To understand the threat landscape, you need to know about history, economics, and more.
Coming from all directions
A security expert looking at different kinds of Internet attacks coming from different countries begins to see patterns emerging. "All kinds of attacks come from all over the world," says Ben Johnson, chief security strategist and co-founder of Carbon Black. But "particular attacks are more common in particular places (or are at least more overt), and there are reasons to that. Often it fits into the capabilities of the population, the story that the attacker is trying to build, and the goals of the team or teams conducting the attacks." A look at the reasons behind differences in threat geography can help illuminate the some important facts about world politics and economics.
The wild east
The wild east
Eastern Europe is
responsible for what F-Secure Security Adviser Sean Sullivan calls
"commoditized crimeware."In part, this is due to the laws there
surrounding cybercrime.
"The law allows the development of malicious code in these countries, or else there would be no strong penalties," says Sullivan.
Barry Shteiman, director of labs at Exabeam, elaborates: "In Romania and Ukraine, where there are limited to no laws regarding hosting and Internet monitoring, essentially anyone can do anything unsupervised in a public data center or from their homes. Because of this, and their location relatively central to Europe, these countries are favorites as malware command and control server locations."
"The law allows the development of malicious code in these countries, or else there would be no strong penalties," says Sullivan.
Barry Shteiman, director of labs at Exabeam, elaborates: "In Romania and Ukraine, where there are limited to no laws regarding hosting and Internet monitoring, essentially anyone can do anything unsupervised in a public data center or from their homes. Because of this, and their location relatively central to Europe, these countries are favorites as malware command and control server locations."
Lots of knowledge, few opportunities
Lots of knowledge, few opportunities
Maxim Kovalsky,
director of intelligence production -- cybercrime at Flashpoint, points
out that Eastern European countries have "advanced higher education
systems (particularly in mathematics) but limited employment
opportunities." This is in part due to widespread corruption.
"The corruption of government processes interferes with legitimate business development, explains F-Secure's Sullivan. "Somebody with the talent to develop software finds themselves in this position: Attempt to grow a legitimate software business in the open, and risk that a competitor bribes officials to shut you down -- or develop malware kits for use in Western countries, and if eventually caught, suffer minimal punishments. It's economically rational to pursue the criminal option. The end result is that exploit kits, crypto-ransomware and banking trojans find space to be developed in Russian-speaking countries."
"The corruption of government processes interferes with legitimate business development, explains F-Secure's Sullivan. "Somebody with the talent to develop software finds themselves in this position: Attempt to grow a legitimate software business in the open, and risk that a competitor bribes officials to shut you down -- or develop malware kits for use in Western countries, and if eventually caught, suffer minimal punishments. It's economically rational to pursue the criminal option. The end result is that exploit kits, crypto-ransomware and banking trojans find space to be developed in Russian-speaking countries."
From greed to glory
Particularly in Russia,
cybercrime has taken on nationalist implications. Flashpoint's Kovalsky
says that "the generation now in their mid-30s became involved in
cybercrime in the late 1990s and early 2000s, when Russia was trying to
integrate into the global economy. They view their activities in
entirely realistic terms: as theft." But the younger generation is
"thirsty for the propaganda coming out of the Kremlin and appear to have
internalized its key tenets: that Russia is resurging despite being
surrounded by enemies, and needs to sever economic dependencies with the
West. In their minds, the West has become an undisputable enemy. These
hackers have been emboldened by tacit support from the state in their
mission to damage Western interests."
F-Secure's Sullivan notes that "one recently analyzed crypto-ransomware variant will not infect computers that have Russian language support enabled."
F-Secure's Sullivan notes that "one recently analyzed crypto-ransomware variant will not infect computers that have Russian language support enabled."
In the army now
In the army now
China is more famous
for its government-sponsored cyberattacks. "The Chinese government in
particular has been known to engage in cyber-espionage for years," says
Curt Wilson, senior threat intelligence analyst at Arbor Networks.
"Threat activity in the name of national interests and in defense
against perceived threats takes many forms, and it has been speculated
that various patriotic hackers may also be engaged in such operations
against other nation-states."
Ryan Trost, CTO of ThreatQuotient, points in particular to APT-1, a hacker group linked to the People's Liberation Army. "China is our go-to scapegoat for nearly every breach until proven otherwise by hired incident response teams," says Trost.
Ryan Trost, CTO of ThreatQuotient, points in particular to APT-1, a hacker group linked to the People's Liberation Army. "China is our go-to scapegoat for nearly every breach until proven otherwise by hired incident response teams," says Trost.
Jumping ahead
China's hacking
activities have fairly specific goals. "China has decided that cyber
espionage is a way to accelerate their place on the global stage," says
Carbon Black's Johnson. "It's not that other countries don't do it -- in
fact, a lot do. It's just that by sheer volume and significance, China
is top of the list when you think about cyber espionage."
Jon Condra, director of East Asian Research and Analysis at Flashpoint, said, "It's long been believed that China is following a 'leapfrog' style of development, in which the government seeks to acquire foreign technologies in order to bypass the middle stages of economic development and thus catch up to the West in shorter order."
Jon Condra, director of East Asian Research and Analysis at Flashpoint, said, "It's long been believed that China is following a 'leapfrog' style of development, in which the government seeks to acquire foreign technologies in order to bypass the middle stages of economic development and thus catch up to the West in shorter order."
Blurred lines
Chinese hacking
campaigns against the West help illustrate that the division between
private companies and government and military is not as firm as we might
like to think. "You also have to somehow draw a distinct line between
true 'economic espionage' and traditional espionage conducted for
military or geopolitical advantage," says Flashpoint's Condra. "Because
the production of war materiel and advanced weapons systems has been
outsourced to private industry (Lockheed, Skunkworks, BAE, Boeing,
etc.), it is increasingly difficult, even from a legal sense, to
separate the two."
Look in the mirror
Look in the mirror
Westerners shouldn't be
so quick to think of Internet attacks as being the province of others,
though. "It should be noted that the U.S. typically ranks first in
countries found to have the most cybercrime," says Damian Caracciolo,
vice president and practice leader of CBIZ Management and Professional
Risk. "If you exclude espionage as a broad category, then hacking,
phishing, spyware/malware, and extortion tend to be the most common
forms of cybercrime that originates domestically."
And if we don't exclude espionage? "I think we all know it goes without saying that the United States is at the top of most lists for malicious activity," says Daniel Smith, Radware's Emergency Response Team researcher. "The U.S. is hotbed for espionage and surveillance, and also has a large percent of young adult hacktivist fighting for social and political change."
Finally, while these broad trends are important to keep in mind, it's just as important to not let them blind you to the diverse array of threats coming from all directions. "It's dangerous to fall into threat categorizations, as not all bots are from Russia, and not all Chinese are after US military secrets," says Jayson Street, InfoSec Ranger from Pwnie Express. "Security professionals make themselves vulnerable to attacks when they don't investigate the possibility of that 419 being from Kansas or Paraguay. The internet has no borders, boundaries or categories. Attackers are global, profit-driven individuals. While you may physically know your neighbors and border countries, on the internet you're just a number. Attackers don't see region or nationality; they see IP addresses, and profitable possibilities."
csoonline
And if we don't exclude espionage? "I think we all know it goes without saying that the United States is at the top of most lists for malicious activity," says Daniel Smith, Radware's Emergency Response Team researcher. "The U.S. is hotbed for espionage and surveillance, and also has a large percent of young adult hacktivist fighting for social and political change."
Finally, while these broad trends are important to keep in mind, it's just as important to not let them blind you to the diverse array of threats coming from all directions. "It's dangerous to fall into threat categorizations, as not all bots are from Russia, and not all Chinese are after US military secrets," says Jayson Street, InfoSec Ranger from Pwnie Express. "Security professionals make themselves vulnerable to attacks when they don't investigate the possibility of that 419 being from Kansas or Paraguay. The internet has no borders, boundaries or categories. Attackers are global, profit-driven individuals. While you may physically know your neighbors and border countries, on the internet you're just a number. Attackers don't see region or nationality; they see IP addresses, and profitable possibilities."
csoonline