From Yahoo to nuclear power stations, what are state hackers doing?
Yahoo’s attribution of its recently revealed hack to a state actor provoked some scepticism in the technology industry. For the average IT professional, it raises some key questions: what are state cyber attacks and do they pose a threat to my business?
The term state attack can be applied quite broadly, covering attacks carried out directly by the state and attacks sponsored or backed by a state but carried out by nominally separate entities.
The idea of a war taking place in cyber space is nothing new, and in many ways is a continuation of existing tensions between countries. As Bob Tarzey of Quocirca says, “as we have all moved online so has state and corporate espionage.”
As in other areas, in cyber space the state can bring its vast resources to bear and outclass the competition.
A hack of internal Democratic Party emails earlier this year was attributed to Russia, while the US and Israel were blamed for attacks on critical Iranian infrastructure.
Jason Larsen, Principal Security Consultant at US security firm IOActive, a company which infamously hacked into a Jeep at the Black Hat conference, says that in many famous examples of state cyber attacks, the attacker left their “fingerprints” on the attack so that the victim would know who had done it.
In the Stuxnet attack on Iran, for example, Larsen says, the US and Israel did not try to hide their involvement.
Russian government attacks are mainly aimed at undermining western political stability, Quocirca’s Tarzey says, while China, which he says is the biggest perpetrator, aims to steal intellectual property from Western businesses.
“The Chinese government employs large numbers of hackers who go about their work as a 9 to 5 job, and it seems so normal to them that they probably do not even see it as theft,” Tarzey says.
Larsen of IOActive adds that “The Chinese MO is that they stage things: they have specialists. They have the guys that hack into a system, then those guys go away. Then the new guys map out the place and figure out how it will go. Then they have the specialists that do the attack, followed by the guys that clean up.”
From a Western perspective, Larsen says that countries such as the UK and US work closely together and have similar styles to each other.
“The US gets accused of bringing everything and the kitchen sink: bureaucracy, lots of bureaucracy. Personal US attackers are cowboys. They don’t really have a plan; they just hack into everything. There could be easier or subtler ways but they just beat their way through till they get to their objective.
“US Government has lots of bureaucracies. You see their payloads. Rather than being a small crafted payload, they bring this 20 MB thud that has everything a bureaucrat wants.
“You have to have all of these things such as non-attribution and end up with these monster payloads. By the time you build the thing it’s monstrously overbuilt.”
Larsen says that this feature stood out during the attack on Iran. However, if the attackers had wanted to, they could have mimicked the style of another country, such as China.
The use of a hack to make a statement is one way that these hacks differ from ordinary criminal attacks. When making money is the key, hackers will be keen to keep the hack, as well as their identity, hidden for as long as possible in order to maximise their profits.
This political point-making manifests in other ways. For example, an attack on the Ukrainian power grid late last year, according to Larsen, was carried out in an unnecessarily theatrical way.
“Anyone who has the skill to hack in has the skill to write a piece of code to open the breakers. Instead they let the operator watch as they clicked and opened all the breakers. They wanted the operators to sit there and freak out.”
From the victim’s perspective, the attribution is also political: in many cases it would be perfectly possible to pretend that no hack had happened. For example, infrastructure failure could just be blamed on an outage.