A masterclass in state-sponsored espionage

There is no such thing as a hacker stereotype, and business leaders need to understand this. It takes sophisticated coordination and resources to pull off the big hacks.

Hardly a week goes by without news of another big company falling prey to hackers. These stories bring to mind images of stereotypical hacker-geeks hiding in their parents' basement, taking down global conglomerates' computer security defences for sport.

This is all nonsense, of course. There is no such thing as a hacker stereotype, and business leaders need to understand this. The notion that hackers are a bunch of disaffected youth who break into corporate systems merely for the challenge or ego is a myth.

It takes sophisticated coordination and resources to pull off the big hacks. And although in years past hacking was commonly driven by ego and the chance to show off your skills, financial gain is now at the heart of most of them. We know this because law enforcement has tracked a great many cyber-attacks to organised and well-funded criminal syndicates.

But there is another form of hacking that is most definitely on the rise: state-sponsored cyber attacks, or, as it is better known, plain old-fashioned espionage.

State-sponsored hacking is a concern to many, because these are not spotty-faced university students sitting in a share-house trying to prove to their geeky mates how clever they are. Nor are they a sophisticated gang of criminals.

These are extremely well trained and resourced human assets of a national government, who have been turned loose, officially sanctioned to steal commercial IP and state secrets, or simply to cause electronic mayhem.

Regin: The best malware ever made

Just as James Bond has a new gadget for every mission, all hackers have their own weapon of choice. And whether it's basement dwellers or state-sponsored elites, the most common is malware. According to a report from Symantec, a new strain of malware called ‘Regin’, discovered last year, is so sophisticated that it is described as “ground-breaking and almost peerless.”

Regin’s level of sophistication and complexity is such that it is likely to have taken a team of very well-resourced software developers many months to build. Based on expert analysis, this is almost certainly the work of a national government.

Cyber-espionage is big, with 511 reported incidents last year, according to the annual Verizon Data Breach Investigations Report. The actual number is likely much higher, because not many companies are willing to admit they have lost key information. Of the recorded incidents, 87 per cent are attributed to state-affiliated perpetrators.

In an online world full of malware (and it literally is), it is hard to impress security experts. But Regin is clearly something special. It is highly modular, and can be fitted with code that recovers deleted files, logs keystrokes, captures screenshots or steals logs, among other things.

It can commandeer the mouse, monitor network traffic or analyse email databases. It can be configured to collect data and monitor groups (or individuals) on an ongoing basis. This is a powerful piece of software.

While Regin might have taken months of sophisticated labour to develop, actually getting it onto targeted systems seems easy by comparison. Spear-phishing, where targets are sent emails with dubious links that release malware when clicked on, is still an incredibly effective method for delivering rogue code, because it preys on employees who don't recognise the bait.

It is estimated that sending as few as 20-30 phishing emails is enough for a hacker to gain access to a server.

Given how powerful and sophisticated Regin appears to be, it is quite unsettling to learn that it took eight years to discover the malware. What's even scarier is that it is hard to know how many strains of equally dangerous malware are still floating around undetected, including versions that go beyond spying on governments.

One thing we can be sure of is that the use of malware to steal data, whether state secrets or the sensitive information of employees and customers, will continue to rise in 2015. Confidential and sensitive data is an easily traded commodity with a high black-market value, and malware has become the tool offering the highest rate of return for stealing it from any computer in the world.

And even where malware like Regin is found and neutralised, new strains can be cooked up to evade detection again.

Defending against such attacks requires equally sophisticated thinking and robust data security measures. But it also requires common sense, like training employees so they are aware of the threat of phishing attacks and of the risks of plugging unauthorised USB drives and other devices into corporate systems.

If a million-dollar security system is like a state-of-the-art digital lock on your front door, then employee negligence is like the large doggie door that sits underneath it.

Whether you’re a large or small business, the two most basic steps you can take to reduce your exposure to malware are:

a) Keep all software up to date and apply new patches immediately. Malware is normally built to exploit vulnerabilities in outdated and unpatched software versions.

b) Find and secure any unnecessary confidential or sensitive data you’re storing, such as credit card information or customer and employee details, and securely delete anything you don’t need to keep. It’s hard for malware to steal data that isn’t there.
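Step (b) starts with knowing where card data actually sits. As an added illustration (this is not code from the article and not Ground Labs' product), the Python below scans plain-text files for candidate payment-card numbers: a regular expression narrows the search to 13-19 digit runs, the Luhn checksum discards most random numbers, and every finding is reported masked so the scanner never writes a full card number into its own output. The sample CSV, file name and function names are constructed for the example.

```python
"""Find candidate payment-card numbers (PANs) in text and files.

Added illustration for step (b): regex narrows to 13-19 digit runs, the
Luhn check discards most random numbers, and findings are reported masked
so the scanner itself never writes full PANs to its output.
"""
import os
import re
import tempfile

# 13-19 digits, optionally separated by single spaces or hyphens, not
# adjoining other digits (so a 20-digit serial number is not a candidate).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) checksum used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep the first six and last four digits, as PCI DSS permits for display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list[tuple[str, int]]:
    """Return (masked_pan, offset) for every Luhn-valid candidate in text."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append((mask(digits), m.start()))
    return hits


def scan_files(paths: list[str]) -> dict[str, list[tuple[str, int]]]:
    """Scan plain-text files; returns {path: hits} for files with findings."""
    report = {}
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as f:
            hits = find_pans(f.read())
        if hits:
            report[path] = hits
    return report


# Constructed sample: published brand test numbers (valid Luhn), one random
# 16-digit value (fails Luhn) and phone/order numbers that must not be flagged.
SAMPLE_TEXT = """customer,card,phone,note
Jane Doe,4111 1111 1111 1111,+61 2 9000 1234,
John Roe,5555-5555-5555-4444,+61 3 8000 5678,
Acme Corp,378282246310005,,order 2015-000042
Bad Row,1234567890123456,,not a real card
"""


def demo() -> dict[str, list[tuple[str, int]]]:
    """Write the sample to a temporary file, scan it and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "customers.csv")
        with open(path, "w", encoding="utf-8") as f:
            f.write(SAMPLE_TEXT)
        report = scan_files([path])
    return {os.path.basename(p): hits for p, hits in report.items()}


if __name__ == "__main__":
    for name, hits in demo().items():
        for masked, offset in hits:
            print(f"{name}: {masked} at byte offset {offset}")
```

Treat the output as a lead list, not a verdict: other identifiers also pass Luhn, so a human still confirms each hit before it is tokenised, encrypted or securely deleted, and a real discovery pass must also open spreadsheets, PDFs, mailboxes and databases rather than plain text alone.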

There’s no silver bullet in security, but these basic steps offer a big leap forward in reducing your chances of suffering data loss through malware. Because, contrary to popular belief, large multinational organisations aren't always the target; a business of any size whose defences are down for even a moment can become the next data breach victim.

Stephen Cavey is an Australian security professional and the co-founder and director of business development at Ground Labs.