Destructive and False Flag Cyberattacks to Escalate

Published: 22/11/2024   Category: security

Rising geopolitical tensions between the US and Russia, Iran, and others are the perfect recipe for nastier nation-state cyberattacks.



Olympic Destroyer. NotPetya. Bad Rabbit. OilRig. These disruptive, and in most cases destructive, cyberattacks were just the beginning.
Geopolitical tensions typically map to an uptick in nation-state cyberattacks, and security experts are gearing up for more aggressive and damaging attacks against the US and its allies in the near term, including crafted false flag operations that follow the strategy of the recent Olympic Destroyer attack on the 2018 Winter Olympics network.
As US political discord escalates with Russia, Iran, North Korea, and even China, cyberattack responses are to be expected, but those attacks may not all entail the traditional, stealthy cyber espionage. Experts say the Trump administration's recent sanctions and deportation of Russian diplomats residing in the US will likely precipitate more aggressive responses in the form of Russian hacking operations. And some of those could be crafted to appear as the handiwork of other nation-state actors.
A shift in Russia's M.O. against the US infamously began in 2016 with the hacks of the Democratic National Committee (DNC), the Democratic Congressional Campaign Committee (DCCC), and Hillary Clinton campaign manager John Podesta's email account, all of which were punctuated with data dumps via WikiLeaks, DC Leaks, and Guccifer 2.0.
US companies Merck and Federal Express were believed to be collateral damage from the NotPetya attack Russia forged last year against Ukrainian targets, posing as a ransomware attack but instead wiping data from hard drives at infected sites. But such attacks may well become more direct in the near future, experts believe.
Security experts worry that Russia will continue to ratchet up more aggressive cyberattacks against the US - likely posing as other nations and attack groups for plausible deniability - especially given the success of recent destructive attack campaigns like NotPetya. Not to mention the chaos caused by Russia's election-meddling operation during the 2016 US presidential election.
That doesn't mean Russia or any other nation-state could or would cause a massive power grid outage in the US, however. Instead, US financial services and transportation networks could be next in line for disruption by nation-state actors, experts say.
Vikram Thakur, senior manager on Symantec's security response team, says Olympic Destroyer scratched the surface for cloak-and-dagger attacks. "We think the future is going to get even more complicated with actors relying more and more on false flags, in some cases, throwing another group [under] the bus from an attribution standpoint."
"To say the waters are muddied would be such an understatement," he says. Not only are some nations teaming up outside of cyber, but others are happy to pilfer from one another's cyber domains as well: "We're aware of groups happy to steal others' information and sit on their command and control server. We're aware of false flag operations."
But Tom Kellermann, chief cybersecurity officer at Carbon Black, expects more nefarious activity out of Russia, and possibly from Iran and North Korea, against the US. He expects some regimes to team up in the long term to target the US and other Western allies/NATO in cyberspace. For example, the nomination of CIA director Mike Pompeo – who has criticized the Iran nuclear deal – as the new US Secretary of State to replace Rex Tillerson, could spark online retaliation from Iran, he says.
"You're going to see a dramatic escalation of Iranian cyberattacks against US infrastructure that follow White House and State Department rhetoric," he says. Iran already has dramatically improved its cyberattack capabilities, he says, and he believes it's learning from Russia's tactics. "They're all using the same playbook now," he says, with similar kill chain methods in their attacks and payloads.
Kellermann says he believes Russia is providing North Korea and Iran with the technologies and tactics to advance their attacks. "It may not be direct coordination, but there's some element of technology transfer from Russia to those nations," he maintains.
The Iranian OilRig attackers, for instance, have advanced in their ability to mask lateral movement within a targeted organization, he notes, and they have adopted methods similar to those of Russia's Fancy Bear group, including an AppLocker bypass exploit, indirect code execution, and the increasingly popular file-less malware method, where legitimate system tools are used against victims rather than custom malware.
This move away from custom malware to so-called file-less malware also complicates attribution and helps embolden false-flag operations. "[Custom malware] was one of the primary methods for identifying certain groups in the past. Without that, it becomes difficult to determine who the perpetrator might be," Symantec's Thakur says.
"That doesn't mean attribution is dead. It's becoming a lot more challenging. But in the end they are still humans and even if they write scripts in PowerShell or JavaScript or PHP, at the end of the day they will reuse code and are lazy. That helps us identify them," he says.
North Korea's Hidden Cobra, believed to be behind the sophisticated attacks on bank members of the SWIFT network, also is maturing fast. "The M.O. they use against the financial sector reminds me of the M.O. of Russian cybercriminals," says Kellermann. Their custom Trojan development aside, they employed similar communications methods, including a custom binary protocol to beacon back to the C2 servers over TCP ports 8080 and 8088, and their use of SSL, he says, as well as when they overwrote the ServiceDLL in the Windows registry.
Thakur says his team at Symantec hasn't seen much cooperation among different nations to date. Multiple hacking teams from a particular nation, such as Iran, will work in tandem in an attack campaign, splitting up different stages of the attack. "I don't think different countries are going to collaborate on malware or on different active campaigns. Most are very nationalistic, or have ambitions for intellectual property theft," he says.
One high-profile exception, of course, was Stuxnet. Although neither the US nor Israeli governments ever took credit for the hack that sabotaged uranium centrifuges in Iran, experts who studied the attacks pointed to fingerprints from both nations intelligence agencies.
CrowdStrike vice president of intelligence Adam Meyers says he hasn't seen much overlap of nation-state groups working together, but points to nations such as Iran modeling some of their techniques after Russian ones. Take Iran's initial dabbling with destructive attacks via the Shamoon campaign, which hit a couple of targets.
"It was a shot across the bow," Meyers says. But starting in 2016, Iran waged a series of destructive cyberattacks targeting the Saudi government, infrastructure, and business, he notes. "That was for maximum impact and psychological impact on the people of Saudi Arabia," he says. "It's what Russia has been doing against Ukraine for seven years."
Meyers believes the issue is more about Iran's cyberweapon capability improving and maturing – likely inspired by Russia's.
Symantec's Thakur says the likelihood of the number of destructive cyberattacks against the US and others increasing in the coming months is more realistic now than ever. "It's more about the motivation by threat actors working on behalf of certain countries that will reach the threshold where they would more often cause destruction to someone's network," he says. "There are a lot of factions. It's fair to assume some might get more reckless."
But that doesn't mean widespread critical infrastructure damage. "That doomsday scenario isn't fair. It's extremely unlikely we would face a situation of a widescale blackout across the country," Thakur says. If anything, there are small pockets of the country that don't have the redundancy or rollover, which might be at elevated risk of cyberattacks and some kinetic threat, he says.
Even with the recent confirmation by the federal government that Russia's DragonFly hacking team is well embedded in US power companies and other industrial networks, there's a silver lining, he says. "Today our infrastructure in the US is in a much better place than a year ago security-wise," he says.
In the runup to a possible meeting between Kim Jong-Un and Donald Trump, meantime, North Korean hacking teams will likely escalate their attacks. "They want to get intel around the US strategy," notes CrowdStrike's Meyers. "And leading up to those meetings, there is increasing pressure on the US government and POTUS to maintain a hard line on sanctions against North Korea … So [North Korea] may step up their criminal operations, especially on the lucrative cryptocurrency mining attacks," he says.