‘We have a habit of reacting to threats after they occur, rather than preparing for them,’ journalist Kim Zetter tells Black Hat
The information technology industry remains two moves behind attackers subjecting businesses to wave after wave of predictable attacks, investigative journalist Kim Zetter told delegates to Black Hat USA on Thursday (August 11).
Delivering a keynote presentation, Zetter noted that many achievements have been made since the Stuxnet malware hobbled Iranian nuclear centrifuges in 2010.
Stuxnet – considered the world’s first cyber-weapon – highlighted vulnerabilities in industrial control technologies that few had noticed. The attack elevated cybersecurity as a national security concern but the mechanism of the attack “shouldn’t have been a surprise to anyone”, according to Zetter.
The veteran infosec beat reporter said the same pattern was present in the Aurora campaign that hit Google, RSA, and dozens of other companies, a wide-ranging assault that heralded a “new era of massive espionage and supply-chain hacks” in 2010.
Zetter told Black Hat USA: “[Operation Aurora] was a widespread espionage campaign by China that hit 34 companies and targeted source code repositories at Google, Adobe, and Juniper and included one of the first significant supply chain operations targeting the RSA seed repo, the engine for its multifactor authentication system.”
Zetter continued: “Aurora introduced the public to APTs [advanced persistent threats] and the growing capabilities of nation state hackers.
“The security community, which had largely been focused on cybercriminals until then, began to focus more on nation state actors and the sophisticated techniques that made the actions of cybercriminals feel kind of quaint [while] hacking operations became more aggressive and more consequential.”
Wave of destruction
Once again, the growing sophistication of attackers shouldn’t have come as a surprise, according to Zetter.
A lot has changed and improved in cybersecurity in the 12 years since 2010, but despite increased government focus on threats and massive spending, the world is still surprised when “threat actors pivot to new, but often wholly predictable, directions”, she said.
“There are a few things that truly blindside us,” according to Zetter.
“Here’s what someone told me last year after hackers injected a backdoor into the SolarWinds software during the build process. Software makers had all these safety mechanisms for detecting changes to source code in the source code repository, but none protecting the build environment because no one had ever injected malware into the software build process.”
Zetter continued: “Do you spot the pattern? There’s a lack of imagination or a lack of anticipation about the next move that hackers will make.”
She added: “We have a habit of reacting to threats after they occur, rather than preparing for them, or of ignoring voices of reason that warn of impending problems only to scramble into action when they occur.”
Ransomware scam pipeline
Similarly, the growing threat of ransomware and the shift therein to higher profile targets and the size of demands, as exemplified by the attack on Colonial Pipeline last year, was also predictable.
Zetter said: “Colonial Pipeline was a watershed moment, but if anyone was surprised by the attack they shouldn’t have been because it was entirely predictable when Stuxnet was discovered in 2010 – it shone a light on vulnerabilities and critical infrastructure... the security community largely had focused on IT networks until then.”
Colonial Pipeline’s CEO told lawmakers on Capitol Hill months later that although it did have an emergency response plan, that response plan didn’t include ransomware – even though ransomware attackers had been targeting critical infrastructure since 2015.
So, the signs were there if Colonial Pipeline had looked, Zetter said, adding that she didn’t want to beat up on the organization – not least because many critical sector organizations remained just as vulnerable.
Plus ça change
“There’s nothing substantially different today about how hackers run their criminal enterprises. They still organize in underground forums, they still operate as businesses in hierarchical structure, and they still make money – lots of it.
“The main difference is they’ve had more than a decade to perfect their operations and become more professional,” Zetter concluded.
“Now they offer salaried employment to their workers and even paid vacations. But they still bicker.
“They still double-cross one another and they still think law enforcement won’t catch them. And sometimes they’re right about that. So there’s very little that’s new under the sun,” the US cybersecurity reporter concluded.
Zetter’s keynote presentation was entitled 'Pre-Stuxnet, Post-Stuxnet: Everything Has Changed, Nothing Has Changed'.