We’re all human, you know? That’s roughly the trick that the hackers most likely relied on when, earlier this year, they managed to steal over 24,000 files from a defense contractor.
The Pentagon won’t say what files went astray, or the level of secrecy associated with the contents of the stolen data. But we can assume that at least some of it was highly secret–secret enough that Deputy Defense Secretary William J. Lynn III felt compelled to admit to the attack during a speech about the future of cyber policy yesterday. Lynn said it concerned some of the U.S.’s “most sensitive systems, including aircraft avionics, surveillance technologies” and more, before hinting that foreign powers were behind the attack and using it to declare cyberspace the next battleground.
What went down? We spoke to Nick Percoco, digital security expert and SVP at Trustwave’s SpiderLabs, and familiar with exactly this sort of cyberattack, to get some insight.
How The Hack May Have Begun: Email Scams
The fact that the 24,000 stolen files came from a defense contractor is significant, Percoco notes. It’s likely easier to get this sort of data from a contractor than launching an all-out attack on Pentagon servers themselves, because companies are full of people–people who are used to doing business in our digitally connected world. And even though an employee of a defense contractor is probably way more switched on to digital security than you or I, it’s still not impossible to cheat someone with access to secret files into placing malware on their work laptop.
All it would take for a dedicated hacker is some basic research. If you wanted to steal data like this, you could start by targeting a particular employee via email–“We’ve seen this happen to defense contractors,” Percoco notes. “Using technology like Google, and LinkedIn and other social networks” hackers could find out who best to target. Say they pick a particular EVP, and work out their email address is “JohnSmith@defencecontractorX.com.” Then they work out who their colleagues or bosses may be all the way up to CEO level.
Then it’s as simple as going to a source of hacking code using your underworld contacts (or using some of your own) and getting access to a “zero day exploit“–a new loophole in a computer or software system’s security that hasn’t been publicly discovered yet, and hence is still open for hacking use.
This is where the hack escalates. “In this case, they’d been looking for a zero-day exploit in, say, the Adobe PDF reader. And then they’d take a nice creative pen out and draft up a document that looks like it should be something important,” Percoco said. After this, the hacker would set up something like a disposable Gmail account and make the screen name the same as one of the target’s peers or the CEO of the company. Then they’d “craft up an email that says ‘Here’s an important document, some new announcement we’re working on. Please review it and be ready for a call at 10 a.m. today.'” The trick is to send this to the target at around 7:30 a.m. local time, because the “best time to send those types of things is right before someone’s had their coffee.”
Typically the sleep-addled victim would trust the email as it’s supposedly from a colleague, then launch the embedded PDF (or other faked document). Usually it causes the newly launched program–Adobe Reader in this example–to crash. But as it crashed, it would actually be installing malicious code on the machine. The virus is injected.
How The Attack Began: Website Sting
A similar attack is possible using a faked-up website that looks like it’s actually related to the target company–one of those odd-looking, badly maintained websites that kinda looks official that we’ve all surfed to at some point and been confused by.
Some of these are actually storage pens for targeted malicious code, carefully honed to appear high on Google searches with SEO tricks. And when, say, a marketing official from the target company Googles to find out how their brand is being referenced around the web, they may stumble across one of these fake sites and trigger the release of malware onto their machine.
What Happened Next: Access Is King
Once the malicious code has been installed on the machine, the “sky’s the limit,” particularly via the email exploit. A well-coded virus code can evade detection and hide on the computer, doing various wicked things.
Often the “sole purpose of the executable is to go and find files on the person’s computer and archive those in a zip file or RAR file, and then attempt to extract them from the system,” Percoco said, based on his experience. The code could try lots of different routes, using FTP or HTTP or other protocols to get those files off the system. It’s something he’s seen in “many environments” and, worryingly, they’re often “highly successful in getting those files.” The code is typically designed to work on Windows machines, with almost no such exploits targeted at Macs–but Percoco agrees that this is at least partly due to the assumption by a hacker that a business user will be using a PC, not a Mac.
The success would be based on the fact no one’s seen this particular kind of attack before (a zero-day exploit payoff) and it would easily circumvent any protective anti-virus software installed on the machine–because the protection doesn’t know to look out for this type of virus. The only real way to avoid this sort of attack for the target to “avoid clicking on documents,” which is clearly unlikely in the case of a business computer user.
A smarter hacker would select a network administrator at the target company, because they’re human, too. Their machine likely has even more interesting files that have data on network security, what kind of code is let in and let out of company firewalls, and so on.
Getting access to this sort of data (via the same email hack as described above) could let a persistent hacker penetrate a company’s network and install a backdoor onto it–totally circumventing security because then “the attacker doesn’t have to come in from the outside, they have code running on that system that will basically open up a connection back to the attacker”–not something network security is expecting. Then you can gain access to passwords and credentials to worm your way in further, eventually finding whatever sensitive data you’re looking for.
The result could be a grim violation of company security. “We’ve seen those for a number of years, in all sorts of companies including government-type companies as well,” Percoco says.
Who Did This?
It’s easy to see how a hacker could gain access to a machine and even a company network, and how easy it can be to transfer stolen files from infected computers to the hacker. But who is the hacker? The Deputy Secretary of Defense was careful to link it to “foreign” attackers–and considering this year’s hacking news, we’re instantly imagining China is to blame.
Percoco says his company does hundreds of investigations every year on attacks like these, and it’s “very, very difficult to trace an attack to a specific person and specific political motivation.” That’s unless it’s a hacktivist attack, when a group like Anonymous posts the data online and admits it was to blame–and even then “you don’t know where these people are actually located.”
A hacker could take his laptop down to a coffee shop, buy a cup of joe and “get on their free Wi-Fi system. And now they go and start looking around the world to find a computer that has a security weakness.” Once they find it, they can use the hacked computer for a targeting scenario like the one described above, where they send a tainted email. Anyone tracing the code back after the attack was detected may find it sourced on a corporate computer in, say, China. And then they’re stuck–because no one’s “going to let the U.S. government come in and do a forensic investigation on some business located in China.”
Furthermore, it’s rare that even this first Net address is where the attack is coming from–“they’re always jumping through one or many systems” Percoco says, which could be in numerous nations and thus completely confound any attempts to track them. Which means the attacker actually could be located anywhere.
The Cold Cyberwar?
[Image: Flickr user Boston Public Library]