Weapons of Mass Hacking
By Aline Sara, Beirut
In January, cybersecurity dominated discussions at Davos, as international CEOs gathered for the 2015 World Economic Forum (WEF). Taking place on the heels of the Sony hacking scandal, executives worldwide said cybercrime today represented one of the corporate world’s greatest nightmares. They also deemed it a significant source of deterrence to technology investments today.
During the fall, Sony Pictures, an American entertainment subsidiary of Japanese technology and media firm Sony, was hacked in a climate akin to a virtual, modern-day cold war. In June 2014, Pyongyang had allegedly threatened Washington with pitiless action if Columbia Pictures released The Interview, an action comedy film about two journalists’ mission to kill North Korean leader Kim Jong-un.
In November, the “Guardians of Peace,” a group claimed to have ties to North Korea, hacked into the computer system of Sony Pictures Entertainment – Columbia Pictures’ parent company.
The fiasco made it to the ranks of US President Barack Obama, who accused North Korea of complicity in the aggression. In addition to its political dimension, it cost the global enterprise an alleged $30 million in financial losses and considerably more in terms of its market reputation. Attackers had seized 100 terabytes of information with classified marketing and sales information, pilot movie scripts, employee salary negotiations, highly personal medical records and more, straining the company’s employee confidence, standing in terms of investment and general commercial status.
Rather than releasing the film worldwide, Sony limited its showing to select theaters across the US. Ultimately, instead of hitting the nation’s big screens as originally planned, The Interview was demoted to a digital rental. Sony, however, is neither the first, nor the last to suffer such a blow.
From November to December 2014, a different form of hacking hit US merchant Target. As many as 70 million customer mailing addresses, phone numbers, payment card data and emails were reported stolen. In early 2015, another 80 million Anthem clients’ accounts were hacked in the country’s largest healthcare breach.
Several years before, in 2007, TJX Companies stores – which include US retailers T.J. Maxx and Marshalls – had also made headlines following an information leak that affected some 94 million shoppers.
Other important cybercrime victims of the past two years include American e-commerce giant eBay, American construction company Home Depot and JP Morgan Chase bank. US companies, of course, are not the only ones suffering.
Neither are corporations, with other targets including the UK Revenue and Customs Department in 2008, the Chilean Ministry of Education in 2009 and the Greek Government in 2011. In 2010, WikiLeaks leaked highly controversial documents pertaining to the war in Iraq, and 251,287 United States embassy cables dating from 1966 to February 2010 were made public, making communications between the US State Department in Washington DC and 274 embassies around the world readily available to any netizen.
Cracking the hacking types
According to Cyrus Salesse, Co-founder and CEO of KRYPTON, a Middle East-based high value-added service provider in information security and risk management, it is important to differentiate between the various motivations behind a hack.
During an interview with TRENDS, he said that as an information security services firm, KRYPTON classifies potential attack domains into four categories. Those include (1) “Kiddy” attackers, nuisance groups whose ultimate objective is disrupting rather than destroying or personal interest; (2) Criminal attackers, usually competent individuals, who, alone or in a team, target financial institutions or merchants for financial gain; (3) Industrial espionage, which consists of removing, copying or recording a competitor’s critical corporate information; and (4) State-sponsored attacks, such as the recent Sony scandal, which was attributed to North Korea.
Within the first category, the “Kiddies,” Anonymous is perhaps the most infamous. The loose, leaderless network of activists and hackers – also dubbed hacktivists – is associated with more than hundreds of disruptive operations, whose actions have taken place both on and offline, typically for a political cause rather than monetary gain.
Most recently, last February, articles went viral about a seemingly unprecedented blow to the militant Islamic State group, more commonly known as ISIS. Headlines reported that by intercepting dozens of Twitter, Facebook and other online media accounts, Anonymous had done what no government could do – compromised the fundamentalists’ recruitment tactics.
Anonymous has, in addition, targeted corporations, such as during 2010’s Operation Avenge Assange, named after Julian Assange, Founder of WikiLeaks, the international, non-profit platform that publishes secret information, news leaks and classified media from anonymous sources. Following political pressure from governments, notably the US, major corporations including PayPal, Amazon and MasterCard stopped or froze their donation capabilities to the WikiLeaks website. In response, Anonymous launched a series of distributed denial-of-service (DDoS) attacks, which momentarily suspended the relevant companies’ online services. In a 2012 article, the BBC (UK) reported it cost PayPal an estimated £3.5 million ($5.38 million).
Evaluating the threat
“The World Economic Forum report is evidence that we’re still playing catch up on assessing so-called cyber risk,” said Benjamin Dean, Cybersecurity and Internet Governance fellow at Columbia University in New York. He notes that risks change depending on the target.
A “threat model” might be used to plan the defense of a given company’s IT systems, which involves identifying actors with an incentive to attack, as well as the means by which they would conduct the hack, he told TRENDS. According to Dean, the nuclear power sector is especially well prepared, while the retail and health industries, as demonstrated by the recent Target and Anthem attacks, are not. Given that the risks in the banking and financial sectors have been high for a sustained period of time, they are more prepared and also have the resources.
When asked about governments, Dean said it was hard to broadly compare corporations and governments. “They’re such general terms that you lose the meaningful differences between different industries or government agencies. Some corporations are more vulnerable than some government agencies and vice-versa,” he explained.
Nonetheless, it is fairly easy to note that the best prepared government agencies are in the US ‘Intelligence Community’ and their five-eyes intelligence partners, namely the UK, Australia, New Zealand, and Canada, said the fellow. “Israel is also well prepared, but this is for the same reason as the financial sector companies: they face the highest risks but also have the resources to invest in security.”
Indeed, “cybersecurity is not simply a matter of technology,” said KRYPTON’s Salesse; “it has to do with people, process, management and governance.” Zooming in on the Middle East, in particular, he highlighted an ongoing lack of will and maturity to implement better protection models.
A vulnerable Middle East
Part oil-affluent, part war-torn and with a regional corruption index that runs high, the Middle East is seemingly the optimal environment for cybercrime to thrive.
In 2012, a virus infected an alleged 30,000 machines of Saudi Arabia’s major petroleum and natural gas company, Aramco. It took the company more than a week to recover, slowing the oil market down worldwide. Qatar’s RasGas was also hit with the same virus, “Shamoon”, which was later claimed by the “Cutting Sword of Justice” group. Last fall, the Egypt-based subsidiary of the UAE’s Etisalat telecom giant, Etisalat Egypt, was momentarily hacked. Over the past few years, banks have also become common targets.
Hacks in the region, and their success rate, are on the rise, Salesse confirmed to TRENDS, and Cisco’s 2014 Annual Security Report notes a significant increase in the region’s malware attacks, especially in the energy sector. While financial institutions in other countries are legally obliged to report the incidents to the central banks, many of the countries in the region lack such legislation, which, when combined with a sometimes complete absence of government control, exacerbates the situation.
According to Salesse, banks in the Middle East are attacked almost daily and most of the successful hacks have some collaboration (willingly or not) from within. As such, “mitigating risks is directly linked to the level of appreciation of the management [team] and to the value of the data and information held within the organization or entity,” he said; “we had a case in which a Chinese hacker’s footprints had been in the bank for a year and the bank did not even know.” Salesse also gave the example of two regional banks that, together, lost as much as $19 million, cases in which an employee was complicit in the breach.
As for the government’s role in the matter, Salesse said that it varies. Legislation is not quite mature in many markets, especially within the Middle East. In Lebanon, the central bank does not get involved between card companies and the banks. Jordan and Qatar, however, are involved and have imposed certain procedures, such as the PCI Data Security Standard (PCI DSS), a framework establishing a secure payment card data security process.
That being said, nothing is 100 percent guaranteed and there is a limit to the measures one can take, noted the CEO. Many of these processes are also costly and can take as much as a year to kick in.
In the meantime, however, the Cisco 2014 report estimates the Middle East cybersecurity sector to be worth $25 billion over the next ten years, meaning corporations might very well be growing more conscious of the extent of the threat.