Keep your eyes on the prize: Attack vectors are important but don’t ignore attacker goals

29 June 2017

Reporting on intrusions or attacks often dwells on the method that the attackers used to breach the defenses of a particular organization. However, the goals of the attacker are the most relevant to how an organization can protect itself. The goals of attackers reflect the perceived value of an organization’s critical assets to the attackers, which is independent of the value these assets have to the organization.

The table below shows a carefully chosen sample of well-documented attacks on what attackers consider to be high-value or critical assets. It is worth noting that the following attacks were performed by a mixture of nation states, mercenaries, nation state proxies, cyber criminals and hacktivists, showing a complex ecosystem. We do not aim to provide definitive attribution here, merely to state which are the most likely candidates based on assessments from law enforcement or the wider community.

| High Value Asset | Sector | Threat Actor | Impact on Target | Examples |
|---|---|---|---|---|
| Corporate IT infrastructure | All | Cyber criminals, nation-state proxies, nation states | Availability | Ransomware attacks like WannaCry or the Sony Pictures Entertainment attack deny access to IT resources in order to extort money from the victims and/or cause embarrassment |
| Corporate IT infrastructure | All | Nation states | Confidentiality | Russian-affiliated threat groups broke into a voting software company in order to use its IT infrastructure to send phishing emails to subsequent targets |
| Customer (WiFi) networks | Hospitality | Nation states | Confidentiality | The Darkhotel APT group used hotel networks to target individuals of interest and deploy malware to customer machines through malicious software updates |
| Cryptographic material | Technology | Cyber criminals, nation states | Confidentiality | DigiNotar’s cryptographic keys were stolen in order to forge certificates for eavesdropping on Internet users in Iran |
| Database | All | Cyber criminals | Confidentiality, Integrity, Availability | The RansomWeb attack covertly encrypted the victim’s database; once the database and its backups were fully encrypted, the encryption keys were removed, the database became inaccessible and ransom demands were made to the victim |
| Financial transaction systems | Finance | Cyber criminals, nation states | Confidentiality, Integrity | Attackers breached various banks worldwide to send money to mule accounts via the SWIFT network infrastructure |
| Financial transaction systems | Finance | Nation states | Confidentiality | Alleged Equation Group leaks detail the compromise of the SWIFT Service Bureau Eastnets to extract transaction information from its database |
| Industrial process design and development | Manufacturing, Aerospace, Defence | Freelancers | Confidentiality | Su-Bin stole component design blueprints and flight test data for sale to competing companies |
| Network infrastructure | Broadcasting | Nation states | Availability | TV5Monde’s routers and switches were corrupted by malicious firmware updates, which caused the TV station to cease broadcasting |
| Non-public information | All | Nation states | Confidentiality | Hackers allegedly from PLA Unit 61398 stole “thousands of e-mails and related attachments that provided detailed information about SolarWorld’s financial position, production capabilities, cost structure, and business strategy” |
| Non-public information | Finance, Legal | Cyber criminals | Confidentiality | Hackers stole non-public press releases about upcoming announcements by public companies concerning earnings, gross margins, revenues, etc. and used this information to conduct trades |
| Source code | Technology | Freelancers, nation states | Confidentiality | Attackers compromised Yahoo in order to find the source code so they could forge cookies to gain persistent, unauthorized access to user accounts |
| Payment card information | Retail | Cyber criminals | Confidentiality | Attackers stole 40 million records of payment card information from Target’s Point of Sale (PoS) systems by breaking into a supplier who had access to the Target network |
| PHI/PII | Healthcare | Cyber criminals | Confidentiality | 80 million customer records were stolen from Anthem; this data may be used for espionage and/or financial crime such as filing fraudulent tax returns and issuing pre-paid debit cards |
| SCADA systems | Energy | Nation states | Availability | A cyber-attack against a Ukrainian power company’s circuit breakers caused the loss of power to approximately 225,000 customers |
| Social media accounts | All | Cyber criminals | Availability | Wired reporter Mat Honan had his various cloud service accounts breached and his devices remotely wiped in order to take over his social media account |
| Social media accounts | All | Nation state proxy | Integrity | The Syrian Electronic Army hijacked the social media accounts of various global companies in order to spread propaganda |

A common theme running through the above table is that attackers take the path of least resistance to their goals and, where the critical assets were not reachable, used a creative approach to monetize the access that they did have.

Some common themes concerning attacker goals emerge:

  • Attacks are a multi-stage process; each stage helps the attackers get closer to their goal. An organization may be compromised for its own assets or because its assets help an attacker reach their target. Financially motivated cyber criminal actors seek out not only directly monetizable assets like payment card information but also assets which can be sold, such as PHI/PII or non-public information.
  • Sectors such as finance and defense are well-known targets for attackers, but following on from the multi-stage theme above, other organizations may find themselves as targets as they are on the “flight path” from the attacker to the intended target, for example, in the case of supply chain compromise.
  • While theft is very common (confidentiality violations), attacks on availability, such as extortion via ransomware, and attacks on integrity, such as source code manipulation, do also occur. Attackers have a diverse set of actions in their portfolio and may use any of them against a particular target.

By understanding the goals of the attackers, defenders can understand which of their assets need to be safeguarded. Any breach investigation or incident response should attempt, where possible, to understand the goals of the attackers in order to gain insight into how attackers are targeting an organization’s assets.

Recent attacks like the Nyetya outbreak highlight the difficulty of establishing attacker goals with certainty, as attackers may deliberately attempt to obscure their true goals; in such cases each of the plausible attacker goals must be considered.

We recently wrote a blog on five ways security engineering can help to protect these assets.