Report: Mercenaries Behind APT Attacks
'Espionage as a Service' Offers Governments Deniability
An increasing number of sophisticated cyber-attacks are not being launched by governments - or their intelligence services - but rather by opportunistic mercenaries who sell whatever they can steal to the highest bidder, according to a new report. While their customers might include governments, they might just as well include a victim's business competitor.
The report from information security consultancy Taia Global examines the growth of "espionage-as-a-service" being offered by for-hire hacking groups. "These mercenary hacker groups range from small groups with little funding to specialty shops run by ex-government [employees], to highly financed criminal groups who use similar, if not identical, tactics to nation state actors," the report says. "That they are rarely discovered is due in part to their skill level and in part to being misidentified as a state actor instead of a non-state actor if they are discovered."
The practice of attribution - identifying the who, what, where, when, and why of an online attack - has made headlines in recent weeks, as a result of the FBI and National Security Agency both publicly stating that North Korea was behind the hack of Sony Pictures Entertainment, which involved devastating wiper malware being unleashed against the business on Nov. 24, 2014. Based on the scant evidence that has been published by the FBI, however, many information security experts continue to question that attribution.
Mercenary Backers: Sometimes Oligarchs
Attacks targeting financial data have often been ascribed to criminal groups, while attacks that target intellectual property have typically been classified as APT attacks and ascribed to a government, Jeffrey Carr, CEO of Taia Global, tells Information Security Media Group. But the time has come to acknowledge the rise in mercenary attacks, he says. "Their existence should force us to re-examine how we place the blame on a government, or how we place the blame on a hacker group, and if we can't, then we really need to question what we think we know, and how much of that is valid."
Carr says the likely backers - or at least clients - for mercenary groups may include Russian and Ukrainian oligarchs, Chinese millionaires - and billionaires - as well as Mexican cartels engaged in counter-espionage activity.
From a political standpoint, getting attack attribution right - or wrong - can have profound geopolitical implications. "What we're saying is that these hackers-for-hire have probably been misread and identified as government activities, versus mercenary activities," Carr says. "How much of what we have blamed on China, Russia, Israel or whoever, on their governments, is actually wrong? Who are we missing? Who are we misidentifying, amongst these groups, which in turn is driving really horrible government policy?"
The Taia Global report cites two cases as evidence of increased mercenary activity.
One case involves Su Bin, a Chinese businessman with residency in Canada. Bin, who is currently incarcerated while the Canadian government moves to strip him of his residency, was charged in an FBI complaint in June 2014 and indicted in August by a U.S. grand jury on five felony charges. Those include conspiracy to steal trade secrets and to illegally export defense articles related to the F-22 and F-35 fighter jets, as well as the C-17 transport aircraft.
According to Taia's report, Bin ran a mercenary group in which he acted as the subject matter expert and data broker, while two of his China-based co-conspirators - also indicted, but not named - handled network penetration and data theft. Bin's attack campaign began in 2010, the indictment says, and included his team stealing 630,000 digital files - totaling 65 gigabytes of data - on the C-17 alone.
Taia Global also cites a July 2014 report from the cybersecurity team at Airbus Defense and Space about an APT-style campaign run by a group of attackers, who appeared to be Chinese, that it dubbed Pitty Tiger. It said the group had attacked four targets, mostly based in Europe, which it declined to name, although there was one from each of the defense, energy, telecommunications and Web development sectors.
In its report, the Airbus investigators say Pitty Tiger appears to be working independently of any government. "Pitty Tiger is probably not a state-sponsored group of attackers," the Airbus report says. "They lack the experience and financial support that one would expect from state-sponsored attackers. We suppose this group is opportunistic and sells its services to probable competitors of their targets in the private sector."
Sounding a Warning
Alan Woodward, who's a visiting professor at the department of computing at England's University of Surrey, concurs with Carr's warnings over the rise of mercenary-led attacks online.
"I've been saying for some time that there appears to be mounting evidence that some of these attacks do seem to be conducted on behalf of nation states," he says, rather than by them. But it's a "very, very black market," he says, which makes such attacks quite difficult to unravel.
The information stolen in these attacks is often difficult to trace, Woodward says. Stolen credit card numbers or personally identifiable information, for example, typically show up on carder forums. By infiltrating these underground online forums, law enforcement agencies can often "follow the money" and potentially identify who stole the information in the first place, then attempt to arrest them or disrupt their operations. But stolen intellectual property, Woodward says, doesn't appear to have surfaced on the same forums.
The Nature of Sony Attack
Woodward says that the Sony Pictures Entertainment hack may well have been the work of a mercenary group. "What I suspect we will find is a group of people who may be tied to North Korea in some way, but who do it in some way where there's plausible deniability - and if you're one step removed, it's great [for a government], because you can say: 'We didn't commission this, we didn't start this attack.'"
Woodward, who's also a cybersecurity advisor to Europol, likens espionage-as-a-service attacks to the proxy wars fought during the Cold War - in places such as Angola and, through the CIA-funded Air America, Vietnam - before the conflicts escalated into full-blown battle, as well as to the Bay of Pigs invasion, which was funded by the CIA but carried out by Cuban nationals. The difficulty of tracing mercenary funding gave governments a degree of deniability that they were involved in any way, he says. "It was very difficult to prove, often, which is why the Cold War never became a 'hot war,' because you had plausible deniability, you could never trace who was paying."
The same now applies to cyber-attacks, aided by the fact that, under the doctrine of asymmetric warfare, small powers can have a large effect online. "Rather than invest half your gross domestic product in developing a nuclear weapon, why not put 30 guys in a room with computers, and they can start attacking someone who is theoretically much more powerful?" Woodward asks. "But the problem is, if they get annoyed, the [victims] can come back at you with armed aggression."
The so-called Tallinn report from the United Nations states that cyber-attacks can be viewed as armed aggression and treated as an act of war.
Defending Against Mercenaries
Because of the rise of online attacks by mercenaries, potential victims need to ensure they have in place "the appropriate defensive measures, to safeguard their intellectual property," Taia Global's Carr says. He recommends they begin by identifying what material would be important to either a foreign government, or a business competitor, depending on their sector.
"You can build a pretty difficult wall to penetrate, in terms of extracting the data," Carr says. "And that's the key." He recommends using virtualization to make data more difficult to reach; data-loss prevention tools to track and block suspicious behavior; as well as whitelisting to prevent unauthorized code from running on corporate systems.
"It's not about keeping them out, because it's too difficult," Carr adds. "But you can be successful at making it extremely difficult to remove these valuable files from your network," regardless of whether the attack gets launched by a malicious insider, or by someone external to the organization, be they working directly for a government, or for a team of mercenaries.
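The defensive approach Carr outlines - decide which files matter, then watch for and block their bulk removal - is the kind of rule a data-loss prevention tool applies. The following is an added example, written for this page and not code from Taia Global or from the article; it assumes a constructed log format of "time user action object bytes", a hypothetical sensitive path prefix (/eng/) and arbitrary thresholds, and flags a user who reads an unusual number of distinct sensitive files or pushes an unusual volume of bytes to an external host within one hour. The sample events are constructed; the volumes are small multiples of what the indictment cited by the report describes (hundreds of thousands of files, tens of gigabytes).

```python
"""Bulk-exfiltration detector over constructed file-access and egress events.

Added example, not the report's or the article's code. The log format, the
sensitive prefix and the thresholds are assumptions a defender would tune.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Step 1 of Carr's advice: name the material a competitor or foreign
# government would want. Here, everything under /eng/ (assumed).
SENSITIVE_PREFIXES = ("/eng/",)
WINDOW = timedelta(hours=1)
MAX_SENSITIVE_FILES = 5                 # distinct sensitive files read per window (assumed)
MAX_EGRESS_BYTES = 50 * 1024 * 1024     # outbound bytes per window (assumed)

# Constructed sample events: "<iso-time> <user> <action> <object> <bytes>".
# action is "read" (file read from an internal share) or "egress" (bytes sent
# to an external address, given as the object).
SAMPLE_EVENTS = """\
2014-11-03T08:55:10Z alice read /eng/design/part_001.pdf 2400
2014-11-03T08:57:41Z alice read /eng/design/part_002.pdf 1900
2014-11-03T09:10:05Z alice egress 203.0.113.7 5000
2014-11-03T22:01:00Z bob read /eng/design/part_001.pdf 2400
2014-11-03T22:01:02Z bob read /eng/design/part_002.pdf 1900
2014-11-03T22:01:03Z bob read /eng/design/part_003.pdf 3100
2014-11-03T22:01:05Z bob read /eng/design/part_004.docx 5200
2014-11-03T22:01:07Z bob read /eng/design/part_005.docx 4100
2014-11-03T22:01:09Z bob read /eng/design/part_006.xlsx 9800
2014-11-03T22:15:30Z bob egress 198.51.100.23 60000000
2014-11-03T22:16:00Z bob egress 198.51.100.23 45000000
"""


def parse_events(text):
    """Parse log lines into (time, user, action, object, bytes) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, obj, size = line.split()
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((t, user, action, obj, int(size)))
    events.sort(key=lambda e: e[0])
    return events


def detect(text):
    """Return one alert per user per rule, fired the first time a window exceeds a threshold."""
    by_user = defaultdict(list)
    for ev in parse_events(text):
        by_user[ev[1]].append(ev)

    alerts = []
    for user, evs in by_user.items():
        fired = set()
        for i, (t, _, _, _, _) in enumerate(evs):
            # Trailing window ending at this event (events are time-sorted).
            window = [e for e in evs[: i + 1] if e[0] >= t - WINDOW]
            sensitive = {e[3] for e in window
                         if e[2] == "read" and e[3].startswith(SENSITIVE_PREFIXES)}
            egress = sum(e[4] for e in window if e[2] == "egress")

            if len(sensitive) > MAX_SENSITIVE_FILES and "bulk_read" not in fired:
                fired.add("bulk_read")
                alerts.append({"user": user, "rule": "bulk_read",
                               "value": len(sensitive), "at": t.isoformat()})
            if egress > MAX_EGRESS_BYTES and "bulk_egress" not in fired:
                fired.add("bulk_egress")
                alerts.append({"user": user, "rule": "bulk_egress",
                               "value": egress, "at": t.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        # A DLP tool would block the transfer here; this example only reports.
        print(alert)
```

The detector deliberately keys on the two signals Carr describes as the hard part for an attacker, reading many of the files that matter and moving them off the network, rather than on who the attacker is; the same rule fires for an insider, a contractor's compromised account or an external intruder, which is the point he makes about attribution not being needed to defend.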