I’m interrupting my series of 2009 mega-trends and 2010 projections to discuss the current situation in cybercrime.
What a crazy week. First Google says it is prepared to pull its business out of China after cybercriminals used Trojans to break into the Gmail accounts of human rights activists who oppose the Chinese government. Then it becomes clear that over 30 corporations from the Internet, media, finance and technology sectors, as well as defense contractors, were also attacked last month. The hackers were reportedly looking for intellectual property and source code. Yikes.
In the aftermath of all of this, the governments of France and Germany warned the public not to use Microsoft Internet Explorer and to move instead to Firefox or Chrome. I don’t speak French, but “Le CERTA recommande l'utilisation d'un navigateur alternatif” (“CERTA recommends using an alternative browser”) seems quite clear.
As I said, crazy week. No wonder security executives call this a watershed moment. I’d even go further and say it’s the dawn of a new era in information security: the era of high-profile
In my Curse of the Were Laptop blog I suggested that the next big threat on corporate networks will not come from insiders or from direct attacks; it will come from employees infected
Which is what happened here. On January 12th, Google published a blog post titled “A new approach to China”. In it Google shared that multiple corporations had been attacked by taking over employee PCs, and that there was evidence the perpetrators attacking Google had tried to access the Gmail accounts of human rights activists who oppose the Chinese regime. Google alleged that the source of the attack was in China.
As a result, Google said it would stop censoring search results on google.cn and review its entire operation in China, pulling out completely if need be. Google later announced it had halted plans to launch its new Android phone in China. Without going into the political ramifications of Google’s statement, this blog post started a virtual war between the red giant and the search giant. US Secretary of State Hillary Clinton called on China to investigate the allegations seriously, raising the issue to the level of national foreign policy.
The full scale of the highly coordinated attack on multiple corporate targets was revealed by McAfee, which named it Operation Aurora. According to the anti-virus company, a zero-day vulnerability in Internet Explorer (the bug was subsequently tracked as CVE-2010-0249 and fixed by Microsoft’s out-of-band bulletin MS10-002), combined with a known PDF vulnerability, gave the cybercriminals access to employee PCs in multiple corporations.
The employees opened a spear-phishing email containing a poisoned PDF file, triggering a chain of exploits that ended with the cybercriminals taking over their machines. This RSA Online Fraud Report describes what spear phishing and whaling (spear phishing aimed at senior executives) look like. For those seeking a more technical description of the attacks, you can try
Once the PC was compromised, a Trojan was downloaded to the machine, and from that hijacked endpoint the corporate network was accessed. Google, Adobe and 32 other companies are said to be the targets of the attack.
Note that the attacks were not directed at the network. They were directed at corporate employees, and their objective was reportedly to steal intellectual property by first taking over the endpoints and from there continuing into the corporate network. The perimeter was never the target; a trusted user’s workstation was the beachhead.
This methodology is made possible by the combination – almost a celestial alignment – of two major trends that ripened in 2009:
high-grade Trojans and unprecedented
Who was behind the attack? The fact that the attack was well coordinated and combined tried-and-true techniques such as spear phishing and PDF poisoning with a rare zero-day exploit and various pieces of advanced malware suggests a certain degree of sophistication, but not something beyond the capability of talented, knowledgeable hackers wishing to get their hands on intellectual property. It could also be a foreign-power-backed industrial espionage effort, as suggested by USA Today, the Wall Street Journal and Krebs on Security. One has to wonder, though: in such situations you want a silent incursion, getting away with a lot of assets without leaving incriminating traces. This wasn’t the case with Operation Aurora. It was quite noisy.
In any event, the first bullet in a virtual war has been fired: Google vs. China; cybercriminals against 34 giant corporations; France and Germany vs. Internet Explorer (due to the new zero-day vulnerability). There are a lot of interests at stake.
It will also be an interesting decade from a cybercrime perspective. Employees are one of the weakest links in corporate security, and cybercriminals and cyber-warfare specialists now fully understand that.
The current defenses no longer suffice; the industry must think of a new defense doctrine.
As general advice I’d say: go and talk to the security folks in the financial sector. They’ve been fighting an almost identical problem for years: rather than rob the bank, the fraudster penetrates the user accounts. The same thing is happening now in the enterprise. Here’s what worked well in the financial struggle against the Dark Cloud of cybercrime: multiple layers of visible and invisible defenses; behavioral profiling of user activities; collaborative threat mitigation; cybercrime intelligence and pro-active countermeasures. In the enterprise space you can add advanced Data Leak Prevention (DLP) technologies, virtual desktops complete with embedded controls, and desktop hardening to the mix. But essentially the same principles can work in the corporate fight against these emerging cyber threats.
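To make “behavioral profiling of user activities” concrete against the attack chain described earlier (poisoned attachment, Trojan download, then network access from the hijacked endpoint), here is an added example in Python. It is not code from the original post or from RSA; it is a small profiler that baselines each user’s normal external destinations and internal hosts, then flags deviations that line up with the chain. The user names, domains, host names and every event below are constructed for the illustration.

```python
"""Behavioural profiling of user/endpoint activity (added example; all data constructed)."""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Processes whose job is to render documents; they have no business launching shells.
READER_PROCESSES = {"AcroRd32.exe", "winword.exe"}

# Constructed per-user baseline. In practice this is aggregated from weeks of
# endpoint, DNS/proxy and file-server logs rather than hand-written.
BASELINE: Dict[str, Dict[str, Set[str]]] = {
    "alice": {"ext_domains": {"mail.example.com", "cdn.example.net"},
              "internal_hosts": {"fileserver-hr", "intranet"}},
    "bob":   {"ext_domains": {"mail.example.com", "cdn.example.net"},
              "internal_hosts": {"fileserver-eng"}},
}
EMPTY_BASELINE: Dict[str, Set[str]] = {"ext_domains": set(), "internal_hosts": set()}

Event = Tuple[str, str, str, str]  # (ISO timestamp, user, kind, detail)

# Constructed "today" events: alice plays the compromised employee, bob a normal one.
EVENTS: List[Event] = [
    ("2010-01-12T09:01:00", "alice", "process", "AcroRd32.exe>cmd.exe"),  # reader spawns a shell
    ("2010-01-12T09:01:05", "alice", "dns", "update-svc.example.org"),   # Trojan check-in every 300 s
    ("2010-01-12T09:06:05", "alice", "dns", "update-svc.example.org"),
    ("2010-01-12T09:11:05", "alice", "dns", "update-svc.example.org"),
    ("2010-01-12T09:16:05", "alice", "dns", "update-svc.example.org"),
    ("2010-01-12T09:20:00", "alice", "smb", "fileserver-eng"),           # hosts alice never touches
    ("2010-01-12T09:21:00", "alice", "smb", "srcrepo"),
    ("2010-01-12T09:02:00", "bob", "process", "explorer.exe>winword.exe"),
    ("2010-01-12T09:03:00", "bob", "dns", "mail.example.com"),
    ("2010-01-12T09:04:00", "bob", "dns", "news.example.com"),           # new, but harmless on its own
    ("2010-01-12T09:30:00", "bob", "smb", "fileserver-eng"),
]

# Which step of the chain each indicator belongs to.
STAGE = {"reader_spawned": "exploit", "new_domain": "c2",
         "beacon": "c2", "new_internal_host": "lateral"}


def is_beacon(times: List[datetime], tolerance_s: float = 5.0) -> bool:
    """True if three or more contacts occur at near-constant intervals (machine timing)."""
    if len(times) < 3:
        return False
    ordered = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
    return max(gaps) - min(gaps) <= tolerance_s


def score_user(events: List[Event], baseline: Dict[str, Set[str]]) -> Set[str]:
    """Return the deviation indicators raised by one user's events against their baseline."""
    indicators: Set[str] = set()
    new_contacts: Dict[str, List[datetime]] = defaultdict(list)
    for ts, _, kind, detail in events:
        if kind == "process":
            parent, child = detail.split(">", 1)
            if parent in READER_PROCESSES:           # the poisoned-document step
                indicators.add(f"reader_spawned:{child}")
        elif kind == "dns" and detail not in baseline["ext_domains"]:
            new_contacts[detail].append(datetime.fromisoformat(ts))
        elif kind == "smb" and detail not in baseline["internal_hosts"]:
            indicators.add(f"new_internal_host:{detail}")  # the "breach from the endpoint" step
    for domain, times in new_contacts.items():
        indicators.add(f"new_domain:{domain}")
        if is_beacon(times):                          # the Trojan check-in step
            indicators.add(f"beacon:{domain}")
    return indicators


def analyse(events: List[Event], baseline: Dict[str, Dict[str, Set[str]]]) -> Dict[str, Set[str]]:
    """Score every user seen in the events; unknown users get an empty baseline."""
    by_user: Dict[str, List[Event]] = defaultdict(list)
    for ev in events:
        by_user[ev[1]].append(ev)
    return {u: score_user(evs, baseline.get(u, EMPTY_BASELINE)) for u, evs in by_user.items()}


def alerts(events: List[Event], baseline: Dict[str, Dict[str, Set[str]]],
           min_stages: int = 2) -> Dict[str, Set[str]]:
    """Alert only when indicators span several stages of the chain; one odd domain is noise."""
    out: Dict[str, Set[str]] = {}
    for user, ind in analyse(events, baseline).items():
        stages = {STAGE[i.split(":", 1)[0]] for i in ind}
        if len(stages) >= min_stages:
            out[user] = ind
    return out


if __name__ == "__main__":
    for user, ind in alerts(EVENTS, BASELINE).items():
        print(user, sorted(ind))
```

The point of the stage threshold is the one the post makes about Aurora being “noisy”: any single indicator (a new web site, one odd child process) produces false positives, but a document reader spawning a shell, followed by a never-seen domain contacted on a fixed timer, followed by first-time access to internal hosts, is the whole chain, and that combination is rare in legitimate activity. Two caveats a practitioner would add: the baseline must be long enough to cover a user’s genuine variety, and a Trojan that randomises its check-in interval defeats the naive fixed-gap beacon check, so real deployments score jitter statistically rather than requiring near-equal gaps.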