Where Are We and Where Are We Going 2: Classifying the Attackers

Moving on with the keynote, Mikko Hypponen singles out three major groups of cyber attackers, and elaborates in detail on money-motivated criminals proper.

The three main sources of cyber attacks

The three main sources of cyber attacks

And I strongly believe that if we want to have any hope at all in defending against these attacks, we first have to understand the enemy, or the enemies. We have to understand who’s doing these attacks. We have to understand what they want, and we have to understand why they’re doing these attacks, because we have completely different attackers. So the way I like to group different attackers is based on their motives, like what makes them tick. And that brings us 3 main groups, and yes, there are some other fringe groups, but the big split is between criminals, hacktivists and governments.

I did a study on, for example, the level of skill of extremists, like terrorist groups, real terrorists like Al-Qaeda and guys like that. I researched this earlier this year, and as a result of that research I’m not including them here; they potentially could be the fourth group, but not yet. Their skills are in the hands of very few individuals with those groups, and they’re really of no danger at this very moment as far as I can see from cyber terrorism. But eventually it could become the fourth group, and of course we have some smaller groups as well. But the big split is, first of all, criminals, the biggest group, the most likely one to hit you; second of all, hacktivists; third of all, governments.

So what’s the motive? Well, for criminals it’s very easy – it’s money. And everybody understands that as a motive. Money makes the world go around; money makes people do whatever; and if you can’t become rich by writing viruses, well, somebody’s gonna do it, right? And many people are doing it. And this is what makes hacktivists different. Movements like Anonymous – they are not doing their attacks to become rich. They are not looking for money. That’s the difference. They want to do something else – they want to send a message, they want to protest, or they just do it for the lulz.

And we have cases where hacktivists were breaking into places trying to send a message or trying to protest, and then they stumble upon something valuable, and then they become greedy, and then they start stealing for their own benefit. In that case we simply move them from the group of hacktivists to the group of criminals: now they’ve just became criminals, they’re no longer hacktivists.

And companies get targeted because they do stupid stuff. Most of the cases where organizations and governments have been targeted with Low Orbit Ion Cannon attacks, or targeted with hacks by movements like Anonymous, they were basically asking for it. Let me give just one example. Let’s compare Sony to Apple. I already gave nice words about Apple and I’m not an Apple fanboy by any means, but let’s compare what happened when George Hotz hacked Sony and when Comex hacked Apple; and here I don’t mean hacked into, I mean hacked systems built by them. George Hotz wanted to run his own programs on his very own PlayStation 3, so he rooted his PS3 so he could run his own program. What did Sony do? Sony sued him. What happened? People got angry for a very good reason, and as an end result Sony was hacked, the last time I looked, 37 times, right? And then the very same thing: Comex wanted to run his own programs on his own iPhone, so he jailbroke his iPhone. What did Apple do? They didn’t sue him; instead, they hired him. Comex is now working for Apple. Good move, Apple has not been hacked 37 times – instead, Comex is now on their payroll, which means he’s no longer making new versions of his jailbreaks and he’s now inside Apple telling the Apple people how to fix these things, how to make it harder to break the security models of Apple. Good move!

Companies get targeted because they do stupid stuff.

And then we have the third group, the governments, which is completely different. Now you can see how it’s hopeless to even try to defend against these attacks with the same models, because we have completely different attackers, completely different motives. The things you do to try to secure your systems against a criminal attacker are completely different from the ones you try to do if you want to defend against the governmental attacker. Plus, criminals want to target pretty much anybody, they just want money. Governments are not gonna target you unless you’re interesting. The Flame virus is not gonna hit you if you are a normal private citizen, it’s not gonna hit your company if you’re a local pizza place. You don’t have to worry about Stuxnet or Flame ever, because you’re not interesting.

You do have to worry about them if you are a government employee for a Middle Eastern government or if you work for the nuclear program of Iran. That’s completely different.

Cyber criminals

Cyber criminals

So let me give you a couple of examples of what’s happening in the criminal world. The mechanisms these guys use to make money – well, we started from the botnets which were used to send spam, then we got into credit card theft, most of these stolen with keyloggers from infected Windows computers, then we got into banking Trojans which will inject extra transactions from an infected Windows computer while you’re doing banking. And I keep repeating Windows because almost all of these are Windows computer issues.

That’s Mr. Ivan Maksakov in the white jacket (photo on the top) in the courthouse of a small city in Southeastern Russia with 2 of his partners in crime after running denial-of-service networks with botnets they’ve built to ask for ransom from companies whose websites they were taking down. Here is one of the guys behind the Koobface worm against Facebook platform (see image in the middle). This is the man named Igor (the bottom image), arrested a couple of months ago in Moscow for running the Carberp operation.

Vladimir Tsastsin – the notorious Estonian black hat entrepreneur

Vladimir Tsastsin – the notorious Estonian black hat entrepreneur

And this is Vladimir Tsastsin from the city of Tartu in Estonia. Tartu is the second largest city in Estonia. We first noticed Vladimir when he was running this company in around 2005-2006. He was running a domain registrar called “EstDomains” and a hosting company called “Esthost”, and an Internet operator. And this was a criminal Internet operator run by criminals for the criminals.

So he was, for example, providing bulletproof hosting and domain registration services where, if you were a criminal and you needed to have a website, for example, to have exploits to own people, or you wanted to have a website so that you could sell stolen credit cards and bank accounts – you know, criminal stuff, then you would register your domain and you would host with Vladimir.

And he would guarantee that you will stay online. If there were complaints about your website sent by CERTs, or sent by security companies, or even by authorities, he wouldn’t shut you down, he would only increase your billing, right? So the more stuff you did, the more you generated complaints, the more you had to pay. But if you kept paying, you stayed online. Very clever. He ended up selling around 265,000 domain names, which were basically all sold to online criminals. Actually, if you will look at Estonian newspapers of that time, this was one of the top 100 fastest growing IT companies in Estonia, and number 1 company on the list is the company called “Rove Digital OU” which is run by Vladimir. It’s really easy to grow really fast if your business is cybercrime.

Operation Ghost Click terminating DNSChanger propagation

Operation Ghost Click terminating DNSChanger propagation

But this did end when in December this bus parked outside of the street address Lau 6, Tartu, in Estonia, which was the headquarters for Rove company Vladimir was running. This bus is the forensics bus of the central criminal police of Estonia, and this is the Estonian police carrying out a router, which was the router for the operation we now know as “DNSChanger”, aka “Operation Ghost Click”. This is the reason why in 2 and a half weeks on the 9th of July about 100,000 computers around the world will go dark because the DNSChanger, the DNS infrastructure will be shut down because of the FBI court order which has kept them running the operation even after this operation was shut down. The court order will expire and the DNS network for these infected machines will shut down. It’s right now being run by Paul Vixie from ISC. He’s going to switch off the router, and these machines will go offline.

Another example I wanted to highlight is that there is quite a bit of these guys operating surprisingly out in the open. Yes, sure, some of them go to the deep web, to DOT Onion sites in the TOR network, or to IP2 Web, or to Free Net, but many of them are in completely open forums, in IRCs, in web chats and in YouTube. And here’s this one guy called Gwapo. Let me run a video that he has on his site: “Hello hackers, I am promoting Gwapo’s professional DDoS service. We are here to provide you a cheap professional DDoS service. We have been running this service on hack forums for months and serving a few huge companies outside of hack forums. We DDoS huge companies’ websites to small personal websites, to private game servers. Our prices are based on how huge and protected the website or server is. We are open through short to long-term jobs as we are capable of handling the jobs for days, weeks and months.”

So if you’re interested in the service of shutting down somebody else’s website, the URL is DDoSservice.com. And I found this channel had, like, 4 videos, a couple of these ads, and then there was this one video where Gwapo himself, as far as we can tell, is counting his proceeds from his criminal online operations. And those are hundred dollar bills. So it looks like a lot of money, but we have to remember that the value of the U.S. dollar has been going down, so, actually, it isn’t that much. It’s like 50 Euros, I think…

Read previous: Mikko Hypponen: Where Are We and Where Are We Going?
Read next: Where Are We and Where Are We Going 3: Ransom Trojans

Like This Article? Let Others Know!
Related Articles:

Leave a comment:

Your email address will not be published. Required fields are marked *

Comment via Facebook: