10 deadliest differences of state-sponsored attacks

Dec 01, 2014
Advanced Persistent Threats, Cybercrime, Data Breach

There are some key differences about attacks that originate with foreign governments, and ignoring these differences could prove deadly

If you believe that protecting against cyberattacks from government agencies requires the same processes as defending against any other threat — well, to some extent, you are right. Government agencies will happily use easy “script kiddie” tools and well-known exploits to get into your systems to avoid tipping their hand about who they are and what they’re really after. And they have the money to buy and use the most advanced tools used by criminal organizations to get into your payments data. So protecting against these kinds of common attacks is necessary if you are trying to protect yourself against state-sponsored attackers — but it is not sufficient. There are some key differences about attacks that originate with foreign governments, and ignoring these differences could prove deadly.

1. They’re going after different types of data

Vandals are out to make a loud splash, so they’ll go after public-facing websites, or just randomly disrupt whatever’s within reach. Criminals will go after stuff they can sell. Foreign nations will hit embassies and government agencies for political information, said Jaime Blasco, director of labs at San Mateo, CA-based AlienVault, Inc. And they’ll go after private companies as well — and not just defense contractors. “If specific companies have developed a technology or method to do something, they might steal information to gain that information for competitive advantage for Chinese companies,” he said. They’ll also go after personal or business information that gives them the insights they need to break into more companies.

Blasco was part of the team that took down UglyGorilla, a Chinese hacker who broke into computers at five U.S. companies, including Westinghouse Electric Co. and United States Steel Corp., earlier this year and stole trade secrets and other information.

Blasco also uncovered Sykipot, a China-based attack that was able to bypass two-factor authentication and steal trade secrets from the automotive and aerospace industries.

“What we thought was a primary reason for gain might not be as obvious anymore,” said Carl Wright, general manager at San Mateo, CA-based TrapX, which recently uncovered a Chinese attack against international shipping and logistics companies. For example, an attack against certain types of agricultural equipment might produce valuable insights about grain production, he said.

2. They might not be after data at all

Foreign governments are after power, and not just in the “information is power” sense. They’ll go after another country’s actual power grid, fuel pipelines, or nuclear reactors. “They would be also happy causing disruption in government services, taking out communication systems, disrupting a nation’s economy, or causing reputation damage of state-related institutions,” said Jeff Williams, CTO at Palo Alto, CA-based Contrast Security.

Of course, we play this game as well. It’s pretty well accepted that the U.S. was behind the Stuxnet attacks that took out the nuclear reactors in Iran and significantly delayed their ability to produce weapons, said Williams.

3. They’re operating on a longer timescale

Criminals and vandals are after quick payoffs. “When you steal someone’s credit card, the time period that that’s a valuable asset is very short,” said TrapX’s Wright. “At some point, the credit card company cancels that credit card and the consumer is issued a new card.”

A foreign government, by comparison, could have unlimited patience. “They might get in and sit there for a while and not try to do a whole lot until they feel the time is right,” said Ben Johnson, chief security strategist at Waltham, Massachusetts-based Bit9, Inc.
In fact, he said, they might actually patch vulnerabilities they find in order to keep anyone else from getting in and setting off alerts. “If they think they tripped up a defense, they might lay low for a little bit,” he said. “Or, on the flip side of that, if they think they’re about to be kicked out because the company is killing off the user accounts, they might grab data as fast as possible.”

4. They might never be discovered

According to this year’s Verizon breach report, 84 percent of the reported attack discoveries were made by third parties. This is particularly the case with credit card data, said D.J. Vogel, a partner in the security and compliance practice at Naperville, Ill.-based professional services firm Sikich LLP. When payment data is stolen, there are numerous third parties that might sound the alert, he explained: the individual consumer who finds unusual charges on her bill, the payment processors and credit card companies that monitor transactions for unusual patterns, and law enforcement agencies eavesdropping on illegal credit card number auctions.

But when it comes to the theft of trade secrets, it could be years before the victim finds out — if they find out at all, he said. “The industry as a whole is less likely to identify state-sponsored attacks,” he said. “It’s much easier to fly under the radar, and not be detected.”

And even if a company discovers that it’s been attacked and data was stolen, that’s still not the whole story. “The million-dollar question becomes what the heck they’re doing with it?” asked Dodi Glenn, senior director of security intelligence and research labs at Clearwater, FL-based ThreatTrack Security, Inc. “Are they trying to design another Apple iPhone and sell it cheaper? Or are they trying to tap into an iPhone with some vulnerability that they’ll never disclose? They don’t make it known what they do with the data. We can only infer what they’re targeting.”

5. They’re not afraid to get physical

Despite what you see on television, a criminal isn’t likely to follow a company executive around in order to physically infect their laptop or cellphone with malware. The costs — time, travel expenses, the possibility of getting caught — are too high. It’s much easier to go after some other executive who has a phone that can be hacked without physical contact.

In the case of state-sponsored attacks, however, especially within that state’s own borders, the costs and risks are minimal. In fact, they might actually set up a meeting with the targeted executive, said Michael Shaulov, CEO at San Francisco-based Lacoon Mobile Security, Inc. Then all they need is a little private time with the laptop or cell phone in order to infect it. There are even several ways to infect iPhones, Shaulov added. And, of course, a foreign nation-state often has full access to its own telephone networks.

6. The airwaves aren’t safe

The airwaves aren’t safe either, Shaulov added. “In Russia, they discovered a couple of fake mobile cell towers,” he said. “Every time someone would pass through that coverage area, someone in the government would intercept their communications.” The same approach works on foreign territory as well, he added. A mini cellphone tower can be hidden in a suitcase and carried to a location close to the target, or placed in a vehicle in order to have a larger coverage area. “If you look out the window and see a white van, be suspicious,” he said.

7. They stay on target

A financially motivated criminal wants to see the biggest return on their investment, so they’ll go after the least-defended companies first. “There are certainly plenty of targets,” said Steve Hultquist, chief evangelist at Sunnyvale, Calif.-based RedSeal, Inc. “I can just go on to the next one.” A company doesn’t have to have perfect security to defend itself — all it has to do is avoid being the lowest-hanging fruit.
A state-sponsored attacker, however, is motivated by strategic gain, not financial. They’ll keep after a company, its employees, and its business partners until they get in.

8. They have a large, well-organized team

Criminals are most likely to work alone, or in loosely affiliated teams. A state-sponsored attacker, however, might be working out of an actual office, under a well-trained project manager. “State-sponsored cyberattacks are much more likely to be organized and run by a large group of people,” said Contrast Security’s Williams. “They’re going to have a full lab full of people trained and executing a whole bunch of attacks against a whole bunch of things at once.”

And they’ll work around the clock, added Udi Mokady, CEO at Israel-based CyberArk Software, Ltd. “It’s based on people working shifts with well-managed processes and development,” he said. “They behave like a development arm and are able to carry out sophisticated attacks.”

And speaking of development…

9. They’ll create new zero-day exploits

A foreign government can afford to create a brand new, unique zero-day attack to go after individual targets. “They are deeply talented and likely spend substantial resources to identify zero day vulnerabilities,” said John Dickson, principal at San Antonio, TX-based Denim Group, Ltd. “They have shown willingness to have a lot of people spend a ton of time trying to get into certain places.” And the foreign government would then keep those vulnerabilities secret, to use them again, or to ensure that its attack wouldn’t be discovered.

A criminal is also interested in getting the maximum use possible out of an exploit, but within a much shorter time frame. An exploit that’s sitting around not being used isn’t making them any money and, given how slowly some companies patch, even a discovered exploit can remain profitable for years to come.

10. They set the bar for other types of attacks

“The reality is that US companies and government agencies are only barely prepared for the very lowest level of threat – the auditor,” said Contrast Security’s Williams. And auditors are always several years behind the curve, because they use regulations and standards drafted years before. That means that most organizations are unprepared for techniques commonly used today by all types of hackers, such as automated tools. “We should be building systems designed to resist the attacks that we expect ten years from now, not the attacks occurring two years ago,” he said. In other words, all organizations should be getting ready to face long-term, well-coordinated, almost invisible attacks. “In ten years, this type of attack will be available to even unskilled attackers, and we should be preparing our critical infrastructure to withstand it,” he said.