Scott Kessler and Eric Rachner are the co-founders of Secure Senses Inc, which provides human intelligence-based cybersecurity services. In an interview with the Cipher Brief, they indicated that “hacking as a service” is on the rise in the Russian hacker community, and that the scale of the problem this represents for American businesses is too large for the government to address it on its own.
The Cipher Brief: How have attack patterns from state-sponsored actors changed, and how do you expect them to change moving forward?
Scott Kessler & Eric Rachner: There have been several identifiable trends. Iranian hackers and Iranian nation-state actors have moved into the top tier along with China and Russia, in terms of raw capability, aggressiveness, and achievement, against some very high-profile targets. Russian hackers have become more established, more institutionalized, and bolder. Chinese hackers continue to run large operations built over long periods of time, integrating open-source and clearnet information with information and access acquired from the darknet. The Chinese leverage their large numbers of people with seemingly limitless patience. They set long-term objectives and do an excellent job of supporting cyber campaigns with easy-to-acquire open-source, clearnet information. It appears that the methodology used to hack the U.S. Office of Personnel Management was not particularly technically sophisticated and was due in large part to OPM and OPM contractors not knowing exactly what data was sensitive (and why) and where it was stored or could be accessed from. These are common vulnerabilities in the U.S. The Chinese are sensitive to getting caught (although seemingly more out of shame of any perceived failure than embarrassment about theft or malicious intent), but they are also willing to take very bold risks for significant gains.
While China, Iran, and Russia have different capabilities and approaches, there are also some similarities in the cyber threat space. Attackers and malicious actors in all three countries share at least two similar patterns with respect to attack interfaces: one is an interaction between criminal attacks and "private" hackers, and government or state interests. When national interests, and specifically national security interests, are at stake, the hackers’ activities are coordinated and highly responsive to nation-state interests as defined by their governments. One example was the activities of Russian hackers during the early stages of the crisis with Ukraine. Recent excellent work by Check Point Software showed the partial outsourcing of attacks in the government’s interests to apparently non-government hackers. We also see a second pattern common to Iranian, Russian, and Chinese hackers, where they underestimate the reaction of Western powers to cyber attacks.
TCB: How does Russia typically employ its cyber-capabilities, and what does this say about their cyber-doctrine or goals? How do you think this will change in the future?
SK & ER: One of the most distinctive trends coming from Russia is “hacking as a service.” More and more customized tools and built-to-order malware are coming from Russian hackers. In addition to tools, Russian hackers, groups, and malicious communities offer stolen intellectual property and personally identifiable information tailored to “customer need.” Russian hackers and cyber criminals can provide credit card information, including personal and biographical details, and social security numbers. These “fullz” packages are priced carefully according to the age, reliability, and completeness of the information. Packages containing medical billing and insurance information, for example, are valued higher than just names, addresses, and complete credit cards. This is due most likely to the relatively longer time it takes to detect medical insurance fraud – an accurate and sophisticated calculation.
In terms of culture and doctrine, Russian hackers display a kind of Janus-faced quality: they show levels of confidence that border on arrogance, while proceeding with an almost paranoid sense of caution in some venues. Russian hackers will sometimes collaborate and sometimes proudly shun collaboration as unnecessary.
Additionally, Russians often use highly aggressive, blunt, brute force criminal practices in their cybercriminal activities, as they feel safe inside Russia and do not fear Western security and law enforcement authorities.
TCB: There have been reports of American businesses being hacked by China, Iran, and North Korea, but Russia rarely comes up in that context. How would you characterize the threat to American businesses from cyber-activities carried out by the Russian government? How does this compare to the threat presented by Russian cyber-criminals?
SK & ER: China has a distinct strategy – a policy – of collecting intelligence to provide Chinese commercial enterprises and state-owned enterprises with a distinctive advantage over competitors in the U.S. and elsewhere.
The Russian and Iranian governments run cyber campaigns with policy and political objectives. Iran in particular seems committed to demonstrating or showcasing its capability in ways that establish it as a player on the world cyber stage. Work by Cylance, in its “Op Cleaver” study, shows that Iranian hackers identify their handiwork and their national origin clearly through tags and signs embedded in their work. This is not to say these things are done clumsily or without consideration. Cylance’s work – some of the finest forensic and analytical work available, and on a par with a nation-state intelligence product, in our view – shows that these tags are often done gracefully and artistically, and in a way that is only likely to be seen by skilled hackers in the most advanced hacker communities. This is consistent with the Iranian government’s foreign policy objective to force the advanced nations to take Iran seriously as a major player and a regional Middle East/South Asia power broker.
Russian criminals and their associates in Eastern Europe are the Al Capones and Bugsy Siegels of modern cyber crime. They are highly professional, effective, use good tradecraft, and make a lot of money. The practiced professionalism experienced by many people who have fallen victim to a cryptolocker attack (where a hacker gains access to critical data, encrypts it remotely, and provides the key after being paid a large sum of money) is evidence of this. Cryptolocker attacks are impossible to remedy without paying a ransom unless the victim has a sufficiently resilient data storage capability (a current, secure, offline or remotely accessible back-up).
TCB: What can the US government do to mitigate this threat? What can businesses do? How can the government and businesses better work together to improve this situation?
SK & ER: We know the government’s capability and have the highest respect for what the U.S. intelligence community and security establishment are trying to do in the cyber realm. The work of the cyber community in the U.S. security apparatus is, and must stay, focused on counter-terrorism, defending critical infrastructure, and protecting the homeland. Anyone who has attended a U.S. Government (FBI, DHS, DOE) briefing or discussion at a cyber security gathering, like the RSA conference or Black Hat, has witnessed the long line of professionals from leading tech companies who line up to ask questions and express frustration at what they see as a lack of action by Uncle Sam to help them defend themselves against the Chinese and the Russians. This is usually followed by the U.S. Government representative awkwardly explaining that they do want to help U.S. business, that they are doing everything they can (true, in our view), and encouraging industry to engage with them at every opportunity.
The problems and threats most U.S. companies face are too large for the USG to handle – we need to do most of that ourselves. Where the U.S. government can help U.S. business most is in raising awareness of what has become something much more akin to a public health epidemic than a mere technical threat to U.S. commercial interests. People must increase their awareness of the problem, acquaint themselves with how to operate their businesses as securely and resiliently as possible, and raise their general situational awareness online. As with smoking in the 1970s and 1980s, if the government can run a campaign to alert people to the epidemic and publicize best practices, this will help U.S. businesses face cyber threats in the best possible defensive position.
Eric Rachner is a co-founder and partner at Secure Senses. He has worked in information security for over 15 years, beginning at Microsoft, where he last held the position of Senior Security Analyst. In the years since, he has worked as a consultant, providing security penetration testing and assessment services to clients in Europe, Asia, and all over the United States.