Tom Kellerman, Head of cyber security strategy, VMware Carbon Black, explains why geopolitical interference is a growing area of concern among cybersecurity experts.
With another UK General Election under our belt, the battle for leadership was fundamentally fought and won online.
Today governments face ever-more sophisticated hacking and online influence campaigns from cyber criminals. For example, evidence points to the fact that Russia interfered in the 2016 US election, and as we near the 2020 US presidential election it’s guaranteed geopolitical tensions will once again play out in cyberspace and give rise to cyberattacks.
Threats from the East
We should not forget that Russia is not the only nation with an eye on upcoming elections. Both US and UK officials have warned about nation-state efforts to disrupt the democratic process, with attacks emanating from multiple countries. The concerns are not only about the possible hacking of campaigns, but also about the spread of disinformation on social media and potential efforts to breach voting databases and even alter votes. The alarm around this tampering goes beyond the possibility that adversaries could directly affect election results: the mere hint of any interference could undermine public confidence in vote tallies.
From my perspective, this fear is not unfounded, and we recently saw similar concerns being raised in our latest Global Incident Response Threat Report (GIRTR). This is the fourth report that we have run of this nature and we interviewed top incident response (IR) professionals from around the world. They are saying that ongoing geopolitical tensions involving China, Russia, North Korea and Iran are leading to cyberattacks.
Additionally, this research shows that most of today’s cyberattacks now include tactics such as lateral movement, island hopping and destructive attacks. Advanced hacking capabilities and services for sale on the dark web compound the issue, as does an unprecedented collaboration among nation states. These realities pose a tremendous risk to targets with decentralised systems protecting high-value assets, including money, intellectual property and state secrets.
This means that targets who fail to increase their defences accordingly are paying an ever-steeper price, as the frequency of destructive attacks continues to climb. We found that financial gain drove most attacks in 2019, but we also found that IR professionals are concerned about these same tools being deployed to interfere with elections. To this point, among respondents working in the US, 59% said risk around election process and security has increased to a significant extent since 2016. Within that same group, 65% said they believe the 2020 US elections will be influenced by an outside entity.
Defenders need to collaborate like attackers do
As attackers develop communities on the dark web to share experiences and trade in custom tools, defenders need to take the same collaborative approach. While financial interests reign supreme, concerns over the elections and maintaining integrity demonstrate how a wide range of verticals are under threat.
The report highlighted that visibility is the greatest challenge for IR professionals today and this is not just about seeing endpoints, but being a part of user exchanges and cybersecurity communities to see the bigger picture.
Attackers have become dramatically more sophisticated and very well organised. The scale of the threat is growing. The challenge for IR firms and global organisations is to match the cooperation of the adversaries, jointly developing solutions and sharing information that empowers responders to enter each fight with the upper hand.
There were seven additional key findings that came through clearly from our research and these were:
1. China and Russia are responsible for the lion’s share of cyberattacks in 2019. When asked which country accounted for the most attacks, IR professionals said Russia (29%) and then China (18%), followed by North America (11%) and North Korea (4%).
2. Financial gain was the primary motivation for 90% of attacks, a sharp increase from 61% in the first half of 2019 and a shift from previous years when we have run this report, when intellectual property theft and stealing customer information topped the list.
3. IR pros said they experienced destructive/integrity attacks in about 41% of attacks, a 10% increase on the past two quarters. This is an ominous trend as cyberspace is becoming more punitive.
4. There has been a continued rise in attackers using island hopping (41% of total attacks, up 5% since Q1 of 2019) and lateral movement (steady at 67% of attacks, well above 2018 averages).
5. Attackers are adapting. Custom malware was used in 41% of attacks, up from 33% in Q1 of 2019. The use of commodity malware has seen a slight decline, from 57% last quarter to 54%.
6. There’s been a significant increase in the use of outside threat intelligence feeds.
7. Voter databases from previous elections are readily available from high-reputation vendors on the dark web for less than $100. In total, from a single listing, information on more than 81 million voters is currently available for sale.