Digital Identity Blog

Thought leadership for cybersecurity, fraud and digital channel professionals

Son of a Breach: The Latest Generation of Hackers Made 2012 One Long Incursion for Four Organizations.

Posted
ThreatMetrix
By ThreatMetrix
ThreatMetrix®, The Digital Identity Company®, is the market-leading cloud solution for authenticating digital personas and transactions on the Internet. Verifying more than 20 billion annual transactions supporting 30,000 websites and 4,000 customers globally through the ThreatMetrix Digital Identity Network®, ThreatMetrix secures businesses and end users against account takeover, payment fraud and fraudulent account registrations resulting from malware and data breaches.
Follow ThreatMetrix ThreatMetrix's Most Recent Posts:

This year proved to be an especially long, hard one for the IT departments of four high-profile organizations, whose networks and databases were in the words of darkreading.com, “thoroughly owned by hackers for months and years at a time, often undetected until government agents came to let them know they’d been compromised….”

Ericka Chickowski, a darkreading.com contributing writer, reviews the four long-term hacks that rocked 2012:

1. U.S. Chamber of Commerce

In the waning days of 2011, news broke that the U.S. Chamber of Commerce fell victim to a year-long attack from Chinese hackers — a common origin for many of the long-term hacks described here. In this instance, the FBI told the chamber that attackers were using servers in China to steal information from its network. The organization could never pinpoint an initial point of entry, but as it investigated it found that attackers had booby-trapped its entire network with backdoors to better steal from its data stores.

Security professional Joe Gottlieb observed that the “publicity of this attack gave us food for thought through the New Year about the way hackers had upped their game in strategic targeting against organizations of all types. It showed a ‘new level of sophistication.’

“The hackers were able to choose the targeted organization — the U.S. Chamber of Commerce. They were able to choose the people within that organization that mattered to them — the individuals known to be working on Asia policy…They were able to obtain all email content, including attachments, exchanged between these individuals and other organizations, several of which must have been relevant to the matters of interest.”

2. Nortel

If one year of unfettered compromise of network and database resources seemed bad, how about ten times that? The security industry had its worst suspicions confirmed about how long attackers could hold onto corporate infrastructures when The Wall Street Journal published insider information that shed light on Nortel’s decade spent under the thumb of Chinese hackers prior to the company’s parceling itself out to Avaya and several other tech firms in fire sales over the course of 2009 and 2010. Interestingly, Nortel did have a whiff of the unmitigated takeover of its network, but never let on to its acquirers about the bad news.

Security researcher Marcus Carey said “The sad reality is that it’s highly likely that Nortel isn’t the only company that has been breached for a long time and is just now deciding to disclose it….”

The Wall Street Journal story heavily featured a former employee who led internal investigations about the attacks who was continually blown off by executives as someone “who cried wolf.” This scenario truly highlights the necessity of consensus building and skilled communication coming from the security department in order to truly catalyze the change necessary to detect and stop the pwnage (to be controlled against your will or defeated by a superior power – in case you hadn’t heard the word before) in its tracks.

3. Japan Finance Ministry

This July, the Japan Finance Ministry let slip that it had been the target of a two-year-long incursion into its networks in 2010 and 2011 by hackers using a remote access Trojan. The malware wasn’t discovered until well after it was active, but Japanese officials said its initial investigation this summer uncovered 123 of 2,000 computers checked were infected.

The long-term viability of a Trojan on Japanese government PCs offers a good example of how today’s attackers are using obfuscated malware to conduct stealthy attacks.

“To get at the root of the problem, security professionals must leverage a great many tools and employ in-depth (and often manual) analysis of log files, network traffic and program code,” wrote Stephen Cobb, author of the recent InformationWeek report, “How Did They Get In? A Guide to Tracking Down the Source of APTs (Advanced Persistent Threats – in case you hadn’t heard that acronym before and wondered why somebody was trying to track down the source of apartments).”

4. Coca-Cola

Any industry vet would tell you that one of the most favorite example scenarios presented at security conferences about IP theft inevitably wander toward analogies that involve Coca-Cola. “If you were Coke and your IP was stolen, what would that mean to your business?” is the type of hypothetical that plenty of speakers have bandied about. But this week the hypothetical was shown to actually have some basis in fact when a report by Bloomberg Business Week uncovered an attack on Coca-Cola in 2009 that cut so deep into intellectual property and secret company data that insiders say it played a hand in scuppering (naval slang for scuttling, which is naval talk for sinking) the beverage giant’s bid to buy a Chinese drinks conglomerate.

Security experts say the attack once again shows the critical need to lock down privileged accounts, as reports show that the Coca-Cola compromise came about first through spearphishing and then got worse through the use of attack targets’ legitimate network credentials.

Security expert Adam Bosnian posited, “Whether they’re called hard-coded passwords, admin passwords, or privileged accounts, they’re all privileged access points that provide a direct — and often anonymous — route to an organization’s most sensitive data and infrastructure.”

ThreatMetrix
By ThreatMetrix Posted