From wiper attacks to cyber extortionists, here are some "old faves and new twists" feds should be mindful of.
Hacking trends are not like fashion fads. They don't go in and out each year. They withstand defenses by advancing, in terms of stealth and scope.
So there will be no 2015 "What’s Hot and What’s Not" list of cyber threats confronting federal agencies.
Instead, here is a list of hacker "Old Faves and New Twists" feds should be mindful of.
Old Fave #1: Distributed Denial of Service, or DDoS, attacks that shut down agency systems temporarily by bombarding them with bogus traffic
New Twist: Wiper attacks that destroy and leak government data. A wiper virus allegedly was used against Sony to copy and erase company hard drives
This development is not new. In 2012, bad guys wielded the so-called Shamoon virus to wipe clean 30,000 employee work stations at Saudi Aramco, Saudi Arabia’s state-owned oil company.
What is new is the potential magnitude of the devastation, says Dave Aitel, a former NSA computer scientist. "I would say this is the No. 1 threat that U.S. corporations, critical infrastructure, state-local governments and the federal government should be concerned with," he says.
Trend Micro Chief Cybersecurity Officer Tom Kellermann, a former World Bank data risk analyst, puts it bluntly: Now, "hackers burn the house down after burglarizing it.”
Experts still expect DDoS attacks to pose a threat, as they evolve in sophistication. There is a growing underground market for "rent-a-bots," hordes of hacked computers that criminals can borrow, for a fee, to amplify their attacks, Aitel says.
"DDoS extortion and DDoS as cover for a more serious attack," such as data removal, "are just a few updates on an old attack that should be taken seriously going forward," he says.
Old Fave #2: Malicious insiders who leak data, like ex-federal contractor Edward Snowden and former soldier Chelsea Manning, who both exposed classified intelligence
New Twist: Unwitting insiders who leak data, including third-party contractors who leave network passwords lying around
"Everybody is worried about service providers, from the HVAC providers to professional services firms," says Alan Raul, lead for Sidley Austin's privacy, data security and information law practice. Target’s HVAC vendor, for example, allegedly fell for a phishing email that stole his passcode to the retailer’s payment system.
That said, Raul and other analysts stress agencies still should be worried about willful leakers. "Wikileaks, in my view, is one of the first cyber weapons we’ve seen," says Aitel, now chief executive officer of security consultancy Immunity, referring to the website to which Manning spilled secrets.
Old Fave #3: Retailer payment system infections that scrape credit card data
New Twist: Feds fight back with chip-and-PIN government purchase cards.
"If PIN and chip, or PIN and sign, were to come into force as the government has mandated for federal credit card usage," under an October presidential executive order, "that should make point-of-sale scraping less risky . . . with any luck, we will be moving away from that," says Raul, a former vice chairman of the White House Privacy and Civil Liberties Oversight Board.
Old Fave #4: Criminals bust agency networks to steal personal information so they can sell it to identity thieves
New Twist: Extortionists break into networks to steal business data so they can blackmail organizations with it. Ask Sony about this.
Criminal groups will find it harder to make money off filched IDs, as personal information becomes better protected and chip-and-PIN payment cards reduce fraud, says Chris Finan, former White House cyber adviser and cyberwarfare planner for the Defense Advanced Research Projects Agency.
However, as C-suites grow increasingly concerned about leaks denting reputations, hackers who hold sensitive data hostage will reap rewards, he says.
Old Fave #5: Piercing cloud servers to steal credentials stored in bulk on the Web
New Twist: Raiding a multitude of individuals’ smartphones for data stored inside the device itself, in apps like ApplePay and Bitcoin wallets
“Consumers will increasingly host payment data on mobile devices as more convenient mobile payment methods gain adoption,” says Finan, now head of cyber startup Manifold Security. “Malware that rips payment credentials from mobile devices at scale will become more prevalent, as batch extraction from central servers becomes more difficult.”
Old Fave #6: Hackers redirect news website visitors, including federal employees, to evil, impostor websites
New Twist: Hackers pollute legitimate news sites with invisible malware that gloms on to government computers
Kellermann’s research points to a 600 percent increase in these “watering hole” attacks this year.
Old Fave #7: Attackers hijack systems remotely through the Web
New Twist: Attackers command systems through online and real-world trespassing
"Think a possible attack on an electrical substation," says Mike McNerney, a security consultant at Delta Risk who previously served as a cyber policy adviser for the secretary of defense.
Old Fave #8: Stealing intellectual property to use for competitive advantage, as in the many cases where Chinese nationals allegedly stole IP from U.S. companies and agencies
New Twist: "Using information itself as a weapon to embarrass, intimidate or extort,” McNerney says
Old Fave #9: Terrorist organizations, like al Qaida, recruit extremists through social networks
New Twist: Terrorists corrupt computer networks
"While a significant computer network attack capability -- at least on par with major nation states -- may not be within the reach of organizations such as ISIS in the very near term, they may increasingly turn to cyber extortion as a means to supplement their kidnapping and ransom business," says Frank Cilluffo, director of the Homeland Security Policy Institute at George Washington University. This could mean injecting "ransomware" that freezes a computer's data until the victim divulges certain information, in essence kidnapping data.
Old Fave #10: Cyber gangs expand their criminal networks to move stolen IDs and cash
New Twist: Cyber gangs team with the real-world mafia to move product
"As the physical and cyber domain converge, so too will organized crime -- old criminal organizations will increasingly cooperate with their newer tech savvy criminal counterparts," says Cilluffo, who served as a special assistant to President George W. Bush. Russian organized crime “will take on even greater significance in both the cyber and physical domain in the days ahead.”