The mainstage of the RSA Conference in San Francisco | Photo from RSA Conference Flickr

Published: February 27th, 2020

More countries are following the lead of China, North Korea and Russia and stealing economic secrets from companies to help firms in their own nations, the annual RSA Conference has been told.

Dmitri Alperovitch, who last week left his position as CTO of CrowdStrike to launch a non-profit cyber policy think tank, warned in a keynote Wednesday that Vietnam, India, South Korea and Pakistan are now hunting the globe for intellectual property, and more may join.

The blame for the increase, he added, falls at the feet of Washington, which for too long was officially silent as Chinese hackers broke into American firms.


“Unfortunately we didn’t stop China early enough,” he said. “The (U.S.) government really did not pay much attention to this until relatively recently. And we’re now paying the price, not just in terms of all the intellectual property that has been stolen by the Chinese government from Western networks, but now other countries have jumped into this space.

“We’ve established a defacto norm where we have told the world we will tolerate this activity, that stealing intellectual property from the commercial sector even for your own companies is OK.

“We’ve got to get back to deterrence.”

Lull in attacks

There was a roughly 18-month lull after Chinese President Xi Jinping came to an agreement with President Barack Obama to stop stealing intellectual property, he said.

However, since then Chinese economic theft has been going on “unabated.”

But the Chinese may be thinking twice after the U.S. Justice Department laid charges over several data breaches against Chinese officials alleged to be members of the People’s Liberation Army. Perhaps it’s a coincidence, but recently evidence of PLA cyber activity has disappeared, said Alperovitch.

“From everything I’ve seen and people in the industry I’ve talked to, the Chinese really seem to be impacted by the U.S. Justice Department actions, the indictments, in a way that I have not seen from any other actor – not from the Iranians, not from the Russians, not from the North Koreans.”

Perhaps, he said, individuals have been punished for being caught. But he admitted it’s also possible PLA hackers have merely been transferred to other government units. It’s common now to trace cyber incidents back to China’s Ministry of State Security, he said, or outside groups it contracts with.

Only this month have allegations against the PLA come back with the U.S. Justice department charges involving the Equifax hack, he said.

Trend and predictions

Alperovitch used most of his speech to look back at trends in 2019 and on what to expect this year.

The spread of ransomware was the big trend last year, he said, with criminals finding new ways to spread the malware and infect victims.

Distribution of the GandCrab variant was shut down last May, but two months later a new version emerged with new capabilities. Meanwhile the Ryuk variant added the ability to leverage the wake-on-LAN capability of computers to mount shares and then encrypt the device.
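The wake-on-LAN abuse mentioned above has a defender-side signal: a magic packet is a fixed, easily recognised byte pattern, and one host sending it to many distinct machines is unusual outside of a management console. The following added example (not code from the talk or the article) parses UDP payloads for that pattern and flags senders that target an unusually large number of MACs; the packet records, hosts and threshold are constructed for illustration.

```python
"""Spot Wake-on-LAN magic packets in captured UDP traffic and flag hosts
that try to wake many machines. Added example; the capture below is
constructed, not taken from any real network."""
from collections import defaultdict
from typing import Optional

WOL_PORTS = {7, 9}  # UDP ports WoL magic packets are normally sent to


def parse_magic_packet(payload: bytes) -> Optional[str]:
    """Return the target MAC as aa:bb:cc:dd:ee:ff if payload is a WoL magic
    packet, else None. Layout: six 0xFF bytes, then the MAC repeated 16
    times (102 bytes), optionally followed by a 4- or 6-byte SecureOn
    password."""
    if len(payload) < 102 or payload[:6] != b"\xff" * 6:
        return None
    mac = payload[6:12]
    if payload[6:102] != mac * 16:
        return None
    if len(payload) - 102 not in (0, 4, 6):
        return None
    return ":".join(f"{b:02x}" for b in mac)


def magic_packet(mac: str) -> bytes:
    """Build a magic packet for a MAC; used here only to construct samples."""
    raw = bytes.fromhex(mac.replace(":", ""))
    return b"\xff" * 6 + raw * 16


def find_wol_senders(records, threshold: int = 3) -> dict:
    """records: iterable of (src_ip, dst_udp_port, payload). Returns
    {src_ip: sorted distinct target MACs} for every sender that addressed
    at least `threshold` different machines."""
    targets = defaultdict(set)
    for src, dport, payload in records:
        if dport not in WOL_PORTS:
            continue
        mac = parse_magic_packet(payload)
        if mac is not None:
            targets[src].add(mac)
    return {src: sorted(macs) for src, macs in targets.items()
            if len(macs) >= threshold}


# Constructed sample capture: a management host (10.0.0.5) wakes one
# machine, a workstation (10.0.0.77) wakes five, plus some non-WoL noise.
SAMPLE_RECORDS = [
    ("10.0.0.5", 9, magic_packet("00:11:22:33:44:55")),
    ("10.0.0.77", 9, magic_packet("00:11:22:33:44:55")),
    ("10.0.0.77", 9, magic_packet("00:11:22:33:44:56")),
    ("10.0.0.77", 7, magic_packet("00:11:22:33:44:57")),
    ("10.0.0.77", 9, magic_packet("00:11:22:33:44:58")),
    ("10.0.0.77", 9, magic_packet("00:11:22:33:44:59") + b"\x00" * 6),
    ("10.0.0.77", 9, magic_packet("00:11:22:33:44:59")),   # duplicate
    ("10.0.0.12", 9, b"\xff" * 6 + b"\x01" * 90),           # malformed
    ("10.0.0.13", 53, b"\xff" * 102),                       # wrong port
]

if __name__ == "__main__":
    for src, macs in find_wol_senders(SAMPLE_RECORDS).items():
        print(f"{src} sent WoL to {len(macs)} distinct hosts: {macs}")
```

In practice the records would come from a packet capture or a flow sensor; the useful alert is the count of distinct targets per sender compared with the known list of management hosts, not the presence of a single magic packet, which is normal in most networks.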

Paying a ransom may not solve all of a victim firm’s problems, he warned. While most well-known gangs will hand over decryption keys, one company he knows of recently found the decryption program so buggy that it took down its IT infrastructure.

Practice backup recovery

And don’t think that merely having an off-site backup of data is the answer. Another company told Alperovitch it paid a ransom even though it had a backup after realizing how much it would cost to restore all the data.

The lesson: “Make sure you practice your disaster recovery techniques. Just because you have (a backup) doesn’t mean you can restore quickly.”
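A restore drill is the concrete form of that advice: restore from the backup into a scratch location, re-hash what came back against a manifest recorded when the backup was taken, and time it. The following added example (not from the talk or the article) does exactly that on a constructed sample backup in a temporary directory, and deliberately corrupts one file and deletes another so the report shows both failure modes; file names and contents are made up for illustration.

```python
"""Restore drill: prove a backup can be restored and that restored files
match the hashes recorded at backup time. Added example; the sample
backup is constructed in a temp directory."""
import hashlib
import json
import os
import shutil
import tempfile
import time


def sha256_file(path: str, chunk: int = 1 << 16) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(backup_dir: str) -> dict:
    """Map relative path -> sha256 for every file under backup_dir.
    Build this when the backup is taken and keep it apart from the backup."""
    manifest = {}
    for root, _, files in os.walk(backup_dir):
        for name in files:
            full = os.path.join(root, name)
            manifest[os.path.relpath(full, backup_dir)] = sha256_file(full)
    return manifest


def restore_drill(backup_dir: str, manifest: dict, scratch_dir: str) -> dict:
    """Copy every manifest entry into scratch_dir (never over live data),
    re-hash it, and report what would not have come back cleanly."""
    start = time.monotonic()
    report = {"restored": [], "missing": [], "corrupt": []}
    for rel, expected in sorted(manifest.items()):
        src, dst = os.path.join(backup_dir, rel), os.path.join(scratch_dir, rel)
        if not os.path.isfile(src):
            report["missing"].append(rel)
            continue
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(src, dst)
        if sha256_file(dst) != expected:
            report["corrupt"].append(rel)
        else:
            report["restored"].append(rel)
    report["seconds"] = round(time.monotonic() - start, 3)
    report["ok"] = not report["missing"] and not report["corrupt"]
    return report


def make_sample_backup(base: str):
    """Constructed sample: three files under base/backup plus a manifest."""
    backup = os.path.join(base, "backup")
    os.makedirs(os.path.join(backup, "db"), exist_ok=True)
    samples = {
        os.path.join("db", "orders.sql"): "INSERT INTO orders VALUES (1, 'widget');\n",
        "config.ini": "[app]\nmode=prod\n",
        "notes.txt": "restore me\n",
    }
    for rel, text in samples.items():
        with open(os.path.join(backup, rel), "w") as f:
            f.write(text)
    return backup, build_manifest(backup)


def run_drill_demo(tamper: bool = True) -> dict:
    """Build the sample backup, optionally damage it (append to one file,
    delete another), then run the drill and return its report."""
    base = tempfile.mkdtemp()
    try:
        backup, manifest = make_sample_backup(base)
        if tamper:
            with open(os.path.join(backup, "config.ini"), "a") as f:
                f.write("tampered=1\n")                 # silent corruption
            os.remove(os.path.join(backup, "notes.txt"))  # incomplete backup
        return restore_drill(backup, manifest, os.path.join(base, "scratch"))
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(run_drill_demo(), indent=2))
```

The `seconds` field is the part that answers Alperovitch’s point directly: a drill run against a representative volume of data gives the real restore time, which is the number to weigh against a ransom demand before an incident rather than during one.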

The good news is that ransomware attackers usually take some time to move around the network before deploying the malware, so an intrusion might be discovered first.

As for this year, expect major destructive cyberattacks from Iran against Western targets. Alperovitch predicted that in December, and he said it’s more likely after the U.S. assassination of Iranian General Qassem Soleimani on January 2nd in a missile strike.

After a relatively quiet 2019 in which it spent most of its time on neighbours like Ukraine, expect Russian hackers to be more active against economic targets, he said.

No cyber peace

Despite the work of a number of organizations, some of which are affiliated with the United Nations, “we’re not going to have cyber peace any time soon, I’m sorry to say. All countries in this realm are jumping into this space (cyber-attacks).

“We’re not going to have cyberwar, either, I believe because the reality is that in this domain what’s most effective is for countries to operate below that threshold of the use of force. This is where cyber really shines.”

CISOs should be watching for two trends: Because platform companies are doing a better job of sealing operating systems, malware creators will increasingly target applications. That will mean malware will live in browsers — meaning attackers will have to regularly re-infect devices — and in memory. “Smash and grab” attacks may increase. Memory-based attacks will pose problems for defenders because there’s less visibility into hardware.

Kubernetes containers will become “the new operating system,” and therefore face new attacks.

Biggest worry

His biggest worry is hackers manipulating application source code in what are called supply chain attacks. One of the most infamous was the insertion of the NotPetya wiper into the tax software of a Ukrainian firm. It is believed Russia was behind the attack, which was aimed at Ukrainians. However, the malware escaped and caused havoc around the world.

“Insider infiltrations at large tech companies, both cyber and large platforms companies, is going to be a huge issue,” he added, noting that two former Twitter employees were recently charged with spying on user accounts for Saudi Arabia.

Alperovitch also took a shot at his colleagues. It’s frustrating to go through the convention’s exhibition show and see — as usual — each vendor urging attendees to buy its product to solve a problem it has identified that needs to be solved. He cautioned infosec pros to carefully decide what their priorities are and then see if products meet them.

He believes U.S. legislators are increasingly eager to regulate in a number of areas, including making encryption back doors mandatory, which is why he wants to set up what he calls a “policy accelerator” to offer advice.

Finally, Alperovitch suggested not everything is bad news.

“Offence against hard targets is becoming more costly. Companies are doing well, organizations are doing well, are actually able to defend themselves even against the most sophisticated adversaries. You just need to make it a priority and invest in it.”
