The word on cyber-espionage from Symantec

Posted on May 29, 2015

CYBER-ATTACKS aimed at penetrating thousands of well-defended organizations worldwide have shown a disturbing rise in sophistication, and there is considerable concern now about these attacks being state-sponsored, just like in the movies. At least, that’s the idea we get from a report last April, amid news reports that month of cyber-attacks on Malacañang’s own sites.

“Governments sponsor such cyber-attack for various reasons, political or strategic, not necessarily with the use of violence [in contrast to state-sponsored terrorism],” security consultant Ace B. Esmeralda said in an e-mail reply to this writer, in connection with the 2015 Internet Security Threat Report published last month by Symantec’s security team.

A global leader in storage, security, and systems management solutions, Symantec cited the possibility of state-sponsored cyber-espionage, pointing to such factors as the choice of targets and the sophistication of the attack methods.

The objective is twofold: to serve notice to the target of the attacker’s capability and, yes, to gather data that the attacking state can use for whatever purpose, including disrupting the cyber-operations of another government or of an enterprise abroad.

As for the frequency of these attacks, Mr. Esmeralda enumerated three possible major reasons: “the ‘convenience’ of staging attacks remote or from a console in one’s bedroom, the increase in the numbers of hackers and [of the] cyber[-]savvy population, and more funding given by government under the name of national security.”

Preeti Agarwal of Symantec said in the report that industrial control systems (ICSs) are major targets for cyber-attacks at the national security level.

Mr. Esmeralda said the ICS is similar to a “person’s brain or a command and control center of [a] community’s critical infrastructure.”

ICSs are the devices that manage, monitor, and control critical infrastructure in industrial sectors such as transportation, electricity, oil, natural gas, and water and wastewater systems, among others, Ms. Agarwal said.

Mr. Esmeralda said ICS is the general term that covers more specific control systems such as supervisory control and data acquisition (SCADA) systems.

“These infrastructures could be electric power distribution (Meralco), power generation [power plants], mass transportation systems like airlines and trains, telecoms, and medical services. Disrupting the controllers will shut down the services or [make] the systems go awry and fatal especially to transportation systems. If seen [from] macro or [large-scale] level, the effects to socioeconomic sectors could be devastating,” he said.

The Symantec report cited Waterbug, Regin, Dragonfly, and Turla as cyber-campaigns that have penetrated ICSs, embassies, and other targets. (Waterbug is Symantec’s name for the group behind the Turla malware; other vendors use other names for the same actor.) Waterbug, for instance, runs spear-phishing campaigns, sending e-mails to selected targets with a hidden Trojan payload that infects and compromises the recipient’s computer.

Tactics such as carefully crafted e-mails, zero-day exploits, and watering hole attacks (compromising web sites the targets are known to visit) get the attackers in while evading detection.

In the case of Regin, regarded as one of the most sophisticated pieces of cyber-espionage malware, attackers acquire a powerful tool to spy on businesses, governments, researchers, infrastructure operators, and even private individuals. Its capabilities include remote access, password theft, deleted file recovery, screenshot capture, and network traffic monitoring.

Symantec further described Regin as “highly suited to persistent long-term surveillance operations and its level of sophistication implies that a nation state created it.” In fact, it took almost eight months for the Symantec team to dissect Regin last year.

Turla targets governments and embassies of former Eastern Bloc countries, using watering hole and spear-phishing campaigns. It gives attackers remote access to infected computers, letting them copy and delete files and connect to other servers, among other things.

“Turla, or whatever they are called by different entities, is a snake [not just a worm or malware]…designed to exploit the weakness of Windows operating systems of governments and those dealing with governments in Europe and United States,” Mr. Esmeralda said in his e-mail.

Dragonfly, on the other hand, targets industrial equipment manufacturers, petroleum pipeline operators, and electricity generators -- primarily the energy sector, whose ICSs are among the most strategically important. Many of these targets are said to be located in the United States, Germany, France, Spain, Italy, Poland, and Turkey, among other countries.

Symantec said the attack could have damaged or disrupted the energy supply in these affected countries even more had the attackers “used the sabotage capabilities open to them.”

So far, however, Dragonfly appears to have less destructive goals, focusing on espionage and persistent access rather than on the more fundamental objective of sabotaging infrastructure.

One handicap is that many ICSs have been installed and operating for years, Ms. Agarwal said, noting that the systems were “developed before Internet-based technologies were used in businesses and were designed with a focus on reliability, maintainability and availability aspects, with little-or-no emphasis on security.”

Their security therefore rested on a “security-through-obscurity approach using physical isolation, proprietary protocols, and specialized hardware,” she added.

Many ICSs are now becoming Internet-enabled, which makes it easier to monitor and control the devices remotely, but it also means the main entry point for cyber-attacks today is “poorly protected Internet-accessible, critical infrastructure devices,” she said.
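To make that point concrete, here is an added example, written for this page and not taken from Symantec, Ms. Agarwal or Mr. Esmeralda. The article names no protocol, so the choice of Modbus/TCP, one of the most widely deployed control protocols from that pre-Internet design era, is an assumption. Encoding a request and decoding a response shows that nothing in the frame identifies or authenticates the sender: a controller reachable on TCP port 502 answers whoever can reach it. The last helper shows the kind of check a network monitor can still apply, flagging function codes that write to the controller. All sample frames are constructed, not captured from any real device.

```python
import struct

# Modbus/TCP function codes used below (values from the public specification).
READ_HOLDING_REGISTERS = 0x03
# Function codes that change controller state. The protocol will not refuse
# them from an unexpected source, so a monitor has to notice them instead.
WRITE_FUNCTION_CODES = {0x05, 0x06, 0x0F, 0x10}

MBAP_HEADER = ">HHHB"   # transaction id, protocol id (always 0), length, unit id
MBAP_LEN = struct.calcsize(MBAP_HEADER)  # 7 bytes


def build_read_holding_registers(transaction_id, unit_id, start_addr, quantity):
    """Encode a Read Holding Registers request (function 0x03).

    Note what is absent: no credential, no signature, no nonce. The only
    per-message value is a transaction id the client picks itself.
    """
    if not 1 <= quantity <= 125:
        raise ValueError("quantity must be 1..125 registers")
    pdu = struct.pack(">BHH", READ_HOLDING_REGISTERS, start_addr, quantity)
    # The MBAP length field counts the unit id byte plus the PDU bytes.
    mbap = struct.pack(MBAP_HEADER, transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_frame(frame):
    """Split a Modbus/TCP frame into header fields and PDU, checking lengths."""
    if len(frame) < MBAP_LEN + 1:
        raise ValueError("frame too short")
    tid, pid, length, unit = struct.unpack(MBAP_HEADER, frame[:MBAP_LEN])
    if pid != 0:
        raise ValueError("not Modbus (protocol id %d)" % pid)
    pdu = frame[MBAP_LEN:]
    if len(pdu) != length - 1:
        raise ValueError("MBAP length %d does not match %d PDU bytes" % (length, len(pdu)))
    return {"transaction_id": tid, "unit_id": unit,
            "function": pdu[0], "data": pdu[1:]}


def parse_read_holding_registers_response(frame):
    """Decode a 0x03 response into register values, or report the exception code."""
    f = parse_frame(frame)
    fc = f["function"]
    if fc == READ_HOLDING_REGISTERS | 0x80:
        # Exception response: one byte of exception code (0x02 = illegal data address).
        if len(f["data"]) != 1:
            raise ValueError("malformed exception response")
        return {"transaction_id": f["transaction_id"], "unit_id": f["unit_id"],
                "exception": f["data"][0], "registers": None}
    if fc != READ_HOLDING_REGISTERS:
        raise ValueError("unexpected function code 0x%02x" % fc)
    data = f["data"]
    if not data:
        raise ValueError("missing byte count")
    byte_count, values = data[0], data[1:]
    if len(values) != byte_count or byte_count % 2:
        raise ValueError("byte count %d does not match payload" % byte_count)
    regs = list(struct.unpack(">%dH" % (byte_count // 2), values))
    return {"transaction_id": f["transaction_id"], "unit_id": f["unit_id"],
            "exception": None, "registers": regs}


def is_write_request(frame):
    """True if a captured request would change controller state."""
    return parse_frame(frame)["function"] in WRITE_FUNCTION_CODES


# Constructed sample traffic (not captured from any real device).
# Response to "read 2 holding registers from unit 1": values 0x0102 and 0x0304.
SAMPLE_RESPONSE = bytes.fromhex("0001 0000 0007 01 03 04 0102 0304")
# Exception response from unit 1: illegal data address (0x02).
SAMPLE_EXCEPTION = bytes.fromhex("0001 0000 0003 01 83 02")
# Write Single Register (0x06) request: unit 1, address 0x0010, value 0x00FF.
SAMPLE_WRITE = bytes.fromhex("0002 0000 0006 01 06 0010 00FF")

if __name__ == "__main__":
    req = build_read_holding_registers(1, 1, 0, 2)
    print("request  :", req.hex())
    print("response :", parse_read_holding_registers_response(SAMPLE_RESPONSE))
    print("exception:", parse_read_holding_registers_response(SAMPLE_EXCEPTION))
    print("write seen:", is_write_request(SAMPLE_WRITE))
```

Run stand-alone, the script prints the 12-byte request and the decoded frames. The design point is that every byte of the request is derivable from public information, so the compensating controls are the ones the article goes on to describe: keep the device off the Internet, and watch the traffic for write function codes from hosts that have no business sending them.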

Mr. Esmeralda, for his part, explained: “When automation and computers were in their infancy stages, the security concerns were [focused] on physical attacks -- tangible attackers versus physical computing devices.”

Internet connectivity introduced new forms of threats, he also pointed out. “The new threat landscape includes the increased level of insider compromise through vulnerable personal devices connected to a network.”

This is where threat intelligence comes in, an essential component for any organization seeking to understand the threats that could reach its network. Mr. Esmeralda defined threat intelligence as “simply knowing what are the dangers that could inflict damage to an ICS.”

“It is also analyzing the threats and [determining] the probability and severity of occurrence. ICSs are not exposed to risks if they are not vulnerable to threats. For the ICS, being forewarned is being prepared. It is knowing your enemy.” -- Lorela U. Sandoval