The face of hacking gets uglier: how the diplomatic landscape affects what is happening in cyberspace

22 September 2015 – Cyberattacks from Russia have increased because of sanctions related to the Ukraine while assaults from Iran have dropped over recent months, thanks to the recent Iran nuclear deal.

So says David DeWalt, FireEye‘s chief executive officer, who said these changes show how the diplomatic landscape affects what is happening in cyberspace even though the overall trend is towards increased attacks. From tracking 50 or so offensive hacker groups three years ago, FireEye is now monitoring 350 groups who are busy “stealing, disrupting and spying,” according to DeWalt.

FireEye personnel were conducting one of their many EMEA regional press briefings, this one in Madrid. As I noted in a previous post, Spain has become the third biggest target of APTs – advanced persistent threats – in the entire EMEA region over the recent months. FireEye noted that Israel and Saudi Arabia are the largest targets, both attacked more than Germany and the UK. The reason for Spain’s prominence isn’t clear, said FireEye.

As cyber security experts have noted numerous times, state-backed hackers in Russia work closely with cybercrime elements which have been been particularly active in targeting U.S. retailers such as Target as well as equity and hedge funds over the last two years or so.

FireEye noted that attacks targeting credentials and log-in details, as well as assaults targeting supply chains rather than targeted organisations directly, are becoming more commonplace. Energy, government and aerospace are the industry verticals most on the front line but most industry sectors are affected to a lesser or greater extent.

And, said a FireEye staffer, they estimate that the median time for firms to simply detect attacks is 205 days, or around seven months. And it takes around a month (32 days) to respond to attacks. DeWalt said major breaches such as eBay, Adobe and, more recently, the US government’s Office of Personnel Management leak are making the security situation worse.

In particular, FireEye has seen data harvested from last month’s breach of the Sabre airline reservation system abused in follow-up attacks. Credential stealing or using credentials to carry out further attacks is the arms race we’re in with attackers and these ID “data dumps” will continue to create huge problems downstream.

These were also the points we picked up at the Georgetown Law School’s “Cybersecurity Law Institute” (a brilliant event; held every year; I encourage you to attend): stolen IDs and software vulnerabilities are the hackers’ two main tricks. DeWalt noted the two were brought together over recent months in successful attacks that planted backdoored operating systems onto Cisco routers. These attacks were carried off remotely and used to redirect packets.

Well, at least the Chinese government is not involved in this horseplay.  When U.S. national security adviser Susan Rice issued a “stern” warning to China yesterday that state-sponsored cyber espionage must stop, China’s president Xi Jinping noted (preparing for an imminent state visit to the U.S.):

“The Chinese government does not steal commercial secrets or support Chinese companies which do so. Cyber theft of commercial secrets and hacking attacks against government networks are both illegal; such acts are criminal offences and should be punished according to law and relevant international conventions”. 

Phew. That’s a relief.