Hacker Versus Hacker

Image: Spy vs Spy (courtesy of Bing/Fotolia)

| published December 31, 2014 |

By R. Alan Clanton
Thursday Review editor

When it comes to the questions swirling around cyber-security, is turnabout fair play? And what constitutes war when it comes to computers? These are questions at the forefront of a new—sometimes backchannel—conversation between law enforcement and private companies now that some of those firms which have been the victims of hacking seek revenge by attacking the hackers.

The FBI and other law enforcement agencies—as well as some private security firms—acknowledge that large companies may be employing their own super-hackers in an attempt to go beyond merely tracing and tracking recent cyber-security disruptions and data theft. Some large companies may be attempting to turn the tide through intense data disruptions of their own in an effort to punish hackers and discourage others from repeating such heists. Still other firms may be seeking to recover stolen data from cyber-thieves, or at least engage in detailed detective work to find out what information has been stolen.

The massive cyber-attack on Sony Pictures is merely the latest in a series of high-profile, sometimes costly computer assaults on North American companies. Many of these attacks have been traced to computers and servers overseas, often in Asia, sometimes in Russia. Within the last 13 months alone, at least ten major cyber-attacks have made front page news, and few Americans have been unscathed by the blowback or the consequences.

In December 2013, retail giant Target revealed that its credit card system had been breached, and the debit and credit card data of some 70 million customers was stolen, along with other personal information. Less than a month later, both Neiman-Marcus and Michaels reported experiencing similar cyber-attacks. Early in 2014, Home Depot’s digital walls were breached—at least twice—in less than 60 days, and the full impact of that data theft has yet to be fully understood. Banking giant JPMorgan Chase & Company was attacked, and the data of millions of its customers stolen by what most law enforcement officials suggest was a criminal syndicate inside Russia. In the spring we learned Chinese hackers were responsible for the theft of the personal information of 4.5 million patients who had received medical treatment at any one of more than 200 hospitals owned or managed by Community Health Systems, the second-largest for-profit hospital chain in the U.S. And months ago we learned that Hilton Hotels was the victim of a massive attack in which the Hilton Rewards points of hundreds of thousands of guests were stolen, along with email addresses and cell phone numbers.

Despite their often headline-grabbing power, most of these attacks were what computer analysts and cyber security experts consider garden variety: the hackers were in search of any information which could be immediately sold on the ever-growing digital black market—credit card and debit card numbers, social security numbers, email addresses, bank accounts. The hackers typically work for criminal syndicates, who resell the data for a few cents on the dollar.

But the massive, sustained attack on Sony Pictures Entertainment—which the FBI and the White House have officially pinned on North Korea, though other computer experts and cyber-security sleuths think it may have been the work of mercenary hackers, possibly in league with North Korea—represents a paradigm shift in our understanding of how and why hackers operate, and was one of the most disruptive in history. The hackers took over the computer system, crashed the email platforms, stole tens of thousands of electronic files including spreadsheets and financial records, swiped personnel files, and exfiltrated more than ten thousand emails between top executives. The cyber thieves also pilfered digital copies of at least six major motion pictures, two of which had not yet been released to the public. Copies of the films were immediately uploaded to file sharing sites worldwide.

President Obama and the White House promised a proportional response. Days later, North Korea suffered through a widespread internet shutdown which lasted for nearly two days. When asked by the media, no government agency—not the FBI, not the CIA, not the NSA, not the Pentagon—would acknowledge that they knew anything about North Korea’s prolonged internet outage, which some experts suggest affected nearly all the computers north of the 38th Parallel.

Major U.S. companies have been in a state of shellshock after witnessing the meltdown at Sony Pictures. Members of Congress have characterized the whole affair as “a wake-up call,” and many top cyber-security experts and firms have said that the Sony event proves what they have worried about all along—that a major assault on a U.S. company could bring horrific results. The question is no longer theoretical: what would happen if a similar attack took place on the North American air traffic control system, or the U.S. power grid, or either Verizon or AT&T. What if a similar attack were to penetrate the firewalls of the Federal Reserve System or a major bank?

In fact, the JPMorgan Chase cyber-attack was just such a breach. Initially, investigators—both public and private—blamed that attack on Russian criminals, or perhaps Russian hackers in league with cyber-officials in Moscow. But some in the FBI and within the banking community have pointed the finger at Iran. Malware and code used in the JPMorgan Chase cyber-attack bore a striking resemblance to similar malware and coding used by Iran in the past, and the breadcrumbs left behind in the aftermath suggested to a few computer analysts that Iran had waged the attack in retaliation for U.S. sanctions and U.S.-led efforts to defang Iran’s nuclear ambitions. Weeks (or months) after the JPMorgan cyber-attack, someone in the United States—surely with the highest level of cyber skill imaginable—successfully disabled the servers and wiped clean the hard drives thought to have been at the center of the Iranian attack on JPMorgan Chase.

Coincidence? Hardly, say computer experts and security analysts familiar with both the original attack and what appears to have been the revenge hacking.

In the wake of a thousand questions from a thousand reporters in the U.S. and abroad, the FBI launched its own investigation into who authorized the counter-attack. Rumors have persisted that folks at the top of JPMorgan gave at least tacit approval for such a counter-strike, and that the bank may have enlisted the best white-hat hackers money could buy at the time.

But is it legal, or ethical, for major companies to engage in what they might see as proportional responses to cyber-attack? Technically and legally, the answer is no. The Federal government views such counter-offensives—even within the digital realm—both as acts of aggression and as foreign policy initiatives, things which neither private citizens nor private companies are allowed to engage in, at least not without the blessing of the U.S. government. And cyber-security analysts worry that an arms race might ensue, with attack and counter-attacks resulting in massive outages, shutdowns and an ocean of stolen or destroyed data.

JPMorgan Chase has steadfastly denied any involvement in the cyber-attacks on Iran—highly targeted assaults which apparently took out the exact servers and computers believed responsible for the theft of JPMorgan Chase data and information. But those denials, and the FBI’s obliqueness in explaining how Iran’s file servers were shut down, dodge the reality: first-rate cyber-geeks in the U.S. located, and disabled, the Iranian hardware.

U.S. Representative Michael McCaul (R-Texas) told Bloomberg Businessweek that companies are frustrated and often left without clear answers. In some cases, McCaul says, corporations may see little alternative but to engage in digital vigilantism to end the costly assaults.

“It’s a kind of Wild West right now,” McCaul told Bloomberg, and companies are making their moves “without getting permission” of law enforcement or the Feds.

Both the New York Times and the Washington Post experienced cyber-attacks back in the summer of 2013, sustained and formidable assaults which effectively shut down the newspapers’ websites and streaming news services. Using evidence found among the malware and code used in the attack, investigators at the time traced the breach to the so-called Syrian Electronic Army, a group of super-hackers in the employ of Syrian President Bashar al-Assad. The Times website was shut down for more than 20 hours, and efforts to fully restore its service took several days.

During the filming and preparation of a segment of the news show 60 Minutes, a lengthy piece on cyber-security and international criminal hackers, the CBS computer system came under direct attack. According to some in law enforcement, that attack was later traced tentatively to hackers in Russia and in the Ukraine. But both the New York Times and the CBS cyber-assaults showed just how easily hackers can disrupt businesses.

The final cost of the Sony Pictures hacking may never be fully known, and the repercussions and ripples are unfolding in scores of ways never imagined within the business world. Sony is under legal assault in California courts by former and current employees; the plaintiffs say that Sony Pictures had inadequate security to protect and lock personnel data—social security numbers, home addresses, medical records, even cell numbers—now floating freely on the internet. Vendors and contractors for Sony Pictures may also take legal action to recover lost revenue from private files and confidential agreements now available for anyone to see. Actors, directors, and others with a vested interest in the percentages and royalties which movies pay—as negotiated in advance—may also feel empowered to take legal action to recover lost income. Huge pay disparities were exposed in the spreadsheets which track the salaries of actors and actresses, a revelation which may yet produce legal shockwaves and direct action by the Screen Actors Guild.

So much information was being repeated in the media that Sony’s high-powered attorney David Boies sent out a form letter to hundreds of news outlets demanding that the press cease and desist with any further dissemination and discussion of stolen emails and files.

Some computer and cyber-security analysts worry that counter-attacks by companies and firms will only encourage a rapid, uncontrolled escalation in the digital wars. North Korea blamed its massive internet outage on the United States, and the stony silence emanating from the White House, the FBI and the CIA may indicate complicity in the counter-attack—or, as some have suggested, genuine surprise that North American-based hackers took on the job in an ad hoc response.

After the White House and the FBI publicly pinned the blame for the Sony Pictures attack on North Korea and its special military unit trained for cyber-disruptions, many computer experts in the U.S., including some retired military and CIA personnel, said that North Korea possesses neither the technology nor the expertise to have launched such a sophisticated and prolonged attack. In their view, North Korea could only have accomplished such a feat with the help of mercenary super-hackers in China, Russia, Taiwan or Singapore (or some combination of all four). Others have suggested that North Korea, despite all its bluster and bullying, did not pull off the heist at all, and that the job was the work of a group of mega-hackers operating in multiple countries. The Sony Pictures data breach was followed weeks later by a three-day shutdown of several popular Sony online gaming platforms, but experts believe that the game attack was the work of an unrelated group of hackers.

In the meantime, the question remains an open one in the wake of the Sony Pictures digital meltdown. Analysts fear the day when a determined group or rogue country sets its sights on a more serious cyber assault. The Sony Pictures attack may ultimately cost the company tens of millions in lost revenue, lawsuits and legal action, and other costs, but it was not life-threatening, nor was it a risk to public safety. The bigger fear—both in the corporate world and among law enforcement—is what will happen when the next major attack takes out a key component of infrastructure, banking, air traffic, or a power plant.

Related Thursday Review articles:

Sony Pictures Cyber-Attack Worse Than First Thought; R. Alan Clanton; Thursday Review; December 7, 2014.

Hackers Seek Your Hilton Rewards; Thursday Review staff; November 7, 2014.