Daily Management Review

As Spying And Crime Tools Mix, Blame Game For Cyber Attacks Grows Murkier


As Spying And Crime Tools Mix, Blame Game For Cyber Attacks Grows Murkier
On the face of it looked like a menacing new industrial espionage attack by Russian cyber spies and Veteran espionage researcher Jon DiMaggio was hot on its trail three months ago.
clues in the programming code indicating its authors were Russian speakers, covert communication channels for grabbing documents, an advanced Trojan horse for stealing data from inside organizations, and targeted phishing emails common to government espionage were all the hallmarks that were there.
He found out that he was tracking a lone-wolf cyber criminal and it took weeks before the lead cyber spying investigator at Symantec, a top U.S. computer security firm, figured it out.
Saying the case is a run-of-the-mill example of increasing difficulties in separating national spy agency activity from cyber crime, DiMaggio won't identify the name of the culprit, whom he has nicknamed Igor. He said that Transdniestria, a disputed, Russian-speaking region of Moldova, was the place of origin of the hacker.
"The malware in question, Trojan.Bachosens, was so advanced that Symantec analysts initially thought they were looking at the work of nation-state actors," DiMaggio told Reuters in a phone interview on Wednesday. "Further investigation revealed a 2017 equivalent of the hobbyist hackers of the 1990s."
As tools once only available to government intelligence services find their way into the computer criminal underground, the example highlights the dangers of jumping to conclusions in the murky world of cyber attack and defense.
"The attribution problem", using technical evidence to assign blame for cyber attacks in order to take appropriate legal and political responses, id what it is referred to by security experts.
Whether Moscow may be attempting to disrupt national elections taking place in coming months across Europe and whether Russia used cyber attacks to influence last year's U.S. presidential elections were the questions that echo through the debate.
At the International Conference on Cyber Conflict in Tallin this week, the topic is a big talking point for military officials and private security researchers.
"Attribution is almost never a clean, smoking-gun," said Paul Vixie, creator of the first commercial anti-spam service, whose latest firm, Farsight Security, helps firms track down cyber attackers to identify and block them.
Cyber security threats were ratcheted to a whole new level after credit for leaking cyber-spying tools that are now being turned to criminal use, including ones used in the recent WannaCry global ransomware attack, were taken by a mystery group calling itself ShadowBrokers which has raised the stakes.
And to enable hacking into the world's most used computers, software and phones, ShadowBrokers has threatened to sell more such tools, believed to have been stolen from the U.S. National Security Agency, in recent weeks.
"The bar for what's considered advanced is lowered as time goes by," said Sean Sullivan, a security researcher with Finnish cyber firm F-Secure.
Last year, at a major airline, an online gambling firm and a Chinese automotive software maker, which are all customers of Symantec products used to secure their business networks, infections popped up and the Moldovan hacker's campaign to steal data and resell it on the web came to light only after such incidents.
“Considering the audacity of this attack, the financial rewards for Igor are pretty low,” DiMaggio wrote in a blog post on his findings to be published on Wednesday.
In part because the attack singles out only a handful of specific firms rather than the wide-ranging, random attacks used by many cyber criminals to scoop up the greatest number of victims, Symantec rates Trojan.Bachosens as a very low risk virus as a threat.
"I think those days are over when we can say in black and white: We know this is an espionage group," DiMaggio said.
Calculating that exposing the methods of the attack will be enough to neutralize them, the Symantec researcher has not reported Igor to local authorities.