Lessons from a hack

Urs Küderli, Partner and Leader Cybersecurity and Privacy, PwC Switzerland, 22 Oct 2017

What links spies, hackers, cookies and a grey Aston Martin DBS? The answer can be found in the indictment against four suspects that the U.S. Department of Justice published last week. The four individuals are accused of breaching the networks of a large telecommunication company in 2014 and of stealing large amounts of client data. Despite the legal jargon (albeit with a few sparks of technical detail), reading the document reveals some interesting aspects of cyber security.

The blurring line between cyber crime and cyber espionage

Cyber security experts have repeatedly pointed out that intelligence services are keen to take advantage of the abilities of cyber criminals by hiring and mandating them to penetrate their targets’ networks and siphon out sensitive data. The indictment confirms this practice. Two of the defendants are allegedly officers of a foreign intelligence service and have been accused of “[directing] criminal hackers, […], to gain unauthorized access to computers of companies”.

The increasingly blurred line between cyber crime and cyber espionage makes the attribution of cyber incidents more complex. As cyber criminals offer their services and tools on underground markets of the dark web, the same tool can be used in several campaigns and by different threat actors, even intelligence agencies. Hence, the approach for naming the instigators of a cyber attack needs to go beyond the mere technical details (i.e., the so-called indicators of compromise [IOCs], such as the signature of the malware used or the IP addresses of command and control servers). The attribution process must take into account nontechnical aspects such as the nature of the target and the type of information stolen. These elements are then to be interpreted within a geopolitical framework.

Tools, techniques and procedures

The indictment gives an interesting insight into the techniques used by criminals to gain unauthorized access to a system. The methods listed by the Department of Justice include advanced techniques such as spear phishing and cookie minting. In the first case, the hackers had sent tailored e-mails designed to resemble messages from a trustworthy source, luring the recipients either to open an attachment carrying malware or to click on a malicious link. In the latter, the suspects had forged session cookies to gain unauthorized access to the e-mail accounts of the victim. Furthermore, in order to make the task of the investigators more difficult and to “reduce the likelihood of detection”, the criminals had covered their tracks by leasing servers in different countries and using VPNs. Once inside the system of the breached company, they had also run log cleaners to erase their traces.

The indictment reports neither the malware used nor any IOC; it does, however, highlight the high skill and versatility of cyber criminals these days. They are professionals able to use a large set of tools and to combine different techniques ranging from social engineering to the use of malware. When defending your company’s network, you have to be aware of this and consequently implement a comprehensive security infrastructure without neglecting employees’ awareness training.
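As an added example (not taken from the indictment or from PwC), one way a defender can detect forged session cookies of the kind described above is to reconcile every cookie presented to the service against a record of the sessions the login flow actually issued. The issuance ledger, the log fields and all session IDs, users and addresses below are assumptions constructed for illustration.

```python
from datetime import datetime

# Constructed sample data: sessions the login service actually issued.
ISSUED = [
    {"sid": "a1f3", "user": "alice", "issued": "2014-10-01T08:00:00"},
    {"sid": "b7c9", "user": "bob", "issued": "2014-10-01T09:30:00"},
]

# Constructed sample data: cookies presented to the mail front end.
ACCESS = [
    {"ts": "2014-10-01T08:05:00", "sid": "a1f3", "user": "alice", "ip": "198.51.100.7"},
    {"ts": "2014-10-01T09:00:00", "sid": "b7c9", "user": "bob", "ip": "203.0.113.20"},
    {"ts": "2014-10-01T10:00:00", "sid": "e4d2", "user": "carol", "ip": "203.0.113.20"},
    {"ts": "2014-10-01T10:10:00", "sid": "a1f3", "user": "bob", "ip": "203.0.113.20"},
    {"ts": "2014-10-01T10:15:00", "sid": "b7c9", "user": "bob", "ip": "198.51.100.9"},
]


def find_unissued_sessions(issued, access):
    """Return (access_record, reason) for each cookie that does not
    reconcile with the issuance ledger."""
    ledger = {rec["sid"]: rec for rec in issued}
    findings = []
    for rec in access:
        entry = ledger.get(rec["sid"])
        if entry is None:
            # The application accepted a session the login flow never created.
            reason = "no-issuance-record"
        elif entry["user"] != rec["user"]:
            # The session exists but was issued to a different account.
            reason = "user-mismatch"
        elif datetime.fromisoformat(rec["ts"]) < datetime.fromisoformat(entry["issued"]):
            # The cookie was presented before the login that should have created it.
            reason = "used-before-issued"
        else:
            continue
        findings.append((rec, reason))
    return findings


if __name__ == "__main__":
    for rec, reason in find_unissued_sessions(ISSUED, ACCESS):
        print(f'{rec["ts"]} sid={rec["sid"]} user={rec["user"]} ip={rec["ip"]} -> {reason}')
```

Because the attackers in this case also ran log cleaners, such a ledger only helps if it is written to a store that the breached front-end systems cannot modify.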

Collateral damage

The victim of the breach is a well-known e-mail provider with millions of users and even more e-mail accounts. By breaching the company’s network, the hackers had gained access to thousands of e-mail accounts. According to the charges, the suspects had access to accounts of journalists, politicians, government officials, sales managers and even to those belonging to a Chief Technology Officer. Among the victims were also 14 employees of a Swiss Bitcoin wallet and banking firm.

The intelligence officers were more interested in personal information about specific political targets; the hackers, on the other hand, sought financial data for their personal enrichment. Apparently, the business activity was somewhat lucrative, as the list of forfeited goods mentions a grey Aston Martin DBS.

As widely reported in the media, the breached company was in the process of being acquired. In the aftermath of this disclosure and of an earlier one, the price of the deal was reduced by $300 million. Also, taking responsibility for the breach, the company’s CEO decided to renounce her annual bonus. Yes, a security breach can have heavy and real repercussions for the company and its employees.

Recommendations

This breach showcases the importance of not keeping your personal and business data on a single webmail service without protecting it. We strongly recommend using encrypted communication for any sensitive information. Moreover, the criminals reused the stolen passwords to log into other accounts belonging to the users. As a good security reflex, you should never reuse your password across different services.

PwC strongly believes in a holistic approach to cyber security by offering a wide variety of services covering all the phases of the cyber lifecycle: from strategy and policy development to its implementation and to incident response. PwC cyber security services can help your company improve its security posture to face old and new threats.

 
