Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

5/26/2015
11:00 AM
David Venable
David Venable
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

State-Sponsored Cybercrime: A Growing Business Threat

You don't have to be the size of Sony -- or even mock North Korea -- to be a target.

It’s not just governments that are feeling the disastrous effects of state-sponsored cyber warfare and crime. Recent leaks and discoveries have revealed the existence of, and details about several government hacking organizations around the world. While many of them target governments for intelligence collection, we are starting to see more activity directed towards business. In fact, the private sector is every bit at risk. As recent attacks have shown, you don’t have to be the size of Sony -- or even mock North Korea -- to be a target.

Key players
Chinese cyber operations have typically been economically driven, often with a pure profit motive. Several top technology, aerospace, and defense companies have been breached by Chinese state-sponsored hackers, often in what appears to be an effort to steal intellectual property and identities. China’s approach follows the same guiding philosophy the Chinese Army uses: throw as many people at the problem as possible, regardless of talent or training, and eventually you’re bound to get something. These groups include Deep Panda, Putter Panda/PLA Unit 61398, Hidden Lynx, APT1/Comment Crew, Axiom, and many more.

Russian cyber operations enjoy a unique distinction from the other groups because they are more broadly used to collect intelligence, and like Chinese hackers are also involved in profit-motivated cyber crime. The Russians also have a history of aggressive offensive operations such as the Estonian cyber attacks of 2007 that swamped websites of Estonian parliament, banks, ministries, newspapers and broadcasters, amid the country's disagreement with Russia about the relocation of a statue, and more recent cyber attacks directed at Poland.

Unlike Chinese counterparts, Russian hackers also like to spread ideological influence, a discipline known as “Information Operations” within the intelligence community. This includes “troll farms” staffed with hundreds whose job is to spread ideas and cause the appearance of consensus across online forums and social media. Russian state-sponsored cyber efforts are also unique in that they are known to provide training and mercenary-style hacker-for-hire services to other countries -- possibly even North Korea’s Bureau 121 and Iran’s IRGC.  

Some notorious non-state actors have been working hard to reach levels of sophistication similar to these state-sponsored groups. There have been many reports of mysteriously unattributed and extremely sophisticated hacker recruiting drives across the deep web. Meanwhile state-like organizations such as ISIS have been actively and openly recruiting hackers. To date, ISIS’s “Cyber Caliphate” has not exhibited this level of sophistication, but it’s probably just a matter of time until we start seeing stateless organizations reaching the same level of sophistication as state actors.

Not a theoretical threat
I recently discovered an unidentified Chinese APT group that breached a mid-sized multinational company. The breach was initially suspected when some employees found copies of their own internal documents online, and an investigation began.

The breach was accomplished via a spear-phishing attack targeting a secretary within the company. Clicking a link ultimately installed custom malware on the workstation, which allowed the APT group to use it as a pivot point from which they launched other attacks. Subsequently, they took control of almost every server and workstation within the company. From there, they began slowly exfiltrating sensitive data off their file servers, just a few small packets at a time, all encrypted.

It’s worth noting that this went completely undetected for months. The breach was finally confirmed through the use of a security audit that made use of adaptive behavioral analysis and threat intelligence combined with traditional vulnerability assessment methodologies.

State-sponsored attacks often demonstrate remarkable complexity. Fortunately, these attacks are detectable and preventable. Business must make use of layered defenses comprised of human-monitored intrusion detection with behavioral analysis integrated with routine security testing, predictive threat intelligence, and education in order to stay secure.  

David Venable, Director of Professional Services at Masergy Communications, has over 15 years' experience in information security, with expertise in cryptography, network and application security, vulnerability assessments, penetration testing, and compliance. David is a ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
hykerfred
50%
50%
hykerfred,
User Rank: Apprentice
6/2/2015 | 3:38:47 AM
Sponsored hacks are no hit-and-run
One thing that I've noticed is the almost large organization process oriented methodology of government-backed hacks. There's no rush, they patiently wait and gather internal information and access servers and systems until they slowly start to extract information. Maybe working within the breached system for a year or two until the actual leak starts. 

If you, for instance, compare with ransomware type of operations that's in there for the quick buck, these guys are more dangerous since there is no haste. No bills to be paid at home, that's already been taken care of. As you point out, the rationale behind the hack is still making profits but more in an abstract way, like providing intellectual property to your own industry to give them competitive advantages. 

It's always more difficult to protect yourself from the people that have time to wait.
Phil Verheul
100%
0%
Phil Verheul,
User Rank: Apprentice
6/1/2015 | 9:13:59 AM
Nice Article
Well done Dave. Hope we get to read more stuff from you. :)

 
Ulf Mattsson
50%
50%
Ulf Mattsson,
User Rank: Moderator
5/26/2015 | 3:23:10 PM
I think that we should expect that advanced intruders take control
I think that we should expect that advanced intruders take control "of almost every server and workstation within the company."

Aberdeen Group reported in a very interesting study with the title "Tokenization Gets Traction" that tokenization users had 50% fewer security-related incidents than non-users and 47% of respondents are using tokenization for something other than cardholder data.

Aberdeen also has seen a steady increase in enterprise use of tokenization as an alternative to encryption for protecting sensitive data.

It is an effective approach for most sensitive data fields.

Ulf Mattsson, CTO Protegrity
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
4 Security Tips as the July 15 Tax-Day Extension Draws Near
Shane Buckley, President & Chief Operating Officer, Gigamon,  7/10/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15105
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
CVE-2020-11061
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
CVE-2020-4042
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
CVE-2020-11081
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
CVE-2020-6114
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...