Increasingly, cybercrime is not just being perpetrated by hackers and syndicates within U.S. borders, but those that operate outside them. And, many of the countries where these online attackers operate are either actively supporting them, or at the very least, allowing them to thrive and perpetuate their crime. “Russians, for example, turn a blind eye to a lot of crime, they have a more permissive attitude toward organized crime,” says Gary McGraw, chief technology officer at Cigital, a software security firm based in Dulles, Va. “The government looks the other way.”
Russia and a number of countries in Eastern Europe initially emerged as hacker havens – areas of the globe where cybercriminals could ply their trade without worrying that the government or state law enforcement would crack down on their work, or expend much effort to extradite them to the United States or other countries that would penalize or jail them. Why here? Eastern Europe has been a haven for cybercriminals since the internet began, according to Rick Howard, chief security officer at Palo Alto Networks, a network security company based in Santa Clara, Calif. “Many of these countries have excellent engineering schools [and] when the wall came down in 1989, there was no work for these brilliant engineers,” he says. “Some of them went into cybercrime in order to make a living. Some organized crime factions scooped these technicians up to add cybercrime to the portfolio.”
Johannes Ullrich (left), dean of research for the SANS Technology Institute (STI), which educates managers and engineers in information security practices and techniques, and chief technology officer of the SANS Internet Storm Center, a division of STI which keeps track of malicious activity on the internet, agrees that Russian and eastern European cybercriminals often work together, creating “a strong criminal infrastructure… with a good range of technically savvy individuals.”
But the threat is no longer isolated to a single region, or even a single class of nefarious groups. In countries like China, Ukraine and Iran, and some countries within the Pacific Rim, South America and Africa, a tolerance for fraudulent activity combined with the emergence of more skilled engineers – who may lack for legitimate opportunities – are creating more of these hacker hotspots throughout the globe. “It really comes down to there being a climate that's conducive to the proliferation of cybercrime,” says Casey Ellis, CEO and co-founder of Bugcrowd, a San Francisco-based vulnerability assessment company. “Of course, not everyone with cybersecurity chops in these parts of the world are malicious, but this does somewhat explain the concentration of gifted hackers in those parts of the world.”Kevin Epstein, vice president of advanced security and governance for Proofpoint, a Sunnyvale, Calif.-based provider of SaaS and on-premises solutions, agrees. “Any city or geographic region that hosts smart people with access to computing technology will breed hackers,” he says. “Whether those hackers choose gainful legal employment or a life of crime depends on the same factors that would influence residents to pursue legal or illegal activities in the physical world. As has been proven over centuries, a poor economy and minimal law enforcement presence can push even honest citizens into committing criminal acts.”
In some countries, particularly Iran and China, the offensive capability can be a direct result of sponsorship by the states themselves, Ellis adds. Increasingly, malware distribution is “controlled by the nation-state and the highest bidder,” according to Hugh Thompson, chief technology officer and SVP of Blue Coat Systems, a Sunnyvale, Calif.-based provider of security and networking solutions. The whole discipline is becoming more professionalized in these countries that support it, he says, pointing up the improved quality of phishing emails with fewer misspellings or tell-tale signs of their point of origin. Criminals based in these hacker havens, he says, are getting far more sophisticated about writing in the local language of the countries where they are perpetrating their exploits. As well, they and putting in false clues, making it harder for companies and law enforcement to trace malicious code back to the source.
As a result, we will see two distinct kinds of havens for internet-based criminal activity, says Andrea Little Limbago, principal social scientist at Endgame, an Arlington, Va.-based vulnerability research firm, and co-author of a whitepaper, “Operational Cyber Intelligence,” for the Intelligence and National Security Alliance (INSA). She believes countries like Ukraine and Belarus are havens for non-state criminal networks, whereas Iran, China and Russia are havens for state-sponsored espionage. The low barriers to entry and weak economies make criminal behavior on the internet a relatively easy, low-risk, high-reward alternative to traditional crime in places like Eastern Europe, where criminals are motivated by opportunity, she says. Conversely, groups in Iran, China, and Russia are usually either state-sponsored or motivated by nationalism. These groups have emerged to lead cyber-espionage efforts on behalf of their states' economic or military interests.
Attacks emanating from these hacker havens are not only growing in number and sophistication, but are increasingly becoming more high-profile, more damaging and harder to root out. Ellis points up the widely publicized, and highly embarrassing, hack on Sony's internal systems, which has been attributed to North Korea, as well as Operation Aurora, a series of information security attacks against Google tracing back to 2009, which reportedly came from groups in China. Since many of these emerging hacker havens have poor relations with the United States, or have a wide base of citizens that dislike U.S. policies, there is a ripe climate for these attacks to be directed toward U.S. companies, government agencies and private citizens.
In countries like Iran, China and Russia, governments employ digital statecraft externally as part of espionage campaigns, but also internally as part of propaganda or information suppression campaigns, Limbago says. “Computer intrusions against adversaries are not only condoned, but are also supported and perceived as a legitimate aspect of the state's global strategy,” she adds. Russia condones the global bank breaches with ties to Russian-based groups, while also hampering law enforcement efforts. Particularly in the former Soviet bloc countries, Limbago says that states will often turn a blind eye to criminal activity, even if they aren't necessarily protecting the transnational groups perpetrating the crime. The government of Ukraine, for example, was recently linked to $1 billion in global banking heists executed by individuals hiding out there.
Chinese hackers have been implicated in cyberattacks on the U.S. Office of Personnel Management, the U.S. Postal Service and National Weather Service, and the theft of F-35 jet fighter blueprints from Lockheed Martin and its contractors, as well as exploits against steel industry companies such as Alcoa, U.S. Steel and Westinghouse. Indeed, Howard says that China has been famous for cyberespionage ever since TITAN RAIN, the code name that the U.S. Department of Defense used to label cyberespionage activities from the Chinese government, became public in the early 2000s. Meanwhile, system breaches of the White House and U.S. State Department unclassified networks, Neiman Marcus and J.P. Morgan Chase & Co. have been traced back to groups in Russia. Similarly, the cyberattacks on Home Depot and Target, as well as the pernicious Zeus malware can be linked to groups or individuals in Eastern Europe. Groups in Iran were implicated in a series of denial of service attacks on U.S. banks in 2012.
There are examples of hackers in Ukraine, Russia and the United States, says Marc Maiffret, chief technology officer for BeyondTrust, a a global cyber security company based in Phoenix. “And, of course, no day goes past where an attack isn't linked to China.”
It's not just a matter of sophisticated state-sponsored hacking mixed with everyday cybercrime, according to Maiffret, but also that foreign intelligence agencies will do things like hacking or leveraging existing cybercrime networks or botnets in order to piggyback these systems and better blend in with the noise.
Vikram Phatak, CEO of NSS Labs, an information security research and advisory company based in Austin, Texas, is increasingly seeing a blending where cybercriminals are “reservists” for their governments. Pakistan and Syria are just the latest hacker hotspots that Phatak has seen emerge.
And, this widespread protection is also paving the way to more sophisticated exploits. State-sponsored hacking does not necessarily create centers for protection, but what they do is create a resource-rich environment to support globalized attacker anonymity or obfuscation, says Peter Tran, senior director for the advanced cyber defense practice at RSA, a Bedford, Mass.-based computer and network security company. “It achieves this by creating economic ecosystems for cybercriminals and nation-state hackers to collaborate, partner or use a globalized channel over the internet to monetize malware as a commodity.”
Industry observers say that these hacker havens will continue to evolve and flourish. ISIS (the Islamic state of Iraq and Syria) is gaining traction with its digital activities, and given the established nexus between criminal groups and terrorist organizations, it seems likely that they will explore digital theft and espionage as well, according to Limbago. Similarly, Latin American drug gangs, such as Los Zetas and the Sinaloa cartel, have a similar organizational structure to groups in Eastern Europe and have demonstrated criminal activities in the cyber domain. There also are signs of Russian organized crime syndicates in places like Peru that could transfer their knowledge to local groups, exploiting some of the under-governed spaces and government corruption, she says. “Many of these countries are particularly susceptible,” Limbago adds, “because they have an IT infrastructure that is mature enough to enable cybercriminal behavior coupled with weak rule of law and preexisting criminal networks.”
Fighting the hidden foe: Integrating cybersecurity
It is hard enough to combat the existing cybercrime threat on our own home turf – with the weight of local and federal law weighing in support. But how can organizations hope to limit the effect of malicious hackers who operate far from the reach of U.S. law and under the protection of their own sympathetic governments?
Many experts say that the first step is understanding that it might not be a matter of if, but when, these foreign hackers will come calling.
“I believe that these days there isn't a single company in the United States with more than 50 employees that hasn't already been compromised in some way,” says Rodney Joffe (left), senior vice president, senior technologist and fellow for Neustar, a Sterling, Va.-based firm that provides real-time information and analytics. “Unfortunately, a lot of companies refuse to believe that.”
Government protection, or even support, has boosted these adversaries to the point that typical counter-measures simply will not do, according to Peter Tran, senior director for the advanced cyber defense practice at RSA. These criminal elements have an unprecedented business model that legitimate businesses can't keep up. “Companies, industries and governments have used traditional approaches to cyber defense that have been reactive as opposed to intelligence-driven,” he says.
And, as the Internet of Things seeps into more areas, the attack surface for foreign hackers will only increase, says Hugh Thompson, chief technology officer of Blue Coat Systems.
A lot of the advice offered by experts is just for organizations to operate solid, standard cybersecurity hygiene and protocol. Rick Howard, chief security officer at Palo Alto Networks, says that since organizations will never be able to keep out every advanced adversary, they must instead make it extremely difficult for them to operate. Specifically, he recommends deploying security controls at each point in the kill chain; configuring and adapting each security control to function properly; regularly capturing metrics for each deployed security control so that the security department can confirm that it is doing what it is originally designed to do; and reviewing initial design considerations and making the appropriate changes.
While organizations have no control over these malicious attacks, managing their own vulnerabilities and response is key, says Casey Ellis, CEO and co-founder of Bugcrowd. “Identify your assets and prioritize their protection. Determine where your vulnerabilities are – in your code, your networks and your processes – and run through scenarios within your company to determine how you'd react and what would happen if a breach were to occur,” he says.
However, companies will likely need the support of the U.S. federal government and law enforcement if they want to slow the forward progress of activities at the source. “Companies, industries and governments must find a way to adjust the cost-benefit calculus using tools of cyber, diplomatic, legal and economic statecraft,” says Andrea Little Limbago, principal social scientist, Endgame. Currently, there are economic sanctions against Russia, Iran and North Korea – three of the leading countries involved in state-sponsorship of digital economic and intellectual property theft against the United States, she points out. Additionally, the FBI just placed a $3 million bounty on Evginy Bogachev, a Russian hacker and the world's most wanted cybercriminal, and Senator Mark Warner (D-Va.) recently called for increased efforts to combat cybercriminals in Ukraine as a condition for a military aid package to that country, says Limbago.
“Integrating cybersecurity cooperation into other forms of cooperative agreements can impact governments harboring non-state sponsored criminal groups as well,” Limbago says. “All of these tactics – both sticks and carrots – must be thoughtfully employed to impact the risk calculus of adversaries.” – KEH