What were the top trends in cybersecurity in 2016?

Threat Intel · Published Dec 14, 2016 · 7 min read

Welcome to Threat Intel’s #WednesdayWisdom column, a weekly read to help improve your cybersecurity knowledge and keep you informed on important developments.

2016 was an interesting year in cybersecurity. High-profile interference (allegedly from Russian hackers) in the US election, massive distributed denial of service attacks using Internet of Things (IoT) devices, and costly financial attacks grabbed the headlines.

We take a look at five of the top cybersecurity trends of 2016.

Subversion and high-stakes election interference

Talk of alleged Russian hacking impacting the US presidential election continues

The rise of attacks with political, rather than financial, motivations was one of the major trends of 2016.

The hacking of emails of the Democratic National Convention, the governing body of the US Democratic Party, was widely blamed on Russian state actors. The resultant leaked emails were published by Wikileaks with the intention, many believe, of influencing the result of the US presidential election in favor of Donald Trump. There have now been calls for a congressional inquiry into this hacking. However, president-elect Trump is still refusing to accept that Russia was behind these attacks, despite what US intelligence agencies are saying.

Russian hackers were also allegedly behind the hacking of WADA, the World Anti-Doping Agency. A month after the conclusion of the 2016 Summer Olympics, Russian attack group Fancy Bear released confidential information held by WADA about several athletes, including tennis stars the Williams sisters and US gymnast Simone Biles. The information revealed related to Therapeutic Use Exemptions (TUEs) that the athletes had been granted, allowing them to take normally banned drugs if they had a valid medical reason. It is widely believed this hack took place as an attempt to discredit WADA, and deflect attention from the scandal relating to Russian athletes’ use of banned substances.

Zero Days, a documentary about the Stuxnet worm that was used to attack Iran’s nuclear power plants and is widely believed to have been the work of government agencies in the US and Israel, was also released this year. The film gave a wider audience the chance to understand the background to one of the biggest cybersecurity stories of recent times.

Internet of dangerous things

Netflix was one of the websites that was forced offline by the DDoS attack on Dyn

Many predicted that the Internet of Things (IoT) would be one of the big technology areas of 2016, and they have all been proven right. However, few could have predicted that a distributed denial of service (DDoS) attack leveraging IoT devices would have the power to shut down much of the internet.

And yet, this is precisely what did happen in October, when a DDoS attack on domain name system (DNS) provider Dyn brought down websites including Netflix, Twitter, and Spotify.

The DDoS attack was powered by a botnet called Mirai that exposed and exploited the weak security on many IoT devices. Mirai continuously scans for IoT devices that are accessible over the internet and are protected only by factory-default or hardcoded user names and passwords. Mirai then infects those devices with malware that forces them to report to a central control server, turning them into bots that can be used in DDoS attacks.

The Dyn hack was not actually the first outing for the Mirai botnet. It initially came to attention following a huge DDoS attack on the website of security journalist Brian Krebs in September, which was followed by an even bigger attack on a French hosting company called OVH. The botnet has been implicated in various DDoS attacks since, and its emergence has underlined the poor security on many IoT devices, and the public’s lack of awareness in this area.

The public release of Mirai’s source code at the end of September also increased the threat related to this malware. One variant has already been seen in action, with many more likely to be developed.
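The two conditions Mirai looks for, a login reachable from the internet and a credential that was never changed or cannot be changed, are exactly what a defender should audit a device fleet for. The script below is an added example, not code from the original post or from Symantec: it takes a constructed inventory, flags units still on a hypothetical default-credential list, treats one password recurring across many units of a model as a likely hardcoded firmware credential, and ranks each host by how closely it matches the Mirai target profile.

```python
"""Audit a device inventory for the weakness Mirai exploits: management logins
reachable from the internet and guarded by factory-default or hardcoded credentials."""
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical default pairs; a real audit would use the vendor docs for each model.
KNOWN_DEFAULTS = {("admin", "admin"), ("root", "root"), ("admin", "1234"), ("user", "user")}

@dataclass
class Device:
    host: str
    model: str
    user: str
    password: str
    wan_reachable: bool  # management login answers on a public interface

def shared_cred_models(devices, min_count=3):
    """Models where one password recurs across many units: a sign the credential
    is hardcoded in firmware (and cannot be rotated) rather than merely unchanged."""
    counts = defaultdict(lambda: defaultdict(int))
    for d in devices:
        counts[d.model][d.password] += 1
    return {model for model, pws in counts.items() if max(pws.values()) >= min_count}

def audit(devices):
    """Map each at-risk host to a severity; devices with no finding are omitted."""
    shared = shared_cred_models(devices)
    findings = {}
    for d in devices:
        weak = (d.user, d.password) in KNOWN_DEFAULTS or d.model in shared
        if weak and d.wan_reachable:
            findings[d.host] = "critical"  # the combination Mirai scans for
        elif weak:
            findings[d.host] = "high"      # exploitable once an attacker is inside
        elif d.wan_reachable:
            findings[d.host] = "medium"    # still exposed to credential guessing
    return findings

# Constructed inventory; addresses come from the RFC 5737 documentation ranges.
INVENTORY = [
    Device("203.0.113.10", "cam-x1", "admin", "admin", True),
    Device("203.0.113.11", "cam-x1", "admin", "s3cr3t-unique", True),
    Device("192.0.2.20", "dvr-7", "root", "Zq8!vL", False),
    Device("192.0.2.21", "dvr-7", "root", "Zq8!vL", False),
    Device("192.0.2.22", "dvr-7", "root", "Zq8!vL", False),
    Device("192.0.2.30", "nas-2", "ops", "correct-horse-battery", False),
]
```

Run `audit(INVENTORY)` to get the findings; the three `dvr-7` units are flagged even though their password is not on the default list, because the identical value across the model suggests it is baked into the firmware.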

Follow the money

Money still drove some of the most sophisticated attacks observed this year. Photo via Unsplash

While we did see more attacks in the past year that were not motivated by money, there were still some highly sophisticated attacks with financial gain as their primary aim.

The Bangladesh bank hack was a sophisticated attack that took place in February and saw the attackers make off with US$81 million. While this is a significant amount of money, $850 million in attempted transfers were actually stopped before they took place, with a typo in one of the transfer requests raising bank workers’ suspicions.

The attackers carried out the attack by using the SWIFT credentials of Bangladesh Central Bank employees to make dozens of fraudulent transfer requests to the Federal Reserve Bank of New York. They also installed a malware called Banswift on the Bangladesh bank’s systems to help cover their tracks and delay discovery of the attack. Some of the stolen money was subsequently recovered in the Philippines, with $15 million returned to the Bangladesh Central Bank in September.

This wasn’t the only attack targeting banks this year. A Trojan called Odinaff, which primarily targeted financial institutions, was observed throughout 2016. The Trojan targeted victims in a wide range of regions, including the US, Hong Kong, Australia and the UK, Symantec research found.

SWIFT users were also targeted by the group behind Odinaff, though there is not believed to be any link between it and the group behind the Bangladesh attack. It is thought that those behind Odinaff have links to the Carbanak attack group, while those behind the Bangladesh hack are believed to have links to an attack group called Lazarus.

While the ‘simpler’ attacks leveraging IoT devices may be making headlines at the moment, these attacks show that there are still attack groups out there employing highly sophisticated and targeted tactics in order to make ill-gotten gains.

Ransomware tries to make criminals of us all

Would you pass on ransomware to your ‘friends’?

Ransomware remained a hot topic in cybersecurity in 2016.

The cost of getting data released increased this year — with the average ransom more than doubling between the end of 2015 and August this year. The average ransom demand in August was $679 per computer, compared to an average of $294 at the end of 2015.

The emergence of the Locky and Cerber ransomware families in March was also a significant event in 2016.

There was also a development in tactics used by ransomware attackers this year, with a particularly cruel development seeking to turn victims into criminals. The Popcorn Time ransomware gives victims two options to retrieve their files: pay up or send the ransomware on to your ‘friends’. If two of them download the ransomware on your ‘recommendation’ and subsequently pay up, the ransomware authors will decrypt your files for free.

Although, in that scenario, it is likely your friendship with the people you passed the ransomware on to would be the true price you’d have to pay.

High-ranking executives targeted by spear-phishing

BEC scams — also known as ‘whaling’ — sought to harpoon executives in 2016

BEC scams, which we have discussed previously in this blog, were a big theme of 2016, with attackers’ methods evolving in an aim to make the scams more effective.

Business Email Compromise (BEC) scams target C-level executives and seek to get them to make fraudulent wire transfers. Symantec research earlier this year indicated that 400 businesses a day are targeted by BEC scams. These scams are highly targeted, with scammers generally having carried out significant research on the business in order to establish who to apply to for a wire transfer.

Symantec research also found that the techniques employed by BEC scammers evolved over the course of the year, with the scammers increasingly employing social-engineering techniques as part of the scam. In June, researchers found that 20 percent of BEC emails made an initial inquiry about the recipient’s availability, while in October, 60 percent of the emails inquired about the recipient’s availability, with only 40 percent requesting a wire transfer straight away.

The growth in BEC scams over the course of 2016 led to the FBI releasing a Public Service Announcement on the subject in June, in which it revealed that there had been a 1,300 percent increase in incidences of BEC scams between January 2015 and June 2016. It also revealed that total reported losses resulting from BEC scams, according to figures from IC3, exceeded $3 billion.

In one notable case, Austrian aerospace parts maker FACC was hit by a BEC scam that cost it $47 million. However, that wasn’t the only cost: its CEO, Walter Stephan, was fired following the incident.
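The shift described above, from a blunt wire-transfer request to a softer "are you available?" opener, means a mail filter that only looks for payment language misses the first stage. The following is an added example, not code from the original post or from Symantec, of a small heuristic triage that scores each of those signals separately; the company domain, executive roster, weights and sample messages are all constructed.

```python
"""Heuristic triage of inbound mail for BEC indicators: an executive's display name
on an outside address, a mismatched Reply-To, the first-stage availability probe,
and an outright wire-transfer request. All names, domains and weights are constructed."""
import re
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                 # hypothetical organisation
EXECUTIVES = {"alex example", "sam sample"}     # constructed roster (CEO, CFO)

AVAILABILITY = re.compile(r"are you (available|at your desk|in the office)", re.I)
WIRE = re.compile(r"\b(wire transfer|bank transfer|payment details|urgent payment)\b", re.I)
WEIGHTS = {"exec-external": 3, "reply-to-mismatch": 1, "availability-probe": 1, "wire-request": 2}

def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()

def signals(msg: dict) -> list:
    """Return the names of the BEC indicators present in one message."""
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    text = msg.get("Subject", "") + "\n" + msg.get("Body", "")
    found = []
    if name.strip().lower() in EXECUTIVES and domain_of(addr) != COMPANY_DOMAIN:
        found.append("exec-external")       # display-name spoofing of an executive
    if reply_to and domain_of(reply_to) != domain_of(addr):
        found.append("reply-to-mismatch")   # replies routed somewhere else
    if AVAILABILITY.search(text):
        found.append("availability-probe")  # the opener seen in 60% of October BEC mails
    if WIRE.search(text):
        found.append("wire-request")
    return found

def triage(msg: dict):
    """Score the message and return (verdict, score, signals)."""
    found = signals(msg)
    score = sum(WEIGHTS[s] for s in found)
    verdict = "quarantine" if score >= 4 else "review" if score >= 2 else "deliver"
    return verdict, score, found

# Constructed samples: a first-stage probe, a genuine internal request and a vendor mail.
PROBE = {"From": "Alex Example <alex.example@example.net>",
         "Subject": "Quick task", "Body": "Are you at your desk? Need something handled quietly."}
GENUINE = {"From": "Sam Sample <sam.sample@example.com>",
           "Subject": "Budget", "Body": "Are you available at 3pm for the budget review?"}
VENDOR = {"From": "Billing <billing@example.org>", "Reply-To": "collect@example.net",
          "Subject": "Invoice 41", "Body": "Please update the payment details before the bank transfer."}
```

The probe carries no payment language at all, yet it is quarantined because the executive's name arrives from an outside domain; the genuine internal message with the same phrasing is delivered.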

Check out the Security Response blog and follow Threat Intel on Twitter to keep up-to-date with the latest happenings in the world of threat intelligence and cybersecurity.



Symantec’s Threat Hunter team brings you the latest threat intelligence from the IT security world.