Cyberspies Can Destroy, Corrupt Data as Easily as They Snoop
Instances of cyber-espionage have been well documented throughout the world — hackers sneaking behind network barriers have stolen huge amounts of intellectual property from the private and public sectors alike. However, these intruders also have the capability to permanently erase data, said Richard Bejtlich, chief security officer for Mandiant, a Washington, D.C.-based cybersecurity company.
“Whenever you hear someone say, ‘Don’t worry, it’s just espionage.’ [It’s important to realize that] espionage easily can escalate to destruction. It’s just the prerogative of the intruder,” Bejtlich said at the Center for National Policy, a Washington, D.C.-based think tank.
Once a hacker has breached a network, he has the ability to steal, spy on or destroy data, he said.
“If we were to break into the network here and I just snooped around, I would have the same ability … to destroy everything that’s there. So it’s just a question of intent at that point,” said Bejtlich.
Another issue Bejtlich highlighted was the corruption or manipulation of data, which he called a “middle ground” between espionage and destruction.
“In some ways, it’s the toughest one to identify because most companies don’t necessarily know what the data should be,” he said.
In February, Mandiant released a report that blamed Unit 61398 of China’s People’s Liberation Army for numerous cyber-intrusions. The unit, which is based in Shanghai, curtailed its activities after the report’s initial release, but it recently picked up where it left off, said Bejtlich.
Unit 61398 has stolen hundreds of terabytes of data from at least 141 organizations, the majority of which are based in English-speaking countries. It is possible that the unit employs hundreds of operators, the report said. In total, Mandiant is tracking 24 separate known hacking groups.
There is already evidence of cyber-attacks causing damage, said Emilian Papadopoulos, chief of staff at Good Harbor, a Washington, D.C.-based cybersecurity risk management company.
“I think we’re hitting on a trend that we’re starting to observe across the board, particularly from espionage or theft of information to disruption or damage,” said Papadopoulos. “We saw the Shamoon virus attack against Saudi Aramco, which wiped out data of 30,000 computer terminals. … Thankfully, that didn’t jump from the corporate network over to the actual … oil production and operation network. If it had, that would have been potentially devastating.”
Shamoon was a 2012 cyber-attack on Saudi Aramco, the state-run Saudi Arabian oil company. It is widely believed Iran launched the attack.