FireEye: The face of hacking is changing – and it's getting uglier
Sabre-rattling is moving on from the traditional miscreants, say infosec bods
Cyberattacks from Russia have increased because of sanctions related to the Ukraine while assaults from Iran have dropped over recent months, thanks to the recent Iran nuclear deal.
David DeWalt, FireEye chief exec, said these changes show how the diplomatic landscape affects what is happening in cyberspace even though the overall trend is towards increased attacks. From tracking 50 or so offensive hacker groups three years ago, FireEye is now monitoring 350 groups who are busy “stealing, disrupting and spying,” according to DeWalt.
State-backed hackers in Russia work closely with cybercrime elements, such as the remnants of the notorious Russian Business Network, and have been been particularly active in targeting US retailers such as Target as well as equity and hedge funds over the last two years or so.
Attacks targeting credentials and log-in details, as well as assaults targeting supply chains rather than targeted organisations directly, are becoming more commonplace. Energy, government and aerospace are the industry verticals most on the front line but most industry sectors are affected to a lesser or greater extent, according to FireEye.
The security firm estimates that the median time for firms to detect attacks is 205 days, or around seven months. It takes around a month (32 days) to respond to attacks. DeWalt said major breaches such as eBay, Adobe and, more recently, the US government’s Office of Personnel Management leak are making the security situation worse.
In particular, FireEye has seen data harvested from a recent breach of the Sabre airline reservation system abused in follow-up attacks.
“Credential stealing or using credentials to carry out further attacks is the arms race we’re in with attackers,” DeWalt told El Reg, and ID dumps create “huge problems downstream,” he added.
Stolen IDs and software vulnerabilities are hackers’ two main tricks. The two were brought together over recent months in successful attacks that planted backdoored operating systems onto Cisco routers. These attacks were carried off remotely and used to redirect packets, according to DeWalt.
El Reg caught up with DeWalt during a FireEye briefing to regional press in Madrid. From being an also-ran two years back, Spain has become the third biggest target of APTs – advanced persistent threats – in the EMEA region over recent months. Israel (the largest target) and Saudi Arabia are both more attacked than organisations in Germany and the UK, according to FireEye’s stats. The reason for Spain’s prominence isn’t clear, even to FireEye’s marketing team. ®
Updated to Add
We should note that airline-data service Sabre, widely believed to have been attacked by hackers lately, has stated merely that it is investigating a "cyber security incident" and that it is "not aware that this incident has compromised sensitive protected information".
Since publication of this story, FireEye representatives have been in touch with the following statement in relation to the Sabre attack:
FireEye has no evidence that Sabre was breached, therefore we have no knowledge about this incident or data harvesting
We offered them the chance to retract this or give more detail but they stood by it.
[It's always possible that FireEye really does have no knowledge of data harvesting at all, though it would hardly do them credit. The security firm assures us that its operatives have no evidence that Sabre in particular was breached, and no special knowledge regarding the cyber incident referred to by Sabre.
None of which, of course, means that they haven't come across data from Sabre being used in follow-on attacks. -Ed]