A few years ago I wrote an article on the misconceptions around Cybercriminals titled “Your Cybercriminal Has An Image Problem“. It’s been three years since I wrote that and I wanted to take a look back and review whether we (as an industry and as observers) are perceiving the threats in a different light.
The idea for that original article came about as I was at the RSA conference that year and couldn’t help but notice how many of the vendors present used the stereotypical “Hollywood Hacker” imagery in their displays and collateral. Distorting the threat view and perhaps for commercial reasons painting a different picture of the world!
At this time, one of the worst Cyberattacks in history hadn’t yet happened, and we were still three months away from what was going to be dubbed WannaCry. The destructive Ransomware that affected over 200,000 victims and caused millions of dollars of damage to networks ranging across all industries and sectors from Governments to private companies. One of the most severely affected organisations was the National Health Service (NHS) in the UK, where the attack affected all kinds of medical systems, denied access to patient records and left the UK Gov with an estimated bill of £92 million to restore services and affected devices.
Wanna-who?
The cause of this attack wasn’t some bored teenager sat in their bedroom or a group of vigilante Hackers fighting back against the system. What had happened was that a nation-state had lost parts of its Cyberwarfare toolkit! One month before the WannaCry incident the group calling themselves “The Shadow Brokers” leaked a selection of files which they claimed had been stolen from the US’s NSA (National Security Agency) and in this collection was an exploit called “EternalBlue” which targeted an SMB (Server Message Block) vulnerability in Microsoft Windows. Interestingly Microsoft did release an emergency patch in March of 2017 for this flaw which covered Windows Vista through to Windows server 2016 (the latest version at that time), but this was because it became public knowledge and not because the NSA has disclosed it to Microsoft.
When the attack happened, many of those systems were not patched despite it being available, and very quickly it spread, and IT teams found themselves overwhelmed. If it hadn’t been for a British Security researcher: Marcus Hutchins who discovered a Kill-switch within the code which was linked to an unregistered Domain name. He was able to purchase this domain, and after monitoring the attack via Honeypots that his security firm he worked for deployed and realised the malware “phoned home” to this domain and thus effectively acted a kill switch.
In retrospect, this event shone a light on the practice of patching and updating systems and based on my own experience (working for a large Security vendor at the time) forced many organisations to take a deep look at how they dealt with system updates, patches and hotfixes. For some, a culture of complacency had set in around managing such events. For other organisations such as the NHS (and many others), it also was warning around the practice of running end-of-life OS’s such as Windows XP – at the time the NHS had thousands of devices running XP and potentially unpatched and vulnerable systems, across many of its Healthcare Trusts.
Swapping Sides
Hutchins is an interesting character who could also fit the bill of the stereotypical hacker. After getting interested in computers as a child and finding that he had a natural talent and curiosity – which is often one of the most critical skills, then also discovered the darker side of the Internet. After being lauded by the Hacking community for his part in stopping WannaCry, he was on his way home from the Black Hat conference in 2017 when the FBI arrested him as he attempted to board his flight to the UK from Las Vegas. As it transpired, this was linked to an earlier Malware called Kronos, and not as some rumoured at the time (and unfounded) his part in the WannaCry attacks. This malware was designed to attack banking systems, and in 2019 Hutchins pleaded guilty to being a part of its creation between 2011 to 2015. However, in a rare moment of common sense, the US Judge presiding over the case stated that Marcus had “turned the corner” and now used his skills for good and instead of a lengthy prison tern sentenced him to time served and a year of supervised release. Is this a prime example of the Black to White Hat Hacker transition?
So who was behind the WannaCry malware, well the US, UK and other governments announced in late 2017 that they believed North Korea was the main suspect!
Cyberwarfare goes mainstream
The 21st Century is well underway now, and despite Hollywood painting a bleak apocalyptic demise many times over, we have yet to destroy ourselves or incite a robot uprising.
The first Cyberwar has yet to be fought (or at least the first one the public is fully aware of). Still, many nations now possess Cyber offensive capabilities, and there are now hundreds of reported events which could be attributed to Nation-state actors rather than civilians. Things have moved on since the discovery of the Stuxnet worm back in 2010 – which was used to cause significant damage to Iran’s nuclear program. Despite much speculation on its creators, no-one country has claimed responsibility. 5 years later another critical infrastructure attack took place but this time in Ukraine.
Shortly before Christmas, a Cyberattack on three of the primary energy companies managed to knock out the power grid and affected over 200,000 customers. Now, this situation would have been a serious event at any time. Still, it happened during the Russo-Ukrainian war, which was a conflict concerning the regions of Crimea and Donbass. Taking out a power grid or destabilising the civil infrastructure is nothing new in warfare but in previous wars, this was usually done with kinetic munitions, i.e. Bombs not Bytes.
Nuclear weapons remain the apex threat for a small number of countries, and despite no wartime usage since 1945, they remain ever-present in our society as the ultimate deterrent. However, their use comes with severe issues notwithstanding the catastrophic loss of life, but the longstanding irradiation that comes after. However, Cyber-weapons can be just as deadly but without reducing your enemies territory to an inhospitable wasteland for several thousand years. How easier for an attacking or invading country would it be, to disrupt the defensive capabilities of your target, turn off the power grids and confuse other civil apparatus with a few keyboard strokes and well some placed malicious software?
Disrupting power services and taking out nuclear centrifuges is one thing. But in the 21st Century, data is King and the availability to the general populous on all kinds of data from social media to DNA records as well as tracking of Planes and ships is just an app away! One of the more popular apps for flight tracking is the Swedish Flightradar24 which provides data on thousands of aircraft movements each day through a network of ADB-S receivers around the globe. These trackers are a combination of professional deployments and thousands of hobbyist setups running on Rasberry Pi’s and similar devices. These combined with Satalite date give a representation of an aircraft in flight, its speed, heading and other data. All accessible to you and I through its website and mobile app!
On the 29th September 2020, Flightradar24 engineers found themselves battling against the third cyberattack in two days, which had knocked out its services globally. Interestingly this had only disrupted the platform and caused issues for users accessing the site/app and was later attributed to a Distributed Denial of Service or DDoS attack and also no user data had been illegally accessed during the incident. A typical DDoS attack uses a botnet (thousands of infected host systems) to flood the target with requests which ultimately overload the servers and cause an outage, the question, however, was who would want to take out a flight tracking platform? Whilst no individual or group has claimed responsibility for the attack, a few different theories have been floated, and one (and at this time not proven) raises some eyebrows.
At the same time as the DDoS attack, a few thousand miles south of Sweden, the countries of Azerbaijan and Armenia was engaging in each other on the battlefield. These skirmishes were a continuation of the Nagorno-Karabakh conflict and involved Aircraft and Drones on both sides. Most Military aircraft typically do not advertise their location during combat for obvious reasons but could there have been a link between this and the DDoS attacks or was this a coincidence? With the real target, perhaps not Flightrader24 but something else that ran in the same datacenter?
Services like the one above are not the only ones that have concerns over attacks. Back in 2018, the BBC reported about a potential attack on commercial Ship tracking software. The software here was the commercial electronic chart systems used on the bridge for and co-ordinated with the GPS position of the ship. The researcher who discovered this hack realised that many ships didn’t change the default username and password for the satellite communications systems, and this could be accessed to modify the ship GPS position. Whilst the position could only be adjusted by a few hundred feet, that is more than enough to cause an accident. Now imagine if this or other tracking platforms could be used to modify true positions, you could have ships being lost or hitting other vessels due to incorrect reporting. – you could also find that vessels are in one location but report another for nefarious reasons! An attack of this kind may not have happened yet, but I suspect we may see more of these incidents in the future.
The Internet of What!
It seems that in today’s consumer world, every new gadget/toy/car/device must connect to the Internet, but at what cost? A report by IDC suggests that by 2025 we will have over 40 billion connected “things”, which will generate over 79 ZB (zettabytes) of data and just for reference 1ZB = 1,000,000,000TB (Terabyte). Do we need to be connecting everything to the Internet is the question we should be asking ourselves!
Security for many of these items is usually an afterthought, and a quick Google search will yield many results for “hacked” IoT devices. Ranging from compromised Baby Monitors to A Toy Bear whos recordings were hacked in a ransomware attack and even Sex Toys. There are so many connected devices that we now bring into our homes that are either poorly configured or use generic/default usernames or passwords the risk exposure has increased substantially.
For example, imagine a home where they use all kinds of connected devices, from home cameras indoors and out, smart lighting systems, smart heating systems and even smart locks – all connected via WiFi. Now despite having all of this technology, the occupiers of this house have just used all of the default credentials which came with the devices and set up their WiFi router in the same manner. Surely no-one is going to be able to hack these devices and cause issues? Well, the reality is yes, it’s possible, and you can even use a dedicated search-engine for IoT devices to find them. Now imagine a scenario were committing a burglary doesn’t mean breaking the windows but using a laptop and just remotely opening the doors and turning off the alarms, cameras and strolling in! It may seem like a simplified view of the world, but it’s not improbable. Not to suggest that smart homes and these devices are all insecure but perhaps need to consider the security elements of any device we bring into our home and the risks that they might pose.
Where next?
The world in which we live is changing at a phenomenal pace and even the events of this year such as the SARS–CoV–2 (Coronavirus) pandemic have not slowed down the march of technology in our lives. Many of us now work from home thanks to the massive migration from offices as part of efforts to curb the virus, and this means that organisations have had to adapt their practices to ensure users, data and devices remain secure.
The next 3 years will likely bring much more change and innovation and I look forward to seeing what comes next!