Once upon a time, breaking into the Democratic National Committee required non-virtual thieves picking real door locks and going through file cabinets. And stealing the design secrets of a fighter jet was considered a “black bag” job that utilized the talents of a spy who knew how to work a tiny spy camera. Then, the stealthy spy could pass the microfilm to a courier by exchanging identical briefcases.
Times have changed.
In the last few days, two stories have shown us, if we still needed more evidence, how modern espionage has evolved into hacking. Cyber spies can conduct first-class intelligence operations without leaving their desks at the IT departments of their Dr. Evil-ish security agencies.
Spies Like Us
Yesterday, The Washington Post said that Russian government hackers had penetrated the DNC’s computer network.
According to security experts who were brought in by the DNC, the cyber spies thoroughly compromised the DNC’s computers and were able to read all email and chat traffic.
Unfortunately, this news is hardly a surprise. In fact, we predicted this would happen.
It’s believed that two separate and perhaps competing Russian hacking groups were involved, with one of them having broken into the DNC network as far back as last summer. No financial information about donors was taken. The hackers were engaging in espionage, gaining access to the DNC’s opposition research on Donald Trump.
And then on the Korean peninsula, South Korean officials said 40,000 documents related to the wing design of the US’s F-15 fighter jet had been taken by their friendly neighbors to the north.
We have more information about the Russian spies, so let’s look at that incident first.
One of the Russian cyber groups involved in the DNC was identified as Cozy Bear. This is the same group responsible for attacks at the White House. The second group is called Fancy Bear, and they have been known to exploit zero-day vulnerabilities.
Security experts say that both groups have also used phishing attacks in the past. Cozy Bear and Fancy Bear are believed to be connected to Russian intelligence agencies.
At this point, though, we’re not sure exactly how the gangs broke into the DNC network.
However, we do know that once in, they inserted remote access trojans (RATs) and implants that allowed them to remotely log keystrokes, execute commands, and transfer files. The Russian cyber gangs also used Command and Control (C2) techniques, which embed the commands to control the RATs in an HTTP stream.
As far as IT admins were concerned, some users at the DNC were communicating with one or more web sites, when in fact these C2 web sites were run by the cyber gangs and used to orchestrate the attack.
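One detection that follows directly from the C2 description above: a RAT polling its controller over HTTP tends to check in on a timer, so its requests arrive at nearly regular intervals, whereas a person browsing a site produces bursty, irregular traffic. The script below is an added example written for this post (not code from the original article or from Varonis). It assumes a simplified, constructed proxy-log format of `timestamp user host bytes` and flags user/host pairs whose inter-request gaps have a low coefficient of variation.

```python
"""Spot regular HTTP beaconing in proxy logs (added example, constructed data)."""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "alice" contacts one host roughly every 60 seconds
# (what a timer-driven implant looks like); "bob" browses a news site normally.
SAMPLE_LOG = """\
2016-06-14T09:00:00 alice updates.example-cdn.test 512
2016-06-14T09:01:01 alice updates.example-cdn.test 540
2016-06-14T09:02:00 alice updates.example-cdn.test 511
2016-06-14T09:02:59 alice updates.example-cdn.test 530
2016-06-14T09:04:00 alice updates.example-cdn.test 520
2016-06-14T09:05:01 alice updates.example-cdn.test 515
2016-06-14T09:00:10 bob news.example.test 23000
2016-06-14T09:03:42 bob news.example.test 18000
2016-06-14T09:11:05 bob news.example.test 31000
2016-06-14T09:40:20 bob news.example.test 9000
2016-06-14T10:02:50 bob news.example.test 27000
2016-06-14T10:03:20 bob news.example.test 25000
"""


def parse_log(text):
    """Parse the constructed 'timestamp user host bytes' format."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, size = line.split()
        records.append((datetime.fromisoformat(ts), user, host, int(size)))
    return records


def find_beacons(records, min_requests=5, max_cv=0.2):
    """Return (user, host, median_gap_seconds, cv) for suspiciously regular traffic.

    cv is the coefficient of variation (stdev / mean) of the gaps between
    consecutive requests. Human browsing is bursty (high cv); an implant
    checking in on a fixed timer is close to 0 even with a little jitter.
    """
    by_pair = defaultdict(list)
    for ts, user, host, _size in records:
        by_pair[(user, host)].append(ts)

    hits = []
    for (user, host), times in by_pair.items():
        if len(times) < min_requests:      # too few samples to judge regularity
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            hits.append((user, host, statistics.median(gaps), round(cv, 3)))
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print("possible beacon:", hit)
```

On the constructed data only the alice/updates.example-cdn.test pair is reported (median gap 61 s, cv about 0.016). In practice the threshold and minimum request count need tuning per environment, since legitimate software such as update checkers also polls on a timer; the value of the check is that it narrows the audit trail to a short list worth a human look.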
The Russian cyber spies also hid their actions by using PowerShell commands — malware-less hacking. And they also stole credentials with Mimikatz, which was run as a stealthy PowerShell script, in a Pass-the-Hash/Pass-the-Ticket attack.
Putting on our intelligence analyst’s hat, I think we can say with good confidence that the North Koreans used similar techniques. A phish mail, for example, involving fake Apple IDs was used to initially enter Sony in Pyongyang’s massive doxing of that company.
The current attack that was launched against Korean Air Lines began in 2014. The North Korean cyber spies likely used the aforementioned stealth techniques to keep their implants and document exfiltration activities below the radar.
If you’ve been following along, none of the above — unfortunately — should be new to you. In fact, for anyone who’s been keeping track of hacking incidents over the last few years, these different techniques and tools are just familiar parts of the landscape.
We’ve known for a very long time that smart hackers get around perimeter defense using phishing, SQL injection, or zero-day vulnerabilities. And then once in, they have many ways to remain stealthy and avoid triggering virus scanners.
Instead of trying to build a higher wall, a more practical approach is to spot the hackers when they’re inside and then prevent them from accessing and exfiltrating sensitive data.
In both the DNC and Korean Air Lines incidents, the IT teams eventually noticed some anomalies. However, at that point, it was far too late in terms of preventing the surveillance of internal emails and the removal of data.
A far better solution is to automate the anomaly detection so that when files are accessed at unusual times for a given user, or PowerShell executables are launched by users who rarely or never run them, the alarms will go off.
We are, of course, talking about User Behavior Analytics (UBA). As these incidents teach us, the protection of sensitive data is too important to be based on hunches or the blind luck of an alert IT person looking at audit trails.
Instead, UBA’s predictive algorithms can compare current access patterns against historical records in order to spot the hackers closer to real time.
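To make the baseline-and-compare idea concrete, here is an added example (my own illustration, not Varonis code) that implements the two alarms named above: a file accessed at an hour that is unusual for that user, and PowerShell started by a user who has never run it. It assumes a constructed audit-trail format of `timestamp user event detail`, where `event` is either `FILE_READ` or `PROCESS_START`; the history and the observation window are both constructed inline.

```python
"""Baseline user behaviour from history, then flag deviations (added example)."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed history (ten working days in May): alice reads finance files
# during office hours and never starts PowerShell; carol is an admin who runs
# PowerShell daily and reads logs late at night, so that is normal for her.
BASELINE_LOG = "\n".join(
    [f"2016-05-{d:02d}T{h:02d}:15:00 alice FILE_READ /srv/finance/q2.xlsx"
     for d in range(2, 12) for h in (9, 11, 14, 16)]
    + [f"2016-05-{d:02d}T10:00:00 carol PROCESS_START powershell.exe"
       for d in range(2, 12)]
    + [f"2016-05-{d:02d}T22:00:00 carol FILE_READ /srv/it/backup.log"
       for d in range(2, 12)]
)

# Constructed observation window: alice's account touches a sensitive file at
# 03:12 and then starts PowerShell; carol's PowerShell use and alice's
# afternoon read are both in character.
NEW_EVENTS = """\
2016-06-13T03:12:00 alice FILE_READ /srv/finance/donors.xlsx
2016-06-13T03:14:00 alice PROCESS_START powershell.exe
2016-06-13T10:05:00 carol PROCESS_START powershell.exe
2016-06-13T14:30:00 alice FILE_READ /srv/finance/q2.xlsx
"""


def parse(text):
    """Parse the constructed 'timestamp user event detail' lines."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, event, detail = line.split(maxsplit=3)
            events.append((datetime.fromisoformat(ts), user, event, detail))
    return events


def build_baseline(events):
    """Per user: how often each hour-of-day saw file access, and which processes ran."""
    hours = defaultdict(Counter)   # user -> Counter(hour -> file accesses)
    procs = defaultdict(Counter)   # user -> Counter(process name -> starts)
    for ts, user, event, detail in events:
        if event == "FILE_READ":
            hours[user][ts.hour] += 1
        elif event == "PROCESS_START":
            procs[user][detail.lower()] += 1
    return hours, procs


def detect(events, baseline, min_hour_share=0.05):
    """Return (user, alert_type, timestamp, detail) for events outside the baseline.

    A file access is unusual when that hour accounts for less than
    min_hour_share of the user's historical accesses (a user with no history
    at all is therefore flagged on every access, which is the safe default).
    A PowerShell start is flagged when the user has never run it before.
    """
    hours, procs = baseline
    alerts = []
    for ts, user, event, detail in events:
        if event == "FILE_READ":
            total = sum(hours[user].values())
            share = hours[user][ts.hour] / total if total else 0.0
            if share < min_hour_share:
                alerts.append((user, "unusual-hour-access", ts.isoformat(), detail))
        elif event == "PROCESS_START":
            name = detail.lower()
            if name.endswith("powershell.exe") and procs[user][name] == 0:
                alerts.append((user, "first-powershell-use", ts.isoformat(), detail))
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(parse(BASELINE_LOG))
    for alert in detect(parse(NEW_EVENTS), baseline):
        print(alert)
```

Run against the constructed data, the detector raises exactly two alerts, both for alice: the 03:12 read of donors.xlsx and the 03:14 PowerShell start. Carol's PowerShell use is silent because the baseline shows it is routine for her, which is the point of comparing each user against their own history rather than against a global rule.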
Think of UBA as giving your IT group the power to spy on hackers and cyberspies. It’s far more efficient and cheaper than training and outfitting an agent. Sorry, 007!
Got UBA? Learn more about how Varonis can protect your data.