government – SurfWatch Labs, Inc.

Despite recent media attention surrounding nation-state hackers infiltrating government organizations and attempting to influence elections, the bulk of government-related cybercrime tends to be driven by less sophisticated and more ideologically-motivated campaigns carried out by hacktivist actors, according to a new report from SurfWatch Labs.

govriskchart — Government sector risk scores compared to the average for all sectors over the past year.

Government is the third most active sector when it comes to cybercrime, behind only information technology and consumer goods, and more than a third of the government CyberFacts collected by SurfWatch Labs this year have been related to hacktivist activity — far more than any other sector.

“The global reach of the Internet and social media along with the relative anonymity of cyber-attacks has provided hacktivists with a larger platform than ever to share their message, recruit new actors, and ultimately impact organizations,” noted the report, Cybercrime Gets Political: Automated Tools and Growing Reach Empowers Hacktivists.

It continued: “As a result, the most common cybercrime story in the government sector has involved websites and data being targeted by hacktivist groups resulting in service downtime, website defacement, and various types of information being stolen and publicly leaked.”

government-atep-4 — SurfWatch Labs’ data shows that hacktivists have been the top trending actor category across many different government subgroups so far this year – in some cases appearing in more than two-thirds of CyberFacts.

Hacktivist-driven data breaches are not a new problem for the government sector. In 2013, the FBI warned that anonymous hacktivists using Adobe exploits were able to infiltrate agencies such as the U.S. Army, the Department of Energy, and the Department of Health and Human Services in order to steal sensitive information.

“It is a widespread problem that should be addressed,” the 2013 alert stated.

Three years later, hacktivists remain as a top source of government-sector data breaches.

2016-09-27-govbreachactors — Hacktivists are the top trending known actor group associated with government data breaches so far in 2016.

Government agencies across the world have been targeted by hacktivists using well-known attack vectors such as SQL injections, social engineering and stolen credentials.

For example:

Shortly after Anonymous Philippines defaced the COMLEC website in protest of “questions and controversies” surrounding the country’s electoral process, LulzSec Pilipinas posted the entire COMLEC database online. The incident has been described as the largest government-related data breach in history – affecting more than 55 million people.
A hacker supporting Palestine published the names and personal information of FBI and Department of Homeland Security employees. The hacker said he first compromised the email account of a Department of Justice employee. Then he socially engineered access to the portal by pretending to be a new employee. Finally, he was able to find databases of employee information on the DOJ intranet.
The Anonymous #OpAfrica campaign led to several breaches including a one terabyte dump of information from Kenya’s Ministry of Foreign Affairs and International Trade. Kenya’s Ministry of Information and Communications Technology cabinet secretary Joseph Mucheru said the information was stolen due to a phishing attack that duped employees into clicking a link to change their credentials, which provided the hacktivist access to email accounts.
A hacker known as Hanom1960 breached several government agencies – including the Costa Rica Ministry of Culture and Foreign Affairs, the Columbia Ministry of Information Technologies and Communications, and Columbia’s Ministry of National Education – and subsequently leaked information on various government employees. “I see many mistakes in [their IT] systems,” the hacker told news outlets. “It is something that does not concern governments.”

Hacktivists are often characterized as graffiti artists or vandals that simply deface websites and cause other nuisance-level problems for organizations.

Those types of attacks are common, with SurfWatch Labs’ data showing that website downtime and website defaced are the most popular effects of hacktivism; however, the threats from hacktivists go beyond those simple attacks.

According to the report:

“Government officials noted in 2015 that the bulk of the cybercrime-as-a-service economy may be powered by as few as 200 individuals, yet those services put traditional cybercrime tools such as malware, botnets and DDoS attacks at the fingertips of a vastly larger pool of actors. … This trend, along with the large number of federal, state and local government agencies across the world, the global reach of hacktivist actors, and a never-ending series of political causes means that hacktivists have the ability, reach and will to cause harm to government organizations on a level never before seen.”

Hacktivists don’t have the resources of state-sponsored actors, but they are much more open about their attacks — often using public channels to coordinate attacks, gain media attention and recruit other actors to the campaign.

“This chatter can lead to valuable threat intelligence around what types of organizations are being targeted, how those attacks are impacting organizations and, ultimately, what can be done to better protect your organization,” the report concludes. “Monitoring hacktivist chatter and utilizing external cyber threat intelligence, along with your own internal data, can help to paint a full picture of the cyber risks facing your organization, determine what assets are at greatest risk, and inform where cyber defense efforts should be focused in the future.”

For more information, download the full report, Cybercrime Gets Political: Automated Tools and Growing Reach Empowers Hacktivists.

Recent Espionage Activity

As mentioned above, there have been five espionage-related events that have made headlines over the last week.

In February 2014, North Korea began targeting about 140,000 computers throughout several South Korean defense contractor firms and government agencies. The attack was discovered back in February of 2016.

Companies that were not defense contractors were also targeted, such as SK Holdings group and Korean Air Lines, but it appears no data was actually obtained. According to researchers, about 95% of the data obtained in the attack by North Korea was defense related. One of the most coveted pieces of information that was obtained were blueprints for the wings of F-15 fighter jets.

North Korea has denied any involvement concerning cyber-espionage attacks on South Korea. However, evidence obtained from these attacks have been traced back to the North Korean capital Pyongyang.

Two separate hacker groups with ties to the Russian government have infiltrated the network of the Democratic National Committee. The names of both groups have been lovingly named “Cozy Bear” and “Fancy Bear.”

The attacks took place at different times. Cozy Bear first infiltrated the database in the summer of 2015 and was monitoring email and chat communications, while Fancy Bear appeared last April and targeted opposition research files. The Fancy Bear group was able to obtain information held on Donald Trump. Information held on Hillary Clinton and several other GOP political action committees were also targeted.

A Russian-linked cyber-espionage group — known as Sofacy — sent a spear-phishing email to a U.S. government official from a compromised computer belonging to another country’s Ministry of Foreign Affairs. The email had a malicious attachment that, if opened, would have loaded two DLL files on the official’s computer.

One of the files contained a Carberp malware variant of the Sofacy Trojan of which the group’s name is derived. The group has also been called Fancy Bear — which is tied to the Democratic National Committee hack — APT28, Sednit, Pawn Storm, and Strontium.

The good news in this attack is that it was full of mistakes. First of all, the RTF document attached to the email didn’t show any content, which immediately pointed to something being wrong. Also, old IP addresses and C&C server domains were used from past campaigns, which was another flag that this email was malicious.

The Mofang Chinese APT cyber-espionage group has been around since 2012. The group is identified through their ShimRat malware and is unique from other APT groups because they exclusively use social engineering tactics to target computer networks, not exploits. More specifically, the groups’ attack vector of choice is spear phishing.

The bulk of activity displayed from this group has been against the Myanmar government. The group has also been spotted targeting companies in the United States, Canada, Germany, India, and Singapore. Attacks from this group have continued throughout 2015.

On Tuesday, a former Chinese employee from the tech company IBM was charged by U.S. authorities with economic espionage for allegedly stealing source code from the company and handing it to the Chinese government.

Xu Jiaqiang, the defendant, offered the code to undercover U.S. FBI agents posing as tech company officials that were seeking software for their company. Jiaqiang was also intending to provide this source code to the Chinese National Health and Planning Commission where he was previously employed.

Jiaqiang’s indictment also brings with it three counts of economic espionage and three counts of trade secret theft. In total, he faces a maximum of 75 years in prison if convicted of all charges.