Stratfor cyberattack adds an exclamation point to ‘Year of the Hack’
The 'hack and extract' attack on the strategic think tank Stratfor will only contribute to the public and media awareness of cybercrime that has grown throughout 2011.
Don’t be too surprised if historians look back at 2011 and dub it “The Year of the Hack.” If so, it won't likely be due to raw numbers of computer networks infiltrated or websites defaced, but rather the fact that cyberspies, criminals, and hacktivists finally registered as a major threat in the public mind and with news media.
In the attack, which the hackers said was carried out by the group Anonymous but was later disavowed by others claiming to speak for the hacktivist group, Stratfor’s confidential client list was stolen, as were thousands of the clients’ credit card numbers. Some clients reported fraudulent charges on their accounts.
It’s difficult to determine if the overall number of cyberincidents in 2011 was more or less significant than in previous years, since the severity of such attacks is so subjective and information so limited, cyberexperts say.
Yet the sheer volume of high-profile incidents covered heavily by news media outlets seemed significant to several analysts, while at the same time a large number of hacks were quite sophisticated and alarming from a national security perspective.
“There seems to have been a rather noticeable increase in attention given to hacking by news media and a corresponding increase in the public interest and awareness of such hacks,” says Patrick Underwood, a University of Washington researcher on online communities, including Anonymous.
At least 58 highly-publicized hacking attacks occurred in 2011 with victim organizations around the world ranging from law enforcement agencies, Fortune 500 companies, and governments to defense agencies and military contractors, according to a Monitor tally compiled from lists drawn up by the Center for Strategic Studies, The Hacker News, and a George Mason University study.
“I would call it the ‘Great Awakening,’ when people finally realized the extent of the problem,” writes James Lewis, director of the Technology and Public Policy Program at the Center for Strategic and International Studies in Washington, in an e-mail interview.
While some highly reported hacks were ultimately deemed relatively trivial – briefly knocking the public website of the Central Intelligence Agency out of commission, for instance – such attacks were still part of a 2011 wave that showed many major government institutions seemingly quite vulnerable.
The targets included computer networks belonging to at least six law enforcement organizations, including police departments in Arizona, Austria, Germany, Italy, and Spain, as well as FBI partner InfraGard. All were hacked and had data stolen or made vulnerable. So were networks of other civilian government agencies in Britain, Canada, the US, Syria, Tunisia, Turkey, Egypt, France, and Zimbabwe.
At least two dozen major corporations were hit, from Apple, Sony, Citigroup, PBS, and Research in Motion to Google. Media outlets like NBC, FOX, and PBS were hit, too. Organizations like the European Union’s carbon trading market and the Hong Kong Stock Exchange were hacked by cybercriminals, while the International Monetary Fund was hit by cyberspies looking for a leg up on global negotiations. The goal of a hack of the US Chamber of Commerce seemed to be to glean tidbits of information that might help the hackers target and infiltrate US companies.
Now add to the hyped attacks a number of far more serious cyberespionage infiltrations of strategically important US companies, such as RSA, a major security vendor, and Lockheed Martin, a key defense contractor, experts note. Defense ministries in Australia, the US, Japan, Norway, and NATO were hacked too. Oak Ridge National Laboratory, which houses many US nuclear secrets, was broken into as well.
“Hacking has become a normal business practice for some countries, because there are no penalties and no consequences for bad behavior,” Mr. Lewis notes. “This is a golden age for espionage.”
Despite the existence of a global cybersecurity industry whose cumulative worth is estimated to be $80 billion, the advantage is clearly with attackers. The modern Internet was created for scientists and researchers to share information without security features. Commercial enterprises and governments latched on and soared – but have never made their users accountable or identifiable. There are many ways to mask computer access. The result: near total anonymity for sophisticated hackers.
“Our global interconnectedness and digitization of information has contributed heavily to our never-ending security woes,” writes John Bumgarner, chief technology officer for the US Cyber Consequences Unit, a nonprofit cyberwarfare think tank, in an e-mail interview. “Nation-state actors, transnational cyberfundamentalists, and cybercriminals operate nearly unopposed in cyberspace.”
Traditional cyberdefenses need to be greatly improved, because attackers in the coming years will not only increase the stealthiness and virulent nature of their wares, but also improve on precision targeting that will be difficult to counter, he writes.
“Anything inside or attached (wired or wirelessly) to a computer, mobile device, gaming system, or Internet-enabled television can and will be targeted in the future,” he notes.
Lack of international cybersecurity cooperation among nations, including even those with well-established treaties, is a major problem, cybersecurity experts say. Another factor feeding the fire: key technology vendors that don’t collaborate enough among themselves.
But it’s critical infrastructures, such as electrical utilities, that need the most attention, including rethinking engineering specifications of key components – including generators – to keep unintentional and intentional incidents from impacting not only their business operations, but also national security, these cybersecurity experts say.
Shell engineers in Doha admitted publicly the tremendous damage cyberattacks could do if a hacker were able to access the computerized systems that control the opening and closing of release valves.
“You can imagine what happens,” Ludolf Luehmann, an IT manager at Shell Europe, told the World Petroleum Congress in Doha in December. “It will cost lives and it will cost production, it will cost money, cause fires and cause loss of containment, environmental damage – huge, huge damage.”
That sort of comment indicates that big companies that have long seen cybersecurity as a “cost center” with few benefits may now be starting to move more swiftly to secure their systems, some experts say.
The Doha statement is “huge,” writes Alan Paller, research director for the SANS Institute, a computer security education organization in Bethesda, Md., in an e-mail. “Those companies used to pretend there was no cyber problem. Now they are acting, jointly to fix it – at scale.”