Whitehat Lessons from $300M Cyber Crime Spree
Chris Merritt - July 30th, 2013
By now you’ve read about the new indictment of five hackers from Russia and Ukraine in what is being called the “largest data breach scheme in the US.” You can read the DOJ press release here and/or a redacted copy of the indictment here [PDF]. In what is really a continuation of the Albert Gonzalez saga, these five victimized many major corporations in the US and beyond, including those we’ve heard about before (Hannaford, Heartland Payment Systems, Global Payment Systems, etc.) and some that are new (at some point one of the accused apparently wrote “NASDAQ is owned”); for a complete list see: Seventeen companies, including banks and retailers, named as victims in hacker campaign.
In all, the defendants are estimated to have stolen 160 million credit / debit card numbers and obtained more than $300M from at least three of the targets, in a campaign that started in 2005 and lasted until the summer of 2012. And, in a blow to US national pride, we learn that they allegedly charged $10 for American credit card information, $15 for Canadian information and $50 for European data. [See this WaPo article to understand the economics behind this price differential.]
[BTW, if you don’t want to wade through the indictment (which, while fascinating, is the legal equivalent of a tar pit), I’d suggest reading this by Brian Krebs in his always excellent blog and/or this by Dan Goodin in Ars Technia.]
Anyhow, besides the breathtaking scope of these guys’ exploits, what can we learn about modern cybercriminal hacking? A couple of things come to mind:
The term Advanced Persistent Threat is generally associated with attacks by nation-states or their proxies (think Conficker or Stuxnet). One of the hallmarks that differentiates these from “normal” attacks is the doggedness of the attackers in getting what they’re after. As Dan Goodin wrote:
Like a rock climber slowly scaling a craggy cliff, [Aleksandr Kalinin] spent months methodically escalating his access into the highly sensitive system. In an instant message he sent six months earlier, after initially gaining less-privileged access, he said, “30 SQL servers, and we can run whatever on them, already cracked admin PWS but the network not viewable yet. those dbs are hell big and I think most of info is trading histories.” … The indictments give a birds’ eye view of the patience and meticulousness hackers employ when penetrating some of the world’s most well-fortified networks. On May 19, 2007, Kalinin allegedly identified a vulnerability in a password-reminder page of the Nasdaq website. Five days later, prosecutors said, he fashioned a text string that injected SQL programming code that allowed him to obtain cryptographically hashed login credentials from the page.
While many may feel that they are not targets of these newfangled APTs, the fact is that even “common” cybercriminals have been pursuing this methodology for years. If an organization has something of value that others want – be it state secrets, cash, or an in to other parts of a valuable supply chain – they are a target. Thus we need to be as persistent in our defenses as the blackhats are in their attacks.
It seems that each defendant had an area of expertise; as reported in Computerworld …
Drinkman and Kalinin allegedly specialized in penetrating network security and gaining access to the corporate victims’ systems, while Kotov allegedly specialized in mining the compromised networks to steal data, the DOJ said. The defendants hid their activities using anonymous Web-hosting services provided by Rytikov, while Smilianets allegedly sold the information stolen by the other conspirators and distributed the proceeds of the scheme to the participants.
It can be difficult when up against an adversary with deep expertise, but it behooves organizations to try to level the playing field by:
- Considering security as an integral part of all IT projects, not just a “bolt on” which can be dispensed with if the schedule gets tight.
- Investing in the people, processes and technologies needed to ensure a security mindset within the organization. Importantly, it’s not just the job of IT to protect users – rather, every employee must understand their responsibilities, and the costs should they fail.
According to the latest Whitehat Website Security study, SQL Injection doesn’t even make it into the website attack top-10 list anymore. And yet, at an OWASP presentation by Jim Manico that I recently attended, it was clear that it remains a very common attack route (to learn more, see his Top Ten Web Defenses presentation at AppSecUSA last fall). And so it was for this hacker crew: most of cases detailed in the indictment involved an SQL Injection attack. Of course, it didn’t stop there. As reported in Help Net Security:
The initial entry was often gained using a “SQL injection attack.” SQL, or Structured Query Language, is a type of programing language designed to manage data held in particular types of databases; the hackers identified vulnerabilities in SQL databases and used those vulnerabilities to infiltrate a computer network. … Once the network was infiltrated, the defendants placed malicious code, or malware, on the system. This malware created a “back door,” leaving the system vulnerable and helping the defendants maintain access to the network. In some cases, the defendants lost access to the system due to companies’ security efforts, but were able to regain access through persistent attacks.
So, two lessons come to mind from this:
- Just because a vulnerability is not seen so often doesn’t mean it won’t get targeted; after all, if the attack path is well known and relatively easy to implement, why not try that first. ROI is, in the final analysis, the name of the game for blackhats too.
- Once penetrated, malware is used to establish control of the network. And if the attackers are sufficiently motivated, that malware will be novel enough so as not to be caught by typical AV engines. In fact, organizations should be considering a more proactive whitelisting approach, especially on high value targets like servers.
According to this post in The Guardian, the defendants hid their efforts by disabling antivirus software of their victims and storing data on multiple hacking platforms. In addition, Kim Zetter wrote in Wired that …
According to instant messaging chats obtained by authorities, the alleged hackers targeted victim companies for many months devising methods to bypass security and burrow into the networks. Authorities say the defendants gained access to servers using SQL-injection attacks and other methods, then installed network sniffers to siphon data. In some cases, they disabled logging systems to avoid being caught and remained ensconced in breached systems for more than a year before being detected.
Disabling AV and logging to elude detection, hiding for long stretches of time – sounds pretty advanced and APT-like to me. It also suggests that organizations cannot rely on a single technology to keep them safe. Rather, implementing a defense-in-depth approach using different types of technology (perimeter vs. endpoint, reactive vs. proactive, active vs. passive, etc.) will improve visibility and provide the “space and time” required to mitigate attacks.
Bottom line, it’s good that these guys have been indicted (even if not all of them are in custody yet). Because, as Rich Mogull from Securosis wrote: This is a very big win for law enforcement. There aren’t many crews working at that level any more. It also shows the long memory of the law – most of the indictments are for crimes committed around five years ago.
But it does not mean we can relax – there’s plenty that needs to be done to prevent this sort of thing from continuing.