Yahoo’s attribution of its recently revealed hack to a state actor provoked some scepticism in the technology industry. For the average IT professional, it raises some key questions: what are state cyber attacks and do they pose a threat to my business?
The term state attack can be applied quite broadly, covering attacks carried out directly by a state as well as attacks sponsored or backed by a state but carried out by nominally separate entities.
The idea of a war taking place in cyber space is nothing new, and in many ways is a continuation of existing tensions between countries. As Bob Tarzey of Quocirca says, “as we have all moved online so has state and corporate espionage.”
As in other areas, in cyber space the state can bring its vast resources to bear and outclass the competition.
A hack of internal Democratic Party emails earlier this year was attributed to Russia, while the US and Israel were blamed for attacks on critical Iranian infrastructure.
Jason Larsen, Principal Security Consultant at US security firm IOActive, a company which infamously hacked into a jeep at the Black Hat conference, says that in many famous examples of state cyber attacks, the attacker left their “fingerprints” on the attack so that the victim would know who had done it.
In the Stuxnet attack on Iran, for example, Larsen says, the US and Israel did not try to hide their involvement.
Russian government attacks are mainly aimed at undermining western political stability, Quocirca’s Tarzey says, while China, which he says is the biggest perpetrator, aims to steal intellectual property from Western businesses.
“The Chinese government employs a large number of hackers who go about their work as a 9 to 5 job, and it seems so normal to them that they probably do not even see it as theft,” Tarzey says.
Larsen of IOActive adds that “The Chinese MO is that they stage things: they have specialists. They have the guys that hack into a system, then those guys go away. Then the new guys map out the place and figure out how it will go. Then they have the specialists that do the attack, followed by the guys that clean up.”
From a Western perspective, Larsen says that countries such as the UK and US work closely together and have similar styles to each other.
“The US gets accused of bringing everything and the kitchen sink: bureaucracy, lots of bureaucracy. Personal US attackers are cowboys. They don’t really have a plan; they just hack into everything. There could be easier or subtler ways but they just beat their way through till they get to their objective.
“US Government has lots of bureaucracies. You see their payloads. Rather than being a small crafted payload, they bring this 20 MB thud that has everything a bureaucrat wants.
“You have to have all of these things such as non-attribution and end up with these monster payloads. By the time you build the thing it’s monstrously overbuilt.”
Larsen says that this feature stood out during the attack on Iran. However, if the attackers had wanted to, they could have mimicked the style of another country, such as China.
The use of a hack to make a statement is one way that these hacks differ from ordinary criminal attacks. When making money is the key, hackers will be keen to keep the hack, as well as their identity, hidden for as long as possible in order to maximise their profits.
This political point-making manifests in other ways. For example, an attack on the Ukrainian power grid late last year, according to Larsen, was carried out in an unnecessarily theatrical way.
“Anyone who has the skill to hack in has the skill to write a piece of code to open the breakers. Instead they let the operator watch as they clicked and opened all the breakers. They wanted the operators to sit there and freak out.”
From the victim’s perspective, the attribution is also political: in many cases it would be perfectly possible to pretend that no hack had happened. For example, infrastructure failure could just be blamed on an outage.
All of this means that unless the attacker or the victim is trying to make a point, it is very difficult to attribute an attack with any certainty, or for the general public to determine that an attack has even taken place.
Unlike invading a country or launching an airstrike, it is easy for states to obscure their involvement in cyber space.
Larsen says that the “beauty of cyber is that it’s easy to throw the blame on someone else.
“In the cyber realm you never really know who did it unless they let you know.”
Chris Pogue, Chief Information Security Officer at Nuix, says that “it’s just a few mouse clicks for me to launch an attack from Tulsa, Oklahoma, and make it look like it’s coming from Moscow, Russia.”
Cameron Brown, an independent cyber defence adviser, notes a few examples where attribution has been difficult: the cyber-attacks launched upon Estonia in 2007, and South Korea in 2009.
“The Estonian authorities were convinced that the Russian government perpetrated the cyber-attack. They admonished the Russians publicly and requested military assistance from NATO.
“Yet, some investigators contend that Russia was not the protagonist, with attack sources reportedly traced to Brazil and Vietnam. In the case of cyber-attacks against South Korea, authorities were certain that the source of attack was unequivocally North Korea.”
To add to the confusion, Brown says, it was then conceded that the attacks may have originated from at least six countries, including the United Kingdom and the United States.
It’s not surprising, then, that there is some scepticism around Yahoo’s attribution of its hack to a state actor. But this doubt doesn’t really help the average business that has to look out for these attacks. Is there, in fact, anything that can be done to stop an attack by such a formidable adversary?
Companies that are targeted have little means to respond.
“In the US and elsewhere there is considerable debate about enacting legislation that would allow private entities to retaliate against cyber-incidents,” says Cameron Brown.
“Countermeasures that stretch beyond localised network perimeters and into foreign jurisdictions are likely to break the laws of both the originating and target countries.”
As Brown says, “nation-states are afforded use of force privileges to safeguard their sovereignty, and civilians and businesses are not.”
He warns that those targeted may be ill-equipped to deal with the blowback of direct engagement with such an adversary.
In legal terms, Helen Davenport, a Director at Gowling WLG, also notes difficulties:
“There is a distinction between the ‘state’ and the ‘actors’ themselves. Whilst the options for companies to take action against a foreign state in the event of a breach would be limited, and would require the involvement of the company’s own state, legal recourse is available against the party that was responsible for the hack as would be potentially available against any other equivalent hacker.
“However, it is generally more difficult to pursue cyber criminals across jurisdictions and any state sponsored actors may well have greater resources and more sophisticated ‘tools’, making them even harder to pursue.”
Regardless, Steve Manzuik, Director of Security Research at Duo Security’s ‘Duo Labs’, says that defending against a state goes back to standard security strategy.
“This is part of the problem we have in security. Companies are running out and buying different technologies to do different stuff. It ends up being expensive with big teams to run it, but these companies are still getting breached.”
Manzuik says that the starting point still needs to be the basics.
“A lot of the big hacks we’ve seen, if they had first done the basics they’d be more secure: strong passwords, patches and two-factor authentication.
“On the state side, you do your basics first, then you do your monitoring where you have critical assets.”
It is clear that state cyber attacks will remain a menace to those companies of interest to foreign adversaries. In the face of such a danger, the only solution is to take security as seriously as possible.