Nation state cyber attacks have never had a higher profile. The sheer volume and sophistication of threat activity today means reporting of incidents has flooded the mainstream media over the past few years. In another post I asked several experts how they characterise the current threat, and the implications of the thorny attribution problem.
But that leaves us with a difficult question to answer: what happens next? Are we headed towards inevitable cyber-conflict?
Not according to former GCHQ deputy director of cyber, Brian Lord.
“It is highly unlikely for a fair time yet that cyber will be the only domain in which a full-blown conflict will occur, and for the foreseeable future will be complementary to traditional warfare not instead of,” argued Lord, now MD of cyber at PGIO. “But the road to conflict will have a very heavy cyber-dimension.”
Could the establishment of cyber-norms help prevent a major conflict in the future? Experts were not optimistic about the prospect. Lord claimed the journey to such an end would be “very slow”.
“The abilities of international (and indeed national) legislation and treaties to keep pace with the speed of technological risks, challenges (and opportunities) is, in today’s world, sadly lacking, and those who want to sidestep outdated rules can easily find a way to do so,” he told me by email.
FireEye senior analyst Fred Plant claimed countries are already negotiating cyber-related issues on a one-on-one basis, which could form the basis for wider agreements.
“However, ‘cyber-norms’ are still ultimately rooted in what states determine to be acceptable behavior among other states, and this can differ greatly from one country to another. Cyber-espionage activity against dissidents, for example, can be considered a natural extension of long-standing norms in many authoritarian states whereas Western countries consider such operations to be highly controversial and intertwined with domestic surveillance,” he added. “Serious incidents can occur when these disagreements collide. Conversely, escalations can also occur when rogue countries are already regularly violating international norms, as North Korea-sponsored actors have demonstrated.”
For SecureData head of security strategy Charl van der Walt, the world’s superpowers are already “preparing the battlefield” via a “cyber-land grab” which involves compromising key machines, probing critical national infrastructure (CNI) for weaknesses and compromising supply chains whilst removing risk from their own. The effect of this is to slowly balkanise cyber-space, as smaller nations ally themselves with one side or the other and the world sinks into a protracted Cyber-Cold War, he claimed.
“Day by day, it seems as if the ‘global’ internet is slowly splintering along geopolitical lines. While this ‘cyber-balkanisation’ may have many fronts, it’s perhaps seen most clearly in the recently renewed focus by the US government on integrity in its supply chain, blocking foreign tech providers from competing for contracts in strategically important sectors. Foreign providers in this complex chain of inter-dependencies have been caught in the crossfire as collateral damage,” he told me.
“As we can expect that all cyber super powers are engaging in this activity, this presents smaller or developing nation-states with a challenge. As recent history and basic logic clearly show, for a nation-state that does not have the skill, finance or other resources required to secure and control the hardware and software it uses all the way from the ground up, it is effectively impossible to protect itself from the offensive operations of more capable nations. So the smaller nation is thus forced to choose the lesser of the evils: aligning itself with the cyber super power it distrusts the least and accepting that it can no longer engage the others for fear of being compromised.”
In the meantime, it’s likely that the escalation of nation state offensive activity will trickle down into the cybercrime underground – as evidenced most clearly by the leaked NSA exploit (EternalBlue) used to spread WannaCry ransomware in 2017. For van der Walt, “government investment into offensive cyber capabilities is like air being blown into a balloon.”
“Everything offensive is getting bigger and badder and governments are producing an entire new generation of ‘cyber warriors’ with training, skills, experience and exposure that has never been seen before,” he concluded. “Eventually these people will leave military service (like all soldiers eventually do) and find their way into the civilian landscape in one form or another. Many will undoubtedly end up somewhere else in the Cyber Military Complex, but the rest of the world (including crime) will no doubt also be impacted by their experiences.”
China, Russia, Eastern Europe, the Middle East – the list of hacking hotspots on the radar of most threat intelligence operatives is growing all the time. But what about Japan? For such an apparently technologically advanced nation, you might be surprised to learn its cybercrime underground is still in its infancy.
Trend Micro’s report on the Japanese underground claimed that Japanese cybercriminals haven’t yet built up the technical know-how to create malware themselves, preferring to buy it from other countries and then share tips on how to use it on many of the local underground bulletin board forums.
These forums also trade in the usual contraband: child abuse material, stolen card data, stolen phone numbers, weapons, and so on.
There were several interesting distinctions Trend Micro uncovered between the Japanese cybercrime underground and elsewhere:
- Cybercriminals accept gift cards from Amazon and the like in lieu of payment
- Japanese-language CAPTCHAs gate access to the forums, keeping their membership mainly local
- URLs for some secret BBSs hosted on Tor and other anonymising platforms can actually be found published in books and magazines
- Japanese cybercriminals are ultra-cautious, even using code words when discussing certain contraband, such as the kanji character for “cold” when referring to methamphetamine
So far, the notorious yakuza organised crime gangs have largely stayed out of the game, and that’s the way it’ll stay for some time to come, report author Akira Urano told me. That’s because of a combination of strict cybersecurity laws and the fact that offline scams still work a treat. But it might not stay that way forever.
“If organized crime groups like the yakuza ever venture into darknets, all they would need is the aid of tech-savvy individuals to engage in criminal transactions,” Urano argues in the report.
I was curious to hear a second opinion on Japanese cybercrime, so I asked FireEye’s local experts.
They hit me with a few stats from the National Police Agency (NPA) which show that, infancy or not, there’s a pretty healthy cybercrime industry in Japan.
Some 88 people were arrested for cybercrimes in the first half of the year, 58% of whom were Japanese. The country is also a major victim of banking fraud – second only to the US, according to other figures.
The country’s public and private sectors also have to withstand a barrage of likely state-backed cyber attacks, launched from outside the country.
Japan’s strengths in advanced technology and engineering, as well as its involvement in territorial disputes, have made it a target for China.
Aerospace and defence, transportation, high-tech, construction and telecoms are some of the highest risk industries.
FireEye told me the following by email.
“FireEye observes similar tactics and techniques on Japanese networks as we see elsewhere in the world. However, the key difference is localization: APT actors tailor their phishing e-mails, CnC infrastructure, and even their exploits to Japanese end users. For instance, we have observed threat activity against Japanese targets exploit the Japanese Ichitaro word processing system; zero days against the program are not uncommon.”
I’ve just been putting together a piece for IDG Connect on tech predictions for China and Hong Kong in 2015. It’s always difficult to fit in all the comment I manage to get on these pieces, so here’s a bit more on the cyber security side of things, from FireEye threat intelligence manager Jen Weedon.
The long and the short of it is “expect more of the same” from China. The US strategy of naming and shaming PLA operatives isn’t really doing much at all.
“In the next six to twelve months, targeted data theft by China-based actors is likely to remain consistent with patterns we have observed in the past,” Weedon told me by email.
“We expect Chinese threat groups to conduct espionage campaigns that are in line with the Chinese central government’s political and development goals.”
So what exactly will these goals be in 2015? Well, according to Weedon we can expect data theft to focus on climate change and the tech sector.
“China’s ongoing pollution challenges provide strong incentive for threat actors to steal data related to technologies that can help China stem the environmental impact of its heavy reliance on coal,” she said. “We also expect cyber espionage activity against governments and policy influencers in the run-up to the 2015 UN Climate Summit as China seeks intelligence to enhance its negotiating position on global climate policy issues.”
As for the tech sector, China is stepping up its efforts to develop homegrown computing and semiconductor capabilities – ostensibly for reasons of national security, i.e. to close down the risk of NSA backdoors in US kit.
“As the country pursues these goals, we anticipate Chinese actors will leverage data theft to supplement knowledge acquired through legitimate channels such as joint ventures with experienced foreign partners,” Weedon told me.
“We regularly observe China-based threat actors target firms engaged in joint ventures with Chinese enterprises.”
Territorial disputes in the South and East China Seas will also continue to drive cyber espionage activity, she said.
As for beyond that, we’ll just have to wait until after the National Development and Reform Commission (NDRC) outlines development priorities for the 13th Five Year Plan.
“As the central government solidifies its goals for the 2016 to 2020 timeframe, we expect further clues to emerge about which topics are likely to enter threat groups’ cross hairs in 2015 and beyond,” said Weedon.
It’s very much a question, therefore, not of whether China will continue its blatant state-backed cyber espionage campaigns, but where it will focus its considerable resources.
Last week APT and anti-malware firm FireEye announced the creation of a new Cyber Security Centre of Excellence (CoE) in partnership with the Singaporean government. It didn’t make many headlines outside of the city state but I think it’s worth a second look for a few reasons.
First up, FireEye is pledging 100 trained security professionals to this new regional hub, to provide intelligence that helps the local government protect its citizens and infrastructure from attack, as well as to benefit the vendor’s customers across APAC.
FireEye is one of the few infosec companies I’ve spoken to in this part of the world that is prepared to talk at length about the specific problems facing organisations in the region. More often than not when I try to go down this avenue with a vendor I’ll be told about how threats are global these days and attacks follow similar patterns no matter where you are on the planet.
While I know this is true to an extent, it was nevertheless refreshing to hear FireEye’s APAC CTO Bryce Boland tell me that the reason for building a team in Singapore was to have the necessary local language and cultural skills to deal with specific regional threats.
“We have a lot of countries here, many of which have tense relationships, so we see a lot of that boil over into cyber space,” he told me.
As well as the various hacktivist skirmishes that periodically hit the region, such as those between the Philippines and Indonesia or China and Japan, there are also more serious IP-stealing raids, which stem from the fact that APAC accounts for more than 45 per cent of the world’s patents, Boland added.
As a result, regional organisations face almost twice as many advanced attacks as the global average.
Another reason the news of FireEye’s new CoE warrants attention is what it says about the approach to cyber security by the respective governments of Singapore and Hong Kong.
Although Hong Kong put HK$9 million (£730,000) into a new Cyber Security Centre in 2012, my impression is that Singapore is more proactive all round when it comes to defending its virtual borders.
It was a view shared by Boland, who pointed to Singapore’s ability to attract and support infosec players looking to build regional headquarters there, as well as its efforts to attract globally renowned speakers to an annual security expo.
In my experience, what few events there are in Hong Kong are poorly attended, attract few speakers from outside the SAR, and rarely provide the audience with anything like compelling or useful content.