EclecticIQ Blog

2018 — Playing a Game of Cyber Cat and Mouse

April 04, 2018

Four months into 2018 it’s time to look back at some of the threat highlights that we have witnessed so far this year. We start this 2-part review series with a look back at politically motivated attacks, followed shortly with a summary of crypto mining activities.

Artwork by Dadara

After last year’s large-scale cyber-attacks that had industry and government finger-pointing at numerous nations as perpetrators, it should come as no surprise that just three months into 2018, we’ve seen that trend continue with numerous stories emerging about states under attack, and states fighting back against aggressors. This is probably just the tip of the iceberg. A range of attacks may be yet to be discovered or are being kept under wraps for various reasons.

So while the first quarter of this year has come to a close, let’s recap some of the highlights of 2018 in terms of what is generally being referred to as “cyber warfare”*.

These politically motivated types of combat, conducted using sophisticated technology, can be considered cyber warfare. This is seemingly on the increase as organizations and governments rely heavily on technology to function, and to store sensitive, personal and private information. Cyber criminals and nation states are aware of this and aim to identify (or buy information on) vulnerabilities within the IT infrastructure, so that they can hack into the systems, steal data or bring systems to a halt, often going unnoticed.

This year’s highlights so far

In December 2017, the German government’s intranet was hacked, with confidential information captured by the hackers. Since the German Interior Ministry confirmed the attack in February, there have been multiple reports about potential adversaries behind the attack, infection vectors and exfiltration methods used.

The compromised learning platform is currently offline and as it was running on an old build, it is still not known how the adversaries were able to hack into the platform. EclecticIQ’s Fusion Center analysts believe that it could be through a compromise of admin credentials or the exploitation of one or more vulnerabilities to gain higher privileges.

According to sources, documents linked to online courses have been manipulated with malware, and it is thought that this led to 17 computers of the government IVBB network being infected with malware. EclecticIQ analysts believe with low confidence that there may have been exceptions added in the network security controls, enabling government staff to access the e-learning system from the IVBB network, and this was how the supposedly closed network was infected.

[Find extensive report “Infection Vector for German Government” with STIX entities here]

While there are different theories about the methods used, perhaps more interesting is the question of who is behind such an attack. German local media reported that the Russian hacking group Fancy Bear, also known as APT28, is behind the cyberattack — while the German Press Agency (DPA) said that security sources had told them that Russian hackers had breached the government network, with malware likely placed in a central government network for up to a year before the attack.

Winter Olympics and False Flags

But attribution of such attacks can be highly problematic, as some adversaries intentionally design their attacks to pin the blame on other stakeholders. For example, The Washington Post suggested that Russian hackers were responsible for a cyberattack against the 2018 Winter Olympic Games opening ceremony, but tried to make it appear as though North Korea was responsible. The report suggested that Russia’s Main Intelligence Directorate (GRU) used North Korean IP addresses to mask their tracks, after gaining access to around 300 computers, hacking routers and distributing malware in the lead-up to and during the event’s opening ceremonies. Politics again played a big part here: the speculation is that Russia was not happy about the ban on its athletes in the wake of a doping scheme; it also knows that North Korea has tensions with South Korea and the United States, so using North Korean IP addresses as a façade would help to deter researchers and government personnel from finding Russian links. Whether or not Russia or hacking groups from the country were involved in either of these attacks is hard to confirm, but nation states are now actively trying to fight back against hacker groups.

[Extensive reports on this topic: “Pyeongchang 2018: Summary of Cyber and Physical Threats” & “Olympic Destroyer — Various Firms Attempt to Attribute”]

Nation States Fighting Back

Take the Dutch intelligence agency AIVD, which local media outlets suggested had access to Cozy Bear for at least a year starting in mid-2014. Reports suggested that it was the Dutch government that alerted the United States to Russian interference in the 2016 presidential election after Netherlands-based officials hacked into the group’s systems and pinpointed their location. They controlled the hacking group’s security cameras and saw what the Russians were doing and who was doing it. This included the hacking of the Democratic National Committee and other operations by the Russians, including a 2014 State Department hack.

What is clear is that while hacker groups affiliated with nation states have been targeting their adversaries, victims and allies of victims are now fighting back against these types of attacks, not only by preventing the attacks from occurring, but by monitoring the attackers’ actions. Attribution isn’t necessarily what matters, though, as organizations and governments have to gain knowledge of the actual attack, its tactics, techniques and procedures, and how they can learn from it to prevent similar attempts.

The beginning of 2018 has already seen a high number of cyber incidents that seem to be politically motivated, and considering the current political climate it is likely that this trend will continue and perhaps even increase throughout the year.

While we have talked a lot about nation state involvement, it is worthwhile to bring up the issue of attribution of such attacks. The ‘who did it’ aspect gets a lot of attention, but whether this aspect is really that important when so many false flags are flying around is questionable. Follow this blog so as not to miss an upcoming post in which we will look into the great attribution debate.

* There are various definitions for the term “cyber warfare”. In this context it refers to cyberattacks with espionage or sabotage as motives. The incidents mentioned involve at least one nation state that is either the adversary or the victim, and/or a threat actor that (seemingly) acts in the interest of a national government.

We hope you enjoyed this post. Follow our blog for more interesting reads on Cyber Threat Intelligence or check out our resource section for white papers, threat analysis reports and more.