In the cyber-espionage thriller Blackhat (2015), Chris Hemsworth plays a computer hacker who is freed from prison to trace a blackhat hacker — someone who breaches computer security with either malicious intent or for personal gain. As often happens, the lines between the real world and the movie world are becoming blurred.
Indeed, if drive-by downloads, ransomware, distributed denial of service (DDOS) attacks, spear phishing, botnets and advanced persistent threats (APTs) sound like they’re from the trailer of the next Mission: Impossible movie, you could be right.
According to Sergey Lozhkin, senior researcher at Russian information security firm Kaspersky Lab, today’s James Bond is more likely to be sitting at a keyboard plotting his next move than engaging in furious gun battles across the globe.
“A small piece of code is way more dangerous than any damage that Bond could do,” Lozhkin says. Today, cyber espionage is the name of the game and it’s usually carried out through advanced persistent threats, continuous and covert hacking processes targeting specific entities using multiple malware tools.
APTs have increased exponentially in number in the past five years, with a number of high-profile cases that have left governments, corporations and individuals red-faced — and out of pocket. The Carbanak APT attack earlier this year left banks across the world US$1bn poorer. The sophisticated malware used, along with the time, effort and resources ploughed into the project, mean it was more than likely sponsored by a rogue government agency, according to Kaspersky Lab.
State-sponsored attacks tend to target specific users, as opposed to the mass-distributed e-mails favoured by cybercriminals. State attackers also develop their own malware with specific goals in mind, while ordinary cybercriminals generally attempt to extract specific valuable information such as credit card numbers and passwords en masse.
Nation-state attackers often try and extract as much information as possible from their targets with the intention of going through it with a fine-tooth comb later.
The Desert Falcons APT was the first known attack by an Arab group. Kaspersky researcher Amin Hasbini says the company was able to determine that Desert Falcons started work as far back as 2011.
“They were quite well organised, consisting of 20 to 30 people working in three groups and from three locations. Each group had different targets, with some targeting mobile users, and others corporate and government users,” he says.
The Desert Falcons APT targeted government, religious, aerospace and military institutions, health organisations, those involved in combating money laundering, media groups, academics, and energy and other utilities.
Hackers were able to infiltrate users in Palestine, Egypt, Israel and elsewhere. They planted a “digital bug” that looked for special intelligence information on systems using Windows and Android and recorded audio as well as looked for SMS and call logs, along with geolocation information.
No one is safe from APT attacks, not even the president of the US, says Kaspersky. In 2014, the CozyDuke APT targeted the White House and the US department of state. Attackers were reportedly able to read President Barack Obama’s e-mails.
Those behind APT attacks tend to seek innovations and blueprints, business plans and budgets from companies, as well as military, space and other information that can be used to create the same products as competitors.
They also look for digital certificates, which are used to sign malware created by them, and create virtual credentials and physical access codes. Scientific research results, which show the different projects that governments are engaged in are also a common target.
Spear phishing
Another popular method of gaining access to systems is through the use of spear-phishing e-mails. Cybercriminals use social engineering techniques to compel users to respond, with e-mails purporting to be from a tax agency (the South African Revenue Service, for example), a regulator or some other government agency, usually by threatening action against them.
The missing flight MH370 saw cybercriminals taking advantage, with e-mails requesting “assistance” and “information” sent to various government and emergency organisations. Those keen to provide assistance downloaded malware in attachments without realising it was an attack vector. As a result, relief organisations were compromised.
Zero-day exploits are also common. Here, attackers take advantage of a vulnerability in an application or operating system, one which developers have not had time to address and patch.
One way criminals strike is by sending an e-mail alerting users to fix the problem. Other times, they take direct advantage of the vulnerability, hacking into systems.
A recent example is a vulnerability in the WordPress content management system that allows hackers to hijack websites through a comment that contains malicious JavaScript.
Distributed denial of service (DDOS) attacks are also commonplace. Here, a banking server, for example, that would usually handle 100 requests per second would suddenly receive a million requests, causing the system to malfunction.
This is known as a volumetric attack, where a huge amount of requests are sent.
Application-level attacks also disorientate the system. “Instead of just saying ‘hi’, it would also shake hands and give a hug all at the same time,” says Alexander Lebedev, head of product intelligence at Kaspersky. This would require more resources and could force a system to shut down. Such shutdowns result in reputational damage to an organisation as well as damage to clients who are unable to pay bills.
There are various online tools — Nemesys and Hulk are two — that can be downloaded to launch a DDOS attacks. According to Lebedev, DDOS attacks very often involve the use of “botnets”, or groups of infected machines that are controlled by one person.
Lebedev says that the underground in which cybercriminals operate uses bitcoins to sell and share services, or even rent a botnet for a criminal network. The price to rent a botnet controlling a thousand devices is just $50/day, according to Kaspersky.
In an operation with Interpol, the company helped take down the Simda botnet, which had been running since 2009 and which controlled 770 000 devices. The botnet was used to launch attacks on news and media organisations around the world. Lebedev says the average cost to a small business from a botnet attack is $52 000.
Ransomware
So-called “ransomware” is another growing problem.
Five years ago, it mostly involved computer users receiving a message from someone who had compromised their machine and locked it down and demanding a fee to unlock it. IT specialists were nevertheless able to unlock these computers, albeit with some effort.
Today, says Lozhkin, the situation is very different. “Hackers have developed cryptors that fully encrypt all your data on your hard drive. The IT guys cannot help anymore,” he says.
The only way to decrypt this data is to pay cybercriminals to obtain a unique key.
Lozhkin says the most vulnerable targets are small businesses and government organisations that don’t have permanent or fully protected IT systems.
Users are typically asked to pay the ransom in bitcoins — to avoid detection — and are even directed to websites where they can change money to bitcoins.
Ransomware offers a huge pay-off. “Malware for ransomware is sold for $5 000. You can go to a botnet owner and gain access to thousands of computers for a minimal price. Income may be up to $25 000/day,” says Lozhkin. Also, cybercriminals do not do everything manually, but have created fully automated systems that decrypt test files and monitor payment. They even use social networks such as Twitter to show clients evidence of decrypted computers once users have paid.
Is anyone safe?
So, is anyone safe? A popular method of gaining access to users’ computers is by giving out USB sticks or even computer mouses that are able to infect computers once connected. And who has said no to one of those? Most people plug them in without giving it a second’s thought.
Nevertheless, cyber security is a shared responsibility, says Kaspersky. Governments need to act to protect citizens’ information and vital infrastructure and companies need to protect clients and employees.
But Kaspersky says the biggest weakness remains the one between the chair and the keyboard. Hackers take advantage of the human factor in developing social engineering methods to gain access to IT systems.
So, think before you click. Or you might end up in some nasty horror story not thought up in Hollywood.
- The writer travelled to a Kaspersky Lab conference in Lisbon, Portugal as a guest of the company