A cyber attack is defined as a ‘computer-to-computer attack that undermines the confidentiality, integrity or availability of a computer or information resident on it’. The Prussian general and military theorist Carl von Clausewitz observed that: ‘Every age has its own kind of war, its own limiting conditions and its own peculiar preconceptions.’
As we advance into the fourth industrial revolution, with digital transformation taking place in everything from our utilities’ infrastructure and banking right through to the Internet of Things (IoT), digitisation is changing and improving our lives. However, it also offers opportunities to those who wish to threaten our way of life. The talk covered a difficult subject whose solutions are far from simple; here are the top ten take-outs from the recent event:
1. The world’s first cyber missile launched
Information can be gathered over many months or years; attackers can infiltrate systems covertly and remain undiscovered for long periods. The world’s first ‘cyber missile’, Stuxnet, was built specifically to attack the industrial control systems driving uranium-enrichment centrifuges and so to sabotage the enrichment of uranium. The Stuxnet code, thought to have been in development since 2005, is still treated as ‘highly classified’ by the USA.
2. Denial of service (DoS) attacks and botnets
A denial of service attack sees criminals aim a huge volume of requests at a company’s servers. Overloaded and overwhelmed, the servers are unable to respond to legitimate requests. Criminals launch such attacks out of revenge, for blackmail or for political activism. To boost the flooding power of their attacks - and so take down bigger targets - attackers moved to distributed denial of service (DDoS) attacks.
Rather than use a single machine to direct rogue requests at a victim’s systems, attackers build up armies of machines. These machines are themselves often victims: unwilling members of a botnet - a network of computers that have been infected and captured by malware that puts them under the criminals’ control. Botnets can contain tens of thousands of machines, and their legitimate owners are often unaware that their computers are taking part. A DDoS sees the whole botnet turn its collective focus on a single target and take it offline, often with calamitous consequences for the owner.
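The difference between a single-source flood and a botnet-driven DDoS shows up clearly in a web server’s access log: one address exceeding any sane request rate versus a normal-looking rate per address that, added up, is still far more than the server can serve. The sliding-window detector below is an added example written for this page, not code from the talk or from any product; it runs over constructed Common Log Format lines (the addresses come from the documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24) and the thresholds are illustrative assumptions, not recommended values.

```python
import re
from collections import Counter, deque
from datetime import datetime, timedelta, timezone

# Common Log Format line, e.g.
#   203.0.113.7 - - [01/Jan/2024:12:00:03 +0000] "GET / HTTP/1.1" 200 512
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return (client_ip, timestamp) for one CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts


def detect_floods(lines, window_s=10, per_ip_limit=50, total_limit=200):
    """Sliding-window flood detector over access-log lines.

    An IP is reported as a single-source flood when it sends more than
    per_ip_limit requests inside any window_s-second window.  A distributed
    flood is reported when the aggregate rate exceeds total_limit in a window
    while no single IP is over its own limit: the signature of a botnet
    spreading the load thinly across many infected hosts.
    """
    window = timedelta(seconds=window_s)
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e[1])
    recent = deque()          # (timestamp, ip) for the events inside the window
    flagged_ips = set()
    distributed = False
    peak_sources = 0
    for ip, ts in events:
        recent.append((ts, ip))
        while ts - recent[0][0] > window:
            recent.popleft()
        per_source = Counter(src for _, src in recent)   # recomputed per event; fine for a demo
        if per_source[ip] > per_ip_limit:
            flagged_ips.add(ip)
        if len(recent) > total_limit:
            peak_sources = max(peak_sources, len(per_source))
            if max(per_source.values()) <= per_ip_limit:
                distributed = True
    return {
        "single_source": sorted(flagged_ips),
        "distributed": distributed,
        "peak_sources": peak_sources,
    }


BASE = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)


def _clf(ip, ts, path="/"):
    """Format one constructed CLF line."""
    return f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S %z")}] "GET {path} HTTP/1.1" 200 512'


def sample_single_source_log():
    """Constructed: one client sends 80 requests in 4 seconds; five others browse normally."""
    lines = [_clf("192.0.2.10", BASE + timedelta(seconds=i // 20)) for i in range(80)]
    lines += [_clf(f"198.51.100.{i + 1}", BASE + timedelta(seconds=i), "/login") for i in range(5)]
    return lines


def sample_distributed_log():
    """Constructed: 150 bots send 2 requests each within 5 seconds (300 total, 2 per source)."""
    return [
        _clf(f"203.0.113.{bot + 1}", BASE + timedelta(seconds=(2 * bot + r) % 5))
        for bot in range(150)
        for r in range(2)
    ]


if __name__ == "__main__":
    print(detect_floods(sample_single_source_log()))
    print(detect_floods(sample_distributed_log()))
```

The point of the second report is the practitioner’s caveat: a per-IP rate limit, which stops the first scenario cold, never fires on the second, because every bot stays under it. Defending against a botnet needs an aggregate view (and usually upstream capacity or scrubbing), not just stricter per-client limits.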
3. Fanning the Flame
Kaspersky said of Flame: ‘It is a backdoor, a Trojan, and it has worm-like features, allowing it to replicate in a local network and on removable media if it is commanded [to do] so by its master… Overall, we can say Flame is one of the most complex threats ever discovered.’ Flame has probably been active since 2010. It spread across local networks by impersonating the Windows Update service, using a rogue Microsoft code-signing certificate, to steal a huge range of passwords, screenshots, chats and files, as well as streaming from webcams and microphones. Once on a network segment it also sniffs traffic, capturing what flows to and from a victim’s computer.
4. The Foreign Intelligence Surveillance Act
In 1978, the USA passed the Foreign Intelligence Surveillance Act, allowing wiretapping of both foreign nationals and US citizens if they were thought to be agents of a foreign power or members of a foreign terrorist group. In the 21st century, wiretapping evolved into bulk data collection: PRISM, the USA’s collection programme, obtained a wide range of information from internet companies, including emails, chat, videos, photos, VoIP, files, video conferencing and social media details.
5. Social Network - the perfect place to share an attack
Building a cyber weapon is within reach of millions of people. Just as connectivity lets people post and share with friends via Facebook, MySpace, Twitter, YouTube and the like, so the same access and reach can be used with less innocent intent. If someone publishes a picture to his ‘friends’, within 1.2 minutes it could be sent to 4,920 computers (friends of friends); after 2.4 minutes it could potentially be on 341,015 computers across the globe.
6. The rules of cyber warfare
As a response to the changing methods of warfare, the Tallinn Manual on the International Law Applicable to Cyber Warfare examines what cyber warfare is and how conflicts should be conducted. It was written by an international group of legal experts at the invitation of the NATO Cooperative Cyber Defence Centre of Excellence, with the International Committee of the Red Cross and US Cyber Command as observers; it is not official NATO doctrine. The manual advises on targets that shouldn’t be attacked - hospitals, dams and nuclear power stations. It also says it is acceptable to retaliate against cyber attacks with traditional weaponry where the cyber attack has led to death or severe property damage. In effect, hackers taking a direct part in hostilities become legitimate targets for a counterstrike.
7. Cyber attacks - more advanced, more sustained
The incidence of cyber attacks has increased across the board: more hacking and malware, more social engineering, and more physical and environmental attacks. Targets include major infrastructure - the power grid, telecommunications, transportation, utilities, banks and financial institutions - as well as personal data and information theft. As cyber criminals move away from DoS attacks, the trend is towards data theft.
8. Not all hackers are made the same
Cyber security threats have many different faces. (1) Short, irritating attacks perpetrated ‘just for kicks’ by fledgling hackers experimenting from their bedrooms. (2) Longer, more sophisticated attacks conducted by criminal groups looking for monetisation and information of value. (3) Corporate espionage, in which current or former employees exploit their employer’s vulnerabilities for money. (4) Nation-sponsored attacks, driven by the value of intellectual property or critical assets, or by political motives.
9. State-sponsored espionage
Of all the hackers, state-sponsored attackers present the longest, most covert and most sustained threat. An advanced persistent threat was once thought to be solely the domain of state-sponsored espionage and weaponisation. However, recent years have seen groups without state sponsorship conducting large-scale intrusions for their own ends. Some of the shadowy groups found gathering data, deploying malware and disrupting and damaging systems include Chafer, Cadelle and Rocket Kitten, along with the Shamoon and Shamoon 2 disk-wiping campaigns.
10. The APT 28 Group
Also known as Fancy Bear, STRONTIUM, Sednit and the Sofacy Group (Cozy Bear is a separate group, APT 29), APT 28 has been active since at least 2007 and aims to steal economic and political information, mainly for geopolitical purposes. It typically targets foreign governments, defence, dissidents, the military and the media. Analysis of the malware showed the samples were compiled Monday to Friday, between 8am and 6pm, Moscow and St Petersburg local time, and that most of them had been built in an environment with Russian language settings.
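The working-hours observation above comes from reading the compile timestamp that every Windows executable carries in its COFF header and re-plotting it under a hypothesised time zone. The code below is an added example for this page, not the talk’s or any vendor’s tooling: it builds minimal stand-in PE headers inline instead of reading real samples, assumes Moscow was on UTC+4 for the period in question (it moved to UTC+3 in October 2014), and does not cover the resource-section language IDs behind the ‘Russian language settings’ finding.

```python
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumption: Moscow ran on UTC+4 during the period the APT 28 analysis covers.
MOSCOW_OFFSET_2014 = 4


def build_min_pe(ts_utc):
    """Constructed stand-in for a PE file: MZ header with e_lfanew, then the
    PE signature and COFF header.  Only the fields this example reads are real."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)          # e_lfanew: offset of the PE signature
    coff = struct.pack(
        "<4sHHIIIHH",
        b"PE\0\0",
        0x14C,                       # Machine: IMAGE_FILE_MACHINE_I386
        1,                           # NumberOfSections
        int(ts_utc.timestamp()),     # TimeDateStamp: seconds since the Unix epoch, UTC
        0, 0,                        # PointerToSymbolTable, NumberOfSymbols
        0, 0,                        # SizeOfOptionalHeader, Characteristics
    )
    return bytes(dos) + coff


def compile_timestamp(pe_bytes):
    """Read the COFF TimeDateStamp.  Returns an aware UTC datetime, or None when
    the stamp is zero (stripped by the toolchain or deliberately wiped)."""
    if pe_bytes[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", pe_bytes, 0x3C)
    if pe_bytes[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    (stamp,) = struct.unpack_from("<I", pe_bytes, e_lfanew + 8)   # sig(4) + Machine(2) + NumberOfSections(2)
    if stamp == 0:
        return None
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def working_hours_profile(samples, utc_offset_hours):
    """Bucket compile times by local weekday and hour under a hypothesised time
    zone and report the share that falls Monday to Friday, 08:00-18:00."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    by_slot = Counter()
    counted = in_hours = 0
    for pe in samples:
        ts = compile_timestamp(pe)
        if ts is None:
            continue                       # unusable stamp; do not let it skew the profile
        local = ts.astimezone(tz)
        counted += 1
        by_slot[(local.weekday(), local.hour)] += 1
        if local.weekday() < 5 and 8 <= local.hour < 18:
            in_hours += 1
    return {
        "samples": counted,
        "fraction_in_hours": in_hours / counted if counted else 0.0,
        "by_weekday_hour": by_slot,
    }


def sample_set():
    """Constructed corpus: 20 binaries 'built' 09:00-15:00 Moscow time, Monday to
    Friday of one week in 2014, plus one whose stamp was zeroed."""
    msk = timezone(timedelta(hours=MOSCOW_OFFSET_2014))
    monday = datetime(2014, 6, 2, tzinfo=msk)
    pes = [build_min_pe(monday + timedelta(days=d, hours=h))
           for d in range(5) for h in (9, 11, 13, 15)]
    pes.append(build_min_pe(datetime(1970, 1, 1, tzinfo=timezone.utc)))
    return pes


if __name__ == "__main__":
    corpus = sample_set()
    for offset in (MOSCOW_OFFSET_2014, 0, -5):
        print(f"UTC{offset:+d}: {working_hours_profile(corpus, offset)['fraction_in_hours']:.2f} in office hours")
```

The same corpus looks like a 9-to-5 operation under UTC+4 and like night-shift work under US Eastern time, which is exactly the kind of comparison the attribution rests on. The caveat is that the stamp is attacker-controlled: it can be zeroed, randomised or set to mimic another region, so build-time profiling is one weak signal to be weighed with others, never proof on its own.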
Fighting back in the cyber war
Just as the attacks originate online, so they can be fought online. Today, most criminal activity passes through the web, where messages and intentions are shared. Web intelligence is the ability to read, collect and understand plans for criminal or terrorist activity so that attacks can be prevented at an early stage. It mixes HUMINT (human intelligence), SOCMINT (social media intelligence), text mining, distillation of the collected material, multi-language support and sentiment analysis. There are three levels of data sourcing.
The first uses open source information from social platforms and professional databases; the second uses social engineering techniques to gain lawful access to, and extract information from, trusted sources; the third uses the dark web, gaining access through bogus avatars and cover stories. Just as new threats keep emerging, so government agencies must work together to mitigate them: intelligence units must work with law enforcement, cyber crime units and financial crime units to protect government, commerce and critical infrastructure, and to preserve the civil liberties we all hold dear.
Our sincerest thanks to Claudio Cilli for presenting the talk and to Dalim Basu of the BCS North London Branch for his hard work organising the event.