Commentary

Research and impairment: cybercriminals as stirrers of new malicious cyber capabilities

Giorgio Mosca
16 July 2018

We may not agree on how and why technology has become the driving force behind human development. Many could even deny its supremacy over philosophy, economics, mathematics or psychology, but no one can deny that the impact of technology is clearly evident, particularly if we consider the exponential development of ICT in the last 50 years. In fact, if we follow the viewpoint smartly expressed by the Italian philosopher and Oxford professor Luciano Floridi in his book The Fourth Revolution, we must say that one particular and very wide set of technologies, labeled ICT (Information and Communication Technologies), has been the foremost enabler of human development, since it is only through the capability to record and transmit knowledge to future generations that humanity has been able to assert its dominance in the world [1]. In his book, Floridi leads us along a path describing the evolution of humanity from "history", where society has the capability of recording and transmitting information, to "hyper-history", where society depends on its capability to process and use information, concluding that all modern civilizations in developed countries are hyper-historical societies and adding a very important corollary, i.e. that only hyper-historical societies can be harmed by cyberattacks and, therefore, by cybercrimes.

Activities aimed at obtaining undeserved benefits or utilities through the application of violent and/or illegal methods, a.k.a. crimes, have always been part of the history of humanity. Though many crimes have a personal or social nature, the majority are performed by structured groups (what we call organized crime) and have some sort of economic rationale, aiming at extracting "value" from victims. When the management of economic and business operations started relying on digital technologies rather than analog ones, criminal environments, which operate under the motto "follow the money", opened new avenues to pursue their aims in cyberspace. They adapted to the rapid change that has taken over the field, creating the ad hoc technological solutions required to achieve criminal objectives.

The most evident example of this behavior took place in 2017, when cyber-threat researchers observed a very particular situation. After a steep rise in ransomware attacks and some very significant events related to this class of malware ("WannaCry" made the front pages of newspapers for several days in all major countries), the end of 2017 saw the sudden emergence of new criminal activities with the creation of botnets [2] whose goal is not, as often happened in the past, to launch DDoS [3] or other types of attacks, but to create "coin-mining networks". While cybercriminals, in recent years, opted for ransomware as the major source of returns, the increased value of cryptocurrencies (Bitcoin, Monero, etc.) has in fact prompted cybercriminals to start creating brand new money instead of stealing it. Symantec's Internet Security Threat Report (ISTR) [4] describes an increase of 34,000% in coin-mining activity from January to December 2017, with millions of infected computers and hundreds of thousands of dollars in cryptocurrency [5] generated. While coin mining does not, in fact, steal money directly from the victims of the attack, it is nonetheless a costly and disruptive activity: infected machines run regular tasks more slowly because they are busy processing coin-mining software, and their energy consumption and component wear increase because they constantly run at full capacity to execute the illicit code. Coin mining is also an easier type of attack to distribute and can infect any machine (the basic version can run in any browser), thus being able to leverage a much wider base than other types of malware and creating more widespread effects and damage.

This example shows that few things stimulate human ingenuity (though, in this case, criminal ingenuity) as much as the possibility of obtaining quick gains. Therefore many ideas for developing malware or illicitly using vulnerabilities originate in the cybercrime domain. Unfortunately, developments in cyberspace very rarely remain confined to one area, since it is so easy to copy and reuse good (or bad) ideas and code. For example, last year untargeted ransomware ("untargeted" because the cybercrime goal is, obviously, to obtain the widest possible reach for its money-making activities) was used as a decoy to cover other types of attacks, as in the case of Petya/NotPetya. This was ransomware code based on the same exploit used by WannaCry, but the encryption key used to cipher the disk was unrecoverable, making it a disk wiper, and the vector used for dissemination was the most widely used Ukrainian tax and accounting software, making it a targeted attack.

"Cybercrime" obviously allows for some degree of plausible deniability that can be useful to muddy the cyber waters when actors prefer to bury actions under layers of doubt. To continue with the same example, following in the footsteps of Petya/NotPetya, a new ransomware (dubbed BadRabbit) was recently spread through a dissemination vector targeting only Russian computers. Many thought that compromising the supply chain of the Russian version of a very popular software package was, in fact, an act of retaliation. However, BadRabbit was a full-fledged ransomware, allowing payment and recovery of the encryption key. Hence, even though the software generated high disruption, the hypothesis that its spread was an act of retaliation was thinly supported by evidence.

The examples above clearly show that:

• there is a high degree of overlap between techniques used by criminals and other malicious actors;

• there is a certain degree of uncertainty and overlap between the two groups, partly because state actors and targeted attack groups (both more interested in espionage or sabotage than in straight money raising) like to muddy the waters regarding this issue;

• there is a clear indication that crime is a collateral activity for many cyber actors and contributes not only to building technical innovations, but also new "business models".

If we focus a little on what we could call "criminal cyber business models", the innovation in this field is again significant for many different reasons.

At the beginning of the Internet era, crime quickly discovered the value of e-commerce and started applying this approach to the cyber world. The general public in fact discovered the dark web when news was published about the e-commerce activities ongoing in that domain, where it was, and still is, possible to find drugs, weapons, contraband, forgeries, stolen goods, chemicals and other illicit materials. "Silk Road" was probably the first dark web site whose name reached public opinion.

The second step for criminal innovation of business models was to start selling not illicit goods, but illicit software, making it possible for almost everyone to find different types of malware (at different prices according to their uniqueness and value) applicable to any criminal scheme, from small to large. As an example, SpyEye, a large financial fraud (estimated to exceed $1 billion in the US alone) discovered and prosecuted by the US DoJ in 2013, was based on a malware toolkit developed by a Russian computer scientist, sold on a Russian dark web site and bought by an Algerian who used it to create a botnet collecting financial data (access to accounts, credit cards, etc.) from more than 50 million computers.

The third step was the shift to a service-based model, delivering "crime-as-a-Service" platforms and software, allowing criminals to manage their operations in a cloud-like approach, mimicking the "sharing economy" in which the service provider does not need to own the assets required to carry on its business. According to dark web sources, for instance, the cost of hiring a botnet to deliver 1 hour of DDoS attack amounts to less than $20.

The last step (until now, at least) has been to start selling not the malware, but the outcomes of the malware, i.e. financial data, credit card numbers, credentials to many types of accounts, up to full stolen identities. This market is flourishing and it is frightful to discover that credentials to log into bank accounts are priced at a percentage of the value of the account itself, or that credit card data can be bought starting from $0.50 up to $100 according to the country, type, level and amount of details available for each card.

Once again, cyberspace demonstrates its pervasiveness. It is truly the mirror of the physical world in which we all live, and we cannot consider it strange that all the types of human behavior that we find in the real world have their cyber counterpart.

The good news is that, from a technical viewpoint, the approach to fighting cybercrime is very similar to the approach to fighting any other malicious activity in cyberspace: vulnerabilities and attack vectors are shared across different groups, and when security providers stay abreast of technical evolutions in the malware, they can protect their clients from different kinds of actors. Obviously, awareness, training and the "human factor" play, as usual in the cyber context, a significant role in protecting assets and data.

From the viewpoint of security agencies, instead, the situation is much more complicated. Cybercrime is a truly global phenomenon (see, for example, the above-mentioned SpyEye botnet). Therefore, discovering and prosecuting criminals requires a long time, undercover activities and cooperation among different states and agencies: this is not easily obtained and, in some cases, could also be "softly" discouraged because of the contamination between actors and the plausible deniability discussed above.

To conclude, implementing cyber security and creating cyber awareness are the two most important priorities for protecting against cybercriminals: they offer the highest chance of being rapidly effective against threats that are often untargeted and less sophisticated than targeted attacks or APTs [6]. If these are the priorities, the collaboration between the public and private sectors and the role of security providers such as Leonardo in delivering cybersecurity tools, services and training must, once again, be considered particularly relevant in the global fight against cybercrime.

[1] Luciano Floridi, "The Fourth Revolution, How the Infosphere is reshaping the world", Oxford Press, 2014 ("La Quarta Rivoluzione, Come l’infosfera sta trasformando il mondo", Cortina, 2017).

[2] "Botnets" are networks of infected computers performing tasks for the malicious organization controlling the infection.

[3] "DDoS (Distributed Denial of Service)" is an attack aimed at disrupting the capability of a digital asset to perform its main task by saturating its networking and/or computing capabilities through a flood of seemingly legitimate requests.

[4] Internet Security Threat Report, n.23, April 2018, Symantec Corporation.

[5] Generally the "Monero" cryptocurrency has been targeted, since it is easier to mine than Bitcoin and it is fully anonymous. The value of the Monero currency in 2017 rose from $12 in January to $321 in December.

[6] An Advanced Persistent Threat (APT) is a sophisticated form of attack capable of infecting an organization's networks and computers for a long period of time, slowly collecting data, performing a progressive expansion across the network itself and slowly exfiltrating data or staying quiescent until a massive exfiltration or other action is required.

AUTHOR

Giorgio Mosca
Leonardo and Confindustria Digitale

ISPI (Istituto per gli Studi di Politica Internazionale) - Palazzo Clerici (Via Clerici 5 - 20121 Milano) - P.IVA IT02141980157