There’s a battle going on out there, with ‘hacktivists’, spies and criminals trying to steal corporate and government secrets, and cyber security experts struggling to stop them

Cyber warfare

Cyberspace has become the fifth domain of warfare, after land, sea, air and space, according to a recent article in the Economist. According to a high-ranking intelligence source, an estimated 20 countries are ‘sophisticated’ enough to launch a serious cyber attack, including the USA, UK, China, France, Israel, and Iran, which boasts the second-largest cyber army. But while nation states around the world are busy building cyber warfare arsenals, there is another front opening up and the foes aren’t all that evenly matched.

On one side is a global force of hackers - from sophisticated cyber-criminals, to online activists with subversive political aims, or groups of individuals hired to steal company secrets - on the other are the often woefully unprepared corporate security defenders.

Computer security experts do not underestimate the size of the problem. Cyber attack has been recognised by the UK government as a top security concern and, in an otherwise fiscally austere budget, another £650m (€775m) has been allocated to help bolster the country’s cyber defences. Each day, GCHQ, the UK’s spy centre, monitors 80-90 million cyber “incidents”. Meanwhile, one risk manager who wished to remain anonymous told StrategicRISK that his organisation is subjected to thousands of attempted cyber attacks every day.

From a corporate perspective, one of the most serious cyber threats is to intellectual property, which is extremely valuable in the wrong hands, often highly vulnerable and easily stolen from electronic systems without anyone ever noticing.

As McAfee vice-president of threat research Dmitri Alperovitch says: “I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised, or will be shortly, with the great majority of the victims rarely discovering the intrusion or its impact. In fact, I divide the entire set of Fortune Global 2,000 firms into two categories: those that know they’ve been compromised and those that don’t yet know.”

Cyber experts sometimes add a third category to this list: companies that know they’ve been attacked but don’t care. Business leaders can be reluctant to spend the large sums needed on cyber security if there’s no immediate or obvious return on their investment. If intellectual property goes missing it may be some time before a competitor can use that information to their advantage. New products, even with stolen designs, take time to build, for example. As a result there may be no impact on share price or profits for a while. But over time this compromised information can be used to erode a victim’s competitive edge. In the hands of a competitor, the stolen information could be used to build a better product or beat the victim to a key negotiation.

Unsophisticated and opportunistic

Is the rate of intrusions, or ‘compromises’ in the technical jargon, on the rise or is it a new phenomenon? “I find this question ironic,” says Alperovitch. “Because these types of exploitations have occurred relentlessly for at least a half decade, and the majority of the recent disclosures have, in fact, been a result of relatively unsophisticated and opportunistic exploitations.”

Hacker groups like Anonymous and Lulzsec, which recently suffered a blow when one of its founding members turned out to be working for the FBI (see box, overleaf), seek notoriety by stealing organisations’ secrets or attacking government websites. But targeted attacks are much more insidious and occur largely without public disclosures, warns Alperovitch, and they present a far greater threat to companies and governments as the adversary is tenacious and persistent in achieving their objectives. “The key to these intrusions is that the adversary is motivated by a massive hunger for secrets and intellectual property; this is different from the immediate financial gratification that drives much of cybercrime, another serious but more manageable threat.”

“Cyber espionage represents a massive economic threat, not just to individual companies but to entire countries that face the prospect of decreased economic growth in a suddenly more competitive landscape and the loss of jobs in industries that suddenly lose out to unscrupulous competitors in another part of the world.”

Cyber warfare

McAfee recently uncovered a shocking high-level hacking campaign, dubbed Operation Shady RAT, which involved infiltrating computer systems from national government to global corporations and non-profit organisations, with more than 70 victims in 14 countries. From ‘secure servers’ the perpetrators lifted countless government secrets, e-mail archives, legal contracts and design schemes - see chart, right, showing which types of organisation were affected and where they were located.

The most common weakness in most organisation’s IT security is lack of an understanding of who the attackers are. As a result, companies often don’t know how to target their defences. If, for example, you know that your competitors are desperate to get hold of the designs for a new product you’re about to launch, you know to bolster your defences around this key corporate asset.

In an investigation into the Operation Shady RAT plot, which ran for five years, McAfee offered some explanations about how the intrusions typically worked. The standard procedure was for a ‘spear phishing’ email containing an exploit (a piece of software or code that takes advantage of a bug or other vulnerability) to be sent to an individual with the right level of access at the company. The exploit, when opened on an unpatched system, would trigger the download of the malicious implant software. That malware executed a backdoor communication channel to the command and control web server. Afterwards, live intruders jump onto the infected machines and move laterally around the organisation establishing more footholds via other infected machines.

Lulzsec members arrested

The FBI arrested five of the top members of the infamous hacking group Lulzsec in March, acting largely on evidence provided by one of the group’s founding members who had been working for the FBI for months.

According to the FBI, the mole was 28-year-old father of two Hector Xavier Monsegur, an influential member of three hacker groups, Anonymous, Internet Feds and Lulzsec, which are allegedly responsible for cyber attacks against various businesses and organisations throughout the world.

Among other things, including bank fraud, the authorities claim that Monsegur was involved in cyber attacks, including the theft and dissemination
of confidential information as well as denial of service attacks against Visa, PayPal, MasterCard, Sony, Fox and the governments of Algeria, Yemen, Tunisia and Zimbabwe.

Stolen emails published on WikiLeaks

These types of electronic attacks are normally perpetrated by different agents than, say, online smear campaigns. Anonymous, one of the most famous ‘hacktivist’ groups, is a loosely co-ordinated global collective with shared ambitions and motivations. On their Twitter account (@AnonOps) members describe themselves as “fighters for internet freedom”, but this hides the full extent of the growing global movement. Anonymous has strong ties to WikiLeaks, as demonstrated by a recent intrusion into US intelligence company Stratfor’s private communications.

Last year Anonymous announced that it had stolen the email correspondence of 100 of Stratfor’s employees. In February WikiLeaks began publishing the hacked emails, unmasking Stratfor’s network of secret sources that it relies on to publish intelligence insights for public and private sector clients.

But Anonymous suffered a blow in March when 25 members of its Spanish wing were arrested when law enforcers swooped in Latin America and Europe. The suspects were involved in cyber attacks originating from Argentina, Chile, Colombia and Spain that targeted sites including Colombia’s defence ministry and presidency and Chile’s Endesa electricity company and national library. Two of the suspects were only 17. “We hope you understand that we are not hackers on steroids. We are activists and what happens in the world matters to us,” said one of the defendants.

The extraordinary thing about Anonymous is the way it recruits a critical mass of sympathisers to participate in its online campaigns. At its heart Anonymous is a group of highly skilled hackers that revel in exposing what they see as moral outrages perpetrated by organisations that represent the status quo. But if these highly skilled hackers fail to penetrate a victim’s security systems then Anonymous launches an online marketing campaign, using Facebook, Twitter and YouTube videos to encourage thousands of other activists to get involved.

These aspiring hacktivists don’t necessarily need any technical skills, just a willingness to participate. By downloading relatively simple open source software, which can be launched via any web-enabled device (including mobile phones), the wider Anonymous community targets the victim’s website to bring it down with excessive traffic. This is exactly what happened during Operation Payback, which targeted the MasterCard and Visa websites when they stopped allowing payments to WikiLeaks. This demonstrates the power and influence that Anonymous now holds.

Getting your corporate IT defences right is the first step in mitigating some of these threats (see Theory & Practice, page 34). But it’s also worth noting that old tricks work the best. The sturdiest IT security in the world is meaningless if a fraudster calls one of your employees and tricks them into giving up a security passcode.

And putting customer experience before cyber security can be a mistake. South Korea’s largest consumer-finance firm, Hyundai Capital Services, learnt the hard way when hackers demanded a ransom to prevent the release of stolen, confidential data. Hyundai’s chief executive now recognises the full extent of the threat. “We are now slowing down the whole organisation. How things look and how they work is now secondary. Security is now first.”

Key points

  • An estimated 20 countries have the capability to launch cyber attacks on other nations.
  • The most serious threat to companies is intellectual property theft.
  • A common weakness in IT security is not understanding who the attackers are.