Over the past few days the US Department of Justice has announced charges against two international cybercriminal groups which also dabbled in espionage activities and are linked to government entities.
This development is welcome and must be cheered, but it will not go very far in terms of actual deterrence to prevent other groups from indulging in similar attacks.
Therein lies the dilemma of those in charge of cybersecurity. Proving a cyberattack, and identifying the perpetrators, is a horrendously complicated task sometimes costing millions of dollars. Yet the end result will hardly ever be a jail term that can act as a deterrent for others, unless the present international laws change.
The APT menace
Both groups charged by the DOJ used what is known as advanced persistent threat (APT) attack vectors, arguably the deadliest of the many tools that hackers have in their armoury.
If anything keeps cybersecurity personnel awake at night it is the spectre of an APT attack. The term is broadly used to describe a cyber-attack in which a hacker or a team of hackers establishes an undetected and long-term presence on the network of a target organisation, usually to mine sensitive data.
There have been instances where an APT intrusion has gone undetected for years. These attacks use a combination of different ways to penetrate a network, ranging from innocuous-looking phishing emails to malicious code and even backdoors built into legitimate programs and devices.
APT attackers carefully choose their targets and look to steal sensitive information which could range from state secrets to Intellectual Property (IP). These intrusions could also potentially be used to sabotage critical infrastructure during a crisis and even to delete databases of important organisations like the military, in order to render their IT systems useless.
What differentiates APT activity from other types of hacking like ransomware is that these groups are usually backed by government entities, and this blurs the line between what is criminal activity and what is state-backed espionage. Another important differentiation is that APT groups play for the long term and an attack could be mounted for more than a year, waiting patiently for a vulnerability to appear.
On September 18, the US charged three Iranians for hacking into a US satellite firm to steal classified information. According to newly unsealed indictment documents, apart from the satellite company, the Iranian nationals targeted more than 1,800 user accounts in the US and foreign companies, including employees in the aerospace and satellite technology sectors in the US, UK, Australia, Israel and Singapore.
In December 2018, FireEye identified the group, known in cybersecurity circles as APT39, as an Iranian cyber espionage group responsible for widespread theft of personal information.
John Hultquist, Senior Director of Analysis at Mandiant Threat Intelligence, a part of cybersecurity firm FireEye, which monitors APTs globally, notes that APT39 has focused heavily on the telecommunications and travel industries as part of an effort to collect customer data and personal information on targets of interest.
Mr Hultquist adds: “These efforts could threaten the customers of victim organisations who may then be physically endangered by the Iranian security services. As the (US) Treasury report confirms, victims of APT39 activity have been ‘subjected to arrest and physical and psychological intimidation’ by Iran’s Ministry of Intelligence. Mandiant has been tracking the group for over five years,” he adds.
In the second indictment, announced on September 16, the US Justice Department brought charges against five alleged Chinese citizens who were accused of hacking more than 100 companies in the US, including technology companies, game makers, universities and think tanks through what is called APT41.
The US Justice Department also charged two businessmen, who were arrested in Malaysia, for their role in trying to profit from the group’s intrusions into game companies to steal and sell digital goods and virtual currency.
Mr Hultquist notes that APT41 has been the most prolific Chinese threat actor tracked by his organisation over the last year. “This is a unique actor, who carries out global cyber espionage while simultaneously pursuing a criminal venture.
“Their activity can be traced back to 2012 when individual members of APT41 conducted primarily financially motivated operations focused on the video game industry before expanding into traditional espionage. APT41’s ability to successfully blend their criminal and espionage operations is remarkable,” he adds.
Co-opting criminal gangs
Sharing a broader picture, Mr Hultquist observes that intelligence services leverage criminals such as APT41 for their own ends because they are an expedient, cost-effective, and deniable capability.
“APT41’s criminal operations appear to predate the work they do on behalf of the state and they may have been co-opted by a security service that would have significant leverage over them.
“In situations such as this, a bargain can be reached between the security service and the operators wherein the operators enjoy protection in return for offering high-end talent to the service. Furthermore, the service enjoys a measure of deniability when the operators are identified. Arguably, that is the case right now,” Mr Hultquist adds.
The two indictments by the US Department of Justice are the result of painstaking work. At the end of the day even though the names of the perpetrators are out, as long as these individuals do not leave their home country and travel to a jurisdiction which has an extradition treaty with the US, there is no way that they can be prosecuted.
In the case of APT41, apart from naming the members, the US prosecutors obtained warrants to seize websites, domains and servers associated with the group’s operations.
While this would effectively shut down APT41’s current operations, they could very well morph into a different group and carry on their activities. As of now, the only tool in the hands of the US Justice Department and other similar entities in other countries is the ability to “name and shame” the perpetrators, a tactic that is of dubious effectiveness given that many of these actors have the support of the state apparatus in their country of residence.
APT attacks are not US specific. The 2018 cyber-attack in Singapore that led to the leak of 1.5 million SingHealth patients’ data was clearly and unambiguously linked to a state-backed APT group.
The 2017 attack on the National University of Singapore and the Nanyang Technological University, which was mounted to steal research data, was also allegedly the handiwork of an APT group.
The only way forward, as this writer has repeatedly emphasised, is the drafting of international cybersecurity laws and setting up a mechanism for their implementation. However, that’s easier said than done.
Speaking to this writer some time ago, the FireEye CEO, Kevin Mandia, emphasised the view of many other experts that drafting rules of engagement for both online espionage as well as cybercrime would be the easy part. But the caveat to add here is that despite that, the UN and other world bodies have been at it for 20 years without coming up with a set of rules acceptable to all.
The difficult part is punishing the guilty. As things stand that is almost impossible as the two US Justice Department indictments show. In society people obey laws not just for a high moral purpose.
They obey them because there are clear and unambiguous repercussions for not doing so. For cybercrime, there is no mechanism to ensure repercussions and this is something that really needs to be paid attention to.
The beauty of the Internet is that there are no barriers. However, it remains to be seen how long that remains so unless rules and enforceable laws are put in place to curb criminal activities.
Time and patience are running out and one can envisage a situation where a group of nations decide enough is enough and erect a wall around themselves to ensure that bad actors situated in countries with lax cybersecurity laws can’t get in.
The problem is that to keep out one bad actor, thousands of legitimate Internet users may be shut out from a large part of the internet. That is bad for the users, bad for innovation and bad for growth. Firewalls are good for individual companies but bad for the worldwide web.
We may be hurtling towards that eventuality, faster than we think, in the absence of credible international efforts to rein in cybercrime.
Amit Roy Choudhury, a media consultant, and senior journalist, writes about technology for GovInsider.