Posts

When a Hack Occurs, Is It a True Cyber Attack or Cyberespionage?

Published with Permission by:
Lint, James R., “When a Hack Occurs, Is It a True Cyber Attack or Cyberespionage?”, In Cyber Defense, 20 March 2018, Web, https://incyberdefense.com/featured/hack-occurs-true-cyber-attack-cyberespionage/

By James Lint
Senior Editor for InCyberDefense and Contributor, In Homeland Security

The cyber community needs to get its nomenclature settled with regard to the word “cyber attack.” The term “cyber attack” is popular; it creates good headlines and gets good clicks on search engines.

Cyber professionals, however, need to agree on what a cyber attack actually is. That will help cyber defenders to identify priorities and focus on actual problems.

Lists Such as the ‘Biggest Cyber Attacks’ Need to Be More Precise

Some of the more famous “Biggest Cyber Attacks in 2017” lists can be found on Google and other search engines. But these lists often describe events, not actual attacks.

The lists compiled by CNN, Calyptix, TechRepublic and others mostly include the same cyber events. But are these events really attacks? None of the articles mention permanently damaged systems.

Equifax Hack Was a Theft, Not an Attack

CNN Tech states, “Cybercriminals penetrated Equifax (EFX), one of the largest credit bureaus, in July [2017] and stole the personal data of 145 million people. It was considered among the worst breaches of all time because of the amount of sensitive information exposed, including Social Security numbers.”

CNN used a more accurate description: “Cybercriminals penetrated Equifax.” But other media sources put this event on their list of attacks.

Equifax stock is still listed on the New York Stock Exchange and doing business. The company had to upgrade some of its computers, but it did not appear to suffer permanent damage.

Calyptix said that this cyber event could have been prevented by applying an available software patch months before the attack. But the Equifax hack was probably a robbery of opportunity because the unpatched system was vulnerable to hackers. It’s safe to say the Equifax crime happened because hackers wanted to steal information that could be resold.

Office of Personnel Management Database Hack Was Espionage

On June 15, 2015, the Office of Personnel Management (OPM) reported that it had suffered a data breach. Hackers were able to penetrate an OPM database that contained decades of security clearance information and files. The theft of this data affected 21 million current and former government employees and contractors.

Beth Cobert, Acting Director of the Office of Personnel Management, said, “Millions of individuals, through no fault of their own, had their personal information stolen and we’re committed to standing by them, supporting them, and protecting them against further victimization. And as someone whose own information was stolen, I completely understand the concern and frustration people are feeling.”

Writing on the Rand Blog, international policy analyst Larry Hanauer said, “The theft of personal information regarding millions of government employees and their associates from an Office of Personnel Management database — which cybersecurity experts have attributed to China — represents an enormous intelligence threat that is still not fully understood.”

Hanauer said the real threat is that “China’s intelligence services could use the data to identify people with financial difficulties, learn potentially embarrassing personal information (such as drug use or mental health issues), or tap into lists of contacts and organizational affiliations to develop seemingly innocuous communications designed to elicit information.”

The OPM hack was clearly espionage. It is definitely a different type of espionage from the days of dead drops and spies grabbing information captured by miniature cameras.

However, today’s counterintelligence workforce may not need photography skills. Instead. cyber skills will be increasingly in demand to prevent events such as the OPM hack from occurring again.

Titan Rain: A Continuing Cyberespionage Effort to Target US Government Secrets

Since 2003, Chinese hackers have been targeting U.S. computer systems in an attempt to gain U.S. secrets. These hackers are part of a wider espionage ring called “Titan Rain.” In 2005, Time magazine described this Chinese cyberespionage conducted against the U.S. government.

ZDnet reported, “The hackers…are thought to have stolen U.S. military secrets, including aviation specifications and flight-planning software. The U.S. government has coined the term ‘Titan Rain’ to describe the hackers.”

The attackers allegedly grabbed specs from the Redstone Arsenal for the mission-planning system for Army helicopters. Unfortunately, the problem with cyberespionage is you often never know what was stolen until much later.

Cyberespionage Is a Better Term Than Cyber Attack

The proper word we should use to better describe some of these hacks is “cyberespionage.” The Oxford English Dictionary defines cyberespionage as “The use of computer networks to gain illicit access to confidential information, typically that held by a government or other organization.”

To avoid further confusion, cyberespionage is the word that should be taught to future cyber defenders and espionage professionals.

About the Author

James R. Lint recently retired as the (GG-15) civilian director for intelligence and security, G2, U.S. Army Communications Electronics Command. James has been involved in cyberespionage events from just after the turn of the century in Korea supporting 1st Signal Brigade to the DHS Office of Intelligence and Analysis as the first government cyber intelligence analyst. He has 38 years of experience in military intelligence with the U.S. Marine Corps, U.S. Army, government contracting and civil service.

Additionally, James started the Lint Center for National Security Studies, a nonprofit charity that recently awarded its 49th scholarship for national security students and professionals. James was also elected as the 2015 national vice president for the Military Intelligence Corps Association. He has also served in the Department of Energy’s S&S Security Office after his active military career in the Marine Corps for seven years and 14 years in the Army. His military assignments include South Korea, Germany and Cuba, in addition to numerous CONUS locations. In 2017, he was appointed to the position of Adjutant for The American Legion, China Post 1. James has authored a book published in 2013, “Leadership and Management Lessons Learned,” a book published in 2016 “8 Eyes on Korea, A Travel Perspective of Seoul, Korea,” and a new book in 2017 Secrets to Getting a Federal Government Job.”

Regular Software Patches Could Have Prevented Equifax Breach

Published with Permission by:
Lint, James R., “Regular Software Patches Could Have Prevented Equifax Breach”, In Cyber Defense, 3 October 2017, Web, http://incyberdefense.com/james-lint/regular-software-patches-prevented-equifax-breach/

By James Lint
Faculty Member, School of Business, American Military University
Senior Editor for
 In Cyber Defense and Contributor, In Homeland Security

We often think of Equifax as a company that can be trusted to securely save and control our personal information. But as CNN Money’s Kaya Yurieff reported in September, “A huge security breach at credit reporting company Equifax has exposed sensitive information, such as Social Security numbers and addresses, of up to 143 million Americans.”

It seems that some rookie mistakes were made. However, this breach provides good lessons that can be used to protect future victims.

Splitting Up Your Security May Make for a Weaker Brand

Wired Magazine reported that Equifax started directing potential victims of the breach to a new, quickly constructed website called “equifaxsecurity2017.com.” However, “quickly” often does not mean securely built. Bugs were found in the new site, which was ostensibly designed to discuss protection from breaches.

This revelation is not a confidence builder for Equifax victims. It would have been logical to put the information on the website Equifax.com, which was already online and branded. Using the existing Equifax website would have given customers more confidence that they were getting the correct information.

One possible reason for this change to a new website might have been that Equifax did not trust its own security on its branded website. Yes, Equifax was hacked, but it was the databases containing personal information that were hacked. Normally, the main website could be secured again quickly from a backup disk.

The new website asked people to input the last six digits of their Social Security number to check if their information was compromised in the breach of Equifax servers. But the website asking for this information also had bugs.

Again, that was not a confidence builder for Equifax. Future organizations in Equifax’s situation will probably try to remain on their branded sites.

Using an Established Branded Website versus a Non-Branded Website

Nick Sweeting, a web developer, thought it strange for Equifax to set up a non-branded website. He set up “securityequifax2017.com” (note: the fake site’s name was a simple transposition of two words) to show how traffic could be driven to a wrong or malicious website. Sweeting created the site not to cause harm, but to show the potential damage a non-branded website could do.

Sweeting set up the bogus phishing site to expose vulnerabilities that existed in Equifax’s response page. “I made the site because Equifax made a huge mistake by using a domain that doesn’t have any trust attached to it [as opposed to hosting it on equifax.com],” Sweeting told The Verge.

Compounding the confusion for Equifax victims, customers were sent to Sweeting’s website when they called the Equifax help desk. One Equifax employee even tweeted Sweeting’s fake website four times. Luckily, the alternate URL was not malicious.

“A day after the breach and launch of the legitimate help website, scammers had created 194 phishing websites that shared similar addresses with equifaxsecurity2017.com,” USA Today reported on September 21.

Equifax Acknowledged that It Failed to Ensure Software Patches Were Properly Installed

According to a September 24 Wired article by Lily Hay Newman, “The fact that attackers got into Equifax’s systems through a known vulnerability with a patch available galls security analysts. But the company also acknowledged that it knew about the patch when it was first released, and had actually attempted to apply it to all its systems.”

The fact that the company failed to ensure that the patches were properly installed and tested does not bode well for any future court actions against Equifax.

Newman also quoted Michael Borohovski of Tinfoil Security, who commented on Equifax’s mistake of tweeting out the wrong website for victims of the hack: “When your social media profile is tweeting out a phishing link, that’s bad news bears.”

We like to believe that large companies holding the credit history of over 100 million Americans is incredibly strong. Sometimes, that is an illusion.

In this case, just as in the WannaCry ransomware attacks, the Equifax security breach could have been prevented if the company had installed updates on all of its systems. However, this did not happen and Equifax became the latest victim of a preventable hack.

Former Equifax CEO to Face the Senate Committee on Banking, Housing and Urban Affairs on October 4

Equifax’s former CEO, Richard Smith, is scheduled to talk with a Senate committee on October 4. Their discussions will cover Equifax’s security lapses and the Equifax executives who sold stock before this breach was discovered. Currently, there is no proof of insider trading on privileged information, but the appearance of wrongdoing is there.

One of the worst management mistakes made by Equifax in the handling of this incident was stated in CNN Money. Journalist Jackie Wattles noted that “Equifax initially asked affected customers to give up their right to sue the company in exchange for credit monitoring services.”

The concept of breaking even or making a profit during a crisis breach is unusual. Many victims viewed it as outrageous that Equifax wanted to charge fees for doing credit freezes to protect themselves from Equifax’s errors.

Additionally, the idea of giving up the ability to sue for damages in exchange of protection created a public relations nightmare. The company stock has rapidly fallen by 32%. This shows that crisis management and cyber defense failures are costly to executives who are often paid bonuses based on stock prices.

Did State-Sponsored Espionage Play a Role in the Equifax Hack?

While investigations are still continuing, the hackers who penetrated Equifax used techniques that are similar to the techniques used by nation-state hackers. Bloomberg reported, “One person briefed on the probe being conducted by the Federal Bureau of Investigation and U.S. intelligence agencies said that there is evidence that a nation-state may have played a role, but that it doesn’t point to China. The person declined to name the country involved because the details are classified.”

Later, the same article showed that “One of the tools used by the hackers — China Chopper — has a Chinese-language interface, but is also in use outside China.” Most espionage hacks have layers to hide the true identity of the nation-state doing the hack. It will take a few more months to hopefully work towards the attribution of a nation-state identity.

The Golden Rule of Cybersecurity: Patch Now, Patch Often

If this were a humorous article, it might be worth mentioning that in Argentina, Equifax had a system running on weak credentials. Both the login and the password were “admin.”

Of course, this is not a humorous article. The havoc caused by the Equifax breach will last for years. And it could all have been avoided by simply updating the system with the new software patches.

About the Author

James R. Lint recently retired as the (GG-15) civilian director for intelligence and security, G2, U.S. Army Communications Electronics Command. He is an adjunct professor at AMU. James has been involved in cyberespionage events from just after the turn of the century in Korea supporting 1st Signal Brigade to the DHS Office of Intelligence and Analysis as the first government cyber intelligence analyst. He has 38 years of experience in military intelligence with the U.S. Marine Corps, U.S. Army, government contracting and civil service.

Additionally, James started the Lint Center for National Security Studies, a nonprofit charity that recently awarded its 45th scholarship for national security students and professionals. James was also elected as the 2015 national vice president for the Military Intelligence Corps Association. He has also served in the Department of Energy’s S&S Security Office after his active military career in the Marine Corps for seven years and 14 years in the Army. His military assignments include South Korea, Germany and Cuba, in addition to numerous CONUS locations. In 2017, he was appointed to the position of Adjutant for The American Legion, China Post 1. James has authored a book published in 2013, “Leadership and Management Lessons Learned,” a book published in 2016 “8 Eyes on Korea, A Travel Perspective of Seoul, Korea,” and a new book in 2017 Secrets to Getting a Federal Government Job.”