February 28, 2016 – For someone at the forefront of the fight against cybercrime, Michael Brown is not shy of admitting there is a long way to go. Within the first five minutes of our meeting, the president and CEO of global internet security firm Symantec says there are at least 80 million cyber attacks per year — 400 every minute — but as many as 70 percent of them go undetected.
That is despite efforts by Symantec and its rivals to crack down on a crime that has been estimated to cost the global economy $445 billion every year, according to the US-based Center for Strategic and International Studies (CSIS).
Attackers are based all across the world but there is a concentration in Eastern Europe, Russia and China.
Brown claims as much as 50 percent of attacks globally are attributed to an organisation called the Russian Business Network, an anonymous group Symantec says it is monitoring closely.
That is larger than the illegal drug trade and its significance is reflected in Symantec’s operations. Headquartered in California but with offices around the world including in the UAE, Riyadh, Jeddah, Qatar and Kuwait, Symantec has more than 11,000 employees working to identify risks, monitor attacks and create security programmes to protect consumers. It had a turnover of $4bn in 2014, the most recent full-year figure.
In an interview with Arabian Business in Dubai, Brown says the scale and severity of attacks is intensifying and explains why Gulf-based organisations are increasingly vulnerable as hackers, or ‘bad actors’ as they are known in the industry, become more sophisticated.
“Most of the threats are motivated by greed,” he says. “More and more of our lives are stored digitally and that information is highly valuable, be it credit card details or information about our identity. The bad guys have figured out how to inflict more damage economically by accessing that information.
“For one, the sophistication of the attacks is increasing. The number of basic spam attacks has gone down as they are easy to spot as emails with a malicious code embedded.
“Instead, hackers are using advanced social engineering to put together highly realistic emails. For example, a message sent to a company chief financial officer purporting to be from one of his staff, requesting he transfer tens of millions of dollars to a client firm elsewhere.”
This form of attack is known as ‘spear phishing’, Brown says.
“However, perhaps more dangerously, we are also seeing increasing levels of sophistication about how hacking can cause material damage in the real world. Vital information about how the world works is stored digitally, so folks can use that to start affecting physical assets and the way they function — disrupting critical infrastructure like power plants.”
An example of this is a malware attack in 2014 by Eastern European collective Dragonfly. It compromised more than 1,000 energy companies across 84 countries in North America and Europe, including energy grid operators and industrial equipment providers. Symantec said at the time that it suspected the group’s primary goal was espionage.
Brown is talking about career hackers, not a handful of morally flexible tech whiz-kids operating from their garages.
“It is increasingly possible to make a living from hacking,” he explains.
“We like to think it’s just a few bad actors but we are increasingly seeing larger and more sophisticated organizations with business models and even customer service numbers victims can call to find out what they must do to stop an attack.”
This often involves paying off a criminal organization in the same way you might resolve a kidnapping. “Attacks using a type of software called Ransomware have increased by more than 100 percent in the past 12 months,” Brown claims. “The agents use the malware to run ‘campaigns’ that essentially take over your machine and send you a message threatening to block access to all of your data unless you pay a certain amount of money.
“If you haven’t backed up your system lately and have no security software in place, there’s nothing you can do.
“These criminals are clever — they have a proper business model and have worked out how much they can charge to maximise the number of people who feel it’s worthwhile to pay.
“The campaigns run for a couple of months until there’s enough security software out there to recognise them, and then they move to a new campaign, which is just a variation of what went before.”
Such attacks are more continuous in nature than they are episodic, he says. “It’s all about the economics, and making sure it pays.” One campaign, called Cryptolocker, netted hundreds of millions of dollars for criminal organizations during the two months in which it ran.
Other such sophisticated attacks look for a way into a company’s or government’s network and spend a substantial amount of time there undetected, soaking up information before they are discovered.
A case in point was the breach of a reported $5.5m worth of data at Sony Pictures in 2014. This was a state-sponsored attack by North Korea-based hacker group Guardians of Peace, Brown says, noting that the tell-tale sign was a blue screen that showed up with the group’s logo.
“This was the end of the attack, not the beginning — the hackers already had all the information they wanted.”
Guardians of Peace leaked nearly 100 terabytes of employee data, it was claimed at the time, including information about unreleased movies, unpublished scripts, executive salaries and internal emails. Brown points out that today’s cyber attacks can last up to 200 days before the security firms pick them up — more than enough time for hackers to infiltrate private networks and seize reams of confidential information. The CSIS claims the damage to businesses as a result of the loss of intellectual property from hacking could be in the region of $160bn per year.