Since this past weekend I have followed the story of an activist hacker, “Phineas Phisher,” who publicly posted a detailed write-up of an illegal attack he carried out last year on a software company that specializes in surveillance technology.
Phineas’ target is ironic in a way. “Hacking Team” sounds as though they would be the ones carrying out the attack, and in many ways they have been, providing malicious software to law enforcement and governments to conduct surveillance on suspects and citizens.
While the process of a persistent and targeted attack against an organization was interesting to read, I also find the public response to such an attack very interesting. When you’re the target of a hack with the goal of humiliation, you may not see much sympathy from the public.
A political hacker such as Phineas Phisher would have motivation to attack a company like Hacking Team in the same way an animal rights activist might attack a business in food production, or an anti-capitalist might attack a bank.
When the vulnerabilities of the target are laid bare in a gloating way by the attacker, it can bolster an activist’s cause, and give ammunition for those involved in IT and security to point out the flaws and mistakes that allowed the target to be compromised.
The attack that Phineas describes has many of the traits of successful attacks we’ve seen, publicly and in our own incident response services.
He describes redirecting attacks in ways that make it hard to track down the original source. Real attackers will hack third parties, even your organization (if it’s not the ultimate target), to use them as stepping stones to their true objective. Likewise, it might appear to you that an attack comes directly from another company, when they’re simply a pawn in the hacker’s game. Once an attack is carried out, it can often be very difficult to pin it to an individual or group.
He takes his time in gathering information. Open-source, or publicly available, information about a company can tell him a lot about the systems being used by the target before he ever touches their network. Consider this: How much does your network rely on the obscurity of its configuration for its security?
Despite Hacking Team being a hard target to compromise, Phineas is able to get in through a zero-day attack, one that exploits a vulnerability that has not been publicly disclosed. Such an exploit takes a significant amount of time and research to develop. Whether for money or for a cause, the magnitude of resources an attacker is willing to dedicate to compromising your network can be surprising.
“Lateral movement” across their network was comparatively easy. Many organizations focus their defenses on preventing external attackers from gaining access to the internal network, to the point of neglecting how an attacker will move around once they’re inside.
We have seen this countless times on internal penetration tests ourselves. An initial compromise of a single system is going to happen to everyone at some point. Network segmentation and layers of defense can help prevent it from spreading, but it’s often hard to see where that’s necessary until it’s pointed out, whether by a test or by a real hacker, how easy it is for an attacker to expand their access.
Who Cares for the Victims?
Among the various ways a business can fall victim to crime, cyber crime results in the least amount of sympathy. You can be the target of a physical break-in and it will be the criminal and their daring actions that dominate the story. If an employee embezzles money from you, it will be their dishonesty that is the topic of conversation. When you’re the victim of cyber crime, however, it will be your own lack of defense and awareness that will come under public scrutiny.
Why is this? “Hindsight is 20/20” as the saying goes. In the absence of regular security testing, it’s easy to overlook the simple mistakes that allow criminals into a network. A motivated attacker is likely to gain some level of access, as in the zero-day attack used in the story above. From that point, if an organization has not taken precautions against lateral movement in their network, many vulnerabilities get laid bare quickly: insecure protocols, weak authentication, bad passwords, and more.
The targets of activist hackers get hit even harder in the court of public opinion, as the primary goal is not profit, but humiliation. While you may not be a target for political hackers seeking to compromise suppliers of surveillance technology, you may be surprised what could make you the target of a similar attack.
Those who dislike your business model, or the perceived unfair practices of your industry, may seek vulnerabilities in your network. Former and current disgruntled employees may act on their grudge. The actions and stances of your employees on their personal social media accounts may make your business a target for those who disagree with them. These attacks can be dangerous, as the motivation is public humiliation and disruption of operations, without regard to any risk-reward analysis.
Gone are the days when you can consider yourself “not a target”. The motivation behind hacking your organization may not be known to you today, but it may be known by everyone tomorrow.