Nation State Script Kiddies

The news at the moment reads more and more like an Ian Fleming novel. Just today the NCA and U.S law enforcement released a joint statement, outlining a systemic attack on national and private infrastructure. This, I have been informed, is not the norm. The joint statement shows just how serious an attack this is.

The official release warns that “Network device vendors, ISPs, public sector organisations, private sector corporations and small-office/home-office customers should read the alert”. So that’s everyone out of the frying pan then. The official Alert is TA18-106A, and really everyone should read it. Since 2015, signs of large scale exploitation have been investigated by a joint task force from the U.S and UK. Personally, this is not the time or place to talk about the deep-seated reasons for this attack, most people watch the news and will have a rough idea of the recent history. What we should be talking about is the type of attack, how people have reacted, and what people should have been doing/done differently.

Firstly, this is not the most technical of attacks. Stuxnet it is not. It is sort of looking like Vladimir is a bit of a script kiddie. The indicators of compromise linked to the attack point to weak/non-existent, or out-dated security protocols being exploited en masse. The attackers have exploited these weaknesses too:

  • “Identify vulnerable devices;
  • Extract device configurations;
  • Map internal network architectures;
  • Harvest login credentials;
  • Masquerade as privileged users;
  • Modify:
    • device firmware,
    • operating systems,
    • configurations; and
  • Copy or redirect victim traffic through Russian cyber-actor-controlled infrastructure.

Additionally, Russian cyber actors could potentially modify or deny traffic traversing through the router.”

Now, there is an argument that after the first “attack” everything does get a little bit more technical, but the most worrying statement of the whole alert, sums up why that’s a pointless argument.

“Russian cyber actors do not need to leverage zero-day vulnerabilities or install malware to exploit these devices. Instead, cyber actors take advantage of the following vulnerabilities:”

The alert then goes on to list; default passwords and settings, legacy and unsecure protocols, and unpatched systems. If people took note of that one sentence and hardened against those vulnerabilities, I wouldn’t have a job, and drive-by attacks like this would be very, very rare.

On a regular basis I get told “we have been hit by a zero-day attack, it’s a nation state from China”. It’s normally a very old piece of malware that talks to a C&C IP in China, not the Chinese government. By definition, zero days are rare, hard to alert on, and used in very specific attacks. Yes, they have been used a lot in the past by governments, who have the money and time to work them out. However, companies shouldn’t be thinking/worrying about them until they have the basics covered. This current attack perfectly encapsulates the need to cover the basics, and if you think back to all the recent big attacks, none have been overly clever, and many have been preventable. No matter how removed from the geopolitical threat you and your company are, you could end up spending big to clean up something that was easily avoidable. Ironically, that clean-up process takes away your resources that could be used to threat hunt for more sophisticated, (dare I say it), zero-day attacks.

The alert has all the information needed to harden a network, but it may be too late. So, consider a compromise assessment if you detect the signs of a network breach. Carry out regular 3rd party, and internal penetration tests, and FIX what you find during the tests. Don’t file the results away and tick an audit box, use the data. Set up network monitoring and get familiar with what normal traffic looks like on your network. That way when Mr Putin or “somebody sitting on their bed that weighs 400 pounds” does breach your network, you can spot it easily. Get your policy in order. An incident response plan is a must, and a wider incident response frame work will do wonders to your response time. Lots of people will never know if they have been breached, and more will find out when it’s too late. But I’ll bet my house that every one of those people could have stopped the attack.

To get in touch with our Incident Response team or for more information, contact [email protected]


2018-04-17T14:03:24+00:00April 17th, 2018|
SecureLink UK