backed by a `nullptr` buffer. This can be achieved by changing a buffer index in the flatbuffer serialization to convert a read-only tensor to a read-write one....
CVE-2020-15210
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, if a TFLite saved model uses the same tensor as both input and output of an operator, then, depending on the operator, we can observe a segmentation fault or just memory corruption. We have patched the issue in d58c96946b and ...
CVE-2020-15211
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, saved models in the flatbuffer format use a double indexing scheme: a model has a set of subgraphs, each subgraph has a set of operators and each operator has a set of input/output tensors. The flatbuffer format uses indices f...
CVE-2020-15212
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 2.2.1 and 2.3.1, models using segment sum can trigger writes outside of bounds of heap allocated buffers by inserting negative elements in the segment ids tensor. Users having access to `segment_ids_data` can alter `output_index` and then write to outside of `outpu...