Data loss, privacy violations, stolen source code, malware development, and more. In hindsight, 2013 was a busy year for security professionals, as well as a costly one for the organizations and individuals targeted by criminals.
As mentioned, 2013 was a busy year with regard to security incidents. While there's still a month left, the fact remains that more than one hundred million records have been compromised during the past eleven months. The source of this loss has been blamed on everything from nation-state attacks and activists to hackers with an agenda.
No look back at 2013 can skip Edward Snowden, and given the scale of news related to him, an entire retrospective could be dedicated to the topic. The former NSA contractor leaked anywhere from 50,000 to 200,000 documents to the press (Glenn Greenwald and Laura Poitras). His actions exposed the expansive data collection and surveillance operations of the NSA and their partners, including Britain's GCHQ. Specifically, the materials leaked by Snowden exposed programs with names such as PRISM, Boundless Informant, and Tempora. These programs are now known to have been managed with little to no oversight, and to have overstepped their mandate in some cases.
Snowden's saga is ongoing, and the government's reaction to his disclosures has sparked countless debates in Congress. These debates carried over to the public, where some call him a traitor, while others call him a hero. In June, federal prosecutors charged Snowden with theft of government property, as well as unauthorized communication of national defense information, leveling the 1917 Espionage Act against him. Currently, he resides in Russia, where he was granted asylum for one year in August.
Snowden's disclosures have also had a disastrous consequence, however. In Britain, it was recently reported that the staff at the Guardian (the newspaper to first report on Snowden's leaked data) may face terrorism charges for their coverage and handling of the Snowden documents. Such charges, or worse, convictions, would cripple the journalism field and silence those who act as the public's eyes.
Additionally, Snowden's disclosures have had a ripple effect in the private sector. Silent Circle and Lavabit closed their email services out of concerns over government surveillance. However, the upside to the Snowden saga is that the public has started experimenting with and adopting secure communication standards, including using Off-the-Record for chatting, PGP for email, and Tor for browsing. While these options are not widespread, general discussions about them and how to use them are taking place more frequently, which is viewed as a good thing by privacy advocates.
Although recent, the breach at Adobe makes the list of notable security incidents in 2013 both for the number of records compromised and for the fact that Adobe also had source code taken during the attack.
In early October, Adobe disclosed publicly that it was the victim of an extensive data breach, one that impacted 2.9 million customers worldwide.
The attackers accessed Adobe customer IDs, as well as encrypted passwords, customer names, encrypted credit and debit card numbers, expiration dates and "other information," according to Adobe Chief Security Officer Brad Arkin. In addition to the customer data, Adobe noted at the time that source code for Adobe Acrobat, ColdFusion, and ColdFusion Builder was also accessed by the attackers.
Weeks later, Adobe amended its disclosure to report that source code for Photoshop had also been accessed by the attackers, and noted that the number of users whose accounts were exposed was in fact 38 million. While this update was being delivered, a file containing 150 million Adobe usernames and passwords started circulating online.
Making matters worse, Adobe admitted in early November that the passwords accessed by the attackers were not properly secured. They were encrypted, not hashed.
Adobe's incident put the focus on data protection, and served as a reminder that large corporations are just as vulnerable to attack, and just as likely to make basic mistakes, as any other company. The takeaway lesson for many is that security is hard, because one little mistake can lead to ruin. Attackers only need to get it right once, while companies like Adobe need to get it right every time, all the time, which is an impossible task.
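To make the "encrypted, not hashed" distinction concrete, here is an added example that is not from the article and does not reproduce Adobe's actual scheme (which the article does not describe): a toy reversible keyed cipher stands in for an encrypted password store, beside salted PBKDF2 hashing, and a breach of each is modelled to show what the data gives away.

```python
# Added example, not from the article: why "encrypted, not hashed" is the
# wrong way to store passwords. The reversible cipher here is a toy
# (XOR with a key-derived stream) built only to illustrate the property;
# it is not the scheme any real vendor used.
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

SERVER_KEY = b"constructed-demo-key"   # the one secret an encrypted store depends on
PBKDF2_ROUNDS = 100_000

def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Deterministic, reversible toy cipher: same key + same input -> same output."""
    stream = hashlib.shake_256(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def store_encrypted(password: str) -> bytes:
    return xor_with_key(password.encode(), SERVER_KEY)

def recover_encrypted(record: bytes) -> str:
    # Whoever holds SERVER_KEY (or takes it along with the database) gets every password back.
    return xor_with_key(record, SERVER_KEY).decode()

def store_hashed(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """One-way, salted, slow: no key to steal, and equal passwords look different."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest

def verify_hashed(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison

def compare_storage(passwords: List[str]) -> dict:
    """Model a breach of both kinds of store and report what the records reveal."""
    enc_records = [store_encrypted(p) for p in passwords]
    hash_records = [store_hashed(p) for p in passwords]
    return {
        # Even without the key, repeated ciphertexts reveal which users share a password.
        "encrypted_duplicates_visible": len(set(enc_records)) < len(enc_records),
        # With the key, the whole column is plaintext again.
        "encrypted_recovered": [recover_encrypted(r) for r in enc_records],
        # Per-record salts hide duplicates, and there is no recover_hashed() to write.
        "hashed_duplicates_visible": len({d for _, d in hash_records}) < len(hash_records),
        # The site can still check logins against the salted hashes.
        "all_logins_verify": all(verify_hashed(p, s, d) for p, (s, d) in zip(passwords, hash_records)),
    }

if __name__ == "__main__":
    print(compare_storage(["correct horse", "hunter2", "hunter2"]))
```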
In February, the concept of attacking the supply chain was refreshed in the minds of many, after Bit9, a vendor that specializes in application whitelisting technologies, disclosed that hackers had stolen code-signing certificates from its network, and used them to deliver malware to three customers.
Bit9 said in statements at the time that the attackers were successful due to operational oversights, in which Bit9's own product was not installed on the computers within its network that were targeted. Due to this mistake, attackers gained access to code signing certificates and used them to sign malware. The digital signatures marked the malicious applications as trusted, so Bit9's customers had no idea they were under attack, and the defenses they deployed to protect against such an attack were defeated by a technological wolf in sheep's clothing.
A short time after the Bit9 attack was initially disclosed, the company reported that the attackers had leveraged a SQL injection flaw in one of its internet-facing web servers in order to gain access. In all, the attackers signed 32 malicious applications with Bit9's certificates.
Researchers at Symantec identified the Bit9 attackers, and noted that they were guns-for-hire out of China. Symantec named the group Hidden Lynx, and commented that they were able to run multiple campaigns at once, breaching some of the world's best protected organizations. They were linked to a string of attacks on news websites in Japan in September by researchers at FireEye.
Activism, often resulting in data loss and downtime, was another key element of the security world in 2013. As noted by Kaspersky Lab in its recap of the year's events, one of the weapons of choice for activists online is DDoS.
This year, DDoS attacks were constant, but one stood out from the rest. In March, Spamhaus suffered a sustained DDoS attack that at its peak reached 300 Gbps. Cyberbunker, an organization that has been in conflict with Spamhaus since 2011, was the immediate suspect, but the owner denied responsibility. However, he did claim to be the spokesperson for those behind the DDoS campaign. Spamhaus mitigated the attack by moving to CloudFlare.
Also using DDoS, Anonymous launched several operations in 2013, protesting various organizations and governments, or lending support to various causes in Poland, Greece, Singapore, Indonesia, and Australia. Moreover, Anonymous used DDoS and website defacements against MIT and the U.S. Department of Justice.
"It's clear that our dependence on technology, together with the huge processing power built into today's computers, means that we're potentially vulnerable to attack by groups of people with diverse motives. So it's unlikely that we'll see an end to the activities of hacktivists or anyone else choosing to launch attacks on organizations of all kinds," Kaspersky noted in its yearly review.
The Syrian Electronic Army:
Another activism-based series of events this year centers on a group of hackers that take a pro-Assad stance when it comes to Syria's turmoil. Known as the Syrian Electronic Army (SEA), the group launched a series of propaganda attacks that targeted the websites and social media profiles of several news organizations.
The SEA has been active since mid-2012, but it began a run in 2013 by attacking various media organizations including the Associated Press, Thomson Reuters, The Guardian, CBS News, NBC News, The NY Post, the Washington Post, CNN, US Weekly, Slate, Mashable, and Fox News.
The SEA uses phishing in order to gain access to the social profiles held by its victims. In July, it allegedly targeted Truecaller, a company based in Sweden that operates one of the world's largest phone directories, with some 20 million users globally. The SEA claimed to have taken 500GB worth of data, but while Truecaller confirmed the security breach, it disputed the SEA's claims.
In May, Twitter warned media organizations that they needed to be aware of the SEA and others like it, and take precautions to protect their accounts. The attack Twitter focused on was phishing. The warning came after the Associated Press account on Twitter was hijacked by the SEA to report that President Obama was injured after an explosion at the White House.
Social engineering led to the attack on the NY Post in August, but instead of propaganda, the SEA just tagged three of the media outlet's Twitter accounts with a message of "Syrian Electronic Army Was Here..."
Days after that attack, the SEA targeted Outbrain.com, the company behind the recommended content links at the bottom of articles published by more than 400 websites. According to Outbrain.com, the SEA spoofed its CEO's email account in order to launch a successful phishing attack. This yielded access to employee credentials, which the SEA then used to search corporate email for additional passwords, including those for internal systems.
The group remains active, but slowed down towards the beginning of September.
Watering hole attacks:
Watering hole attacks seemed to skyrocket in 2013, as criminals and nation states alike used them to launch various campaigns or track those who speak out in support of a given cause. One of the largest watering hole attacks targeted employees at Facebook, Apple, and Twitter.
In January, a forum called iPhoneDevSDK was targeted and used to host a zero-day Java exploit. The attack was discovered a month later, but not before developers at Facebook, Apple, and Twitter were compromised. While never confirmed, it was reported that developers at Microsoft were swept up in the attack as well.
Subsequent investigation into the code used by the attackers, including the code injected into the iPhoneDevSDK website, showed that the attackers were actively using it as early as September 2012. Sources close to the investigation into this incident told Reuters that hundreds of companies, including defense contractors, were infected by the same malware.
Earlier this year, watering hole attacks were discovered on Tibetan websites, selectively targeting Chinese-speaking people visiting the Central Tibetan Administration and the Tibetan Homes Foundation. Moreover, the Uyghur website maintained by the Islamic Association of Eastern Turkistan was the source of another notable watering hole campaign.
In February, Mandiant gained instant attention, and placed a spotlight on nation-state hacking. The firm released a report that exposed APT1, a group allegedly run by Unit 61398 of the People's Liberation Army out of China.
Mandiant called the group one of the most persistent of China's cyberthreat actors, and said that they've got a sinister track record, including compromises at 141 companies, spanning 20 major industries.
Mandiant's report led to a massive amount of mainstream media coverage, which placed the topic of nation-state hacking center stage early in 2013, and led to plenty of public and political debate that continues to this day. At the time the report was released, China, as expected, denounced it and denied that it was launching cyberattacks against the U.S. China's Foreign Ministry noted that the U.S. is often the number one source of cyberattacks against its nation.
China and North Korea were both blamed for attacks targeting South Korea in 2013. These attacks made headlines both because of their targets, and because they happened after the Mandiant report. Thanks to the APT1 report, any security incident that might be state-sponsored became a lead story.
In March, South Korean banking and television broadcasting networks were targeted by malware that wiped master boot records. Some 48,000 systems were infected by the destructive malware.
Security firm McAfee, examining the March attacks, concluded that they were part of a much larger campaign designed to steal military secrets. The infection of banking and television broadcasting systems, and the subsequent destruction, was only one aspect of the attack, McAfee noted at the time.
While those attacks were going on, the attackers were developing a watering hole attack that would target visitors to a military-focused social networking website. The malware delivered from that attack would search the infected system for document types of interest and send a copy to the attackers. Speculation said that China was behind the incident.
However, in July, Chun Kilsoo, director of South Korea's Internet Security Center, told reporters that North Korea was to blame. Moreover, Kilsoo blamed the North for attacks against South Korean government websites in June, on the 63rd anniversary of the start of the Korean War, citing IP addresses assigned to North Korea as proof positive.
The June attack was mostly DDoS-based, but several websites were also defaced. Local media reports at the time suggested that data was compromised as well, but those reports were never confirmed.
CSO would like to give a tip of the hat to Ryan Naraine, Brian Honan, Sarah Pottratz, Juan Carlos Vázquez, Eric Cowperthwaite, Greg Barnes, and Guillaume Ross for their suggestions and input.