Why the ‘golden age’ of cyber espionage is upon us

By Byron V. Acohido

Researchers at Cisco’s Talos intelligence unit have now expressed high confidence that the Russian government is behind VPNFilter, a malware strain designed to usurp control of small office and home office routers and network-attached storage (NAS) devices.

If you doubt VPNFilter’s capacity to fuel cyber chaos on a global scale, please peruse the FBI’s recently issued alert about this very nasty piece of leading-edge malware. One caveat for anyone acting on that alert: rebooting a router disrupts only the later stages of VPNFilter, while the stage 1 component persists across reboots, so a firmware update and a factory reset are needed to actually remove it.

Related article: Obsolescence creeping into legacy security systems

VPNFilter is precisely the kind of cyber weaponry that nation-state-backed military and intelligence operatives routinely deploy to knock down critical infrastructure, interfere with elections and spy on each other.

One of the top analysts of the daily use of malware across the planet is Dr. Kenneth Geers, senior research scientist at Comodo Cybersecurity. His main duties at Comodo revolve around monitoring and analyzing malware spikes as they unfold each day, and correlating cyber attacks with global news and political events.

Geers and I met at RSA Conference 2018 and he walked me through the cyber attack trends and patterns he’s currently monitoring. Bottom line: cyber espionage is on the cusp of a golden age; and the only way to deter this is for the private sector to do a much better job of defending home and business networks.

Why so? Because vulnerable home and business networks supply the communications channels and processing power that cyber criminals and nation-state combatants so easily co-opt.

For a full drill down on my fascinating chat with Geers, please listen to the accompanying podcast. Here are excerpts edited for clarity and length.

LW: Can you characterize what you see on a daily basis?

Geers: I see data from every country on the planet every week, and it is really astonishing, from the standpoint of where malware clusters. I’ve been looking at computer data for a couple of years now and what I have seen, and what fascinates me, is that nation states and advanced cyber criminals are really ahead of the rest of us, when it comes to sensing vulnerabilities and attacking them. Every week and every day we’re seeing malware cluster around elections, military tension, terrorism and big business events, as well.

LW: There certainly have been a lot of these types of events at play. Can you give us some color?

Geers: I’ll give you one example. There was a bombing of a discotheque in Istanbul, more than a year ago on New Year’s Eve; it killed about 40 people. The following day there was the biggest jump in malware in over a six-month timeframe within Turkey.
When you have a terrorist incident, or even an important election, a couple of dozen foreign intelligence agencies begin leveraging malware to learn about it. So when the bomb went off in Istanbul, we had this massive malware spike the next day. What we saw were intelligence services all writing intelligence reports and wanting to know who did what to whom. They needed the information to fulfill a national security requirement. And they certainly weren’t going to rely on CNN.

LW: So certain sources would naturally be targeted for intel gathering purposes?

Geers: Absolutely. All nations are using malware and cyber espionage for information gathering. It’s the golden age of espionage because you don’t have to send a James Bond across the border, flying a plane or on skis. The more dramatic and the more unexpected the national security event, the sharper the malware spike and the more dramatic or spontaneous that spike will be.

LW: Is it safe to assume the U.S. is participating fully as well?

Geers: That’s right. This is not just the United States; the Vatican City probably also has a secret hacker team in the basement. They just have too much money, and too many assets to protect frankly. This is just the way espionage is done today. Cyberspace envelops the whole planet. And it’s given us a new medium to collect information.

Spies and soldiers are using the Internet for their operations, tied to national security requirements and therefore espionage, or for running operations that would facilitate some kind of a military maneuver.

Related article: Wannacry signals wave of attacks using NSA tools

LW: Wannacry made use of cyber weapons stolen from the NSA. Is that part of this?

Geers: That’s an example of malware theft, and of muddying the waters of attribution. Wannacry was a case of the Russians, very likely, using American cyber weapons against the Ukraine. It’s all part of the fog of war . . . Basically, if you know where to look, you can find advanced malware every day at any enterprise. You can reverse engineer it, and you can repurpose it. You can replace the payload or replace the command-and-control infrastructure. You can put that cyber weapon into another context, and leverage it for your own purposes.

LW: What is the implication for the business community?

Geers: The business community has to be aware that it is a part of the battlefield. In order to route attacks on steppingstones through the Internet, the threat actors have to use third party networks and third party servers. They’ve got to hide their tools and any exfiltrated data, and they’ve got to cleanse the data before they can bring it back into the intelligence service.

So actually there’s this web of malware . . . if you plot it on a chart, depending on the level of granularity you want, it becomes just one blob. In other words, all nations are talking to all other nations, in terms of malware communications, so you can route it a different way every time.

LW: Are you saying that business resources are being highly leveraged?

Geers: That’s right. It’s just like the crypto miners. So I’m a hacker and I hack your website, then part of your computing resources are going to be used to mine crypto currency and make a profit for me.

LW: Crypto mining and crypto jacking are a microcosm of criminal cyber attacks and the spy game?

Geers: That’s right. If I’m an American hacker and I want to hit an American bank, I can route my activity through Zimbabwe, Iran and China. And the chances that law enforcement can find me are very low because local law enforcement can’t really interact with these other countries. I can take advantage of the diplomatic tensions, as well, that separate these countries. Cyberspace is great for achieving some level of anonymity.

LW: Do companies need to practice better cyber hygiene to make themselves less susceptible to being pulled into these big patterns that you’re seeing?

Geers: Yeah, it’s both strategy and tactics. On the network, at the server and with users at the endpoints we need best practices. You also have to watch the news and be aware . . . The private sector is definitely abused by advanced players in cyberspace and there’s really no way around it.
