Inspecting the global underground of cyber espionage

The WannaCry ransomware set a historical milestone in the evolution of cyber threats. The incident illustrates the vulnerable interaction of the digital domain with critical infrastructure, public services and industry. Security experts are now looking at the strategic implications of global cyberattacks.

Kenneth Geers

– WannaCry demonstrates the global nature of the cyber threat, reaching far beyond traditional sovereignty and law enforcement jurisdictions. The WannaCry worm spread across 150 countries within one day, and the list of victims, from Britain’s National Health Service to Deutsche Bahn, Spain’s Telefónica and FedEx, suggests that cyberattacks threaten both civil society and national security, says Kenneth Geers, senior research scientist at Comodo.

Geers was formerly a Senior Global Threat Analyst at FireEye. He wrote “Strategic Cyber Security” and edited “Cyber War in Perspective” and “The Virtual Battlefield”. I met Geers at the Paranoia 2017 Conference on Cyber Security in Oslo, Norway.

The attribution problem

Identifying the perpetrator and analyzing the motive behind a cyberattack is difficult, but it is an important job for cyber security researchers.

– There is simply too much antiquated and vulnerable infrastructure in the world, offering potential attackers fertile ground for a myriad of malicious campaigns. Nation-state involvement is possible, and the small amount of money actually paid to the WannaCry attackers suggests that its true purpose could be political, such as a false flag, proof-of-concept, or distraction of the world’s attention from some other, more important, and hidden operation, says Geers.

Cyber forensics is challenging work because it is easy for nation states to hire private hackers as cover.

– The number one problem is attributing an attack to a specific state. With global infrastructure, hackers can route the attack across the entire planet. We do C2 (command and control) server analysis and map communication between servers on a global scale. Advanced command and control analysis can identify attackers, associate attacks, and disrupt ongoing malicious activity. On some level, there is communication between all the countries of the world and most attribution mapping uses a very large dataset over many years, he says.

Putting crumbs together

Geers is trying to figure out who is watching and for what purpose.

– In big cases, like Moonlight Maze with Russia and Ghostnet with China, the studies collected enormous amounts of data over many years. We found that the majority of the hands-on code management happened between 9 am and 5 pm Russian and Beijing time. When collecting data over several years we can attribute the attack with a high level of certainty, he says.
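The working-hours heuristic Geers describes, as an added illustration that is not code from the interview or from any of the projects named in it: activity timestamps recovered in UTC are shifted into each candidate timezone and the zone is scored by how many events fall into a weekday 09:00 to 17:00 window. The zone names, offsets and sample timestamps are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Candidate zones as fixed UTC offsets (DST ignored for simplicity).
# The two zones the interview names, plus two controls.
CANDIDATE_ZONES = {
    "Beijing (UTC+8)": 8,
    "Moscow (UTC+3)": 3,
    "London (UTC+0)": 0,
    "New York (UTC-5)": -5,
}

def parse_utc(lines):
    """Parse 'YYYY-MM-DD HH:MM' strings as timezone-aware UTC datetimes."""
    return [datetime.strptime(s, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)
            for s in lines]

def business_hours_score(events_utc, offset_hours, start=9, end=17):
    """Fraction of events that land on a weekday between start (inclusive)
    and end (exclusive) once shifted into the candidate zone."""
    if not events_utc:
        return 0.0
    tz = timezone(timedelta(hours=offset_hours))
    hits = 0
    for ts in events_utc:
        local = ts.astimezone(tz)
        if local.weekday() < 5 and start <= local.hour < end:
            hits += 1
    return hits / len(events_utc)

def rank_zones(events_utc, zones=CANDIDATE_ZONES):
    """Score every candidate zone and return (name, score), best fit first."""
    scored = [(name, business_hours_score(events_utc, off))
              for name, off in zones.items()]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)

# Constructed sample: ten UTC timestamps standing in for compile times or
# commit times recovered from malware samples. Not real data.
SAMPLE_EVENTS_UTC = parse_utc([
    "2017-05-15 01:30", "2017-05-15 03:10", "2017-05-15 05:45",
    "2017-05-16 02:20", "2017-05-16 07:05", "2017-05-17 08:40",
    "2017-05-18 01:55", "2017-05-18 10:30", "2017-05-19 04:15",
    "2017-05-20 03:00",  # a Saturday: counts against every zone
])

if __name__ == "__main__":
    # A strong skew towards one zone is one crumb, never proof on its own:
    # compile timestamps are easy to forge, which is how a false flag is built.
    for name, score in rank_zones(SAMPLE_EVENTS_UTC):
        print(f"{name:18s} {score:.0%} of events in the weekday 09-17 window")
```

With the constructed sample, Beijing scores 80% and Moscow 30%, so the skew is clear only because the data was built that way; on real data the result is one input to the kind of multi-year picture Geers describes.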

– We also analyze what the hackers are looking for. If someone is looking for information about “torpedo propeller math”, it is obvious that this is not a minor hacker. Besides Chinese or Russian intelligence, very few organizations are interested in this topic. If you put all these crumbs together you get a better picture, says Geers.

Manipulating the perception of reality

Geers is a member of the NATO Cyber Center and the Atlantic Council, and has over 20 years of experience from the US Army, NSA and NCIS. According to Geers, the most important aspect of cyber security is the ability to manipulate the perception of reality.

– Look at how Stuxnet in Iran not only destroyed physical infrastructure, but also changed the screen the industrial control systems managers were looking at. This is not just a technical marvel – it is also a philosophical one, says Geers.

Geers points to Operation Orchard in 2007 where the Israeli Air Force bombed a nuclear reactor in Syria.

– How did the Israeli planes cross the border into Syria without being shot at? The most likely explanation is that Israel hacked Syrian air defense infrastructure. Nobody knows this for sure, but the Syrian air defense specialists could have been watching yesterday’s clouds, he says.

The security industry knows from Trojan attacks aimed at the banking industry that it is possible, for a period, to manipulate finances.

– Cyber criminals can steal money from your bank account, but you cannot see it from your own computer. Not only do they manipulate physical bits but also someone’s perception of reality. All we know is what we know from the computer screen, which opens the door to “man-in-the-middle” attacks, he says.

The digital “order of battle”

A key activity of hostile nations is mapping vulnerabilities in the infrastructure to prepare for future attacks.

– There is automated code for mapping vulnerabilities, and countries like Russia or China do this all the time to map target infrastructure. Intelligence agencies have automated code to assess “order of battle”, he says.

Traditionally, “order of battle” is about how many tanks and planes the enemy has, where they are located, and how to prioritize attacks.

– With automation, an attacker can assess a target’s “order of battle” and potential vulnerabilities in cyber space across the entire planet in a few minutes. We sometimes feel overwhelmed by the amount of data, but we are making better code to slice through it. We have tools to analyze and understand huge amounts of data at a strategic scale, he says.

Diplomatic solutions

Geers is frustrated that even with comprehensive attribution analysis, there is little one can do to stop similar attacks in the future. He believes that diplomacy has a crucial role in stabilizing the world of cyber security.

– Both Obama and Trump have met with Xi Jinping. After these meetings, there was a massive decrease in data collection from China in the USA. I am sure there is a lot of espionage still going on, but this indicates that there is a diplomatic solution to these problems, says Geers.

The cyber security industry has seen how the NSA, the CIA and the Democratic Party were doxed. Geers finds it hard to imagine bigger targets, but thinks the US and Europe are well prepared for a real cyber war.

– In the end, the West is ultimately in the stronger position. The same way that Napoleon and Hitler were surprised by the strategic depth of Russian geography, the strategic depth of cyberspace will surprise anyone attacking the USA. In the event of a real cyber war, whatever that looks like, the USA will use this strategic depth to win, he says.