What Goes Around Comes Around: Russia Gets Hacked

Russia has been a prime suspect in recent cyberattacks launched against U.S. government targets. However, Russia has been poked with the other end of the hacker stick.

For more than two months, hacker attacks originating in China have bedeviled Russia’s military and telecom sectors, researchers at Proofpoint revealed last week.

“We also observed attacks on Russian-speaking financial analysts working at global financial firms and covering telecom corporations in Russia, likely a result of collateral damage caused by the attackers’ targeting tactics,” wrote Thoufique Haq and Aleksy F, authors of the report.

The attacks began with carefully crafted emails designed to lure recipients into following a URL to a compressed archive file containing malicious software, or to open an infected Microsoft Word attachment, the researchers explained.

Once infected, a machine downloads a Remote Access Trojan, or RAT, called “PlugX.”

China Connection

“PlugX has been associated with state actors in the past,” said Patrick Wheeler, director of threat intelligence at Proofpoint. “It’s not seen as widely in cybercrime and financial theft as it is in state-sponsored activities.”

PlugX essentially creates a backdoor for attackers in the systems it’s installed on, he told TechNewsWorld. Its repertoire includes downloading malware; mapping systems it’s infected; managing, copying and exfiltrating files; moving laterally to infect other machines and networks; and shutting itself down and removing all traces of itself.

China is one of the chief suspects in the Russian attacks.

“There are attributes in the payload and the infrastructure that suggest the actor is Chinese, but we would hesitate to claim definitively that this is a Chinese attack, because all that information can be spoofed and proxied,” Wheeler said.

There seems to be little doubt, however, that the attack is backed by a nation state or hackers working for one.

“The payload suggests it’s a state-sponsored actor rather than a cybercriminal,” Wheeler observed.

“Cybercriminals are more often dropping things like banking Trojans and keyloggers and other information stealers that are designed to steal or divert funds,” he explained. “This is targeted toward stealing information, exploration, and gaining a foothold in the target organization.”

Fraud Migration

Credit card companies in recent months have been sending their customers new EMV cards with a metallic square in the left hand corner. The square is a computer chip designed to make physical transactions performed with the card more secure.

However, that’s not the case for virtual transactions, such as those performed online. For that reason, the move to reduce physical fraud may serve to push more of it to the virtual world.

The EMV system consists of two parts: the chip on the card and a reader at the point of purchase.

When an EMV card is read at the point of purchase, the credit card information is shared with the merchant in encrypted form. That contrasts with cards with magnetic stripes, which share information in plain text.

Increased protection offline can lead to increased fraud online. In the United Kingdom, for example, online fraud rates temporarily spiked after EMV adoption in 2005, and “card-not-present” fraud has continued to increase since then, rising 120 percent from 2004 to 2014.

This same trend likely will emerge in the U.S. after EMV technology becomes widely integrated.

Big Data to Rescue

“EMV affects online fraud because EMV will make it more difficult to use a counterfeit credit card offline,” said Jason Tan, CEO of Sift Science.

“These fraudsters are going to find their main source of income drying up, and they’re going to have to make money in other ways,” he told TechNewsWorld. “Online is lucrative because they can do things on scale and in an anonymous fashion.”

To counter online fraud, merchants will need to deploy systems that can identify likely fraudsters without irritating legitimate shoppers — systems that use machine learning and big data analytics to flag potential Net thieves.

Machine-learning systems can learn about a merchant’s customer base in real time to create an accurate prediction of risk.

“That can drastically improve the shopping experience for good customers, while keeping fraudsters out,” Tan said.

Bull’s-Eye on Healthcare

The healthcare industry was 200 percent more likely to encounter data theft and experienced 340 percent more security incidents and attacks than other industry averages, Raytheon Websense reported this week.

Red flags in recent years have highlighted the healthcare industry’s cyberweaknesses.

For example, the healthcare industry isn’t as resilient to system intrusions as other industries, according to an FBI report released last year.

A number of factors contributed to that, according to the report, including a mandatory January 2015 deadline to transition to electronic health records, lax cybersecurity standards, and more Internet-connected medical devices than ever before.

Moreover, the incentive for cracking into systems is higher in healthcare than in other industries. Medical data commands 10 times the price of financial data in the computer underworld, the FBI noted.

No Silver Bullet

“Healthcare data is valuable. It can create a complete picture of an individual patient that can be traded on the underground cyber economy or repurposed,” said Carl Leonard, a principal security analyst with Websense.

“It can be used for identity theft. It can be used for insurance fraud. It can be used to launch additional attacks on individuals,” he told TechNewsWorld.

The security challenges faced by the healthcare industry can be daunting, but they must be wrangled.

“There is no silver bullet, but there are leaps that healthcare providers can take to better position themselves. Patients are demanding that now. Boards, too, and execs are realizing the grave implications of suffering a data breach,” Leonard said.

“The desire to protect their environments is there,” he added. “They just need to figure out a right way to do that.”

Breach Diary

  • Sept. 14. Jaspen Capital Partners and Chief Executive Andriy Supranonok, both from Kiev, Ukraine, agree to pay US$30 million to the U.S. Securities and Exchange Commission to settle a civil case involving the theft of more than 150,000 press releases from three business news services. The releases, stolen before they were made public, were used for making inside trades that netted an estimated $100 million in illegal profit over a five-year period.
  • Sept. 15. U.S. District Court Judge Paul Magnuson approves class-action status of banks filing lawsuit against Target over 2013 data breach that compromised some 40 million credit cards.
  • Sept. 15. Charlotte-Mecklenburg Schools in North Carolina have notified 7,600 job applicants that their personal information, including Social Security numbers, was shared with a contractor without proper authorization, The Charlotte Observer reports.
  • Sept. 17. Dmitriy Smilianets, 32, pleads guilty in American court to his role in conspiracy to breach the computer networks of a number of payment processing companies. It’s estimated that the conspirators stole information from 160 million credit cards.
  • Sept. 17. Eset discovers malware, Win32/Spy.Odlanor, that peeks at cards of opponents during online poker games at PokerStars and Full Tilt Poker.
  • Sept. 18. Comcast agrees to pay $33 million to California for accidentally publishing personal information of about 75,000 people who paid to keep the information private.
  • Sept. 18. Private medical data of millions of Americans has been exposed on the Internet through a public subdomain of Amazon Web Services, Gizmodo reports. The custodian of the data, Systema Software, confirmed the error and said it was investigating the incident.
  • Sept. 18. NHS Trust Hospital in the UK says it’s investigating a reported data breach at its Kettering General Hospital in which the Russian hacking group Horux used the facility’s email system to distribute spam advertising illegal goods on the Dark Web.
  • Sept. 18. Cybersecurity firm Sucuri reports that as many as 6,000 websites a day are being infected in a malware campaign that’s targeting WordPress sites. The infection redirects infected-site visitors to a server that attempts to push exploit kits to their computers.
  • Sept. 18. Ponemon Institute releases survey of some 600 IT and security executives that finds only 25 percent of them believe their organizations are cyber-resilient, and just 32 percent feel they can properly recover from a cyberattack.

Upcoming Security Events

  • Sept. 24. 110 Bitcoin or Else! 11 a.m. ET. Webinar sponsored by Arbor Networks. Free with registration.
  • Sept. 24. Malware’s Most Wanted: Cyber Espionage–Nation State APT Attacks on the Rise. Noon ET. Webinar sponsored by Cyphort. Free with registration.
  • Sept. 24-25. Owasp’s 12th Annual Security Conference. Hyatt Regency San Francisco, 5 Embarcadero Center, San Francisco. Registration: $995; student, $75.
  • Sept. 28-Oct. 1. ASIS 2015. Anaheim Convention Center, Anaheim, California. Through May 31 — member, $895; nonmember, $1,150; government, $945; student, $300. From June 1 through Aug. 31 — member, $995; nonmember, $1,250; government, $1,045; student, $350. From Sept. 1 through Oct. 1 — member, $1,095; nonmember, $1,350; government, $1,145; student, $400.
  • Sept. 29. The Mozilla Delphi Cybersecurity Study: Towards a User Centric Cybersecurity Policy Agenda. 12 noon ET. Berkman Center for Internet & Society, Harvard Law School, Wasserstein Hall, Milstein East C, Cambridge, Massachusetts. Free with RSVP; will also be webcast live.
  • Sept. 30. What Happened Next? Detecting an Attack in Real Time. 11 a.m. ET. Webinar sponsored by Arbor Networks. Free with registration.
  • Sept. 30-Oct. 1. Privacy. Security. Risk. 2015. Conference sponsored by IAPP Privacy Academy and CSA Congress. Bellagio hotel, Las Vegas. Registration: Before Aug. 29 — member, $1,195; nonmember, $1,395; government, $1,045; academic, $495. After Aug. 28 — member, $1,395; nonmember, $1,595; government, $1,145; academic, $495.
  • Oct. 2-3. B-Sides Ottawa. RA Centre, 2451 Riverside Dr., Ottawa, Canada. Free with registration.
  • Oct. 6. SecureWorld Cincinnati. Sharonville Convention Center, 11355 Chester Rd., Sharonville, Ohio. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
  • Oct. 6. UK Cyber View Summit 2015. 6 a.m. ET. Warwick Business School, 17th Floor, The Shard, 32 London Bridge, London, UK. Registration: 550 euros plus VAT.
  • Oct. 9-11. B-Sides Warsaw. Pastwomiasto, Anders 29, Warsaw, Poland. Free with registration.
  • Oct. 12-14. FireEye Cyber Defense Summit. Washington Hilton, 1919 Connecticut Ave. NW, Washington, D.C. Registration: before Sept. 19, $1,125; after Sept. 18, $1,500.
  • Oct. 14. Latest DDoS Attacks Trends–Excerpts from Arbor ATLAS Global Statistics. 10 a.m. ET. Webinar by Arbor Networks. Free with registration.
  • Oct. 14. Best Practices in DDoS Defense: Real World Customer Perspectives. 11 a.m. ET. Webinar sponsored by Networks. Free with registration.
  • Oct. 15. SecureWorld Denver. The Cable Center, 2000 Buchtel Blvd., Denver, Colorado. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
  • Oct. 15-16. B-Sides Los Angeles. Dockweiler Youth Center and State Beach. Free.
  • Oct. 16-18. B-Sides Washington D.C. Washington Marriott Metro Center, 775 12th St NW, Washington, D.C. Free.
  • Oct. 17-18. B-Sides São Paulo. Pontifícia Universidade Católica de São Paulo, São Paulo, Brazil. Free.
  • Oct. 19-21. CSX Cybersecurity Nexus Conference. Marriott Wardman Park, 2660 Woodley Rd. NW, Washington, D.C. Registration: before Aug. 26 — member, $1,395; nonmember, $1,595. Before Oct. 14 — member, $1,595; nonmember, $1,795. After Oct. 14 — member, $1,795; nonmember, $1,995.
  • Oct. 28. The Cyber-Centric Enterprise. 8:15 a.m. ET. Virtual conference. Free with registration.
  • Oct. 28-29. SecureWorld Dallas. Plano Centre, 2000 East Spring Creek Parkway, Plano, Texas. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
  • Oct. 28-29. Securing New Ground. Conference sponsored by Security Industry Association. Millennium Broadway Hotel, New York City. Registration: Before Sept. 8 — member, $895; nonmember, $1,395; CISO, CSO, CIO, $300. After Sept. 7 — member, $1,095; nonmember, $1,495; CISO, CSO, CIO, $300.
  • Nov. 4. Bay Area SecureWorld. San Jose Marriott, 301 South Market St., San Jose, California. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
  • Nov. 10. FedCyber 2015 Annual Summit. Tyson’s Corner Marriott, 8028 Leesburg Pike, Tyson’s Corner, Virginia. Registration: $395; academic, $145; government and military, free.
  • Nov. 11-12. Seattle SecureWorld. Meydenbauer Center, 11100 NE 6th St., Bellevue, Washington. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
  • Nov. 24-25. Cyber Impact Gateway Conference. ILEC Conference Centre and Ibis London Earls Court, London, UK. Registration: Before Sept. 18 — end users, £1,699 plus VAT; solution providers, £2,699 plus VAT. Before Oct. 9 — end users, £1,799 plus VAT; solution providers, £2,799 plus VAT. Before Oct. 30 — end users, £1,899 plus VAT; solution providers, £2,899 plus VAT. Standard — end users, £1,999 plus VAT; solution providers, £2,999 plus VAT.
  • Dec. 12. Threats and Defenses on the Internet. Noon ET. Northeastern University, Burlington Campus, 145 South Bedford St., Burlington, Massachusetts. Registration: $6.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.
