Cybercrime Groups and Nation-State Attackers Blur TogetherNorth Korean Hackers are 'Rational Actors,' Ex-Intelligence Chief Warns
"This is not a crazy state; this is a rational state pursuing rational objectives."
So said Robert Hannigan when describing North Korea's cybercrime activities during a keynote speech at the recent Infosecurity Europe conference in London (see Visual Journal: Infosecurity Europe 2018).
Hannigan should know. Until early last year, he headed the Government Communications Headquarters, which is the U.K.'s signals intelligence, cryptographic and information assurance agency. GCHQ is broadly equivalent to the Australian Signals Directorate and the U.S. National Security Agency.
In a speech at Infosecurity Europe titled "Weaponizing the Web," Hannigan explored "nation-state hacking and what it means for enterprise cybersecurity," focusing in particular on Russia and North Korea. He also touched on Iran, which he said could easily turn to cyberattacks in reprisal for the Trump administration announcing last month that the U.S. was withdrawing from the Iran nuclear deal.
But first, he focused on cybercrime gangs.
Cybercrime Gangs Get Agile
Many successful cybercrime gangs model themselves on legitimate businesses, Hannigan said, in that they have a corporate structure - led by a CEO-type figure - and make use of various specialties, including intrusion specialists, experts at transforming network beachheads into permanently compromised systems and data miners, among others. Gangs can operate from anywhere, and typically pay corrupt law enforcement officials to look the other way.
"When you look into some of these areas of the dark web, you can see some real creativity going on."
The name of the game for the most successful cybercrime gangs is to typically break in, then hang out, studying an organization and its network for weeks or months to see what's worth stealing.
Hannigan said cashing out stolen proceeds remains difficult, especially as law enforcement agencies have gotten better at following the money. Whereas five years ago, gangs would have attempted to use money laundering, "today it's mostly bitcoin," and while using that to launder funds may not be straightforward, criminals have a financial impetus to do it (see Criminals Hide 'Billions' in Cryptocurrency, Europol Warns).
The best cybercrime gangs iterate constantly and never throw good money after bad. "One of the impressive things, I dare say, is that they are [able to conduct] a classic Harvard business school measure of success, and to drop product lines where they're not producing the goods and invest in something else - they're agile," Hannigan said.
Online criminals also continue to prefer the easy score. "It's still ultimately true that they're looking for soft, cheap, high-volume targets in crime; they're not looking about and investing a lot of money in small targets unless it's very, very lucrative," he said.
Hannigan said the sophistication of online attacks - including much more advanced and automated tools for sale on cybercrime marketplaces - is clearly on the rise.
"When you look into some of these areas of the dark web you can see some real creativity going on," he said.
Political and Profit Motives Blend
Another trend: Cybercriminals not only selling to nation states but sometimes acting as proxies or mercenaries for them.
"In some cases, you can see these groups sitting in the same room, and in some cases, you can see where people have been conducting state activity during the day, and then doing crime activity at night," Hannigan said. "It's an interesting mixture of profit and political intent."
Many researchers suspect that may have been the case with the WannaCry ransomware outbreak that occurred in May 2017, and which multiple governments have attributed to the Pyongyang-based government of North Korea (see British Security Services Tie North Korea to WannaCry).
"This is not a crazy state; this is a rational state pursuing rational objectives."
Researchers have noted that the malware didn't appear to have been fully developed because there was no way for its controller to verify who had or hadn't paid a ransom. That gave rise to questions about whether it was a side project for someone whose day job might be working for a nation-state, or whether someone accidentally released it early.
Russia's Cybercrime Incubator
Looking beyond North Korea, Hannigan turned to Russia, and he noted that trying to separate what might be attacks launched by a Russian criminal enterprise from explicitly state-sponsored activity can be extremely difficult, thanks to well-documented ties between the two. Intelligence experts say that the Russian government for years has allowed cybercrime gangs to operate from inside the country, provided they don't attack Russian or allied targets, as well as help the intelligence services from time to time (see Nation-State and Cybercrime Gangs: Lines Blur).
Hannigan said the Russian government's cybersecurity efforts stretch back to the early 1990s, even though, as he noted, there wasn't much to attack online back then. But in the last 10 years, the Russian government has made a serious investment, "in terms of people and money," he said.
Trends: Live Testing, False Flags
Even so, the motives of Russian operators aren't always clear. Sometimes attacks ascribed to Russia look like experimentation, while at other times they look like prepositioning - for example, inside utility networks - to potentially launch a destructive attack, Hannigan said (see FBI Seizes Domain Controlling 500,000 Compromised Routers).
One trend, however, is clear. "Russia has been very keen on live testing things," Hannigan said, mentioning everything from weapons in Syria to cyberattacks against the likes of French broadcaster TV5Monde, which in 2015 had 12 of its 18 channels knocked offline for 18 hours (see French Officials Detail 'Fancy Bear' Hack of TV5Monde).
"It's not clear why Russia wanted to do that, but it is consistent with a doctrine it has of live testing and of false flagging," he said.
Indeed, on the false flagging front, credit for the TV5Monde attack was claimed by a previously unknown group that called itself CyberCaliphate, but which intelligence agencies in France and beyond have said was really Russia.
Another example: The 2016 hack of systems tied to the U.S. Democratic National Committee. There is now wide agreement that a hacking team, known as Fancy Bear, aka APT28, that's tied to Russia's military intelligence agency GRU perpetrated the DNC hack. A supposed individual named Guccifer 2.0 subsequently handed the files, some of which had been altered, to WikiLeaks for distribution.
Subsequently, however, failures on the part of Guccifer 2.0 revealed that the whole operation appeared to involve Russians and likely the GRU (see Analysis: VPN Fail Reveals 'Guccifer 2.0' is 'Fancy Bear').
Geopolitical Chaos Provides Cover
Much, however, remains unclear about campaigns operating from Russia. For example, who exactly are the Shadow Brokers and how might they relate to the Russian government? The group set up shop in August 2016 and began to sell or release exploits from the Equation Group, which many believe to be the U.S. National Security Agency (see Ethical Debate: OK to Pay Shadow Brokers for Exploit Dumps?).
"We don't understand what the relationship between the [Russian] state and [the Shadow Brokers] might be," Hannigan said.
Unfortunately, today's geopolitical chaos provides cover for the Russian government's hacking operations, Hannigan said (see Geopolitical Instability Is CISOs' Latest Challenge).
"While the world is in a certain amount of turmoil ... then what's to stop them being just a little bit reckless? And doing it online always gives you a certain degree of deniability," Hannigan said. " The problem, I think, is that the risk of miscalculation is huge."
For example, when attackers start tampering with industrial control systems or hospitals, "it's only a matter of time before someone gets killed."
Better Incident Response
The U.K. government hasn't been sitting idly by while this has been happening. Under Hannigan's leadership, GCHQ in early 2017 launched the National Cyber Security Center. The NCSC gathers together CESG - the information security arm of GCHQ - as well as the Center for Cyber Assessment, Britain's computer emergency response team CERT-UK and the cyber-related responsibilities of the country's Center for the Protection of National Infrastructure (see UK Stands Up GCHQ National Cyber Security Center in London).
The NCSC is designed to help British organizations better defend themselves against cyberattacks as well as respond to breaches. While moving the country's emergency response team under the aegis of an intelligence agency raised some eyebrows, at least initially, numerous information security experts have told Information Security Media Group that this model has numerous upsides, especially when it comes to helping businesses respond to security incidents, and they expect it to be repeated elsewhere.
NCSC has already helped to investigate a number of major data breaches in the U.K. (see Dixons Carphone Breach: 5.9 Million Payment Cards Exposed).
Such incident response capabilities are arguably more important than ever now that the EU's General Data Protection Regulation is in force.