Whether it’s your phone, your computer, TV, or even a refrigerator, all those connected devices that we depend on in our daily lives have become targets for an ever-growing cadre of cyber criminals. The Cipher Brief spoke with two Flashpoint officials, Chief Scientist Lance James and Subject Matter Expert Vitali Kremez, to discuss the trends in the cyber threat environment and strategies for stopping cyber attackers.
The Cipher Brief: In marketplace areas where hackers trade information and buy tools, are there any trends or behavior patterns that can categorize how these marketplaces work and how they are changing in any substantial way?
Vitali Kremez: The main difference is, we have a marketplace in the deep web and a market in the dark web. What I mean by a deep web marketplace is shops that are in the open web and also are available to any user – you just need to register an account and you can shop for credit cards.
There are also shops on the dark web. The difference is the deep web forums are mainly maintained by Russian actors, mainly eastern European guys, who are selling credit data. They are not necessarily selling guns and drugs. In the dark web sites, we have seen more drugs, but the Russian side of things is more focused on financial data and more financially motivated activities, such as selling credit card data.
Lance James: Say you are looking at an adversary, look at them as competition. If we’re a trading platform on the good side of the law, we’re selling bank or stock information. They’re doing the same thing, just selling information that they have stolen from other people. When you think about the Russian side of it, it’s more like a trading platform.
TCB: Is there a way to disrupt these marketplaces in a way that would influence how the hackers behave subsequently?
VK: Deeper markets are basically out of Russia. What’s interesting is now we’ve seen Russia be more open to indicting hackers. Maybe there is a way for us to continue this dialogue with Russian authorities – recently, they arrested 50 hackers involved in activities – and see if they would be willing to cooperate with our U.S. interests and indict a few card shop directors and managers. That would be facilitating the takedown of the card shops. This is one way – the follow the bad guys approach.
The follow the good guys approach is to make sure that banks can reissue cards immediately by identifying the breach point, and have a quick, rapid response. Usually the best thing to do is mix rapid response and the cessation of opportunities based in the countries where they operate.
In the case I can talk about, we were able to indict and arrest a major cyber criminal leader, Vadim Polyakov, when he was on vacation. Nobody sees this fraud anymore because we have been able to get to the root cause of the problem, as opposed to doing the whack-a-mole game of indicators and infrastructures.
TCB: With the previous case you discussed, is the strategy of leadership decapitation an effective approach to stopping these groups?
LJ: It depends on the group. For instance, if you look at Romanian groups, you take one out, more pop up. It’s all based on the economic structure. Some of the stuff is becoming more commoditized, and these forums are allowing and attracting actors. They will attract lone actors from enterprises and they’ll become their own enterprise, and then they’ll loop. That’s why we are seeing such an exponential growth in cyber crime in general.
On precision targets or organizations that are very specific in doing heists or things like that - yes. It doesn’t mean other groups won’t, but those groups tend to work in their own business sections. When the Zeus Gameover was taken down, that took down a huge supply of multiple different pieces of malware or campaigns.
When you cut those and hit the supply chain it slows them down on some technical use that makes their malware stop working and it forces them to have to go back. When you think about it from a social psychological perspective, it changes what product people want to buy. They say, “your malware is not working for me anymore,” and they move on. Those techniques can work, especially because the reason for the success of the underground sales marketplace is its reputation system. You get five stars, you are a good seller. There is an honor among thieves in that system.
When you hit that and ruin a reputation, it can knock something out, and if it’s a big product that was used by many criminals, you do hurt it. It can vary though, depending on the organization.
TCB: It’s interesting that you understand cybercrime in terms of a marketplace.
VK: It’s competitors. Make them fail, make it hard for them to get this data, make sure the buyers will see it. Make sure they miss their deadlines on the malware. There is a force in the dark web that exists, and currently, it should be part of the equation that businesses should be taking care of.
Thinking about this competition and regular business stuff, there is also the dark web. It’s a force that businesses should budget into their expenses to be dealing with. It’s a war of attrition. Make them fail. Create decoys. At Flashpoint, we disrupt them. We make sure they fail with certain tactics or techniques we employ. Make sure all of their colleagues look at them as not being competent enough and they lose their reputation.
LJ: It’s really a lot of psychological operations in some sense. Let me explain something. We’re talking cyber threat intelligence versus business risk intelligence. Cyber is a domain. When I say domain I mean land, air, space, sea, cyber. As you can see from the DNC (Democratic National Committee) hack, it’s very kinetic, whether it’s on cyber or not. Everything is influence and reputation.
To give a broader example with the DNC, whether it’s Russia or not, it already has caused massive influence on our politics. You’ve never seen a DNC convention like it was. Every hack nowadays is super influential. It’s just a medium now, but it has kinetic effect. People stealing credit cards has a kinetic effect on their day. In bulk, it has a kinetic effect on their money. Stopping the money from getting out there is just one of the techniques you do. That’s preemptive – you talk about getting there before they can actually get their money out. It hurts their sales.
TCB: Is medical data becoming a hotter commodity than credit card data due to its longevity? Are you seeing any new commodities that are emerging?
VK: We’ve seen healthcare and insurance company databases become more popular amongst cyber criminals. We’ve seen cases of attacks where cyber criminals steal the insurance company’s Personal Identity Information (PII) and Personal Healthcare Information (PHI) necessary to answer all the secret questions and log into your health insurance provider. So they can definitely do, not only extortion, but they can also do financial fraud on top of that.
In light of all of these new attacks, we’ve seen extortion become a new thing. Like the Dark Overlord who was able to recently reach or get access to the healthcare source code of 20 or so healthcare institutions in two months. The tactics he used are interesting, from a technical perspective, but what he did with it is cyber extortion. He pulled out all the CEOs and CFOs and said, you actually have to pay me for this data. He was also offering data for a ridiculous amount of money—$600,000 in bitcoins, which has never been sold to cyber criminals. Cyber criminals treat this data as valuable. They don’t need millions of PII, they need targeted PII.
LJ: It’s a higher value to the actual health institute. It’s their data, and they are reaping the hurt on the money. When it comes down to it, there are regulations and fines, they could lose their entire business. If you’re a private doctor, you could lose your entire business off of that exposure. Whereas in the underground, the markets are not as high for them to buy, like you said, such specific targets. It reminds me of ransomware. We are seeing this trend, whether it’s ransomware, malware, or it’s breaching, the trend of, “I’m going to blackmail you.”
But coercion is a very interesting thing because I wonder what happens when it’s not about the money. What else can they make people do? And that’s a very dangerous concept. Can they cause insider threats to somebody? Can they blackmail? Can they coerce? That is a weapon in espionage.
For all we know, as things are moving into coercion and influence, nation-states may start hiring these cyber criminals to utilize these techniques to put pressure on certain situations, as well as a proxy for their nation-state activities. There is a lot of scary extension into where this is going. We said content is king, so if you lose all of that, that’s your business right there, that is where your money is coming from. Once it’s out there, it’s out there.
TCB: What do you think the threat environment is going to look like moving forward? How do you anticipate hacker behavior targeting tactics, etc. changing over the next couple of years?
VK: The marketplaces will change in terms of the shift to EMV – a technology standard for smart payment cards – with credit card data. It is becoming harder for criminals to monetize credit cards. With the mandatory PIN and chip technology, those point-of-sale breaches at Target and Home Depot are becoming less valuable. You don’t have the PIN for all of those millions of credit cards. There is no way to monetize this data. So what’s the point?
LJ: Criminals are going to start moving more to the mobile side of it because of the two factor authentication. But if you notice, for instance, that when you want to check your mail, even if it requires two factor on something else, you get access to it fully here. This is now the new target. There is going to be an increase on even possibly cross-domain hosting. So, you get an infection on your computer, you plug your phone in and it moves over with a payload that is also focused on getting it and lining it up.
As for other things, I’m worried about where ransomware is going until it gets controlled. There is a psychological shift in our climate right now no matter what. The bad guys are learning about this psychological shift.
VK: We’ve seen with lots of criminals doing tokenization attacks. Think about Google wallet and how you can transact by scanning a new iPhone with QR (quick response) code. There are certain attacks that target through that.
LJ: The last part of it is the evolution of the logic bomb, which is basically ransomware with a payload. Even in the 1990s, when every virus was written in assembly and some would smoke up your entire computer and overheat your computer’s hard drive, logic bombs were prominent and they were what you heard about in cyber thrillers.
Today, the scariest part about ransomware is not with big business. You can’t just hit a big bank or business with ransomware. They are going to quarantine, and they have disaster recovery. The biggest problem is the people who are running, say, a flower shop for ten years in New York and making their living off of that, and the next thing you know everything is at stake.
That’s going to be interesting because it is literally the basics of security. You use email, you click on something, and boom. There is nothing you can do to prevent that these days. I’ve clicked on things. Everybody clicks on things. We’re human.
What scares me the most is when I see some of the messages back from the people who are attacked. There are a lot of people who lie about paying the ransomware. They tell their company they didn’t pay it. But they lied because it’s a company computer and they are afraid of getting fired. Especially when the CTO gets hit. You talk about the ego.
Where do we go from that? The biggest threat I’m seeing these days is influential hacking – hacking to influence behavior. The problem with this is in the media. For example, we look at the DNC and we see this Russia stuff. Let’s pretend it wasn’t Russia for a second. Don’t you think someone just got a really cool idea once they learn what just happened there and saw that effect? What happens when cyber criminals learn that effect? What happens when that is the playing field?
Now there are emerging markets between cyber criminals and nation-states. There are emerging markets of just ideas. How many people in the world are out there when they start looking and see the effect just of that hack, it influences an entire election. You can get a lone wolf doing something like that.
What happens when other people start realizing the power of that? We’re seeing all of the hacktivists right now, they are young and usually kids, so they don’t know how to get beyond the strategic psychological techniques to influence, but they have many powers here. They are motivated by one simple thing: Internet fame, Internet attention. That’s going to evolve.
Now you’ve seen cyber threat intelligence evolve from tactical to strategic. You think the criminals are not going to evolve either from tactical to strategic? Everybody is getting creative.