Cyberspace: beyond the rule of law?
Cybersecurity and cyber espionage have been in the headlines the past few years as leaked stories relating to government-sponsored activities have appeared and sabre rattling between aggrieved nations has moved to the public domain.
At the same time, an increased volume of distributed denial of service (DDoS) attacks on banks and other institutions, carried out by apparently non-criminal perpetrators, has raised the profile of this kind of scenario. As a result, governments have issued security warnings to financial institutions – and to businesses in other sectors – that the threat of intrusion through gaps in their IT security is very high, whatever the motive.
So what is different about this from traditional hacking and other online crime and fraud? For one thing there is the simple fact of increased attack frequency; more importantly, there is also a whole new cast of perpetrators to be aware of and a whole new set of motives behind them. Just to add to the fun, their signatures and methods are blurring as each set adopts techniques from the other, either for efficiency or simply as cover to hide behind.
If you think of it as a spectrum, at one end there are the traditional organised crime rings and at the other end are the government-sponsored espionage intrusions; these new players live somewhere in the middle and their motivation could largely be categorised as political.
That middle ground can be divided further into the ideologically motivated activists, who want to damage capitalism through its most obvious institutions, the banks, and the politically motivated – a very loose set of rebels and terrorists, depending on whose side you are on.
Most visible of this latter group is the Syrian Electronic Army, which has hijacked the Twitter accounts and websites of US media outlets, particularly the New York Times. Some observers at first thought a 2010 intrusion at Nasdaq was the work of a similar group, but five people have recently been indicted for criminal activity intended to steal personal details for use in subsequent frauds (see panel).
It is thought that the perpetrators had deliberately made it look as though the attack was politically motivated, but it is no less worrying for that. “The Nasdaq attack is interesting because of the specific application they attacked once they were inside the network, which held a great deal of information about Nasdaq-listed companies and their directors, which suggests that what they were after was information that could be used in financial fraud – if you have the email address of the treasurer of a Nasdaq-listed business, then you can send him an email and try to get a piece of malware on his computer,” says Paul Henninger, global product director, Detica NetReveal. “What they didn’t do was try to access any of the mission critical systems that are used for trading purposes. So they weren’t trying to take down Nasdaq. The disturbing thing about it is that they were able to do it and steal information about large companies, but the more disturbing thing is that had they been differently motivated, once they were in the network they could have done much more significant damage to the global economy had they wanted to.”
A turning point in this whole saga came in 2010 when it was revealed that Iran’s uranium enrichment capability had been degraded through a cyber-attack using malware known as Stuxnet. The code specifically targeted the centrifuges used by the Iranians, disrupting their alleged plans to build a nuclear weapon.
The nature of the target immediately pointed to political motivation, while the structure of the malware revealed that whoever created it had considerable resources at their disposal: the code used four so-called Zero Day exploits, attacks on vulnerabilities for which the vendor has had zero days to prepare a patch. Such exploits were, and remain, very valuable in the traditional world of hacking and online crime. They are hard to find and, until a patch exists, very hard to defend against, but they are essentially single-use: once an exploit is seen in the wild the vendor ships a fix and system administrators scramble to deploy it, after which the exploit is useless against patched systems. Burning four of them in a single attack, plus the nature of the target, pointed to government involvement, and most observers assume it was the work of the Israeli and US security services.
Nasdaq attack: a game-changer?
The attack on Nasdaq OMX’s systems in 2010 set off alarm bells that are still ringing to this day – when the exchange suffered a systems failure this summer, several early accounts assumed that hackers were again responsible.
The fact that it was a different sort of failure doesn’t negate the underlying concern. As the Wall Street Journal reported at the time, “The Nasdaq situation has set off alarms within the government because of the exchange’s critical role, which officials put right up with power companies and air-traffic-control operations, all part of the nation’s basic infrastructure.”
In July this year, five men were indicted in New Jersey, charged with conspiring in a hacking and data breach scheme “that targeted major corporate networks, stole more than 160 million credit card numbers and resulted in hundreds of millions of dollars in losses”, according to the US Department of Justice.
The defendants allegedly sought “corporate victims engaged in financial transactions, retailers that received and transmitted financial data and other institutions with information they could exploit for profit”. The defendants are charged with attacks on Nasdaq, 7-Eleven, Carrefour, JCP, Hannaford, Heartland, Wet Seal, Commidea, Dexia, JetBlue, Dow Jones, Euronet, Visa Jordan, Global Payment, Diners Singapore and Ingenicard.
According to the second indictment filed in Newark federal court and other court filings, the five men each served particular roles in the scheme. Vladimir Drinkman, 32, of Syktyvkar and Moscow, Russia, and Alexandr Kalinin, 26, of St. Petersburg, Russia, each allegedly specialised in penetrating network security and gaining access to the corporate victims’ systems. Roman Kotov, 32, of Moscow, allegedly specialised in mining the networks Drinkman and Kalinin compromised to steal valuable data. Court documents allege that the defendants hid their activities using anonymous web-hosting services provided by Mikhail Rytikov, 26, of Odessa, Ukraine. Dmitriy Smilianets, 29, of Moscow, allegedly sold the information stolen by the other conspirators and distributed the proceeds of the scheme to the participants.
Tellingly, the DoJ points out that “it is not alleged that the Nasdaq hack affected its trading platform”. For many cyber-security specialists, that misses the point. “These five didn’t go for the infrastructure, but how do you know someone hasn’t already?” said one security consultant at a bank, who asked to remain anonymous. “That’s the scary thing – it’s not paranoia: you have to ask yourself, who else has been going through your unlocked windows?”
Why this matters to banks and financial services is that exactly the same techniques, coupled with more mundane approaches such as denial of service, can equally be used by the other side, and there is evidence to suggest that the waves of DDoS attacks on US banks over the past two years – or at least some of them – have been carried out by hostile governments or other politically motivated groups. Iran, North Korea, Al Qaeda and others will easily fit that photo-fit.
Traditionally, hacking was the WarGames scenario from the 1983 Matthew Broderick film – a bright teenager in his bedroom dialling into the Pentagon’s computer over a modem to play games with it. Then there were small-scale criminal gangs, particularly in the former Soviet bloc countries.
Henninger says that things have changed enormously. “It is no longer the teenagers downloading a piece of malware from a website,” he says. “The reason that’s important is that commercially available firewalls can mainly catalogue that sort of stuff and can defend you from them. When you have a cyberattack from 20 PhDs, they are designing their own custom attacks and commercially available firewalls are much less able to identify them. It would be unusual for you to have seen those attacks before. The approach you have to take to defend against this more severe threat is a real sea change: how do you profile them and identify their signatures? How do you break them down into their component pieces and defend against them? Zero Day attacks used to mean that the first day a new piece of malware was introduced was like a product launch; now Zero Day attacks are more the rule than otherwise.”
Yaron Dycian, vice president of products at Trusteer, agrees. “The landscape has changed enormously. When Trusteer was founded, the concept of malware as a financial or corporate espionage threat was science-fiction,” he said. “We saw the first one in 2008: fast forward to 2013, and we are looking at numbers where one in 1,000 machines is infected with malicious software that can steal from your computer or gain remote access. We now know of companies that have been taken down by these things – Nortel is the most famous, but look on the internet; the list is endless – and it is now getting noticed by people at the board level. Everything has changed in terms of the presence of these threats and awareness of them.”
He also agrees that the attackers are becoming more capable. “We are dealing with people on an ongoing basis where you can see the sophistication of the attackers,” he says. “I am not talking about nation states that have endless budget and sophistication. Even just the ordinary criminal gangs of three 27-year-olds sitting somewhere in a relatively lawless country can wreak havoc: the complexity and sophistication of what they do is enormous.”
The commoditisation of the threat means that the world, in this respect, has changed, to a point where Dycian paints a gloomy picture. “From an IT security perspective, no organisation today has real IT security given the level of these threats,” he says. “From statistics in the field, I can tell you that every organisation with over a few thousand employees has at least one machine that is infected by malware that can be remotely controlled from the outside. They can build firewalls and what-not and invest hundreds of millions in this, but eventually one of the computers in the network will be infected. Most CIOs know this and don’t know what to do about it. There is no such thing today as a secure network.”
Martin Borrett, director of the IBM Institute for Advanced Security Europe says that part of this change relates to the way that technology has developed. “The technology landscape itself continues to change and evolve: we see cloud, we see mobile,” he says. “The way people choose to access services and the types of device they are using is changing all of the time. That in itself, and the way data is moving around, is creating new vulnerabilities and risks. There is no 100% security: how you manage that situation, gain the right security intelligence and manage the risk of fraud becomes important.”
Detica’s Henninger says the movement to the cloud highlights a more general issue. “People move data and applications to the cloud in general to make it easier for legitimate individuals, including staff and customers, to interact with. Unfortunately, it is also easier for people with bad intentions to do so,” he says. “The movement to the cloud is similar to the movement to online banking or the remote management of utilities. This is the core of the problem: if you make it easier for good people to get access to your technical resources you have made it much easier for the criminals to do so, and you’ve got to take that into account and build a defence that is proportional to that risk.”
Henninger argues that the blurring of the lines between criminal, hacktivist, terrorist and state-sponsored espionage means that the thresholds of acceptable risk alter significantly, and that changes the level of defence that has to be put in place. “If you look at the potential threats to financial infrastructure, if it’s financially motivated, you can manage it to a point where it is economically acceptable,” he says. “However, if you look at it in the paradigm that comes from the people who are defending governments and nations, you don’t talk about managing terrorism: there is no level of terrorism that is okay – the threshold there is zero terrorism. Increasingly, those two things are converging: historically you could manage to accept a level of credit card fraud because of the nature of these attacks and the scale of the attacks. The threshold is converging much more towards the national security standard, which is, ideally, unbreachable.”
He points to the Nasdaq scenario as highlighting the difference. “How many breaches of Nasdaq are okay? Probably none. How many breaches are okay for a credit card issuer? Historically, one in 10,000 or something like that: it’s part of the cost of doing business,” he says. “Once you have the element that someone is in your network, the standard for what is acceptable changes. It is not acceptable to have one breach a month because once they are in the network who knows what they are up to. Once you add cyber-attacks to fraud attacks you get a situation similar to what governments face: it is not acceptable to have a single hacker in your network, because you just have no idea what they’re up to.”
The Syrian Electronic Army vs. The NY Times
One of the most visible recent hacktivist campaigns holds a lesson for CIOs.
“It makes lots of sense for a hacktivist group that wishes to display their message and show that they exist to go after high-end media,” says Barry Shteiman, senior security strategist at Imperva. “The Syrian Electronic Army have been actively hacking Twitter accounts of news sites and have recently escalated to hacking into the websites themselves. This is, in essence, what hacktivism is. There is no profit involved – making all of us aware of the Syrian rebellion is their goal.”
Shteiman says “based on available resources, the New York Times hack is in fact a DNS service breach,” which is a problem at one of the paper’s service providers. “While a company like the New York Times may be able to secure their own platforms, harden their systems and regularly check for vulnerable components on premise, it is much harder when some of that infrastructure is provided by a third party like an ISP or a DNS host. At some point, CIOs need to realise that critical pieces of their online entities are controlled by vendors, and that security policies should apply to them as well.”
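A practical check that follows from Shteiman’s point, added here as an example and not code from the article or from any of the companies quoted: a scheduled job that compares a domain’s live delegation and address records against a recorded known-good baseline, and parses registrar WHOIS output for the EPP lock codes that stop a delegation being changed silently at the third party. The domain names, addresses and WHOIS text are constructed; a real deployment would feed in answers from dnspython or dig and the registrar’s WHOIS service, which are left out so the script runs offline. The set of lock codes treated as required is an assumed policy.

```python
"""Detect a DNS hijack at a third-party DNS host or registrar.

Two checks: (1) live records vs. a recorded baseline, (2) registrar EPP
lock status parsed from WHOIS text. All names/addresses are constructed.
"""
from typing import Dict, List, Set

# Known-good records captured when the zone was last verified. Names use
# reserved example domains and RFC 5737 addresses (constructed data).
BASELINE: Dict[str, Dict[str, Set[str]]] = {
    "example.com": {
        "NS": {"ns1.dns-host.example", "ns2.dns-host.example"},
        "A": {"192.0.2.10", "192.0.2.11"},
    },
    "www.example.com": {"A": {"192.0.2.10"}},
}

# EPP status codes we require at the registrar (assumed policy): without
# clientUpdateProhibited, nameservers can be changed from the registrar
# account alone, which is exactly the exposure a third-party breach creates.
REQUIRED_LOCKS: Set[str] = {
    "clientTransferProhibited",
    "clientUpdateProhibited",
    "clientDeleteProhibited",
}


def diff_records(baseline: Dict[str, Dict[str, Set[str]]],
                 observed: Dict[str, Dict[str, Set[str]]]) -> List[dict]:
    """Return one finding per (name, type) whose observed answers differ from baseline."""
    findings = []
    for name, rrsets in baseline.items():
        for rtype, want in rrsets.items():
            got = set(observed.get(name, {}).get(rtype, set()))
            if got != want:
                findings.append({
                    "name": name,
                    "type": rtype,
                    "missing": sorted(want - got),
                    "unexpected": sorted(got - want),
                })
    return findings


def parse_epp_status(whois_text: str) -> Set[str]:
    """Collect EPP status codes from lines like
    'Domain Status: clientTransferProhibited https://icann.org/epp#...'."""
    statuses = set()
    for line in whois_text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and key.strip().lower() == "domain status" and value.strip():
            statuses.add(value.split()[0])   # first token is the code, rest is a URL
    return statuses


def missing_locks(whois_text: str, required: Set[str] = REQUIRED_LOCKS) -> List[str]:
    """Return required lock codes that the registrar does not currently report."""
    return sorted(required - parse_epp_status(whois_text))


# Constructed 'after hijack' observation: delegation and apex A record moved
# to attacker-controlled values, the www host still pointing at the old IP.
OBSERVED_HIJACKED: Dict[str, Dict[str, Set[str]]] = {
    "example.com": {
        "NS": {"ns1.attacker.example", "ns2.attacker.example"},
        "A": {"198.51.100.7"},
    },
    "www.example.com": {"A": {"192.0.2.10"}},
}

# Constructed WHOIS output with only the transfer lock set.
WHOIS_SAMPLE = """\
Domain Name: EXAMPLE.COM
Registrar: Reseller Registrar Ltd
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: NS1.ATTACKER.EXAMPLE
Name Server: NS2.ATTACKER.EXAMPLE
"""

if __name__ == "__main__":
    for f in diff_records(BASELINE, OBSERVED_HIJACKED):
        print(f"ALERT {f['name']} {f['type']}: unexpected={f['unexpected']} missing={f['missing']}")
    print("registrar locks missing:", missing_locks(WHOIS_SAMPLE))
```

Run against the constructed data it raises two record alerts (the apex NS and A sets) and reports that the update and delete locks are absent. Querying from a resolver outside the company network matters here: an internal resolver with a cached or split-horizon view would not have seen the change.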
For him this is the effect of the change in the threat profile from different sources. “The thing that is in the process of changing is the mix between the motivations for government-sponsored cyber-attacks and financially-sponsored cyber-attacks. If you take the Nasdaq compromise, it was as interesting for what they were trying to do as for what they weren’t trying to do,” he says.
Historically, financial criminals have looked for financially valuable information such as account details they can either sell on the black market or use to perpetrate some sort of payment fraud. Government-sponsored cyber-attacks tend to be intended to compromise critical infrastructure or to steal valuable intellectual property.
“The real threat I think people are waking up to is that as these two groups converge you have a bunch of people who are quite good at compromising bank accounts and another bunch of people who are quite good at compromising infrastructure and they are starting to mix,” says Henninger. “The potential threat is that cyber fraud criminals start to work for the government-sponsored guys and if that happens, which it has not yet, you potentially have to include banking infrastructure on the list of things that are vulnerable to cyber warfare in addition to power lines and utilities.”
Currently, the trend is the other way around. “There have been a half-dozen attacks in the last six months that I know about where people have used cyber threat techniques to perpetrate financial fraud,” he says. “What they have done is to use techniques like denial of service attacks to compromise networks and the goal, on some level, was to make it look like they are activists. What they’re actually doing is creating a ‘cyber smokescreen’ for a bank theft. The convergence, at least at this stage, is actually cyber criminals using activist techniques to perpetrate their attacks. It is not a good thing, but it is not the worst thing that can happen.”
What this means, in terms of Defences against the Dark Arts, is a change of approach. “Institutions have cyber defences and transaction processing checks, but they need to link them,” says Henninger. “You have two opportunities to stop them. If you’re able to detect the cyber intrusion or if you know the accounts are being accessed, you’re in a much better position to monitor those accounts to make sure that you’re sensitive to any kind of suspicious activity on them, whereas before they were two completely separate spheres. The criminals see them as two techniques they can use to steal money from bank customers; banks need to start looking at it that way as well.”
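The linking Henninger describes, worked as an added example rather than anything from the article or from Detica: a scoring pass over a payments log that consults two pieces of security telemetry the fraud side normally never sees, the accounts touched by a flagged online-banking session (from intrusion detection) and the time window of a DDoS incident on the front end, the “cyber smokescreen” above. The log lines, the compromised-session data, the DDoS window, the 24-hour watch period and the amount threshold are all constructed and assumed.

```python
"""Route payments to review using intrusion and DDoS telemetry.

Joins a transaction log with (1) accounts touched by a flagged session and
(2) a DDoS incident window. All inputs and thresholds are constructed.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Accounts that a flagged (suspected compromised) online-banking session
# touched, with the time of access. In production this comes from the
# intrusion-detection / web-session telemetry side (constructed here).
COMPROMISED_ACCESS: Dict[str, datetime] = {
    "ACC-1001": datetime(2013, 9, 3, 10, 2),
    "ACC-1042": datetime(2013, 9, 3, 10, 5),
}

# Start and end of a DDoS incident against the online banking front end.
DDOS_WINDOW: Tuple[datetime, datetime] = (
    datetime(2013, 9, 3, 10, 0),
    datetime(2013, 9, 3, 11, 30),
)

# Payments log from the transaction-processing side (constructed):
# timestamp,account,amount,beneficiary,new_beneficiary(1/0)
TRANSACTION_LOG = """\
2013-09-03T09:40:00,ACC-1001,120.00,BEN-77,0
2013-09-03T10:20:00,ACC-1001,9800.00,BEN-9012,1
2013-09-03T10:25:00,ACC-2200,45.00,BEN-15,0
2013-09-03T10:40:00,ACC-1042,4500.00,BEN-9013,1
2013-09-03T13:10:00,ACC-2200,7000.00,BEN-9014,1
2013-09-04T09:00:00,ACC-1001,60.00,BEN-77,0
"""

# Assumed policy knobs.
WATCH_PERIOD = timedelta(hours=24)  # how long an account stays on watch after a flagged access
LARGE_AMOUNT = 2000.00              # payments at or above this count as large during a DDoS window


def parse_transactions(text: str) -> List[dict]:
    """Parse the CSV-style log above into dicts with typed fields."""
    txs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, amount, beneficiary, new_ben = line.split(",")
        txs.append({
            "ts": datetime.fromisoformat(ts),
            "account": account,
            "amount": float(amount),
            "beneficiary": beneficiary,
            "new_beneficiary": new_ben.strip() == "1",
        })
    return txs


def score_transaction(tx: dict,
                      compromised: Dict[str, datetime] = COMPROMISED_ACCESS,
                      ddos: Tuple[datetime, datetime] = DDOS_WINDOW) -> List[str]:
    """Return the security-telemetry reasons (if any) to send this payment to review."""
    reasons = []
    # Signal 1: the account was touched by a flagged session within the watch period.
    accessed_at = compromised.get(tx["account"])
    if accessed_at is not None and accessed_at <= tx["ts"] <= accessed_at + WATCH_PERIOD:
        reasons.append("account accessed by flagged session within watch period")
    # Signal 2: a new-beneficiary or large payment while the front end was under DDoS,
    # the smokescreen pattern: noise on the perimeter while money moves out.
    in_ddos = ddos[0] <= tx["ts"] <= ddos[1]
    if in_ddos and (tx["new_beneficiary"] or tx["amount"] >= LARGE_AMOUNT):
        reasons.append("new-beneficiary or large payment during DDoS window")
    return reasons


def flag_transactions(text: str) -> List[Tuple[str, str, List[str]]]:
    """Score every payment in the log; return (account, timestamp, reasons) for each hit."""
    flagged = []
    for tx in parse_transactions(text):
        reasons = score_transaction(tx)
        if reasons:
            flagged.append((tx["account"], tx["ts"].isoformat(), reasons))
    return flagged


if __name__ == "__main__":
    for account, ts, reasons in flag_transactions(TRANSACTION_LOG):
        print(f"REVIEW {ts} {account}: {'; '.join(reasons)}")
```

On the constructed log, the two payments to new beneficiaries from the accounts the flagged session touched trip both signals, and the small next-morning payment from ACC-1001 is held for review only because the account is still inside its watch period. The 13:10 payment from ACC-2200 is large and to a new beneficiary but falls outside both windows, so it is left to the ordinary fraud rules: the point is that the intrusion and DDoS signals add to the existing transaction checks rather than replace them.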