Who Are These Masked Attackers?

We talked about our lack of visibility into the attack horizon and the fact that we can’t predict future attacks in our last post. That was one of five attacker-defender disruptions necessary to change the current course of this never-ending cybersecurity war. This post addresses our continuing failure to identify the exploitation of legitimacy or even the source or nature of our attackers.

Today, the average financial institution incurs an annualized cyber-attack expense of $13 million. The most prevalent types of cyberattacks are viruses and worms, malware, botnets, web-based attacks and phishing schemes. We believe that the primary actors targeting the financial services industry are often hackers connected to crime syndicates in former Soviet Bloc countries, but this is pure speculation.

The problem as always is we don’t actually know.

As cybercrime is emerging as the dominant financial news headline, banks have become especially vulnerable to scandal. 80% of banking CEOs consider cyber-attacks to be the biggest threats to their companies’ growth prospects. For an industry with a business model developed on the mantra of “trust,” safeguarding client account data should be a matter of life and death. But, if you just dropped in from Mars, you would have trouble believing that.

Formerly identified as the highest-volume cyber-attack in history, unidentified hackers launched a sweeping DDoS assault which crashed the websites of Bank of America, JPMorgan Chase, Wells Fargo, U.S. Bank and PNC. In these denial-of-service attacks, hackers took remote control of thousands of zombie desktops, which they then used to send massive amounts of traffic to unsuspecting websites, and since that worked so well, we saw a follow-on flood of DDoS attacks on Dyn in October which expanded on the banking model and took down hundreds of websites effectively bringing the Internet down for several hours across the US. Estimates suggest that tens of millions of users were down most of one day.

The bank attack was 20 times the volume of data that had previously been seen, and twice the previous record for a denial of service attack, with the follow-on attack at least 5 orders of magnitude the impact. We believe the point of each attack was disruption, and if that were the case, the attackers made their point quite convincingly. But, we will never know their real intent or whether these attacks were part of a larger scheme, because we don’t know who they are.

The Islamist terrorist group Izz ad-Din al-Qassam Cyber Fighters claimed responsibility for the financial sector attack, but most of the forensic investigators expressed doubts based on their assumed in-ability to coordinate such a sophisticated series of attacks, and many US Senators are of course blaming Iran. If there were a comedy film making fun of Kim Jong Un involved, I assume we would be blaming the North Koreans. Both of these attacks underscore the problem we have with attribution.

Back in 2010, the NASDAQ was hit with a cyber-bomb that was planted by a suspected group of Russian hackers based on an FBI tracing of encrypted messages to a Russian IP address. Analysts from the NSA also found distinct similarities between the malicious software implanted in the NASDAQ and a program written by Russia’s Federal Security Service (FSB), the successor to the KGB.

But again, we have no concrete evidence of this anymore than we have concrete evidence that the Russians hacked the DNC, Hillary’s email servers or election sub-nets in Bloomington, Indiana.

In October 2014, JPMorgan Chase disclosed that cyber thieves had stolen account data for 76 million individuals and 7 million small businesses (in spite of the $250 million Chase spends every year on cybersecurity). Suspicion initially fell on Russian hackers believed to be working for the Kremlin. But, by mid-October, Federal investigators dismissed any connections to the Russian government.

In February of 2015, a cybercrime scheme concocted by a group of hackers stole over $1 billion from banks in China, Europe, England, Japan, the United States and 25 other countries.

The attackers, now referred to as the ‘Carbanak Gang’, were a multinational group thought to be made up of individuals from Europe, Russia, Ukraine and China. The syndicate infected more than 100 financial institutions around the world, and it is believed but not proven that this same family of malware was used to hack into U.S. Democratic National Committee systems and is the same strain that has also been found infecting an Android app used by artillery units defending eastern Ukraine after Russia invaded Crimea in 2014. But again, no one knows.

Are you getting the sense of a global chaos yet?

The malware, called X-Agent, is also apparently a variant used in a hack of the World Anti-Doping Agency which appeared to support Russian government disinformation campaigns. The forensic analysts identified this group as [probably] Fancy Bear. This strain is also known as APT28, Pawn Storm, Sednit and Sofacy and is guesstimated to originate with a related Russian group known as Cozy Bear - aka CozyDuke or APT 29.

The DNC intrusion has been allegedly attributed by all U.S. intelligence agencies to senior Russian officials, yet not one of these 17 agencies has offered any forensic evidence of the attack.

Attribution has been the Achilles heel of our cyber defense program for years. We don’t know who the actual perpetrators are [as there are so many ways bad guys can obfuscate their trails and/or mis-direct sourcing efforts toward false flags] or what their ultimate objectives may be [was the SONY hack about retribution for a stupid movie insult, or a devious way to oust an unpopular executive through an email outing?] or how on earth they got to be so darned sophisticated so fast.

We have seen story sub-headlines like this one throughout 2016: “The Islamic State’s hacking army doesn’t actually work for ISIS—It’s part of the secret Russian online espionage effort against the West”

Although the loaded term (False Flag) has been hijacked by tinfoil-hat wearers and cyber-wackjobs, it’s a perfectly legitimate and widely used espionage method of venerable heritage. Spy agencies have routinely throughout the years, masqueraded as third parties for operational purposes such as agent recruitment and covert action. The nastier intelligence services will even disguise themselves as active terrorists to further their agenda.

Whether the Russians are or are not responsible for these or other hacks misses the point. The fact that we don’t know who it is or what they want and most importantly how to defend against it is by far the larger issue. Whether the recent use of Android-based malware against the Ukrainian artillery is the work of the Russian military or not, what exactly is anyone going to do about it?

The idea that Vladimir Putin authorized his intelligence agencies to go to cyber war against the West under an ISIS cloak is anything but shocking to anybody informed about longstanding Russian espionage tradecraft. The only innovation here is that it is being conducted in cyberspace. If we knew for sure it was the Russians and had indisputable evidence, do we present it to the UN and demand sanctions? Do we call Vladimir and ask him to stop it please? Do we nuke the whole country and everything around it just in case? Do we set up a closed Internet like China? Of course we don’t.

Targets in recently alleged Russian cyber-attacks include numerous think-tanks, law firms, lobbyists, government agencies, and consultants. There were also almost 4,000 Google accounts targeted in a “spear-phishing” campaign to steal personal and privileged information. It’s clear that this coordinated offensive aimed at the heart of our nation’s capital stole a great deal of inside knowledge about America’s political elite that would be of high value to any foreign intelligence service, not just the Russians.

But again, so what? What was the purpose in the CIA asserting that the attacks on the voting system were of Russian origin and then refusing to offer evidence in support of that claim? When was the last time the CIA ever offered any opinion about anything to anyone?

If you were to just take the small group of data points discussed here and then imagined them multiplied 100-fold, you would have a pretty clear picture of the chaotic cyber-world we live in today. America has neglected counterintelligence for so long that we have allowed foreign intelligence into the heart of our national security services and in business, our failure to take the threats seriously have rendered us virtually defenseless in the face of seemingly countless forms and styles of attack vectors from script kiddies to DDoS floods.

When we flail around in this level of confusion about the identity and purpose of the enemy, combined with the absurd imbalance of information between attackers and defenders and a cybersecurity economy that pits a thirteen million dollar defender against a five dollar attacker, meshed with our inability to see beyond the next hill of threats, it is not surprising that we are losing this war.

The way to win? Put 10 guys in a room for 6 months. And I’ll tell you who they should be.

Merry Christmas.