Why Industry is Losing the Battle Against State-Sponsored Attacks

A survey of nearly 200 security professionals at Black Hat 2013 shows a lack of confidence in the profession’s ability to defend against state-sponsored cyber-attacks

Lieberman Software asked a range of security professionals attending Black Hat 2013, held in Las Vegas at the end of July, a series of questions on their perception of state-sponsored attacks. The consensus is that the US is losing the battle (57.7%); that most companies do not know whether they have been breached (74.3%); that most organizations consider themselves to be likely targets at some point within the next six months (62.9%); and that only 40% are confident that they would detect such an attack.

Martyn Croft, co-founder of the Charities Security Forum and CIO of The Salvation Army UK, said: “I'm not surprised by the figures and I'd certainly have to agree with the pessimistic view that it's probably going to increase.” 

Amar Singh, ISACA Security Advisory Group London Chair, is surprised – but only because he thinks things are even worse: “I would have imagined this figure to be higher than 58% because most organizations will lose the battle if they end up on the target list of a state-sponsored attacker.”

Commenting on the survey, Philip Lieberman, president and CEO of Lieberman Software, said, “The majority of organizations are prepared for amateur hackers and low-level criminals, but are completely ill-equipped to deal with today’s advanced nation-state foes.” 

The survey itself was undertaken before news of the amount of money spent and resources used by the NSA in its own “offensive cyber operations” became known over the last few days. Last month a South Korean newspaper reported that a “contingent of 3,000 cyber warfare experts under the Reconnaissance General Bureau [of North Korea] wage cyber terrorism against the South.”

This week, sales literature for the FinFisher ‘government’ spyware was leaked onto the internet. This is just one of several trojans developed for and used by governments around the world – others include CIPAV, Bundestrojaner and DaVinci.

Luis Corrons, technical director at PandaLabs, told Infosecurity why such malware remains successfully deployed in state-sponsored attacks despite the publicity. “The effectiveness of any malware sample,” he said, “is directly proportional to the resources spent”; and nation states generally have far greater resources than criminals. “In a state-sponsored targeted attack,” he explained, “the most important part is the ability to be undetected.” The attackers – government contractors, for example – can easily discover which security technologies are being used by the target. 

“Then,” he continued, “it is as ‘simple’ as replicating the same scenario (operating system, security solution, etc) and verifying that the malware is not detected. As soon as it is flagged they will tweak it to avoid detection until they have the final version.” And once that has been achieved, “they will infect the victim and will be spying/stealing information until they are detected – which could be a matter of days, months or even years.”

Now apply the existing success of state-sponsored (and plain criminal) hacking to the evolving IPv6 world, “the next generation internet protocol that will allow every single human being on this planet to own at least 2000 fixed and permanent cyberspace addresses. Think about the attack surface when your TV, watch, wristband and car’s engine have a unique cyber space address and will be always connected to cyberspace!” warns Singh.
