Wednesday, April 10, 2013

Critical Information Infrastructure - Next in Hacktivism!

Hacktivism has gained considerable visibility and influence both on the internet and in society. Lately the “Anonymous” hacking collective has added to the popularity of the word by launching a series of cyber attacks against governments worldwide, compromising and publicly disclosing classified data. Government officials tend to treat hacktivism as a form of cyber terrorism, but many call it a non-violent form of protest: no blood and no tear gas, while still protesting against weak government policies.

In the past, the internet has seen many cyber attacks from hacktivist groups, including Distributed Denial of Service (DDoS), website defacements and full disclosure of confidential information to the public domain. Until “Anonymous” came into existence as a hacktivist collective in 2008, most reported incidents were website defacements or mass defacements, with a few DDoS incidents. Even “Anonymous” started its operations with DDoS and defacements, but the strategy soon shifted to disclosing large volumes of confidential data to the public domain. Such data was downloaded from compromised targets belonging either to governments or to private organizations that process or store classified data of national interest. Posting that data into the public domain helped civilians recognize weak government policies and corruption in the system. The idea was to raise awareness in society, and it worked to a great extent.

Later, DDoS and website defacements were kept by the hacktivists as power-play options within a cyber attack, but the focus stayed on data disclosures; on a few occasions the material was shared with Wikileaks as well, which follows the same notion of bringing awareness of flawed government policies to society.

The media played a considerable role in giving visibility to the “Anonymous” hacking group, and more young people were attracted to participate in protests worldwide. Group leaders started offering free hacking classes to newcomers on various online channels, covering hacking techniques and methods of staying anonymous while hacking. Operations were organized online, using social media or private channels, to target a specific country's infrastructure, government department or private organization, and every member would participate passionately.

Moreover, many hackers and small hacking groups across the world started launching their own “Anonymous”-style operations without knowing who was actually part of the “Anonymous” group and without any direction from its leaders or organizers. Such isolated hackers or groups simply attacked their targets, posted the slogans of “Anonymous” on the defaced websites or alongside the disclosed data, and proudly treated themselves as part of the group or protest. Soon enough, federal agencies arrested a few “Anonymous” leaders, which temporarily halted the group's activities, but the group appeared unstoppable and operations continued, though the magnitude of the attacks seemed lower than before.

“Anonymous” and other hacking groups using “Anonymous” as an umbrella name like to stay in the mainstream media with news about their disclosures or achievements, in order to gain the confidence of society, attract more young people and showcase their strength to governments worldwide. It is easy to predict that hacktivists will start targeting the critical information infrastructure of various countries in the very near future, since it clearly meets their objectives and gets them more than they currently achieve. Shifting the attack paradigm from website defacement or data disclosure to taking down industrial control systems or critical infrastructure could be the next agenda for many hacking groups worldwide. Where website defacements or DDoS attacks do not make a noise in every part of society, bringing down critical infrastructure would disturb governments with greater force than ever and become international breaking news in no time.

There have been incidents where easy ways to compromise SCADA systems running a nation's critical infrastructure were publicly disclosed. Stuxnet, widely regarded as a state-funded operation to disrupt Iran's uranium enrichment programme, is an old story by now, but it serves as a good case study for hacktivist groups. Launching a Stuxnet-style operation without state involvement is a costly affair for hacktivists, but the case made clear the difference in impact between taking down a website and taking down critical information infrastructure.

No country is fully prepared to protect its critical infrastructure from cyber attacks in any real sense, and many countries do not even recognize the threat. It has become the need of the hour for national cyber security and critical information infrastructure protection agencies to revisit their action plans before the gap brings embarrassment to them and to their nations.

“You can't stop others from attacking you, but can very well secure yourself!”

Tuesday, March 26, 2013

Cyber Command Center - Honeypots or the Underground Honey?

After the USA established its cyber command (USCYBERCOM) to counter cyber attacks and protect its cyber space, a cyber command center became the next project for most governments across the world. Russia and South Korea recently announced that they would have their own cyber command centers, and many other countries are pursuing the same project. Both offensive and defensive cyber operations are a vital part of such a command center, and in many instances the teams engaged in offensive and defensive operations are required to work together and share intelligence to carry out joint operations.

Teams responsible for defending a nation’s cyber space often deploy honeypots in various forms to keep the attackers under surveillance. Honeypots offer intelligence inputs to an extent, but they require considerable analysis. That analysis generally yields information about the attackers, which is often unreal because the source addresses are proxied or spoofed, and about the attack vectors used, but it neither directly reveals what the attacker has already taken away from real systems nor the attacker's real targets, which can only be guessed to a certain level.

Cyber offensive teams prefer an alternative approach to raise the level of intelligence: directly or indirectly setting up an underground cyber economy which, to an outsider, appears to be an independent setup operated by a group of hackers. The purpose of such an underground economy is to offer the technologies and resources required to launch cyber attacks, available for a price. The buyers of such resources could be independent hackers or state-funded groups who wish to launch cyber attacks against their targets using plug-and-play attack tools while hiding their identity. The resources could be online antivirus scanners, anonymity tools, malware, exploits, servers, domains, paid traffic and much more. Russia and China are known to have such setups in place. It is not confirmed that they are state funded, though wild guesses are allowed. Establishing such a setup brings the huge risk of the country being accused of originating cyber attacks from its soil, but that makes little difference to the cyber offensive team of a powerful country.

By offering such resources in an organized way, offensive teams not only get the attack vectors but sometimes the real location of the attacker, complete information about the targets, the custom tools used by the attacker, and almost everything else they need. Most of the intelligence gathering is done stealthily, to avoid losing credibility and, later, the customers.

In one scenario, let’s assume that a hacker from country ‘A’ leases a server in country ‘C’ by the month and sets up the command and control (C&C) panel of a botnet on it. He operates the botnet for about a month, compromising 5000 targets and adding them to his C&C. While he is collecting loads of information from the targets, which is stored on the leased server, experts from country ‘C’ copy all of it for their own analysis; the provider has full access to the disks of a server it hosts, so nothing stored there in the clear is private from it. Among the 5000 targets there may be targets of interest to country ‘C’, the whole data set comes at a heavily discounted price, and information about the attacker stays on record for any future investigation.

In another scenario, an attacker uses an anonymous VPN in country ‘A’ to hide his identity and launch a cyber attack against target country ‘B’. Countries ‘A’ and ‘B’ are strategic allies, the attack is quickly investigated and the attacker is booked in no time.

There is also the scenario of an attacker scanning a malware sample with an online antivirus engine before propagating it to the targets. The sample can be recorded, analysed and detected in no time. There could be more scenarios that help in tracing attacks or gaining valuable information.

Not many countries are pursuing such a setup within their offensive cyber capabilities, due to the risk involved, but it could yield high returns if utilized in an effective, organized and controlled manner.

Friday, March 22, 2013

Cyber Warfare - "Return on Investment"

Most CIOs talk about ROI (“Return On Investment”) before initiating any project for their organization. In its simplest form, a risk versus mitigation-cost metric helps them derive the ROSI (“Return On Security Investment”); the calculation can be made more complex and accurate by adding more parameters, but it usually remains single dimensional. ROI is often calculated for each information security project floated by the private sector or by government departments.

Information security projects are meant to safeguard the CIA (Confidentiality, Integrity and Availability) of the information assets an organization owns, and it is fairly straightforward to calculate and justify the ROI at the early stages of such projects with a reasonable level of accuracy.
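As an added worked example (not part of the original post), here is the simplest form of the ROSI calculation the paragraphs above refer to, using the commonly cited quantitative model ALE = SLE × ARO and ROSI = (ALE × mitigation ratio − cost) / cost. All figures, risk names and control names in it are constructed for illustration. The sensitivity helper is there to show what the post later calls the single-dimensional problem: the ROSI figure swings from positive to negative on nothing more than a change in the estimated rate of occurrence.

```python
"""ROSI in its simplest form (added example; constructed figures).

Model used:
    ALE  = SLE * ARO                              annual loss expectancy
    ROSI = (ALE * mitigation_ratio - cost) / cost  return as a ratio (2.2 == 220%)
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float  # single loss expectancy: cost of one incident
    aro: float  # annual rate of occurrence: incidents per year

    @property
    def ale(self) -> float:
        """Annual loss expectancy for this risk."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    mitigation_ratio: float  # fraction of the ALE the control is expected to remove

    def __post_init__(self) -> None:
        if not 0.0 <= self.mitigation_ratio <= 1.0:
            raise ValueError("mitigation_ratio must be between 0 and 1")
        if self.annual_cost <= 0.0:
            raise ValueError("annual_cost must be positive")


def rosi(risk: Risk, control: Control) -> float:
    """Single risk, single control: the textbook one-dimensional ROSI."""
    avoided_loss = risk.ale * control.mitigation_ratio
    return (avoided_loss - control.annual_cost) / control.annual_cost


def rosi_multi(risks: Iterable[Risk], control: Control) -> float:
    """One control covering several risks: sum the avoided ALE before dividing."""
    avoided_loss = sum(r.ale * control.mitigation_ratio for r in risks)
    return (avoided_loss - control.annual_cost) / control.annual_cost


def break_even_aro(risk: Risk, control: Control) -> float:
    """ARO at which ROSI is exactly zero; below it the control loses money."""
    return control.annual_cost / (risk.sle * control.mitigation_ratio)


def sensitivity(risk: Risk, control: Control,
                aro_values: Iterable[float]) -> List[Tuple[float, float]]:
    """Recompute ROSI for alternative ARO estimates to show how fragile the
    figure is when it rests on a single guessed parameter."""
    return [(aro, rosi(Risk(risk.name, risk.sle, aro), control))
            for aro in aro_values]


if __name__ == "__main__":
    # Constructed figures: a breach costing 200k, expected every two years,
    # against a 25k/year control that should stop 80% of such incidents.
    breach = Risk("web application breach", sle=200_000.0, aro=0.5)
    control = Control("patching + WAF", annual_cost=25_000.0, mitigation_ratio=0.8)
    print(f"ALE            : {breach.ale:,.0f}")
    print(f"ROSI           : {rosi(breach, control):.0%}")
    print(f"break-even ARO : {break_even_aro(breach, control):.3f} incidents/year")
    for aro, value in sensitivity(breach, control, [0.1, 0.25, 0.5, 1.0]):
        print(f"  ARO={aro:<5} ROSI={value:+.0%}")
```

With the constructed figures the control shows a 220% return, but the same control shows a negative return as soon as the ARO estimate drops below about 0.16 incidents per year; that is the weakness of a single-dimensional figure that the rest of the post argues about.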

Most governments around the world are now concerned with raising their cyber offensive capabilities, both to counter different kinds of threats and to pursue their objectives (economic, political, defence and power play). “Cyber Warfare” has turned out to be the fancy term used for state-funded cyber offensive operations. I don’t like using this term, as it is more of a media-friendly term, but I can’t leave out its eye-catching quality.

Many countries, including Malaysia, Germany, Bahrain, Indonesia, Qatar, Mongolia, Egypt and more, were recently reported to be using cyber offensive software to monitor activists and journalists or to carry out cyber espionage and disruption operations against other countries. The USA, Israel, China, Russia and Iran need no special mention for using similar software to meet similar objectives.

The cyber offensive capability of any country is considered a requirement, and sometimes a mandate, for national security, provided it is used with integrity. The paragraph above is not meant as criticism of the countries mentioned, but some of them are alleged to be involved in serious cyber attacks against other nations, and India has claimed to be a favourite victim many times in the past.

Cyber warfare operations are meant to subvert the CIA principles on the other side, and their ROI depends entirely on a well-planned strategy followed by seamless execution. Since such operations need a continuous strategic and tactical feed until completion, the ROI estimated at an early stage of a cyber warfare operation may be altogether different from the figures achieved at completion.

It tends to be difficult to justify the ROI of cyber warfare operations to the stakeholders if the right methodology is not followed to calculate it. The returns from such operations are not merely zero in the worst case; they can go negative if the cyber attack is detected and the operatives are traced back. Conversely, even a small piece of information can bring the highest form of return irrespective of the strategy and execution.

The methodology for calculating returns from cyber warfare operations requires a multidimensional metrics approach. Most countries with mature cyber offensive capabilities (they need no mention) seem to follow similar methodologies to maximize their operational throughput and raise their capabilities further. Countries that are still in the development phase of their cyber warfare capabilities, on the other hand, either rely on a single-dimensional metrics approach that produces imaginary ROI figures or have no concrete ROI calculation process at all, which eventually becomes a show-stopper for expanding those capabilities and leaves them in the development phase forever.

Thursday, March 14, 2013

Chinese Hackers or Cyber Monarchs!

It’s high time to learn that the last cyber espionage or attack came from China, and I wonder why it’s always China. Are the Chinese so smart, well organized, funded and equipped, or do most of the intelligence agencies across the world just believe it for the sake of it? Being a security professional, I never trust media briefings or expert views, just like most others like me “don’t”. My point of view on cyber warfare might be quite different from that of my fellows, but my belief in it doesn’t disappoint me often. Be it terrorism or cyber terrorism, I always commend the strategy originating from one particular country; I know you know which country, and I feel sorry that I sound so bitter, but the truth isn’t sweet either. I have met a few intel folks from across the world, and in those discussions a cyber attack originating from Russia is mostly considered a proxied attack, while China is always the scapegoat by default.

One of my close allies from NTRO (National Technical Research Organization), India, who has been in cyber security for most of his life, once publicly said that “all attacks having Chinese signatures doesn’t mean they have occurred from China”, but it received little attention from the government of India, or from any other intel agency in the world. By naming China in every cyber attack case, are we simply trying to satisfy our sheer ego of being good investigators, or are we deliberately missing out on a true investigation? I know cyber investigations are hard to carry forward, just like our sins, but that doesn’t mean we close the handbook by calling it “Made in China”.

No denying it, the Chinese carry enough strength to defeat my belief, but they also have an underground economy much like the Russian Business Network (RBN) in Russia. If someone were to carry out cyber espionage or an attack from India, he would be a fool, if not a super fool, to have his Command and Control (C&C) within Indian borders, and the same goes for any fool or expert in other countries. Even more, C&Cs do not often enjoy direct connections from the victims and mostly jump through intermediate proxies before they manage to dine with the victims. Managing a large infrastructure for cyber espionage, where there are no credit cards in the story, is not something of interest to most cyber criminals. So these operations are assumed to come either from cyber police or from funded cyber criminals, and we had better call them, respectfully, state-funded cyber monarchs.

The anatomy of cyber attacks has misled most researchers and investigators in recent times, due to the rapid rise of the underground hacking economy across the world and, in my opinion, nearly 75% of operations being state funded rather than normal hacking or espionage attempts for bank data and credit card numbers. I would like to refrain from calling website defacements cyber attacks, which most of my media friends don’t like to miss out on.

One of my close Russian friends, a well-renowned security researcher, recently contacted me to get information about a company that had compromised some sensitive computers of Russian government departments using an unknown, custom malware. He was smart enough to find the company name through reverse analysis of the malware, and I love him for what he does all the time. It didn’t come as a surprise to me, since I remember state-funded operations; maybe it was Georgia this time that paid that company to do the job. But I felt good that he didn’t name the Chinese so blindly, the way everyone gives out a judgement before the case has actually started.

The Chinese are smart, well equipped and organized enough to launch massive cyber attacks against critical infrastructures, but at the same time we shouldn’t forget about the rising capabilities of other countries, especially the USA, who can manage to eat away the entire meal while claiming that Chinese food can only be prepared in Chinese restaurants, leaving the rest of the countries to taste the spicy part of it.