Are cyber weapons worth it? A look at the economics of hacking back
On 12 May 2017, WannaCry was released into the wild and an epic story began to unfold.
Spawned from a cyber weapon that had been lost by a government agency, WannaCry was a major wake up call for industries around the globe, reminding them in the very loudest way possible that their dependency on tech carries existential risks to their operations.
Yet despite the fallout of WannaCry, governments still contemplate the idea of collecting, storing and using cyber weapons for so-called ‘hack backs’, where they counter-attack an adversary to destroy, disable or snoop on their servers and data.
This grey market for vulnerabilities and cyber weapons is already a highly lucrative one. To provide some context, potent vulnerabilities and their related exploits already reach (and can even exceed) sums of $1m if they target Windows desktops and servers. The figure can doublefor exploits affecting mobile devices (notably, Apple).
If governments follow through with their plans to ‘hack back’, we can expect this market to become even more profitable in the future.
The story of EternalBlue
Eternal Blue, was name given to a Microsoft vulnerability ‘discovered’ by the National Security Agency at some point in 2011 or 2012. The NSA didn’t share its knowledge of the vulnerability with Microsoft, at least not until it was forced to.
By mid-2016, information about the vulnerability and how it can be exploited had somehow been lost by the NSA, and leaked to a hacking group called Shadow Brokers. Shadow Brokers tried (unsuccessfully) to sell this information in August 2016, deciding to publish the files around the turn of the year.
With the cat out of the bag, the NSA’s hand was forced. It had little choice but to come clean about the vulnerability. It informed Microsoft about EternalBlue in March 2017 and, mid-way through the same month, Microsoft released a series of patches to plug the exploit.
Fast forward to almost two months later; WannaCry was wreaking havoc on many organisations all across the globe, exploiting this very same vulnerability. News channels, TV and radio stations, online media, all covered the immediate impact and fallout. Some were even impacted themselves.
It’s been reported that WannaCry and other malware variants exploiting EternalBlue – NotPetya being perhaps the next most famous – caused $9bn worth of damage in just one year. The world’s largest shipping company, Maersk, was hit to the tune of $300m, while costs to the UK National Health Services (NHS) exceeded $100m.
There were many other victims too. Airplane maker, Boeing, was hit in March 2018, while chip manufacturer TSMC fell victim in August 2018. Indeed, TSMC estimated it suffered $170m worth of damage; a figure that can be added to the $9bn total price tag mentioned earlier.
The story of EternalBlue isn’t over yet. Research indicates that millions of computers connected to the internet are still vulnerable.
The economics of the cyber weapons market
There’s no doubt that spending time and money on finding vulnerabilities is financially rewarding. Take the CryptoWall virus – in all its various guises – as an example. CryptoWall v3 alone has generated ‘revenues’ of more than $325m.
The business model and margins in the retail and wholesale of cyber weapons, not to mention the revenue opportunities from offering ‘Cybercrime-as-a-Service’, don’t just make economic sense; they are relatively risk free. Different countries’ cyber legislation is so diverse that a cybercriminal can operate from a safe harbour without fear of prosecution or extradition.
As already stated, vulnerabilities that fulfill certain criteria are particularly sought after and large sums are paid for them. The easier it is to use and the more systems and devices it will affect, the better. In turn, the higher the price it will command.
Selling a high-profile vulnerability to a single user seems to be the least profitable way of running this ‘business’. Instead, the seller will more likely try to sell a vulnerability more than once. On the flipside, any buyer – regardless of their motivation for making the purchase – will want exclusive use of the vulnerability. Requests for exclusivity will increase the price tag placed on any vulnerability. There are no documented cases for this, but an educated guess would suggest the price would go up by a factor of ten, or even more.
If a vulnerability is sold to multiple customers or governments (it doesn’t matter whether they are allies as this can quickly change in politics), the likelihood of losing the vulnerability due to leaks or because it is discovered in the wild is large. That will put deflationary pressure on the price tag and the seller has to maintain a balance between how often a vulnerability is sold and the money requested for it from each buyer.
A game-changing approach is to build up a service model around vulnerabilities. Instead of selling the vulnerability, the cybercriminal licenses its use, simply by providing a platform for ransomware or botnets. This shared use of a vulnerability by many, with all buyers paying a ‘fair’ share (up to 50%) of their own returns to the platform provider, is the modern way of running a cybercrime business. The actors behind this can afford to pay the developers maintaining the platform (even adopting an ‘Amazon’-style approach with recommendations written by happy users) and can also pay for hackers to search for new vulnerabilities, thereby increasing the platform’s coverage and usability.
There are many examples of these ‘as-a-service’ platforms, called CERBER, SATAN, or DOT. It is difficult to gauge their success. But the figures discussed around CryptoWall give some indication of the amount of money that is on the table.
State-sanctioned, state-sponsored, or state-owned
The relationship between these actors and nation states must be put under the microscope.
It makes no difference whether these actors are owned and directed by a government, whether they are funded by a government but act outside the legal controls of an agency setup, or whether they are state-sanctioned. Whatever the nature of the relationship, they have some sort of motivation to support a certain government’s political goals.
Every state-driven actor must maintain its own list of cyber weapons to use as and when needed. There is an intrinsic danger to this, as EternalBlue depicts. Even if that actor is able to maintain the secrecy of such an exploit (and history suggests secrets tend to surface), there will always be other state actors doing exactly the same thing, looking for the same high-profile vulnerabilities to use.
Governments must question whether the likely costs of their societies being impacted by a vulnerability, which once was or still is a national secret, outweigh the benefits of keeping it. There are many government committees around the world discussing the pros and cons of hacking back and keeping vulnerabilities undisclosed. Those in favour cite ‘interests of national security,’ yet what happens if an undisclosed vulnerability – that was previous known to the state – turns against its own critical infrastructure? This is exactly what happened with EternalBlue and WannaCry, but perhaps those lessons have still to be learnt.
Is it worth keeping cyber weapons? A look at the maths
Estimating the global damage of cybercrime each year is not easy, but figures exist. One figure cited is in the range of $6tn, a figure with 12 zeros. Given that cybercrime hits corporate revenues and profits, it follows that this will have a knock-on effect on the amount of corporation tax governments can collect – currently $1.3tn globally.
The maths can be simplified like this:
$6tn in damage multiplied by an average corporate income tax rate of 22 percent, equals $1.32tn in taxes not realized due to reduced income related to damages or costs incurred.
Companies from the IT and telecommunications sector, which are operating critical infrastructures, are top targets for hackers. They therefore need to be as secure as possible. This is where sustainable cyber resilience comes in.
Sustainable cyber resilience is a vital defence against cyberattacks. But what exactly does that mean?
It’s become clear that companies can no longer afford to take reactive measures to protect themselves from hackers. They must minimise their attack surface from the outset and, at the same time, ensure that their systems remain operational even in the event of a cyberattack. The sustainable cyber resilience concept goes one step further than IT security and includes both technological and strategic measures. On the technical side, it is necessary to identify and assess risks and close weak points. On the strategic side, business and IT departments must work closely together to make the resilience processes a top priority.
Here are Greenbone Networks’ top five reasons why sustainable cyber resilience is essential for telecoms providers today:
1. Cyberattacks on telecoms companies are on the rise
Ponemon Institute estimates that nine out of ten critical infrastructures have suffered an attack over the past two years. The telecoms sector is particularly at risk, with attacks coming from all sides, including government agencies establishing covert surveillance and cyber criminals in search of highly valuable personal customer data. Indeed, especially with the introduction of 5G and suspicions (rightly or wrongly) surrounding the use of Huawei equipment, UK telecoms providers have been urged to strengthen their cyber security defences by the NCSC to fend off the growing number of attacks.
2. Telecommunications connect all critical infrastructure sectors
If the telecoms infrastructure fails, other critical sectors will also be affected. Many control systems in energy and water utilities can’t function if they can’t transmit or exchange data. The financial system would come to a standstill; so too would the healthcare system. A telecoms sector that is resistant to cyberattacks is absolutely vital to every walk of society.
3. The target area of telecoms infrastructures is becoming larger
As a result of digitisation, more and more telecoms services have shifted to IP networks. The classic fixed network has become obsolete. Telephony, internet, TV and video streaming are now all IP-based. As a result, communication networks and server systems are becoming increasingly unified. But this also means that hackers can cause massive damage by attacking the IP network. Furthermore, mobile is becoming increasingly important. Many IoT devices use mobile networks and, as a result, cybercriminals have more and more points of attack. The new 5G mobile communications standard will bring even more technical complexity and, with it, the need for new IT security requirements.
4. Nested responsibilities make security more difficult
Many different companies and subcontractors are often involved in telecoms infrastructures. Some of them are located in different countries. Whilst this makes it difficult to provide security it also means that it is all the more important to establish a uniform, consistent level of protection with a resilience concept.
5. The EU NIS Directive makes resilience building blocks mandatory
Since May 2018, critical infrastructure companies in the telecoms sector have been obliged to provide evidence of suitable technical and organisational measures to protect against cybercrime. This is prescribed by the EU NIS Directive. ISO 27001 certification provides a good blueprint for resilience. Among other items, it mandates vulnerability management, an important cornerstone of sustainable cyber resilience.
Minimising risks with sustainable resilience
It’s not for nothing that attacks on telecoms infrastructures are so popular with hackers. Here they find a growing, complex attack surface on which they can cause great damage. ICT companies should therefore do everything they can to make their systems sustainably resilient. For a comprehensive concept of Sustainable Cyber Resilience, ICT companies must take the appropriate technical and organisational measures.
As feared by many security experts, Emotet has learned something new – again. As reported by CERT-Bund on Twitter, the malware is now capable of creating authentic replies to existing emails, encouraging unsuspecting recipients to open infected attachments or click on fake links.
The German Federal Office for Information Security (BSI) has, in the past, issued several warnings about the Emotet malware, which spreads by sending credible-looking spam emails from an infected account to address book contacts. Once it has infected a system, the malware can generate further malicious code, with possible dire consequences for companies. It could cause a halt in production or a complete infrastructure failure, and may even require company networks to be rebuilt entirely.
Hackers have now made the malware even more sophisticated. Indeed, CERT-Bund tweeted that Emotet no longer only uses the sender’s addresses, but can also produce fake replies to emails by making use of ‘read message’ content. It also embeds authentic links to the domain of the supposed sender. The malware makes use of “spear phishing” techniques in which information about the victim’s contacts and communication behaviour is collected in order to create as authentic an email response as possible with malicious code attached. Emotet has automated this process and is therefore able to send a huge amount of authentic emails in a short space of time, spreading malware at high speed.
Even though this malware is becoming more sophisticated, organisations still have an opportunity to act and protect themselves before it’s too late.
Companies can and should deploy counteractive measures
On a technical level, taking a closer look at the structure of malware reveals that there are fundamental ways to protect against an attack. The Emotet infection process uses a number of elements that a resilient infrastructure with a flexible and preventive security architecture can defend against. Having this resilience in place means that the infection is not transmitted immediately, for example, when the email recipient opens an attachment, but only when the associated macros in the attached file, such as a Word document, are executed. This means that with standard MS Office settings, a user must manually activate the malware in the attachment in order to transfer it to the network.
What’s more, most employees don’t even need macros for normal day-to-day business. It is therefore advisable to deactivate them completely by default, preventing manual execution by assigning the appropriate rights. A good vulnerability management tool can help here as they can help identify and manage which user accounts can allow the execution of macros. The same is true for PowerShell or administrator rights, as these are also required for Emotet to load.
Detect reloading of Emotet tools
Even if Emotet has already infected the IT system, there are still defence measures that can be put in place. For example, the malware reloads various tools to spy on access data or encrypted data. These standard tools can be used as indicators of compromise. A vulnerability management tool such as the Greenbone Security Manager can also be used to determine whether reloaded Emotet tools are active in the company’s own IT infrastructure.
Emotet is also distributed from the infected system via the so-called SMB vulnerability, which was made infamous in the WannaCry and Eternal Blue attacks. This vulnerability can be closed with the corresponding update but after the WannaCry outbreak (although many companies made their networks inaccessible to SMB communication from the outside), not all secured their internal communications. Here an examination to pinpoint corresponding weak points is the best way to find any gaps in the system.
Conclusion: Small security measures have a big impact
Large-scale computer failures caused by the Emotet malware can have catastrophic consequences, especially for critical infrastructures such as hospitals as they not only cause economic damage, but also pose a threat to people. Organisations should therefore act before it’s too late and protect their IT infrastructures in the best possible way. To become resistant to phishing attacks from advanced malware such as the new Emotet type, a few coordinated measures, such as deactivating unnecessary macros and closing known vulnerabilities as quickly as possible, are often enough.
https://www.greenbone.net/wp-content/uploads/security-265130_1920.jpg12801920Dirk Schraderhttps://www.greenbone.net/wp-content/uploads/01_Logo-mit-Schriftzug_500px_on_white_horiz1.jpgDirk Schrader2019-04-30 14:51:042019-05-15 11:07:13Update: Emotet malware now emulates email conversations, making it even more believable