<! –
it will be combined in the content ->
Hacking has become a professional since the late '90s, and a side effect is the need for a descriptive list of the terms of the hackers used here. The list is at the end of this piece, in simple English. This means that the main nations see the weapons of cyber war as the main components of their military power. This evolution has been in focus in the last decade and one of the most recent operations to discover, the White Company, is typical of national hacker organizations. These clothes are often called APT (Advanced Persistent Threats) and that says it all. The White Company was discovered in the last year (by computer security companies) while quietly trying to enter the Pakistani Air Force networks. White Company has been deliberate, effective and discreet. It was called the "white" company because the group placed an advantage in hiding its operations and its origins. This sort of thing was noted a decade ago when Stuxnet was discovered and attributed to an Israeli state effort that produced a highly elaborate, professional and stealthy malware that caused serious damage to the Iranian nuclear program. Iran has recently been hit by a similar attack but these malware like Stuxnet were even more elaborate, no one took credit and the Iranians prefer not to talk about it.
Another major revelation came in early 2017, when a bit of Internet-based criminal activity made headlines all over the world for reasons that required a little bit. time to emerge, both for the general public and for Internet security professionals. The incident began with the activation of ransomware malware called WannaCry. What made WannaCry so dangerous is that he made use of various features including a hidden (but available) program that tried to spread WannaCry on Microsoft Windows computers with a known vulnerability but that were not updated to remove the vulnerability. This automatic malware spread is called a worm and depends on other computers that are vulnerable to automatic malware installation. With WannaCry, the local PC networks managed by the Microsoft server software were vulnerable and the latest patches were not installed.
What made this news interesting is that the worm depended on the information stolen by the NSA (American National Security Agency) and made public by Wikileaks in early 2017. The NSA tool was called EternalBlue and used a ZDE (Zero Day Exploit ) accumulated by the NSA for possible Cyber War operations. This particular ZDE has exploited a flaw in the Windows network software allowing the EternalBlue program to safely fit into other PCs on the same network infected by the PC (probably through an underwater fishing attack) with WannaCry.
All of this was new for several reasons. First, the attack could have been much more effective than it was apart from a hidden flaw (a kill switch) that was soon discovered and activated due to the efforts of an international White Hat hacker network. Then the accident became even more mysterious. While at least a quarter of a million PCs in 150 countries have been infected by Wannacry and their hard drive content has been encrypted, only about one in a thousand of these PCs paid the ransom of $ 300 (in bitcoins). But those who paid the ransom did not receive decryption information and bitcoin payments (worth almost $ 100,000) were sent to three bitcoin "portfolios" that were not used and that are apparently still being monitored.
Meanwhile, White Hats, network security companies and Intel agencies were examining WannaCry in detail. Computer code and other evidence indicated that this attack was the work of hackers from the North Korean government. The North Koreans do it mainly for money because North Korea is broke and managed by a ruthless dictator. It made no sense for North Korea to unleash Wannacry because most of the victims were in the few countries (China and Russia) that still supported North Korea. These two countries have been hard hit because they are heavily dependent on illegal copies of Windows and other software. Most users of illegal Windows software do not bother to pay for security and other software updates provided by other hackers who provide these paid updates. Microsoft will not update illegal copies of its software. Worse, even if Microsoft regularly releases free updates over the Internet, many users do not immediately apply those updates (because updates sometimes interrupt something else).
Wannacry is one of those mysteries that took some time to understand and that could never be "solved" because there are so many black hat hackers involved, operating at different skill levels and with different objectives. Later it was discovered that WannaCry was used for the first time at the end of April 2017 and maybe even earlier. Based on past experience with malware, we can expect many WannaCry variants to be shown, at least for a few months, until enough users are made aware of the threat and enough Internet security software is updated to recognize and defeating the various tools used by WannaCry. North Korea has never admitted to having created WannaCry, but later they have released improved versions and so far WannaCry has inflicted damage to the victims for over a billion dollars.
There have been many revelations in the last decade. For example, there is North Korea. For a long time they believed they did not exist, North Korean cyberwarriors existed and were not the establishment of South Korean intelligence agencies trying to get more money to upgrade government information warfare defenses. North Korea has had staff working on the Internet since the early years & # 90; and their Mirim College program has quietly trained various engineers and Internet hackers. North Korea has a unit dedicated to Internet-based war and this unit is increasingly active. North Korea is now considered an important player.
What many of these large-scale attacks have in common is the exploitation of human error. Case in point is the continued success of Internet attacks against specific civil, military and governmental individuals who use psychology, rather than just technology. This kind of thing is often done in the form of an official e-mail, with an attached file, sent to a specific military or governmental organization. It's usually an email they did not expect, but from someone who recognizes. This is known in the trade as "spear fishing" (or "phishing"), which is a Cyber War technique that sends official emails to specific people with an attachment that, if opened, secretly installs a program that sends files and information from the PC of the email recipient on the computer of the spear fisherman. In recent years, an increasing number of military, governmental and contractors have received these official e-mails with an attached PDF document and have asked for prompt attention. This is what the White Company used on a broad and detailed scale against Pakistani aviation.
Another recent example of the continued effectiveness of these deceptive techniques can be seen in the repeated use of spearfishing by a group of Syrian-backed Iranian hackers calling themselves the Syrian Electronic Army (SEA) ). This group started out as a small group of hackers loyal to the Assad dictatorship in Syria. SEA used underwater fishing to hack on media sites. Although most media companies have software and personnel rules to stop underwater fishing attacks, there are so many email accounts to attack and you just have to convince a victim to respond so that the SEA can enter (using the data access from the compromised account). Automatic defenses should block the actions of the hacker software that is triggered when the victim clicks on the email attachment, but the hackers continue to find exploitable vulnerabilities to the defenses and these make the defenses vulnerable, at least until the vulnerability it is not detected and patched. The SEA has evolved over the past five years into an important Iranian APT.
China has been a great user of underwater fishing and apparently the Chinese government and independent Chinese hackers have played an important role in the development of new payloads for underwater fishing. This has led China to become the home of almost half of the known APTs. The methods and the source of many underwater fishing attacks have been traced back to China. In 2010, Internet security researchers discovered a China-based espionage group called the Shadow Network, which had hacked PCs used by military and civilian personnel who worked for the Indian military and downloaded huge amounts of data. The examination of viruses and related computer codes indicated that most of this material was created by Chinese language programmers and all the stolen and command data movements returned to servers in China. As China is an ally of the Assad government, the SEA has access to the best underwater fishing tools. The Shadow Network had also violated the PCs used by military and civilian personnel who worked for the Indian armed forces and used enormous amounts of data. This was done through Internet-based attacks against specific military and government officials via "spearfishing" (or "phishing").
The hackers of the Chinese cyber war have become easier to identify because they have become arrogant and careless. Internet security researchers have found identical pieces of code (the readable text that programmers create and then turn into a smaller binary code to use for computers) and techniques to use it in hacking software used against Tibetan independence groups and commercial software sold by some companies in China and known to work for the Chinese army. Similar models were found in the hacker code left behind during attacks on American military and corporate networks. The best hackers hide their tracks better than that. The White Company is a good example.
It has also been noted that Chinese behavior is distinctly different from that found in hacking operations in Eastern Europe. Hackers from Eastern Europe are more disciplined and go like commandos and get out quickly once they have what they are looking for. The Chinese pursue more targets with less able attacks and stay longer than they should. This is how many hackers are tracked in China, often on specific servers known to be owned by Chinese military or government research institutions.
Eastern Europeans have been around longer and most hackers are working for criminal gangs, applying discipline, selecting targets and protecting their hackers from local and foreign police. Hacking groups from Eastern Europe are more difficult to detect (when they are breaking in) and much more difficult to track down. In this way Eastern Europeans pursue more difficult (and profitable) goals. Chinese hackers are a more diverse group. Some work for the government, many others are contractors, and even more are independent that often slip on the dark side and cheat the Chinese. This is prohibited by the government and these hackers are sometimes caught and punished or simply disappear. Chinese hackers are less skilled and disciplined than Eastern Europeans. There are some very, very good Chinese hackers, but often they lack supervision of an adult (or a Ukrainian gangster ready to put a bullet in the head if they do not follow the orders exactly).
For Chinese hackers who behave (they do not commit cybercrimes against Chinese targets), the prizes are great. Big sizes are paid for sensitive military and government data from the West. This encourages some unskilled hackers to take on goals they can not handle. This was seen recently when a group of hackers were captured while trying to enter a security network in the White House (the one that deals with emergency communications with the military and nuclear forces). These amateurs are often caught and prosecuted. But professionals tend not to leave anything behind, but suggestions that can be taken into consideration by the massive use of data mining and pattern analysis.
Glossary of Cyber War terms
APT – Advanced Persistent Threat. This is what is called long-term hacking operations. These are now usually organizations created or supported by the government. Most of those known are Chinese, followed by Russia and Iran. Israel, North Korea and the United States tend to have only one main APT operation and some much smaller ones.
Backdoor – A secret command that will allow anyone with it to use a computer program.
Bitcoin: a "cryptocurrency" or currency based on software, not on physical media (paper and coins). Bitcoin is one of the first and most widely used. There are online markets to buy and sell bitcoins. Anyone can create an online account (a bitcoin wallet) that others can send to bitcoins without knowing who controls (has the password) for the bitcoin wallet. It takes a lot of effort to find out who owns a bitcoin wallet and even governments do not have (yet) the resources to monitor all bitcoin wallets. Apparently the bitcoin wallet owners can be discovered if the owner is not very careful.
Black Hat Hacker: someone who uses their programming skills to create or modify software for criminal purposes.
Computer code: software, a computer application used by the user (or the computer itself) to perform an activity. What most users encounter is "executable code". The "execuatables" does not make sense if you look at it because in a word processor are apparently random figures, letters and symbols. But the "source code" (which a programmer writes) is something that is readable and makes sense based on how much you know about programming.
Cyber War – Attack someone else (or defend it) by computer (usually via the Internet). In peacetime, the cyber war usually involves espionage or, in the case of North Korea, the financing of a failed dictatorship.
Decryption: the process by which special software transforms encrypted computer data (not usable) into its original form. The user sometimes uses a password (decryption key) to make decryption happen.
Encryption: the process by which special software transforms computer data from its original form into something useless until it is reconverted (decrypted). The user sometimes uses a password (encryption key) to encrypt a file or program.
EternalBlue – A bit of malware developed by the NSA that exploits a ZDE in Microsoft's local network software. EternalBlue was stolen and distributed by Wikileaks.
Fishing: sending a message (usually e-mail) to someone who has been attacked by a file that, if opened, secretly installs malware on your computer.
Five Eyes – The countries (Israel, Iran, China, Russia and North Korea) more active in hacking organized for information, development of weapons for cyber warfare or money. The use of the term "Five Eyes" for the source of most APTs is a game on the previous use of Five Eyes to designate the post-World War II alliance of Australia, Canada, New Zealand , Britain and the United States to collect and share electronic intelligence.
Hacker – Programmers who are particularly skilled and eager to create a new code or improve existing material. The term "hack" has been used for centuries to tinker with something.
Illegal software – Software that is protected (games, main applications, operating systems) but has those protections disabled and therefore sold or distributed for free.
Kill switch – A feature (usually kept secret) embedded in software that allows anyone to disable the program (usually via the Internet).
Malware – Software created to do something harmful (usually illegal and secretly).
NSA (American National Security Agency), a post-World War II US government agency for the creation of new secret codes (cryptography) and better methods to decode the cryptography used by others. The NSA has become the leading agency for Internet-related matters.
Phishing – See fishing.
Programmer – Someone who can create an app (application). For the most part it's a job, do a little bit (hacker) is a passion.
Source Code – The readable software turned into unreadable but useful "executables" to which users refer to as an app. Programmers create, modify and, when investigating malware, scan the source code.
Ransomware – Malware that secretly encrypts a hard disk and offers the user the decryption key from $ 300 to $ 600 (or more). The relatively low demand ($ 300) was found to be the most profitable (for the black hat) because most victims would prefer to pay that amount, or less, to permanently lose access to their data.
Security software: programs that usually run automatically on the PC to detect malware and manage it. Black caps must continually update their malware to cope with constantly updated security software.
Social Engineering – Take advantage of human nature to get malware on a system. This depends on the attacks on fishing and underwater fishing.
Spearfishing: a fishing operation in which the objectives are carefully chosen and studied before putting the attack together. Although software and user rules are in place to stop underwater fishing attacks, there are so many email accounts to attack and you just have to convince a victim to respond to a fake email with a "vital attachment" that must be "open immediately". Among the preferred targets for these attacks is anyone providing access to something worth stealing through an Internet connection. This often means corporate executives and senior civil servants in the government and in the Internet security industry.
Updates: changes to apps and operating systems that are usually sent and installed automatically these days.
WannaCry – A recently released ransomware app with fishing and a ZDE stolen from the NSA.
White Hat Hacker: someone who uses their programming skills to create or modify software to protect him from Black Hat (criminal programmers).
Wikileaks: an organization that accepts stolen documents and distributes them on the Internet. This organization is doing a public service or a criminal act depending on who is hurt by the leaked software. Most nations consider Wikileaks a criminal group.
ZDE (Zero Day Exploit) – A previously unknown defect in the software that allows the first user to secretly enter other networks and PCs. ZDEs have become very expensive because in the right hands these vulnerabilities / flaws can allow criminals to make a big blow online or just keep secret control over thousands of computers. The ZDEs have also become very expensive and highly perishable munitions for any future cyber war. The most successful hackers use high quality ZDE. Not surprisingly, the ZDEs are hard to find and can be sold on the black (or legitimate) market for hundreds of thousands of dollars. Their value decreases when the publisher becomes aware of the flaw and changes it. But not all users immediately apply the patch, if ever.