Cyber Intrusions Linked to Global Geopolitics
It took 18 years of responding to breaches before FireEye CEO Kevin Mandia made the connection, the former Air Force computer security officer revealed at a recent conference.
The governments of Iran, North Korea, Russia and China are responsible for 90 percent of attacks on U.S. government agencies and private companies, said a leading cybersecurity expert at a recent conference. Most attacks come in the form of spear-phishing or email-related breaches.
As CEO of cybersecurity firm FireEye, Kevin Mandia has observed thousands of attacks on U.S. companies and government agencies. The former Air Force computer security officer shared what he has learned from these system breaches at the Defense Intelligence Agency's (DIA's) annual Department of Defense Intelligence Information System (DoDIIS) Worldwide Conference this week in St. Louis.
Attacks usually pass through U.S. universities or susceptible third-party infrastructure. The operators of those intermediate systems often don’t know they have been breached, because they are not necessarily the final targets, Mandia explained.
Although the United States and most Western nations can pursue hackers in their own countries, there are few repercussions for cyber attackers in other places. “I do believe that if you are in the United States and you hack, you will get caught,” Mandia said. “We have kind of cleansed the United States of hackers.” For cyber attacks based in Iran, North Korea, Russia and China, though, “very rarely do we take electrons and evidence and go find humans,” the CEO continued. “There are no repercussions [when they] hack us.”
As such, the balance of power has shifted. The United States may be a so-called superpower, but the asymmetrical nature of power in cyberspace leaves America merely “playing goalie” and trying to stop attacks, Mandia said.
He shared that it took 18 years of responding to breaches for him to learn that intrusions are related to global geopolitical conditions. Intrusions are usually tied to a specific geopolitical event.
“It hit me in August 2013, when we responded to an anonymous pro-Assad group called the Syrian Electronic Army seven times in one week,” Mandia said. “At the same time, the United States was threatening to engage in armed conflict in Syria based on Syrian use of chemical weapons.”
The threat of U.S. troops going into Syria triggered several cyber attacks against Western media outlets that had reported on the conflict. “All of the big media outlets were targeted by this group,” he explained. Media company websites were altered and employee emails hacked.
“As geopolitical conditions currently are tightening on Iran, North Korea and Russia, we are going to see additional attacks,” Mandia cautioned.
For a hacker, the trigger can be just finding an employee’s email to compromise. “We all have infrastructure that enables us to run our businesses, but at the same time, it lets faceless people communicate with our employees,” he said. “We are only as secure as our weakest link, which is a human, and when the human clicks on a malicious link in an email, they are attacked. It’s really about getting a human not to execute something. It’s a big problem.”
In some breaches, a single passphrase works on every system in the environment, making it susceptible to what Mandia calls “lateral movement” across a network, which can result in significant damage. “So breaking into just one computer at a company lets intruders propagate wildly on your network,” he stated.
FireEye has seen a rise in cyber attacker “influence campaigns,” in which a company’s systems are breached and the intruders leak stolen documents in a coordinated manner. These so-called “doxing” attacks are used “to garner some kind of a coalition behind an ideology,” such as those seen in last year's U.S. presidential election and previous European elections.
Mandia said he is amazed that faceless, nameless actors can post stolen documents and somehow have the credibility to be believed in cyberspace. “And with our free press in America, when an organization is ‘doxed’ and information is released, our press actually covers it, and the information then spreads with damaging impacts. With a free press, we are vulnerable,” he said.
And the United States can’t retaliate in kind. “There is no ‘eye for an eye’ on this one,” Mandia explained. “If we hacked Putin’s email, what would happen? Nothing. It may even help him.”
Aided by the prevalence of the digital payment system called bitcoin, cyber-related extortions are also on the rise, Mandia pointed out. “There is nothing good about anonymous currency in cyberspace,” he said.
In extortions, cyber criminals break into corporate files and threaten to expose documents unless they are paid in bitcoin. Document extortion can come months or even years after the hack, and the extortionist may be a different person from the hacker. C-level executives and high-ranking officials at private companies are at particular risk for this type of extortion. Mandia is seeing extortions “in the seven figures” and expects that to jump to eight figures soon.
“There used to be honor among thieves,” the CEO said. “You got extorted for $5,000, and when you paid it, the hacker didn’t leak the information. Now you get extorted for bitcoin, and you can make the assumption that whether or not you pay, the stolen data will be Google-indexed on the Internet in the next few weeks.”
Lastly, when asked if the Islamic State of Iraq and the Levant has cyber attack capabilities, Mandia warned that it “only takes one person” to mount an attack.