To say that 2015 has so far been seen new heights of corporate and government computer attacks, as well as an escalation in the sheer daring of those hacks, is to risk understatement.
The list grows daily: 80 million health insurance records stolen from Anthem Insurance; 27 million private personnel records swiped from the U.S. Office of Personnel Management; the breach of unclassified systems and the White House, State Department, and Joint Chiefs of Staff, and on and on.
Computer network security professionals have been left scrambling just to fix the hacks that have already happened, let alone prevent new attacks. The situation is so dire that some analysts told VOA they worry the “good guys” might never catch up.
These attacks, of course, occur for a wide range of reasons: hunting for credit cards, governments spying on adversaries, or “hacktivists” trying to make a statement are a few examples.
Yet as distinct as the reasons and actors may be, some security analysts increasingly worry about a new trend of groups and attacks that are trying to blurring the traditional lines between crime and espionage. And that, they say, is only going to make preventing future attacks all the more difficult.
When cybersecurity analysts talk about the Internet, they tend to uses phrases like “threat field” or “threat space,” meaning the entire range of threats that any given group, corporation or government might face online.
Different targets have widely varying threat fields. For example, an aerospace firm working on classified military projects will have a very different threat space from that of a large consumer retailer like giant retailer Target, which in turn would have a different threat space than a small political activist group.
“Groups conducting cyberattacks may use similar tactics, like spear-phishing, but they’re very different, both in nature and in motivations,” says Patrick McBride, vice president of communications at iSight Partners, one of the largest U.S. cyber-threat intelligence firms. “The starting point is the difference between information and intelligence.”
McBride says it isn’t enough for government or corporate security officials to build strong cyber defenses around their systems to fend off future hacks. They have to understand the threats unique to their enterprise – and that means understanding the opponents they face and their motivations.
“The bad guys are the competition,” he said. “You need to head into this as you would against any adversary, with knowledge about what they do and have a strategic plan to fight back.”
Information versus intelligence
In both the cyber and military spheres, analysts often draw a distinction between information and intelligence.
“Information is raw and unfiltered,” McBride said. “It’s unevaluated when it’s delivered, it’s pulled from every source, there could be truth in there or falsehoods, it may not necessarily be relevant. Intelligence is processed and sorted information. Someone actually has to sort through the noise to establish the truth.”
For cybersecurity analysts, this is key. Learning of a new hack on your computer network and when it happened is information, but discerning who was responsible and what their goals are is intelligence that can help prevent a future attack.
This becomes even more important when you consider the types of hackers that usually target specific government agencies or corporations with large amounts of secret data.
“These are persistent threats that don’t give up, and are always refining new techniques of how to breach your system,” said McBride. “A lot of the nation states that we monitor, or at least the actors that appear connected to those nation states, they’re utilizing new techniques and tools in far-flung regions or more obscure places and refining them before they show up at your doorstep.”
There’s another important intelligence distinction: the difference between crime and spying.
“Cyber criminals and hacktivists are looking for financial gain pretty much, or to make a statement,” says Sarah Hawley, a member of iSight’s cyber espionage team. “Those conducting cyber espionage are looking for bodies of information that gives them a strategic advantage over their adversary. They are covert, and they want to persist.”
Hawely said iSight is tracking approximately 30 threat groups with a “Chinese nexus” or base. She’s quick to add that China is not alone in the online espionage game.
While data thieves might just want to get in and out of a system quickly and then move on, cyber-espionage groups often employ long-term tactics that mix tried-and-true tricks, such as spear-phishing, combined with newer techniques.
Hawley cites one Chinese-nexus group that targeted defense industry conferences, then cross-referenced attendees with publicly available contact information to build a sophisticated spear-phishing campaign.
“That led us to believe that they used these lists as a means to acquire targets, likely for their access to sensitive databases related to defense and aerospace technologies,” Hawley said. “We’ve seen multiple Chinese-nexus attacks like this targeting a variety of industries; we’ve also seen this from Russia.”
‘Cyber Caliphate’ and the ‘Tsar Team’
Yet as troublesome as hacks like this can be, Hawley also points to another trend – one designed to confuse the target’s intelligence and scramble the lines between espionage and crime.
A good example of this blurring came earlier this summer when iSight investigators started looking deeper into a group calling itself the “Cyber Caliphate” – a hacktivist group purportedly supporting the broad goals of the Islamic State extremist group.
In February, Cyber Caliphate hackers created headlines when they temporarily seized control of the Twitter and YouTube accounts for the U.S. Central Command, posting incendiary threats and comments. Other targets, such as Newsweek magazine’s Twitter feed, were also briefly compromised.
But Hawley says researchers at iSight Partners later unearthed evidence that the Cyber Caliphate wasn’t all it seemed.
“We determined that they were a false front for Russian actors we called ‘Tsar Team,’” she said. “We began to see technical indicators that the two were sharing resources, and we determined that the two groups are either one in the same, or at the very least are connected by some over-arching organization.”
Tsar Team is a Russian-based cyber-espionage group that earlier had targeted NATO, the Ukrainian government and the European Union using a zero-day vulnerability known as “Sandworm.”
“Ultimately we determined that Tsar Team and the Cyber Caliphate were using the same infrastructure,” said Hawley. “That type of cover could give them the freedom to spread propaganda, test new hacking tools and techniques, and espionage campaigns down the road. But it also confuses efforts to determine actors and motivations.”
And creating confusion in intelligence of just who is behind cyberattacks and what their motivations are only makes the difficult job of protecting sensitive computer networks from hackers harder still.