[BreachExchange] Cyber security: Hackers step out of the shadows with bigger, bolder attacks

Destry Winant destry at riskbasedsecurity.com
Wed Dec 5 01:20:54 EST 2018


https://www.zdnet.com/article/cyber-security-hackers-step-out-of-the-shadows-with-bigger-bolder-attacks/

Stealth and secrecy used to be the hallmarks of cyber espionage and
cyberwarfare, with spies and hackers sneaking in and out of target
networks without leaving a trace or evidence that could be linked back
to them.

But increasingly, cyber attacks are now carried out in fully public
view, and many attackers don't appear to worry so much about keeping
under the radar. Some even seem to go out of their way to make sure
they are spotted.

One example of the way cyberattacks have gone public: the WannaCry
ransomware caused chaos and made headlines around the world, with many
businesses locked out of their PCs by hackers who demanded a bitcoin
ransom in exchange for restoring access to data.

But even if victims opted to give in to the attack and pay the ransom
-- which some did -- there was never any means of the attackers
fulfilling their end of the deal.

WannaCry was attributed to North Korea, with Pyongyang having taken
advantage of EternalBlue, a leaked NSA hacking tool, to help power the
spread of the attack. It's still not clear whether it was a bungled
attempt to make money or simply a show of force by the North Korean
regime.

Just weeks later, organisations around the world were hit by what
first appeared to be another ransomware attack dubbed NotPetya. But in
this case it soon became apparent that acquiring cryptocurrency was
never the goal: there wasn't even a means to pay. NotPetya was a
wiper, designed to destroy data on the machines it was targeting, not
hold them to ransom.

The attack was seemingly designed to target Ukraine, but it spread
across the world, causing billions of dollars in damage. In this
instance, the US, UK and a number of other states eventually pointed
to state-backed Russian hackers as the culprits.

North Korea denies involvement with WannaCry and Russia still rejects
that it was behind NotPetya.

But Kremlin-backed hackers have also been accused of a number of other
operations, most notably the cyber attacks and disinformation
campaigns designed to influence the 2016 US presidential elections.
Russian President Vladimir Putin has been ambiguous about Russia's
involvement in these attacks, largely denying it but also suggesting
they could have been the work of 'patriotic' individuals within
Russia.

"All these groups like APT28 or Lazarus, they're putting less effort
into hiding their operations. It's probably because everyone knows
these attacks will happen and they just want to get to specific data
or have a specific influence," says Maya Horowitz, director of threat
intelligence and research at Check Point Software.

"In the past, they used to go under the radar, they used to have their
own opsec so that no one would know that there's any attack and nobody
would talk about cyber and APTs. Now part of the process is just to
create chaos -- so if it's revealed, maybe it's even better, because
it makes people scared."

Rather than stealing data in secret, cyber attacks have now become a
way for some states to show their technical prowess, especially if
they are trying to compete with economically or militarily more
powerful states.

This use of cyberwarfare by some states to level the playing field
with bigger rivals is also likely to be a trend in future.

Critical infrastructure like power, water, healthcare and more are
fundamental to the functioning of modern societies -- and attackers
know this, so they make tempting targets for hacking.

The impact of these attacks has already been demonstrated when large
sections of Ukrainian power grids were taken out in December 2016,
plunging people into darkness and leaving them without heating in the
middle of winter.

Like NotPetya, these attacks have been attributed to Russia. Some
believe it's only a matter of time before state-backed attackers --
wherever they may be from -- try to do the same to US power.

"What we need to worry about, and something we're not investing a
substantial amount of time in, is investing in critical infrastructure
-- that's what keeps me up at night," says Eric O'Neill, national
security strategist at Carbon Black and a former FBI counter terrorism
and counter intelligence operative.

Having your credit card details stolen is bad, having your personal
information leaked in a data breach is frustrating -- but if hackers
really want to cause damage, they could go after infrastructure.

"If the lights all get shut off and people are fighting at the gas
pump so they can feed their generators, you have serious problems.
Then there's also hospitals which can't run so people die, without
refrigeration we can't feed people -- and the longer it happens, the
worse it gets," says O'Neill.

While that sort of scenario may sound far-fetched, there have been
warnings about weaknesses in critical infrastructure and the potential
for these to be exploited by attackers. If nation-state backed groups
are looking to cause maximum disruption, they can do it by meddling
with critical infrastructure.

"I worry about it: because in a world where we're used to convenience,
if we lose that convenience, the very fabric of society fails and
attackers know that," O'Neill adds.

The world has repeatedly been warned about the threats posed by
powerful hacking operations and despite real-world examples, such as
WannaCry, the risks are still ignored by most people outside of the
cyber security sector. That means the risk of another significantly
destructive incident is still far too high.

"Disruption and destruction are a big category that those of us in the
security industry have in the back of our minds, but the reality is
the next incident may come sooner than we think it's going to," says
Jennifer Ayers, VP of Falcon OverWatch and security response at
CrowdStrike.

"The last destructive incident prior to WannaCry was over a decade
ago, but we weren't ready for it a decade ago, we had a decade to
prepare, but we weren't ready last year, what happens if we're hit
next year?" she adds.

In an ideal world, we wouldn't have to think about having to answer
this question. But as nation-state hacking activity gets increasingly
brazen and increasingly focused on causing damage and disruption over
stealth, it might be that 2019 could be the year when the world has to
face another major destructive cyber attack, and we're still not
ready.
