Kaspersky Labs has revealed that hackers are now hacking other attack groups, using their tools and stealing victim data, making more difficult to gather accurate threat intelligence.
Sophisticated threat actors are actively hacking other attack groups in order to steal victim data, borrow tools and techniques and re-use each other’s infrastructure – making accurate threat intelligence ever harder for security researchers, according to Kaspersky Lab’s Global Research and Analysis Team (GReAT).
Accurate threat intelligence relies on identifying the patterns and tools that signpost a particular threat actor. Such knowledge allows researchers to better map different attackers’ goals, targets and behaviours, and to help organisations determine their level of risk. When threat actors start hacking each other and taking over tools, infrastructure and even victims, this model quickly starts to break down.
Kaspersky Lab believes that such attacks are likely to be implemented mainly by nation-state backed groups, targeting foreign or less competent actors. It is important that IT security researchers learn how to spot and interpret the signs of these attacks, so that they can present their intelligence in context.
In a detailed review of the opportunities for such attacks, GReAT researchers identified two main approaches: passive and active. Passive attacks involve intercepting other groups’ data in transit, for example as it moves between victims and command and control servers – and are almost impossible to detect. The active approach involves infiltrating another threat actor’s malicious infrastructure.
There is a greater risk of detection in the active approach, but it also offers more benefits as it allows the attacker to extract information on a regular basis, monitor its target and their victims, and potentially even insert its own implants or mount attacks in the name of its victim. The success of active attacks relies heavily on the target making mistakes in operational security.
GReAT has encountered a number of strange and unexpected artefacts while investigating specific threat actors that suggest such active attacks are already happening in-the-wild.
- Backdoors installed in another entity’s command-and-control (C&C) infrastructure
Installing a backdoor in a hacked network allows attackers to establish persistence inside the operations of another group. Kaspersky Lab researchers have found what appear to be two in-the-wild examples of such backdoors.
One of these was found in 2013, while analysing a server used by NetTraveler, a Chinese-language campaign targeting activists and organisations in Asia. The second one was found in 2014, while investigating a hacked website used by Crouching Yeti (also known as Energetic Bear), a Russian-language threat actor targeting the industrial sector since 2010. The researchers noticed that, for a brief period of time, the panel managing the C&C network was modified with a tag that pointed to a remote IP in China (likely a false flag). The researchers believe this was also a backdoor belonging to another group, although there are no indicators as to who this might be.
- Sharing hacked websites
In 2016, Kaspersky Lab researchers found that a website compromised by the Korean-language DarkHotel also hosted exploit scripts for another targeted attacker, which the team called ScarCruft, a group targeting mainly Russian-, Chinese- and South Korean- organisations. The DarkHotel operation dates from April 2016, while the ScarCruft attacks were implemented a month later, suggesting that ScarCruft may have observed the DarkHotel attacks before launching its own.
Infiltrating a group with an established stake in a certain region or industry sector enables an attacker to reduce costs and improve targeting, benefiting from the specialist expertise of its victim.
Some threat actors share rather than steal victims. This is a risky approach if one of the groups is less advanced and gets caught, as the inevitable forensic analysis that follows will also reveal the other intruders. In November 2014, Kaspersky Lab reported that a server belonging to a research institution in the Middle East, known as the Magnet of Threats, simultaneously hosted implants for the highly sophisticated threat actors Regin and Equation Group (English-language), Turla and ItaDuke (Russian-language), as well as Animal Farm (French-language) and Careto (Spanish). In fact, this server was the starting point for the discovery of the Equation Group.
“Attribution is hard at the best of times as clues are rare and easily manipulated, and now we also have to factor in the impact of threat actors hacking each other. As more groups leverage each other’s toolkits, victims and infrastructure, insert their own implants or adopt the identity of their victim to mount further attacks, where will that leave threat hunters trying to build a clear, accurate picture? Our examples hint that some of this is already happening in-the-wild and threat intelligence researchers will need to pause and adapt their thinking when it comes to analysing the work of advanced threat actors,” said Juan Andres Guerrero-Saade, Principal Security Researcher, Global Research and Analysis Team, Kaspersky Lab.
In order to keep pace with the rapidly evolving threat landscape, Kaspersky Lab advises enterprises to implement a full-scale security platform combined with cutting-edge threat intelligence. Kaspersky Lab’s enterprise security portfolio provides businesses with threat prevention through its next-generation endpoint security suite, detection based on the Kaspersky Anti Targeted Attack platform, and prediction and incident response through its threat intelligence services.
Further details on ways in which threat actors acquire and reuse elements of other groups, including tool repurposing and malware clustering, and their ramifications for threat intelligence can be found in the paper, Walking in your enemy’s shadow: when fourth-party collection becomes attribution hell.
IoT at starting gate
South Africa is already past the Internet of Things (IoT) hype cycle and well into the mainstream, writes MARK WALKER, associate vice president of Sub-Saharan Africa at International Data Corporation (IDC).
Projects and pilots are already becoming a commercial reality, tying neatly into the 2017 IDC prediction that 2018 would be the year when the local market took IoT mainstream. Over the next 12-18 months, it is anticipated that IoT implementations will continue to rise in both scope and popularity. Already 23% are in full deployment with 39% in the pilot phase. The value of IoT has been systematically proven and yet its reputation remains tenuous – more than 5% of companies are reluctant to put their money where the trend is – thanks to the shifting sands of IoT perception and success rate.
There are several reasons behind why IoT implementations are failing. The biggest is that organisations don’t know where to start. They know that IoT is something they can harness today and that it can be used to shift outdated modalities and operations. They are aware of the benefits and the case studies. What they don’t know is how to apply this knowledge to their own journey so their IoT story isn’t one of overbearing complexity and rising costs.
Another stumbling block is perception. Yes, there is the futuristic potential with the talking fridge and intelligent desk, but this is not where the real value lies. Organisations are overlooking the challenges that can be solved by realistic IoT, the banal and the boring solutions that leverage systems to deliver on business priorities. IoT’s potential sits within its ability to get the best out of assets and production efficiencies, solving problems in automation, security, and environment.
In addition to this, there is a lack of clarity around return on investment, uncertainty around the benefits, a lack of executive leadership, and concerns around security and the complexities of regulation. Because IoT is an emerging technology there remains a limited awareness of the true extent of its value proposition and yet 66% of organisations are confident that this value exists.
This percentage poses both a problem and opportunity. On one hand, it showcases the local shift in thinking towards IoT as a technology worth investing into. On the other hand, many companies are seeing the competition invest and leaping blindly in the wrong direction. Stop. IoT is not the same for every business.
It is essential that every company makes its own case for IoT based on its needs and outcomes. Does agriculture have the same challenges as mining? Does one mining company have the same challenges as another? The answer is no. Organisations that want their IoT investment to succeed must reject the idea that they can pick up where another has left off. IoT must be relevant to the business outcome that it needs to achieve. While some use cases may apply to most industries based on specific circumstances, there are different realities and priorities that will demand a different approach and starting point.
Ask – what is the business problem right now and how can technology be leveraged to resolve it?
In the agriculture space, there is a need to improve crop yields and livestock management, improve farm productivity and implement environmental monitoring. In the construction and mining industry, safety and emergency response are a priority alongside workforce and production management. Education shifts the lens towards improving delivery and quality of education, access to advanced learning methods and reducing the costs of learning. Smart cities want to improve traffic and efficiently deliver public services and healthcare is focusing on wellness, reducing hospital admissions and the security of assets and inventory management.
The technology and solutions selected must speak to these specific challenges.
If there are no insights used to create an IoT solution, it’s the equivalent of having the fastest Ferrari on Rivonia Road in peak traffic. It makes a fantastic noise, but it isn’t going to move any faster than the broken-down sedan in the next lane. Everyone will be impressed with the Ferrari, but the amount of power and the size of the investment mean nothing. It’s in the wrong place.
What differentiates the IoT successes is how a company leverages data to deliver meaningful value-added predictions and actions for personalised efficiencies, convenience, and improved industry processes. To move forward the organisation needs to focus on the business outcomes and not just the technology. They need to localise and adapt by applying context to the problem that’s being solved and explore innovation through partnerships and experimentation.
ERP underpins food tracking
The food traceability market is expected to reach almost $20 billion by 2022 as increased consumer awareness, strict governance requirements, and advances in technology are resulting in growing standardisation of the segment, says STUART SCANLON, managing director of epic ERP
Just like any data-driven environment, one of the biggest enablers of this is integrated enterprise resource planning (ERP) solutions.
As the name suggests, traceability is the ability to track something through all stages of production, processing, and distribution. When it comes to the food industry, traceability must also enable stakeholders to identify the source of all food inputs that can include anything from raw materials, additives, ingredients, and packaging.
Considering the wealth of data that all these facets generate, it is hardly surprising that systems and processes need to be put in place to manage, analyse, and provide actionable insights. With traceability enabling corrective measures to be taken (think product recalls), having an efficient system is often the difference between life or death when it comes to public health risks.
Sceptics argue that traceability simply requires an extensive data warehouse to be done correctly, the reality is quite different. Yes, there are standard data records to be managed, but the real value lies in how all these components are tied together.
ERP provides the digital glue to enable this. With each stakeholder audience requiring different aspects of traceability (and compliance), it is essential for the producer, distributor, and every other organisation in the supply chain, to manage this effectively in a standardised manner.
With so many different companies involved in the food cycle, many using their own, proprietary systems, just consider the complexity of trying to manage traceability. Organisations must not only contend with local challenges, but global ones as well as the import and export of food are big business drivers.
So, even though traceability is vital to keep track of everything in this complex cycle, it is also imperative to monitor the ingredients and factories where items are produced. Having expansive solutions that must track the entire process from ‘cradle to grave’ is an imperative. Not only is this vital from a safety perspective, but from cost and reputational management aspects as well. Just think of the recent listeriosis issue in South Africa and the impact it has had on all parties in that supply chain.
Thanks to the increasing digital transformation efforts by companies in the food industry, traceability becomes a more effective process. It is no longer a case of using on-premise solutions that can be compromised but having hosted ones that provide more effective fail-safes.
In a market segment that requires strict compliance and regulatory requirements to be met, cloud-based solutions can provide everyone in the supply chain with a more secure (and tamper-resistant) solution than many of the legacy approaches of old.
This is not to say ERP requires the one or the other. Instead, there needs to be a transition provided between the two scenarios that empowers those in the food supply chain to maximise the insights (and benefits) derived from traceability.
Now, more than ever, traceability is a business priority. Having the correct foundation through effective ERP is essential if a business can manage its growth and meet legislative requirements into the future.