Pierluigi Paganini September 18, 2012

The defense of cyberspace is becoming one the most concerning question to approach, governments all around the world are massively investing in cyber technology with the resultants that the number of cyber operations is increasing exponentially.

William J. Lynn, U.S. Deputy Secretary of Defense, states that:

“as a doctrinal matter, the Pentagon has formally recognized cyberspace as a new domain in warfare . . . [which] has become just as critical to military operations as land, sea, air, and space.“

The message launched by official demonstrates the high interest of government in the development of cyber warfare capabilities oriented to cyber espionage and cyber offensive.

Despite the potential effects of the use of cyber weapons and the damage caused by offensive operations represent major concerns for intelligence agencies, very frequently are discovered clues of cyber attacks that have the main purpose to steal sensible information and intellectual property from the victims.

Who is behind these cyber attacks?

Analyzing the statistics it is possible to note that the majority of attacks are related to hacktivism and cybercrime activities, the data demonstrate a growing trend for cyber warfare attacks but it is expected that they represent only the tip of the iceberg.

To identify a cyber attacks is becoming every day more and more difficult, in my previous post I presented a study released  by the security firm FireEye, named “Advanced Threat Report” related first half of 2012, that provides an overview of the current threat landscape, evolving advanced malware and advanced persistent threat (APT) tactics, and the level of infiltration seen in organizations’ networks today.

The document presents and alarming scenario, the organizations are assisting to an impressive increase in advanced malware that is bypassing their traditional security defenses.

It’s quite common to assist that a malicious agent is able to elude common defense mechanisms remaining stealth for long period in which it operates under coverage.

The problem is mainly related to cyber espionage activities and its impact in any sectors, from defense to communication, causing serious damages.

We are not able today to exclude that a cyber weapon is operating undetected and it is known that at least 140 countries are working on the development of new agents that will crowd cyber space soon.

The organization are facing with a dramatic explosion of the diffusion of advanced malware in terms of volume and also in effectiveness in bypassing traditional signature-based security mechanisms. Most of these attacks are considered as state-sponsored due the nature of the targets systems and the abilities of the malicious agents to exploit 0-days vulnerabilities.

Most state-sponsored malware are designed for activities such as data-gathering, cyber espionage or sabotage, we have a large casuistry on features identifies in the malicious agents, but the same scope are persecuted by cybercriminals and hacktivists.

Distinguish the origin of attacks is not simple, in many cases the cybercriminals operate exactly in the same way state-sponsored hackers do, selecting specific sector as privileged target and operating with malware that mainly act in stealthy mode.

We must consider also the cybercrime is not always considerable a totally separated cyber threats, cyber criminals operate in the name of business and they steal sensible information to sell them to hostile countries.

According Myla Pilao, director of core technology marketing at Trend Micro’s TrendLabs, the attacker’s intent is fundamental to discriminate a cyber attacks from a state sponsored operation, and let me add also that the context of operation and the real identity of the attacker have the same importance.

What make more hard the identification of the origin of attacks is the consideration that in the cyber space there are no boundaries and an offensive could be started from a domain associated to any countries.

Indications on the presence of a state-sponsored attack are related to the target addressed and the region where the agent has counted the greater number of infected host, let’s think for example to Flame that hit mainly Middle Eastern countries with cyber espionage intents or Stuxnet that concentrated its efficacy against Iranian nuclear plants.

The limited geographic area could highlight the presence of an ongoing intelligence campaign interested in gathering sensible information and conducting espionage.

Phil Lin, director of product marketing at FireEye, noted:

Still, all of these characteristics can also be found in advanced malware used by cybercriminals for regular attacks, which makes the geographical attribution of cyberattacks “the most difficult task”, Lin observed.

“Cybercriminals from one country can easily set up ‘command and control (C&C)’ servers used to store exfiltrated data in a different country leading to incorrect attribution of the nationality of the threat actors, not to mention their ultimate nation-state ties,”

The level of complexity of the agent used could be a condition necessary but not sufficient to qualify the product of a state sponsored project.

My opinion is that despite a deep analysis on the victims of the attacks in many cases it’s hard to find evidences of a state involvement due the increased sophistication of the malware, powerful agents that are able to destroy their tracks.

In the future the number of operations has will increase and it is “extremely unlikely” that in absence of an international regulatory in cyber warfare a country will openly admit sponsoring operation.

The only escape way that I see is the definition of a regulatory because I am convinced that, in the absence of strict rules, technical capabilities of the states will evolve in an unpredictable manner and it will impossible to qualify the nature of malicious code and to discover the identity of its creators.

Pierluigi Paganini