Threat geography: Why certain kinds of cyberattacks come from certain places

To understand the threat landscape, you need to know about history, economics, and more.

Coming from all directions

A security expert looking at different kinds of Internet attacks coming from different countries begins to see patterns emerging. "All kinds of attacks come from all over the world," says Ben Johnson, chief security strategist and co-founder of Carbon Black. But "particular attacks are more common in particular places (or are at least more overt), and there are reasons for that. Often it fits into the capabilities of the population, the story that the attacker is trying to build, and the goals of the team or teams conducting the attacks." A look at the reasons behind differences in threat geography can help illuminate some important facts about world politics and economics.


'I chop your dollar'

Sadly, for many Westerners, Nigeria is synonymous with 419 scams, a form of email catfishing named after a section of Nigeria's criminal code. The region's poverty relative to the West creates incentives to follow through with all the communication needed to snare a victim. "Africa doesn't have a lot of job prospects, and therefore spending a few minutes here or there sending emails from an Internet café can pay an annual salary if a few people bite," says Carbon Black's Johnson. F-Secure Security Adviser Erka Koivunen says that many Nigerians see their victims as "rich Westerners that are being rid of their money," as this amazing music video extolling the practice illustrates.


A low-bandwidth scam

Nick Espinosa, CIO and chief security fanatic at BSSi2, thinks the prevalence of these types of scams in Africa reflects the region's technological situation. "Essentially why certain attacks seem to come from certain areas is because of two critical factors: The bandwidth and computing capability of the region, and the access to talent and genius in hackers in the area. Nigeria has been developing a reliable Internet infrastructure but many areas there do not have a lot of bandwidth or computing firepower to create and sustain a resource-heavy attack. That requires a connection that won't drop or disconnect with any real frequency and also large quantities of processing power." 419 scams are, in other words, the attack of choice for a Third-World cybercafé running ancient PCs.

The wild east

Eastern Europe is responsible for what F-Secure Security Adviser Sean Sullivan calls "commoditized crimeware." In part, this is due to the laws there surrounding cybercrime.

"The law allows the development of malicious code in these countries, or else there would be no strong penalties," says Sullivan.

Barry Shteiman, director of labs at Exabeam, elaborates: "In Romania and Ukraine, where there are limited to no laws regarding hosting and Internet monitoring, essentially anyone can do anything unsupervised in a public data center or from their homes. Because of this, and their location relatively central to Europe, these countries are favorites as malware command and control server locations."

Lots of knowledge, few opportunities

Maxim Kovalsky, director of intelligence production -- cybercrime at Flashpoint, points out that Eastern European countries have "advanced higher education systems (particularly in mathematics) but limited employment opportunities." This is in part due to widespread corruption.

"The corruption of government processes interferes with legitimate business development," explains F-Secure's Sullivan. "Somebody with the talent to develop software finds themselves in this position: Attempt to grow a legitimate software business in the open, and risk that a competitor bribes officials to shut you down -- or develop malware kits for use in Western countries, and if eventually caught, suffer minimal punishments. It's economically rational to pursue the criminal option. The end result is that exploit kits, crypto-ransomware and banking trojans find space to be developed in Russian-speaking countries."


From greed to glory

Particularly in Russia, cybercrime has taken on nationalist implications. Flashpoint's Kovalsky says that "the generation now in their mid-30s became involved in cybercrime in the late 1990s and early 2000s, when Russia was trying to integrate into the global economy. They view their activities in entirely realistic terms: as theft." But the younger generation is "thirsty for the propaganda coming out of the Kremlin and appear to have internalized its key tenets: that Russia is resurging despite being surrounded by enemies, and needs to sever economic dependencies with the West. In their minds, the West has become an indisputable enemy. These hackers have been emboldened by tacit support from the state in their mission to damage Western interests."

F-Secure's Sullivan notes that "one recently analyzed crypto-ransomware variant will not infect computers that have Russian language support enabled."


In the army now

China is more famous for its government-sponsored cyberattacks. "The Chinese government in particular has been known to engage in cyber-espionage for years," says Curt Wilson, senior threat intelligence analyst at Arbor Networks. "Threat activity in the name of national interests and in defense against perceived threats takes many forms, and it has been speculated that various patriotic hackers may also be engaged in such operations against other nation-states."

Ryan Trost, CTO of ThreatQuotient, points in particular to APT-1, a hacker group linked to the People's Liberation Army. "China is our go-to scapegoat for nearly every breach until proven otherwise by hired incident response teams," says Trost.

Jumping ahead

China's hacking activities have fairly specific goals. "China has decided that cyber espionage is a way to accelerate their place on the global stage," says Carbon Black's Johnson. "It's not that other countries don't do it -- in fact, a lot do. It's just that by sheer volume and significance, China is top of the list when you think about cyber espionage."

Jon Condra, director of East Asian Research and Analysis at Flashpoint, said, "It's long been believed that China is following a 'leapfrog' style of development, in which the government seeks to acquire foreign technologies in order to bypass the middle stages of economic development and thus catch up to the West in shorter order."

Blurred lines

Chinese hacking campaigns against the West help illustrate that the division between private companies and government and military is not as firm as we might like to think. "You also have to somehow draw a distinct line between true 'economic espionage' and traditional espionage conducted for military or geopolitical advantage," says Flashpoint's Condra. "Because the production of war materiel and advanced weapons systems has been outsourced to private industry (Lockheed, Skunkworks, BAE, Boeing, etc.), it is increasingly difficult, even from a legal sense, to separate the two."

Look in the mirror

Westerners shouldn't be so quick to think of Internet attacks as being the province of others, though. "It should be noted that the U.S. typically ranks first in countries found to have the most cybercrime," says Damian Caracciolo, vice president and practice leader of CBIZ Management and Professional Risk. "If you exclude espionage as a broad category, then hacking, phishing, spyware/malware, and extortion tend to be the most common forms of cybercrime that originate domestically."

And if we don't exclude espionage? "I think we all know it goes without saying that the United States is at the top of most lists for malicious activity," says Daniel Smith, Radware's Emergency Response Team researcher. "The U.S. is a hotbed for espionage and surveillance, and also has a large percent of young adult hacktivists fighting for social and political change."

Everyone is everywhere

Finally, while these broad trends are important to keep in mind, it's just as important to not let them blind you to the diverse array of threats coming from all directions. "It's dangerous to fall into threat categorizations, as not all bots are from Russia, and not all Chinese are after US military secrets," says Jayson Street, InfoSec Ranger from Pwnie Express. "Security professionals make themselves vulnerable to attacks when they don't investigate the possibility of that 419 being from Kansas or Paraguay. The internet has no borders, boundaries or categories. Attackers are global, profit-driven individuals. While you may physically know your neighbors and border countries, on the internet you're just a number. Attackers don't see region or nationality; they see IP addresses, and profitable possibilities."

Copyright © 2016 IDG Communications, Inc.