Major cyber powers like Russia and China are flexing their muscles, employing large hacker networks to probe the defences of their rivals.
Since the end of the Cold War, old rivals across the globe have initiated the ‘Cyber War’ in its place, a series of covert cyber espionage and sabotage operations designed to gather sensitive information and to disrupt their opponent’s systems and operations.
Take the recent attacks on the US Democratic National Committee (DNC) as a prime example – not only did the attackers stand to gain strategically useful information, they have demonstrated their ability to influence a national election, exacerbating the Clinton email scandal and bringing the Democratic Party’s internal power politics to light.
State-backed attacks are not contained to corridors of power like the Kremlin and the Pentagon, however.
Private enterprises that engage in sensitive activities or support government systems are just as likely to come under attack as public institutions. The same is true for non-profit and regulatory bodies.
As the recent Russia-based hack by so-called FANCY BEAR on the World Anti-Doping Agency (WADA) indicates, activity which is perceived to damage the Russian national character is liable to call down a retributive state-sponsored attack – in this case, as revenge for banning Russian athletes from the Olympic and Paralympic Games for drug use.
FANCY BEAR replicated the WADA’s actions against Russia by revealing American and British athletes’ (so far legal) drug use.
Clearly, being seen to support a particular state’s interests can put an organisation in serious danger of attack.
Organisations of all kinds need to be aware of this powerful type of threat – the days when companies had nothing worse to fear than enterprising fraudsters are long gone.
It is essential that security directors have the knowledge and the tools to defend their businesses against state-prompted cyber threats. To do this, they must first understand the key behaviours of state-sponsored hackers.
Anonymity and the cyber spy
One of the most prevalent tactics amongst this class of actor is ‘denial and deception’ – essentially the practice of using a false identity to throw investigators off the trail.
The anonymity of web-based attacks means that nation-states can operate via puppet actors, making it extremely difficult to prove links between individual hacks and state intelligence.
Even if those links are made, it is still unlikely that analysts will be able to determine the exact origin and purpose of the orders behind them.
For example, FANCY BEAR carried out the WADA breach using patterns which are strikingly similar to known Russian modi operandi.
The waters are muddied, however, by the fact that they also claim allegiance with Anonymous Poland, a hacker group which ordinarily operates within the Polish political sphere and with Polish interests in mind.
As a result, its purported involvement seems suspicious – it certainly doesn’t sit easily with the hack’s clearly pro-Russian motives. This ambiguity makes it extremely hard for analysts to pin down the culprit.
‘Guccifer 2.0’, the hacker behind the DNC leaks, exemplifies this slippery aspect of the state-sponsored hacker. He has presented himself on Twitter and during an ‘in-person’ appearance in September at the Future of Cyber Security event in London as a lone hacktivist out for justice, in the same vein as Edward Snowden and Julian Assange.
However, tell-tale details including his unlikely server hosting locations and his lack of credible backstory point towards a Russian denial and deception operation.
In effect, this means he is likely to be either a puppet actor (potentially even a full-time intelligence agent) or a construct – a straw man designed to draw attention away from the root aims of the state.
The purpose of these distractions is to confound security analysts’ attempts to plug the gaps hackers are entering through – if you don’t know whether you are facing a single hacker in a basement in Kraków or the combined power of a state intelligence agency, it’s hard to know how to prepare against attack.
As a result, it’s essential that security directors have a comprehensive view over all their defence systems in order to identify a wide range of attack types. The best way to counter an unknown enemy is to have visibility into activity at all entry points.
State-sponsored hackers are also often identifiable by their dedication to a specific target. Criminal hacking is usually designed to target the largest possible number of victims in order to increase the chances that someone will click on a malicious link or mistakenly transfer money.
By contrast, state hackers are more likely to have a particular high-value target in their sights, and as such, will often dedicate more time and effort to finding an entry point.
For example, the WADA breach was executed through a successful spearphishing campaign, in which phishing emails were closely tailored to that particular organisation, containing details and inside knowledge which fool employees into believing the communications are genuine.
They then open malicious documents or install malicious software. Another example of this is the so-called ‘CEO scam’ method, in which an email purporting to be from the company chief requests the employee make a money transfer to the attacker.
Organisations need to ensure they have strict communications policies in place in order to combat this, and educate their employees in the types of email they can expect to receive from management, and what is likely to be malicious. Caution is of paramount importance – any irregularity should be viewed with suspicion.
Another frequently deployed tactic is to quietly remain embedded on the network once access has been gained.
For example, some malware can edit its code once installed to mask its presence, making it harder for security solutions to backtrace it and remove it.
It can then gather sensitive data in secret, either extracting personal details or monitoring communications and feeding it back to the hacker. This has the added benefit of allowing the hacker to develop a long-term picture of the target organisation – its habits, regular contacts, ongoing crises and so on.
As a result, security teams need to be aware that a lack of immediate fallout after a suspicious incident does not necessarily mean that the danger is past – it may be only biding its time.
State-sponsored hacking is becoming an increasingly public cyber threat, and organisations across the world need to ready themselves for the possibility of a highly targeted, stealthy attack.
Many organisations are used to the idea of scattergun cyber crime, but are unprepared to meet a well-equipped and dedicated state-level attacker. It is the duty of security operations directors to address this now, and ensure that they have complete visibility into their security posture.
With hackers’ tactics evolving all the time, a comprehensive and flexible threat response is a must – neither governments nor enterprises can afford to leave the back door open.
Sourced by Rich Barger, CIO, ThreatConnect