Cybersecurity: A peek into the nuts and bolts of a state cyber apparatus

Wolfgang Schurr, Partner and Leader Cybersecurity and Privacy, PwC Switzerland, 10 Mar 2017

WikiLeaks, the platform that has in the past released thousands of classified US diplomatic cables and, more recently, emails from the Democratic National Committee, has now published leaked documents which it claims came from the CIA. The documents detail tools the intelligence agency uses for surveillance. These notably include kits to penetrate computers (from Windows to OS X), mobile phones (iOS, Android) and many other devices.

It has been known for some years that intelligence services also launch cyber attacks. In so doing, they add new malware and create new “threats” to the security landscape. The secrecy in which these services operate has contributed to certain expectations, at times exaggerated, as to what their capabilities are. The leak offers us a peek into what a state intelligence service does and how it operates to breach systems. For cyber security specialists, this is in a way a boon to learn how they can make their network more resilient – provided that they are able to digest the information correctly.

Furthermore, because of their sometimes sizeable budget, a few intelligence services can set the tone as to what is the most sophisticated way to perform successful and stealthy attacks. The leaks provide, however, a slightly different perspective.

Should we be worried?

One of the stories to make the headlines concerned spying via Smart TV. It is, however, much less scary than it may sound. The TVs were not hacked remotely, but malware was introduced physically into them.

Many intelligence services go after specific targets. The way they operate means that they will seek to obtain further information about what a specific person is up to because the agency will already have received a hint from another source that the person is involved in terrorist activities, nuclear or chemical weapons proliferation, or organised crime, for instance. The agency then works its way towards putting surveillance in place – be it through remote cyber means or through human intelligence (HUMINT) and up-close support by a network of assets (recruits).

What the leaks show is that agencies, logically, can use their strongest asset, humans, to put such surveillance systems into place: either they physically go in themselves or they use these recruits to inject malware via up-close support. Regardless of an organisation’s cyber security, it is very likely that the agency will be able to circumvent it this way. For an intelligence service to use a Smart TV as a bugging device is in the end not so different from installing its own in-house-developed listening device after breaking into a target’s home.

Therefore, if an organisation comes into the crosshairs of an intelligence service, it may have bigger problems to worry about than merely knowing whether it is under surveillance.

Similarly, up-close physical contact is commonly used by such intelligence agencies in a broad set of countries to gain persistence on mobile devices. Such activities often take place in hotel rooms, where unsuspecting users sometimes leave telephones, iPads and laptops unattended for a few hours at a time. It may take only a matter of seconds for a trained operative to equip a personal device with new software or hardware. If successful, these agencies may harvest a treasure trove of information, which could include all email communications, the ability to monitor live sound and video, banking transactions, geolocation coordinates and much more – essentially a complete pattern of life. (Patterns of life are akin to human fingerprints, making it possible for intelligence agencies to maintain detailed awareness of a target’s actions.) It is therefore wise to keep track of the location of all personal devices during business trips to foreign destinations in order to minimise access to such devices by unauthorised individuals.

If there is one point on which to rejoice, it is that in this latest apparent tool release, a few commonly known communication applications, which use encryption to keep people’s conversations private, seem to be genuinely safe to use. As the leaks appear to indicate, state intelligence services use Trojans to penetrate targets’ cell phones, which suggests that they probably have not been able to crack the encryption algorithms. Users may find comfort in the fact that their private sphere may very well remain protected in some circumstances and for some mobile device models.

What are the largest takeaways?

The toolkit exposed is less sophisticated and impressive than others that would stem from a signals intelligence agency. This is probably because certain agencies can use other “human” means to gain an entry point into a network.

Not all intelligence agencies are alike, and many within the same country operate under different mandates, authorities and areas of specialisation. Such is the case for this most recent release of tools, associated with an agency focused on the collection of foreign intelligence through highly targeted activities and sometimes via up-close tactical operations. In other words, mass surveillance is generally not associated with the operating principles of an agency that does not focus on signals intelligence.

As a consequence, the released information does not contain zero-days, and it shows that intelligence services can reuse portions of code found on the internet or already deployed by criminals and other intelligence services. Apart from being practical, this also adds to the confusion for whoever tries to attribute the attacks, in keeping with the principles of deception and plausible deniability.

A second point which follows is that many of the leaks show the agency simply making good use of unpatched systems. Some of the released information may well be quite old – such as a document concerning the rapid copying of 3.5-inch disks – but it is consistent with PwC’s view that many unpatched systems still leave the door open as much to criminals as to intelligence services.

Open questions

The US intelligence community has been very much in the spotlight for the past couple of months – and the timing of the release of the leaks could not be more awkward. It comes at a time when intelligence agencies have likely been tasked to take action against those responsible for influencing the democratic electoral process in the country. The timing hence raises the question of whether there are motives behind the leaks other than the obvious ones. If we are to accept recent reports of such activities, then such a release of tools may signal a pre-emptive action designed to hinder retaliation. This should prompt us to be cautious as to how we interpret the leaks and not to take the information at face value, especially as some of it may not be genuine.

Once more, the leaks appear to seek to damage the organisation in at least two ways: it will have to rebuild tools to ensure that it can continue its surveillance of terrorists and others; and it will have to redouble its efforts to assure its international partners that the information they give to the agency will remain confidential.

Threat intelligence?

Now that this information about a state’s capabilities lies in the open, it makes sense to integrate it into an organisation’s security posture: professional criminals are likely to seek to reuse what they perceive as top-notch hacking tips. Doing so requires understanding the context of the information (of the leaks, but also of the functioning of the agencies behind them) and having appropriate technical systems in place.

How PwC can help

PwC is a global leader in security services and has multiple threat intelligence teams globally, including in Switzerland. Combined with our threat intelligence, PwC can provide the tools, methods and (if needed) people to detect, and respond to, advanced attacks in an intelligence-driven way.

PwC built one of the world’s leading threat detection and intelligence platforms, "Secure Terrain". The platform is based upon the most advanced analytics technology to pull information out of large amounts of data that traditional methods would not be able to digest.