
2012 Will See Rise in Cyber-Espionage and Malware, Experts Say

The security industry expects the number of cyber-espionage attacks to increase in 2012 and the malware used for this purpose to become increasingly sophisticated.

In the past two years there has been a surge in the number of malware-based attacks that resulted in sensitive data being stolen from government agencies, defense contractors, Fortune 500 companies, human rights organizations and other institutions.

“I absolutely expect this trend to continue through 2012 and beyond,” said Rik Ferguson, director of security research and communication at security firm Trend Micro. “Espionage activities have, for hundreds of years, taken advantage of cutting-edge technologies to carry out covert operations; 2011 was not the beginning of Internet-facilitated espionage, nor will it be the end,” he added.

Threats like Stuxnet, which is credited with setting back Iran’s nuclear program by several years, or its successor, Duqu, have shocked the security industry with their level of sophistication. Experts believe that they are only the beginning and that more highly advanced malware will be launched in 2012.

“It is quite possible that we will see another of these threats in the near future,” said Gerry Egan, director of security response at Symantec. Duqu was used to gather design documents from companies that manufacture industrial control systems and could be a precursor to future Stuxnet-like industrial sabotage attacks, Egan explained.

“It is likely that new Duqu variations will cause mayhem in early 2012,” said Jeff Hudson, CEO of Venafi, a provider of enterprise key and certificate management solutions. “We have to be on a new state of alert to safeguard our assets and be better prepared to respond when the threat strikes.”

Battles, But Not Cyberwar

However, despite the emergence of Stuxnet and Duqu, security experts don’t believe that the world is actually watching a cyberwar in progress.

“To have any opposing action earn the title of ‘War’, there must be a declared state of conflict, and to my recollection, this has never happened in the case of CyberWar,” said professor John Walker, a member of the Security Advisory Group at ISACA, an organization that certifies IT professionals, via email.

“However, if we were to frame the question relating to ‘CyberConflict’, then I would consider this to be a very different case, where regular aggressive deployment of such capabilities occurs in one form or another in support of either a political or military purpose,” he added.

Countries like the U.S., U.K., Germany, China and India have established specialized teams and centers to defend government assets against cyberattacks and even to retaliate, if necessary. However, determining with certainty who is behind Internet-based hostile operations is impossible most of the time, and that is just one of the problems.

“All countries are wrestling with the question of retaliation,” Gerry Egan said via email. “If a blatant act of cyber war has occurred, how does one country retaliate and to what extent? What is a proportionate response?”

Threats like Stuxnet and Duqu could very well lead to major international cyber-conflicts in the future, but for now companies and governments should be more worried about cyber-espionage attacks that use simpler data exfiltration tools.

These unsophisticated, yet effective, pieces of malware are known in the security industry as Advanced Persistent Threats (APTs) and are usually distributed via social engineering. Operation Aurora, Shady RAT, GhostNet, Night Dragon and Nitro are all examples of APT attacks reported during the last couple of years that have affected hundreds of organizations worldwide.

Bracing and Training

The number of APT attacks is likely to escalate in 2012 and defending against them requires frequent employee training and more aggressive protection technologies like those based on white-listing, file reputation, and application behavior.

“People still represent the weakest link in security for a large amount of enterprises and that is the reason they are targeted,” Ferguson said. “Training still has an important place in an organization’s security planning but it needs to be ongoing training, not a one-time only event.”

“So far we have been doing a much better job patching software than patching people,” said Amichai Shulman, CTO at security firm Imperva. “I spent time in the military trying to educate people about information security. It didn’t work there and it won’t work anywhere else.”

There should be a shift in protection paradigms and more control should be put around the data source. Restricting which applications can read certain information and detecting anomalous behavior, like sensitive data being accessed at strange hours of the day or being transferred in large quantity, is part of the solution, Shulman believes.
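As an added illustration of the controls described above (restricting which applications may read a data source, and flagging access at odd hours or in large volume), here is a small detector run over constructed access-log lines. This is example code written for this page, not code from the article or from Imperva; the log format, the business-hours window, the allow-list and the byte thresholds are all assumptions chosen for the example. It also shows a case the paragraph only implies: many individually small reads that add up to a large daily volume.

```python
"""Toy anomaly detector for sensitive-data access logs.

Flags the signals the article names: reads by applications not approved for
a data source, access outside business hours, and large transfers. Thresholds,
allow-list and log format are assumptions for this example, not product rules.
"""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample log lines (not real data):
# timestamp | user | application | resource | bytes transferred
SAMPLE_LOG = """\
2012-01-09T09:15:00 alice reporting_app customer_db 204800
2012-01-09T10:02:00 bob   reporting_app customer_db 102400
2012-01-09T23:47:00 alice reporting_app customer_db 512000
2012-01-10T03:12:00 carol sqlclient     customer_db 734003200
2012-01-10T11:30:00 bob   reporting_app customer_db 83886080
2012-01-10T12:05:00 bob   reporting_app customer_db 83886080
2012-01-10T14:05:00 bob   reporting_app customer_db 83886080
"""

# Assumed policy values for the example.
BUSINESS_START = time(7, 0)
BUSINESS_END = time(19, 0)
LARGE_TRANSFER_BYTES = 100 * 1024 * 1024       # a single read above 100 MiB
DAILY_VOLUME_BYTES = 200 * 1024 * 1024         # per-user total above 200 MiB/day
ALLOWED_APPS = {"customer_db": {"reporting_app"}}  # which apps may read which source


def parse_line(line):
    """Split one whitespace-separated log line into a dict."""
    ts, user, app, resource, nbytes = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "app": app,
            "resource": resource, "bytes": int(nbytes)}


def detect_anomalies(log_text):
    """Return a list of (rule, user, timestamp) findings in log order."""
    findings = []
    daily_volume = defaultdict(int)   # (user, date) -> bytes read so far
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        stamp = ev["ts"].isoformat()

        # Rule 1: an application not on the allow-list read the data source.
        if ev["app"] not in ALLOWED_APPS.get(ev["resource"], set()):
            findings.append(("unapproved_application", ev["user"], stamp))

        # Rule 2: access outside the assumed business-hours window.
        if not (BUSINESS_START <= ev["ts"].time() < BUSINESS_END):
            findings.append(("off_hours_access", ev["user"], stamp))

        # Rule 3: a single read larger than the threshold.
        if ev["bytes"] > LARGE_TRANSFER_BYTES:
            findings.append(("large_transfer", ev["user"], stamp))

        # Rule 4: cumulative per-user volume for the day crossing the threshold.
        # Fires once, on the read that pushes the total over the line, so a
        # series of small reads is caught even if none trips Rule 3.
        key = (ev["user"], ev["ts"].date())
        before = daily_volume[key]
        daily_volume[key] += ev["bytes"]
        if before <= DAILY_VOLUME_BYTES < daily_volume[key]:
            findings.append(("daily_volume_exceeded", ev["user"], stamp))
    return findings


if __name__ == "__main__":
    for rule, user, stamp in detect_anomalies(SAMPLE_LOG):
        print(f"{stamp} {user}: {rule}")
```

On the sample data, alice's late-night read and carol's early-morning bulk read from an unapproved client are flagged, and bob's three 80 MiB reads, each below the single-read threshold, trip the daily-volume rule on the third one. In practice the thresholds would be derived from each user's or role's baseline rather than fixed constants.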

Technologies that check a file’s reputation, age and regional popularity before allowing it to execute on a system can also be used to block APTs that were designed to evade traditional anti-malware detection methods.

“There is no doubt that major organisations need to be far more aware of the potential effects of malware,” said Jeff Hudson. “If this issue isn’t on the agenda of your board right now then the board is negligent,” he concluded.


Movie-camera maker accuses rival of corporate espionage

LOS ANGELES (TheWrap.com) – Shots are being fired in the world of the digital camera.

California-based Red Digital Cinema alleges that a former executive at Delaware-based Arri engaged in corporate espionage when he hacked into the email server of a third camera company, according to a complaint Red filed December 21 in U.S. District Court in California.

According to the lawsuit, which was obtained by TheWrap, Red alleges Arri used the hacked emails to give its Alexa camera a competitive advantage over Red’s Epic camera.

Red alleges unfair competition based on email hacking, invasion of privacy, conversion, misappropriation of trade secrets and unlawful trade practices, among other charges.

In September, Michael Bravin, Arri’s ex-VP of market development for digital camera products, pleaded guilty to unlawfully accessing the email server of Band Pro Film Digital while he was employed at Arri.

Bravin, who had previously worked for Band Pro, was charged with computer fraud and email hacking and, following a plea agreement, was sentenced to two years’ probation, among other penalties.

Now, Red says some of the emails Bravin copied had sensitive information about the company’s technology, including the Epic camera. Some of the emails were from Red personnel including founder Jim Jannard, Red also alleges.

At the time of the hacking, Red was allegedly in confidential business discussions with Band Pro, discussing a potential joint venture. Arri employees — including Chief Technology Officer Glenn Kennel and Vice President of Camera Products Bill Russell — were aware Bravin was engaging in the hacking, Red says. Therefore, Arri is liable, according to Red.

“Red is informed and believes, and thereupon alleges, that Bravin saved or forwarded, either directly or verbally, the information obtained from the Band Pro emails to other Arri executives and employees,” the suit says.

Additionally, Red alleges that Arri started a false advertising campaign leading up to the launch of the Alexa camera, and that Bravin — using his real name and a pseudonym — posted on a Red blog, RedUser.net, disparaging the company’s products. Red says one of the forum’s policies is that users do not use false names.

Red is seeking damages, disgorgement, restitution and injunctive relief. The company is seeking a jury trial.

“It was quite shocking to them, that the vice president of Arri would steal business emails for use at Arri,” lawyer Gregory L. Weeks, who represents Red, told TheWrap.

A representative for Arri did not respond to TheWrap’s request for comment.

Movies including “The Hobbit,” “Prometheus” and “The Girl with the Dragon Tattoo” were shot with Red cameras.

“Hugo,” “Pariah” and “New Year’s Eve” were shot with Arri cameras.


First documented case of cyber espionage?

There have been so many examples of cyber espionage that it is now the norm to just accept that it is rampant. MI5 in the UK, the German Chancellery, Titan Rain, GhostNet, the Pentagon email hack, Google Aurora – all are examples of cyber espionage, most on the part of China. But to date no evidence has been put forth other than claims from the injured parties.

Thanks to reporting from Anthony Freed of InfoSecIsland we have learned over the past few days that a group of Indian hackers that align themselves with Anonymous (the catch-all movement for hackers these days) have breached several Indian government servers and uncovered gold. If taken at face value, their hacking has revealed:

1. The Indian government has source code for Symantec’s AV software, albeit of 2006 vintage.

2. The Indian government is strong arming cell phone manufacturers to provide back doors into their handsets.

3. The Indian government is in possession of confidential internal communications from the US-China Economic and Security Review Commission (USCC).

And now in a new development we learn from Freed:

“Now YamaTough has provided potentially damning evidence that the Indian government is actively engaged in espionage efforts targeting not only the USCC, but potentially thousands of US government networks, ranging from those of federal agencies to systems used by state and municipal entities.”

YamaTough is part of The Lords of Dharmaraja hacking group in India.

You can see the difference between these unfolding events and previous claims of cyber espionage. The exfiltration of terabytes of data on the US Joint Strike Fighter or last March’s theft of “24,000 documents” has never been proved. They are just claims from admittedly credible sources. Thanks to a hacker group in India, InfoSecIsland has source material that demonstrates widespread cyber espionage on the part of the Indian Government, which the hackers may publish.

This is a historically significant development for those of us who track cyber espionage.

Army charges AK soldier with attempted espionage

ANCHORAGE, Alaska (AP) — The U.S. Army charged an Alaska-based soldier Monday with attempted espionage, saying he communicated and transmitted national defense information to someone he believed was a foreign intelligence agent.

According to the charges, 22-year-old Spc. William Colton Millay of Owensboro, Ky., intended to aid a foreign nation.

“Millay had access to the information through the course of his normal duties both stateside and on a previous deployment, and although the information was unclassified, Millay believed that it could be used to the advantage of a foreign nation,” according to a description of the charges released by Army officials.

Officials would not identify the country Millay believed the so-called agent represented or if their investigation involved a sting operation. Millay was assigned to a combat tour in Iraq from December 2009 to July 2010, and he served in Korea, according to information provided by the Army.



Key figure in Philly bugging probe now top Cain aide

Brazil may have been banned from bond work – but not from high-stakes politics. As vice president of field operations for the campaign of the former pizza-company chief executive and top-tier Republican White House wannabe, aides said the operative from northeastern Pennsylvania is part of Cain’s inner circle of five top aides. Another member of that circle, press aide J.D. Gordon, said Brazil is “essential.”

“This is an old and tired story,” said Gordon of Brazil’s ties to the Philadelphia probe. He said he had discussed inquiries from the Daily News with Brazil yesterday. “He was never accused of anything and never targeted.”

Gordon said the 2006 finding by the National Association of Security Dealers that prevented Brazil from associating with its member firms was not important because Brazil never was a registered securities dealer – precisely the reason that the industry watchdog group was probing his work for two mid-Atlantic bond firms.

Brazil’s murky background is sure to add volume to complaints about the quality of Cain’s campaign staff, which has been reeling in recent days from its handling of sexual-harassment allegations, as well as from Cain’s seeming lack of knowledge of foreign-policy issues, including a disastrous, fumbling answer to a question about Libya. Cain, who had been leading in some national polls, has now fallen behind Mitt Romney and Newt Gingrich in new surveys.

Brazil’s story is colorful. Until three years ago, the now-aide to a tea-party favorite was a Democrat, known for his ties to the family of that party’s stalwart Hillary Rodham Clinton, the secretary of state.