State-sponsored computer hacking networks have proliferated around the world, putting transportation systems, power stations, water treatment facilities and electrical grids at enormous risk. The United States is under constant attack from rogue nations. Even our allies run organizations that eavesdrop on and infiltrate American entities, stealing intellectual property from unsuspecting companies. Rogue nations constantly probe military and government facilities, attempting to steal data and gain access to our critical infrastructure.
The largest and one of the most sophisticated state sponsors of computer hacking is China, according to Jaime Blasco, Director of AlienVault Labs, who tracks attackers for a living. The evidence pointing to China is found in the attacks themselves, including timestamps that line up with Chinese time zones and artifacts written in Mandarin. Chinese operators route their attacks through proxies to conceal the origin; AlienVault has nevertheless been able to trace connections back through those proxies to the last hop, which was consistently in mainland China. One hundred and forty attacks on American companies were traced back to a single building in Shanghai, suggesting a well-organized, well-funded network. Campaigns run for months or years. Many of the attacks are very sophisticated, but some are quite simple.
Hacking has been simplified by cheap attack software that can be found and purchased on the web. One common technique, phishing, sends users emails that appear legitimate and ask them to click a link. Only one person in an organization needs to click for the attacker to get in. Once the link is clicked, the attacker establishes a beachhead (a captured position from which further attacks can be launched), can observe what the user is doing on their PC and can access everything on the hard drive. From there the attacker moves laterally to other machines on the network until the desired information is found. According to Andrew Beckett, Head of Cyber Security at Cassidian, “You can get attack techniques and attack tools very cheaply from the internet. You can buy expertise that wasn’t available for traditional methods of espionage.” He went on to say that “even quite small countries actively engage in state-sponsored cyber-attacks for the purpose of supporting state industries through the theft of intellectual property or disruption.”
The Players
Different styles of attack come from different countries.
China: Appears to be the most active sponsor of computer hacking. A unit of the Chinese military, Unit 61398, has been responsible for stealing hundreds of terabytes of data from at least 140 organizations, mostly in English-speaking nations, according to the security firm Mandiant. About 20 high-profile hacker groups originate in China, and some are thought to report directly to the People’s Liberation Army (PLA), including Comment Crew and Putter Panda, groups suspected of operating directly out of PLA buildings since 2007.
France and Germany: Both are known to have offensive online capabilities that could be turned against the U.S. and U.K. It was recently revealed that Germany spied on the F.B.I., U.N. bodies and the French foreign minister.
Iran: In 2009 Iran’s computer infrastructure was compromised by Stuxnet. The hacking group Tarh Andishan was created in response to the Stuxnet attack and has since developed full-blown cyber warfare capabilities. Its campaign “Operation Cleaver,” active since 2012, targeted at least 50 organizations in the military, commercial, education, environmental, energy and aerospace sectors.
North Korea: Bureau 121 is a hacking unit based in Pyongyang, North Korea. It was responsible for the high-profile hack of Sony Pictures, carried out under the name “Guardians of Peace,” in retaliation for “The Interview,” a movie depicting the assassination of Kim Jong-Un. Defectors say Bureau 121 belongs to the Reconnaissance General Bureau, North Korea’s military intelligence agency.
Russia and Eastern Europe: Known to originate the most sophisticated attacks, which require vast resources and several months to complete. The Russian group APT28 (APT stands for Advanced Persistent Threat) has engaged in advanced cyber espionage since 2007, and Russia is considered one of the world’s leaders in cyber warfare. The group has attacked military and political targets in the U.S. and Eastern Europe, including particularly valuable targets such as Georgia. The Russians have also targeted N.A.T.O., hacked unclassified White House networks and may have targeted Ukraine. The 2008 cyber attacks against Georgia were the first in history to serve as the precursor to a full-scale military invasion.
Syria: The Syrian Electronic Army (SEA) is a collection of university students in Syria and allied countries who spread propaganda for Syrian President Bashar al-Assad. Its attacks targeted CNN, The Washington Post and TIME magazine in 2013. In one case the SEA, having hijacked the Associated Press Twitter account, convinced the public that a bomb had gone off at the White House and injured President Barack Obama; the Dow Jones index dropped by a full percentage point before the hoax was exposed.
U.K.: It is now known that the U.K. also has an offensive capability, although its targets are less clear.
United States: Former C.I.A. employee Edward Snowden exposed widespread surveillance of telecoms and the internet inside and outside the United States. The National Security Agency (NSA) runs an elite hacking unit called Tailored Access Operations (TAO). Documents Snowden provided to the German magazine Der Spiegel detail TAO’s work and show that the NSA has collected telephone data on thousands of Americans and overseas intelligence targets. Dean Schyvincht, who describes himself as a TAO Senior Computer Network Operator in the Texas office, says that “over 54,000 Global Network Exploitation operations in support of national intelligence agency requirements” have been carried out since 2013 with a staff of just 14 people.
Visibility is the largest problem. Firms must be held responsible for disclosing the extent of the damage after a cyber attack occurs. The U.K. has targeted support at 160 companies that are crucial to its economy and infrastructure. All firms are being encouraged to admit when they have been attacked, and the E.U. is considering making this a legal requirement, much as U.S. state data breach notification laws already do. Firms should have a post-incident response plan that includes the ability to shut down or isolate affected systems, as well as a plan for dealing with their customers.
Cassidian is a global defense and security provider that protects government and military departments in the U.K., France and Germany. Its analysts scan network traffic and system logs for suspicious activity: repeated password or connection attempts combined with unusual volumes of traffic draw suspicion and are escalated up the chain of command. This is an active monitoring solution, with humans in the loop, protecting sensitive targets in the U.K., but it is only part of the equation when it comes to securing a nation’s infrastructure.
Protecting a nation’s infrastructure is especially difficult when you consider that the technology in power stations, oil refineries and water purification plants is sometimes 20 to 30 years old. Turning these systems off to patch or replace them may not be safe.
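The triage rule described above (repeated password or connection attempts plus an unusual volume of traffic, escalated by severity) as an added example, not Cassidian’s or WatchPoint Data’s code. The sshd log lines are constructed for the example, and the failure threshold, the five-minute window and the median-based volume baseline are assumptions:

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample: syslog-style sshd lines from a hypothetical bastion host.
# 203.0.113.7 guesses passwords and then gets in; 198.51.100.4 is a normal user
# with one typo; 192.0.2.9 opens an unusually large number of connections.
SAMPLE_LOG = [
    "Mar 10 08:00:01 bastion sshd[2211]: Failed password for root from 203.0.113.7 port 51022 ssh2",
    "Mar 10 08:00:03 bastion sshd[2212]: Failed password for root from 203.0.113.7 port 51023 ssh2",
    "Mar 10 08:00:04 bastion sshd[2213]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2",
    "Mar 10 08:00:06 bastion sshd[2214]: Failed password for invalid user admin from 203.0.113.7 port 51025 ssh2",
    "Mar 10 08:00:07 bastion sshd[2215]: Failed password for oracle from 203.0.113.7 port 51026 ssh2",
    "Mar 10 08:00:09 bastion sshd[2216]: Accepted password for oracle from 203.0.113.7 port 51027 ssh2",
    "Mar 10 08:01:10 bastion sshd[2220]: Failed password for alice from 198.51.100.4 port 40001 ssh2",
    "Mar 10 08:01:40 bastion sshd[2221]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2",
] + [
    f"Mar 10 08:05:{s:02d} bastion sshd[{2300 + s}]: Connection from 192.0.2.9 port {33000 + s} on 10.0.0.5 port 22"
    for s in range(40)
]

LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$")
AUTH_RE = re.compile(r"^(?P<result>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+) port \d+")
CONN_RE = re.compile(r"^Connection from (?P<src>[\d.]+) port \d+")

SEVERITY = {"low": 1, "medium": 2, "high": 3}


def parse_line(line, year=2024):
    """Turn one sshd log line into an event dict, or None if it is not of interest.
    Syslog timestamps carry no year, so the caller supplies one (assumed here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    a = AUTH_RE.match(m["msg"])
    if a:
        kind = "failed" if a["result"] == "Failed" else "accepted"
        return {"ts": ts, "kind": kind, "user": a["user"], "src": a["src"]}
    c = CONN_RE.match(m["msg"])
    if c:
        return {"ts": ts, "kind": "connect", "user": None, "src": c["src"]}
    return None


def analyze(lines, fail_threshold=5, window_seconds=300, volume_factor=5):
    """Return alerts, highest severity first, for sources that show a burst of
    password failures or an unusual volume of connections (thresholds are assumptions)."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_src[ev["src"]].append(ev)

    alerts = []
    counts = {src: len(evs) for src, evs in by_src.items()}
    # Stand-in baseline: median activity across sources in this batch. A real
    # deployment would use a per-host historical baseline instead.
    baseline = statistics.median(counts.values()) if counts else 0

    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e["ts"] for e in evs if e["kind"] == "failed"]
        # Sliding window: fail_threshold failures inside window_seconds is a burst.
        burst_start = None
        for i in range(len(fails) - fail_threshold + 1):
            if (fails[i + fail_threshold - 1] - fails[i]).total_seconds() <= window_seconds:
                burst_start = fails[i]
                break
        if burst_start is not None:
            # A successful login after the burst means the guessing may have worked,
            # which is what gets escalated to the top of the queue.
            got_in = any(e["kind"] == "accepted" and e["ts"] > burst_start for e in evs)
            alerts.append({
                "src": src,
                "severity": "high" if got_in else "medium",
                "reason": ("password guessing followed by a successful login"
                           if got_in else "repeated password failures"),
            })
        # Volume check: activity well above what other sources generate.
        if counts[src] >= fail_threshold and counts[src] > volume_factor * baseline:
            alerts.append({
                "src": src,
                "severity": "low",
                "reason": f"{counts[src]} connections vs. median {baseline}",
            })

    alerts.sort(key=lambda a: SEVERITY[a["severity"]], reverse=True)
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(f"[{alert['severity'].upper():6}] {alert['src']}: {alert['reason']}")
```

Run against the sample, the password-guessing source that eventually logged in comes out first as high severity, the noisy connection source is flagged low for an analyst to look at, and the user with a single typo produces nothing. The two signals are kept separate on purpose: a failure burst is a clear indicator on its own, while a volume anomaly only says “different from the others” and needs a human to decide whether it is a scan, a misconfigured client or normal batch traffic.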
High-tech monitoring is not the only answer to this security question. Testing of the independent hardware controllers in these facilities has become a priority as well. If the hardware controllers of a power station are compromised, the plant could be sabotaged without warning. An attacker who gains access to these controller systems could reprogram them to lie dormant, leaving potentially millions of machines waiting to strike the next target.
With money flooding into internet-based attacks, no one is truly safe, and the countries doing the most attacking have the upper hand in the cyber war. Any institution that believes its defenses cannot be compromised will struggle to respond when it finds an attacker in its systems. It is crucial that businesses, small and large, work to protect their intellectual property and the Personally Identifiable Information (PII) of their customers. Failing to do so can result in losses reaching into the millions of dollars that affect a company for years; many breached businesses will be lucky to survive intact.
WatchPoint Data has the security tools and forensic experts a business needs to secure its network and prevent massive breaches. WatchPoint Data follows a procedure of Prevention, Detection and Response: keeping systems patched and free of known vulnerabilities, using state-of-the-art software such as Carbon Black to detect malware and intrusions, and responding to every threat, large or small. Closing security gaps and strengthening a company’s cyber defenses is WatchPoint Data’s main focus.