Part one of this series provided a basic framework of today’s cybersecurity environment, as well as basic terms for legal professionals to understand in discussing and addressing the risks of security breaches. Now that you can talk some of the cybersecurity lingo, let’s discuss a few of the major cyber-attacks that have plagued organizations.
Headliner cyber attacks
A host of cyber-attacks have hit the headlines in the past few years. Here are four major categories that many have heard of, but may not have understood fully:
1. Zeus3 Trojan (financial gain). This malware targets financial institutions through a web-based attack. A Trojan horse is a type of malware that appears to perform a desired function, but instead opens a “backdoor” that allows unauthorized access to a visitor’s computer. The backdoors are typically invisible to most users. Zeus is a Trojan horse that steals banking information by one of three general methods:
- Infecting a web browser to take advantage of vulnerabilities in browser security (known as “man-in-the-browser” or MITB)
- Recording keystrokes in a covert manner (“keystroke logging”)
- Employing advanced methods of capturing web data within browsers (“form grabbing”)
Trojans typically enter an organization by one of two methods. The first uses previously compromised websites to deliver “drive-by-downloads,” which are typically either downloads authorized by users who do not understand the consequences, e.g., counterfeit executable programs or other downloads that happen without the user’s knowledge. This can occur when users are visiting a website, viewing an email message or clicking a deceptive pop-up window. In these cases, the websites have been compromised in some manner, and end-users have almost zero opportunity to discover this fact because the web server is not part of the organization’s network. Another method is “phishing,” which is an attempt to acquire user names, passwords and credit card information by pretending to be a trustworthy entity in electronic communications, such as those from social websites, auction sites or online payment processors.
Zeus Trojans were first identified in 2007 while stealing information from the U.S. Department of Transportation. In July 2009, Zeus was found to have compromised 74,000 accounts on the websites of Bank of America, NASA, Amazon and others. In 2010, the Federal Bureau of Investigation announced a major international crime network had used Zeus to hack into U.S. computers and steal approximately $70 million. More than 2,411 companies and organizations domestically and internationally have been affected by criminal operations running the Zeus.
Zeus is difficult to detect because of its stealth characteristics. An estimated 3.6 million PCs in the U.S. are infected, and the number continues to grow as users continue to click links in emails and websites that contain vulnerabilities.
2. Flame / Stuxnet (industrial espionage). Stuxnet is a replicating malware program (“computer worm”) discovered in 2010 that is an example of malware designed to have an effect on the physical world. Stuxnet targets supervisory control and data acquisition (SCADA) systems, which control and monitor certain industrial processes. For example, Stuxnet was used to attack particular nuclear facilities in Iran. It has extensive network mapping and eavesdropping capabilities and spreads through Microsoft Windows to target Siemens industrial software and equipment. The purpose is to spy on and subvert industrial systems.
“Flame” is a similar type of malware discovered in 2012 that is being used for targeted cyber-espionage in Middle Eastern countries. Flame can record audio, screenshots, keyboard activity and network traffic. It can also record Skype conversations and uses computers as Bluetooth beacons that work to download contact information from Bluetooth-enabled devices like cell phones, smartphones and tablets. In addition, flame malware can activate computer and laptop webcams without alerting users that it has done so.
3. Operation Aurora (IP theft). This cyber-attack was conducted by advanced persistent threats (APTs) with ties to operations in China. Google disclosed this attack in January 2010 following an attack beginning in 2009.
The attack’s primary goal was to gain access and modify source code repositories at high-tech, security and defense contractor organizations. The attack works through software configuration management (SCM) which tracks and controls changes in software. The Google breach aimed to both steal intellectual property (in this case, source-code repositories, which is the equivalent of stealing the secret formula for Coca-Cola) and covertly investigate state dissidents and their email and financial accounts.
Following a breach, the attack provided a backdoor connection that appeared to be a secured connection (SSL) to command and control severs running in Illinois, Texas and Taiwan. The breached computer then searched corporate intranets for vulnerable systems and sources of intellectual property, including source-code repositories.
4. Conficker Worm (botnet). Also known as “Downup,” “Downadup” and “Kido,” this worm (replicating malware) targets Microsoft Windows operating systems and uses “dictionary attacks,” i.e., attempts to determine decryption key or passphrases by trying hundreds or millions of possibilities, on administrator passwords. A botnet forms a collection of Internet-connected computers that have been compromised by malicious software and can be controlled as a group without the knowledge of their owners or IT groups. Botnets can be bought and sold to the highest bidder or used by the hacker in charge for his own purposes, such as taking down a company’s Internet presence by leveraging the botnet to orchestrate a distributed denial of service attack (DDoS), disrupting business or operating as a spy within the technological borders of a company to steal any passing information.
Conficker was first detected in 2008. It infected millions of government, corporate and personal home computers in more than 200 countries, making it the largest known computer worm infection since 2003. In January 2009, the estimated number of infected computers reached up to 15 million.
The first variant of Conficker spread through the Internet by exploiting a network service vulnerability in certain Windows PC and Server systems. A second variation of the virus included the ability to spread over local area networks (LANs) through removable media and network shares. Several European government networks were attacked, including the French Navy, the U.K. Ministry of Defense, the German armed forces, the U.K. House of Commons and other local municipal and law-enforcement networks.
At least five variants of Conficker have been discovered since 2008, dubbed “A,” “B,” “C,” “D” and “E.”
This discussion introduces some of the better-known attacks that have made headlines over the past few years. Although we only scratch the surface of the evolving sophistication of recent attacks, understanding the nature of these breaches is a necessary step in working with security and IT teams to manage organizational risk. Learning how these attacks occurred in the past provides insight into the appropriate approach to manage and combat current risks. Knowing how the bad guys think is the first step toward knowing how to defend against them.
Part three of this series will discuss strategies to address today’s cybersecurity risks. Stay tuned for more.