Guise Bule
Sep 13, 2017


Tinker Tailor Hacker Spy | A Critical Analysis Of The Equifax Breach

Some men like to watch the world burn; I would be lying if I said that I wasn't one of them. Let's be honest, we all like to watch the flames sometimes.

Disclaimer: This is an opinion piece and follow up on my previous article.

Let us go out of bounds now together.

Equifax was a slap in the face, not just to our intelligence and cybersecurity communities, but also to our civil society and democracy.

The current narrative surrounding the event undermines the seriousness of the Equifax breach. I think it's better that we try to properly understand the real-world risks we are dealing with and the obvious consequences of this breach.

Tip Of The Iceberg

We can disregard those darknet operators extorting Equifax, we can disregard the purported size of the data breach and the stated source of the breach.

It's clear to me that the word of Equifax cannot be trusted on many fronts and that the public narrative is a mocking laugh meant to misguide us.

The psyops campaign taunting security researchers and investigators is a smokescreen. The Equifax data has not yet appeared on the darknet for sale anywhere other than this website, and it's unlikely that it ever will.

The Breach Story

Let's conduct a thought experiment and follow the public narrative; let's assume the breach point was a vulnerability in Apache Struts.

Comment From An Ars Technica Reader

The narrative asks us to believe that an Apache Struts vulnerability (CVE-2017-5638, disclosed in March) was responsible, despite it being a known vulnerability that allowed remote code execution on file upload.

It asks us to believe that the security team at Equifax were asleep at the wheel and not patching their web applications against known vulnerabilities.

Comment From An El Reg Reader

I understand that updating complex web applications is complex, but this narrative is far too convenient, it invites us to think of them as fools and we want to believe it because we are all human, but it stinks.

Most of you, when you hear your stack has a remote code execution vulnerability, will drop everything and fix it, maybe even bring your app offline, or at the very least monitor like crazy, watching for an exploit.

The sec team behind the largest source of financial intel on the US, Canadian & UK populations are not fools, even if the narrative suggests as much.

That team is savvy enough to know state sponsored actors wanted their data.

As if to confirm their foolishness, somebody changed the admin password on their Argentine admin portal to ‘admin’, further cementing the narrative.

I find it strange that the first accurate report on the breach, one later confirmed by Equifax, was from equity analyst Baird Research, who seemed to know exactly what went down on the day of the notification.

An equity analyst more informed on the breach than the netsec space?

Subsequent Analysis — Neither an investment analysis of the breach nor the official statements reveal anything; the phrase 'not known' is heavily leaned upon, and we only have Equifax's confirmation that the vulnerability was responsible.

A Commentator From Ars Technica

Most cybersecurity commentators focused on Equifax are in accord with this narrative and official sources are not challenging it, something I find incredible considering the weak foundation underpinning the narrative.

The Narrative Is A Smokescreen

Being a critical engineer, I am obliged to challenge the narrative and conduct a thought experiment to highlight a hypothetical perspective.

In our thought experiment the public narrative surrounding the breach is untrue, the publicly stated belief that this is criminal activity is false and the fallout from the breach is much more serious than anyone is letting on.

What is not being revealed is that these data breaches are much more coordinated and interconnected than we are being led to believe and they are being initiated by state sponsored actors from a country we shall not name.

The Equifax breach is connected with the breach at OPM.gov and the stolen Equifax data helps validate the OPM data. When you pool those two stolen data sets together with the biodata from the Anthem breach, you have a highly valuable source of intelligence on the intel/gov/def community.

What do these three breaches have in common?

They were all conducted by the same actors and the stolen data has never been seen for sale on the darknet markets, despite its very obvious value.

The stolen datasets are being used for something else.

Continuing The Thought Experiment

It would be a mistake to focus on the short term and the immediate consequences when the long term impact has yet to reveal itself.

If our thought experiment rests on solid ground then a financial crime spree run by cyber criminals in the short term is the least of our worries. These breaches dramatically boost the intelligence capabilities and operations of our adversaries in lots of very important and fundamental ways.

  1. Enriched HUMINT Capabilities — The data sets allow those holding it to profile US intelligence and federal government personnel, making credible assumptions about suspected operatives using their backstory.
  2. Enriched Counter-Intelligence Capabilities — The biodata set from the Anthem breach in particular is highly useful for validating existing classified holdings in support of counter-intelligence operations.
  3. Enriched Second Tier Intelligence — These data sets are rich sources of second tier intelligence, highly valuable to those with a target centric approach to target analysis and threat analysis.
  4. Enriched OSINT Capabilities — These data sets can be pooled with OSINT resources to create incredibly detailed pictures on a huge chunk of the American population, highly useful in social operations.

What Is The Long Term Fallout?

Given these enriched capabilities, state sponsored operators could be highly effective in their works against us for the next decade, these data sets are rich with information that is highly useful to their campaigns and efforts.

Corporate Phishing- This data can be leveraged in phishing attacks against corporate targets, making it really easy to spoof emails and calls to organizations running critical access accounts. They make it really easy to impersonate you and socially engineer their way into your organization.

Individual Mark Manipulation- This data can help identify potential marks, working at important institutions, who may be suffering from financial distress, making them vulnerable to manipulation and blackmail.

Credible Personas- This data helps an actor establish credible sets of personas for use during their operations. They can use these personas to set up credible fronts on social media, avoiding KYC when opening operational bank accounts, renting properties and vehicles in your name.

Black Op Financing- Any time the team holding the data needs to raise funds for an operation, they can selectively turn segments of their data into currency, treating it as a cash machine and using it to fund operations.

Threat To Democracy & Civil Society

The breaches by which these data sets were obtained and their high level use can be used to undermine our most important democratic, financial, political and civil institutions, destroying the confidence our citizens have in them.

We have only just begun to get to grips with the foundations of our civil society being eroded by highly targeted divisive political propaganda and we are only just beginning to see the destabilization of our democracy at play.

Government employees, high ranking corporate officials and political figures aside, these data breaches leave the rest of us individually vulnerable to highly targeted social campaigns, something we have already seen.

When you combine these data sets with the last five years worth of data, IP theft and understand that they are collectively being leveraged against us, it would be difficult not to view this activity as an act of war on our society.
