Over the past year, Mandiant responded to incidents where attackers destroyed critical business systems, leaked confidential data, held companies for ransom, and taunted executives. Some attackers were motivated by money, some claimed to be retaliating for political purposes, and others simply wanted to cause embarrassment.
The idea of a cyber-attack that is intended to disrupt business operations is no longer a farfetched scenario. This past year has shown disruptive attacks have a real effect on organizations large and small. Some of these attacks were purposely carried out in public, and involved leaking data or broadcasting ransom demands in an attempt to embarrass or damage the victims in some way. Conversely, we have seen cases where the attackers tried to remain private. These instances often involved a monetary ransom demand to prevent the release of stolen data.
This past year we saw an increasing number of what can be considered “disruptive” attacks, both in Canada and internationally. While almost all successful attacks are disruptive on some level, these attacks were meant to bring attention to the attack or to the attacker’s cause. This is opposed to the traditional “low and slow” techniques typically employed to maintain access on corporate networks and steal data without being detected.
These attacks resulted in a public release of confidential data and, consequently, embarrassment and reputational damage. In some cases, companies lost the capability to function as a business due to the crippling loss of critical systems. Side effects included executive resignations, costly ransoms, and expensive system rebuilds.
Traditional targeted attacks are carried out over time, with the attacker usually taking steps to hide their malicious activity and remain undetected in the victim environment. This is true regardless of what is being targeted, be it trade secrets, intellectual property, customer records, payment information, or other sensitive data. With disruptive attacks, the attackers take steps to draw attention to their malicious activity or the information they have stolen.
Disruptive attacks are likely to become an increasing trend given the high impact and low cost. Disruptive cyber capabilities are sometimes referred to as “asymmetric,” in that they can cause a significant and disproportionate amount of damage without requiring attackers to possess large amounts of resources or technical sophistication.
Being held for ransom
Over the past year, we’ve assisted an increasing number of clients in dealing with digital blackmail schemes. These typically involved attackers threatening to publicly release stolen data unless the victim paid a large sum. The ransom demand often came in the form of a decentralized digital currency such as Bitcoin.
In all but one of the cases we worked, the value of the ransom demand was commensurate with the value of the stolen data. This helped ensure that companies would pay the ransom: if the ransom amount is too large, the attacker is likely never to be paid. In the one notable exception, the ransom demand was inexplicably low, despite the attacker seeming to know the true value of the stolen data. This instance came under scrutiny by the victim company and law enforcement because an ulterior motive was suspected.
Most of the ransom cases we responded to followed a common approach. The attacker sent an email to a company executive stating that some amount of sensitive data had been stolen and would be released publicly on a certain date unless a ransom payment was made.
In these cases, the deadline never allowed enough time for a proper investigation to be conducted. Rather, we focused on trying to determine whether the attacker’s claims were credible or not. In some cases we were able to prove that data loss actually occurred, and in other cases we were not able to prove data loss before the deadline.
The obvious next question is whether or not a victim organization should pay the ransom. Each scenario is unique and needs to be approached differently. As such, there is no direct answer we can provide. Even if a victim organization pays the ransom, there is always a chance the attacker will release the data anyway.
In one case, an individual claimed to have access to thousands of customer records from one of our clients. The individual provided personal information for a few customers as proof, and threatened to publish the rest of the stolen data if a ransom was not paid. Throughout the investigation, the individual allowed multiple ransom deadlines to slip. We suspected that an employee may have been involved, so we analyzed that employee’s system and found evidence that suggested involvement. The company and law enforcement interviewed the employee, and the staffer confessed that they were behind the ransom attempt. The employee was fired, the ransom was not paid, and no customer data was publicly released.
Although not typically the result of targeted intrusions, we would be remiss if we didn’t mention commodity ransomware such as CryptoLocker, which has impacted tens of thousands of organizations and individuals. Mandiant has received hundreds of calls from organizations and individuals whose files were encrypted with numerous ransomware variants. These ransomware threats demonstrate the significant material impact that can occur in an automated, non-targeted manner.
Destroying critical systems
We’ve investigated multiple incidents where attackers wiped critical business systems and, in some cases, forced companies to rely on paper and telephone-based processes for days or weeks as they recovered their systems and data. We have even seen attackers wipe system backup infrastructure in an effort to keep victims offline longer.
Most threat actors that we investigated over the years had the system-level privileges and access to destroy our clients’ technology environments and shut down business operations, but instead, they covertly stole credit card data, personal information, and intellectual property.
Other threat actors are motivated to overtly disrupt business operations and cause embarrassment to their victims. The sophistication and capabilities of disruptive threat actors range from possible amateurs to suspected nation states. Here are some examples of the system wiping techniques that we’ve observed being used by attackers.
Publishing sensitive company data on the Internet
We have worked with a number of clients whose sensitive company data was published on the Internet. In some cases, this was done because a ransom demand had not been met. In other cases, it was done simply to embarrass the organization.
Threat actors commonly leverage popular sharing platforms such as Pastebin to publish their “manifesto.” They may dump sensitive corporate information such as company emails, employee information, compromised credentials, and database dumps directly on the site, or include links to download the data from other file sharing sites.
Threat actors may also leverage photo-sharing websites to publish screen captures, thus proving they had access to our clients’ environments. These sites have formal abuse reporting processes, and many of our clients have been able to get unauthorized content taken down quickly. Knowing that reputable content sharing sites take down content quickly, threat actors will also use other platforms such as ThePirateBay, other BitTorrent trackers, and peer-to-peer websites.
Threat actors also sometimes reach out to the media in an attempt to increase public visibility and maximize the victim’s embarrassment before the content is taken down.
Attempting to deceive
Despite the bold nature of disruptive threat actors, they actually don’t want their true identity to be known out of fear of retribution or criminal charges.
In one case, a threat actor indicated he was from Russia and communicated in the Russian language. Our linguists analyzed the quality of the language in multiple communications with the attacker. We assessed the quality of the language to be poor since there were instances of literal translations of English technical terms to Russian that would be obvious to a Russian speaker. The poor translation and other technical evidence observed during the investigation led us to believe that it was likely the threat actor used language translation software when communicating in Russian.
Another case involved an attacker who claimed to be unable to speak the English language, but it soon became apparent that the actor was an educated English speaker. The attacker had initially been communicating through some type of automatic translation software, but they ended up switching to natural English at times when convenient.
Lessons learned from investigating disruptive breaches
Responding to disruptive breaches is challenging, and not easy to plan for given the dynamic nature of these attacks and the attackers. Unlike breaches where a containment plan may be able to stop an attacker from stealing more information, in these disruptive instances the damage may have already been done by the time the attacker contacts the victim organization. Therefore, a different response to these incidents is required. We’ve outlined ten lessons from our incident response engagements that may help organizations deal with disruptive attacks:
Disruptive attacks were once considered an implausible worst-case scenario for many companies and were typically not planned for by executives. Put simply, no one previously expected to have half the workforce lose access to their computers within a short amount of time. However, public events over the last few years have altered the notion of what comprises a worst-case scenario. As we’ve seen over the past year, disruptive attacks have become a legitimate issue and businesses will have to begin planning and preparing accordingly. The best-case scenario when experiencing a disruptive attack is that you are well prepared and able to minimize the damage.
Posted by Marcus Troiano, written by Mandiant.
Marcus R. Troiano
Senior Cybersecurity Consultant