Depending on which side of the fence you are on, hacktivism is either a crime or a “weapon of democracy”. According to a poll conducted in April 2016 by market research firm Ipsos, two in three (66 per cent) global citizens believe that online hacktivists should be stopped, while a slim majority (52 per cent) believe that they should “step in when no one else will hold someone accountable”.
Peter Tran, General Manager & Senior Director, Worldwide Advance Cyber Defense Practice, RSA, was in town recently for the annual RSA Conference Abu Dhabi, a gathering of over 1000 senior officials and security professionals from across the Middle East and Africa regions. We caught up with him for his views on hacktivism, as also its impact on the UAE and the Middle East.
Let’s start with your definition of hacktivism, and how it is different from a cyberattack.
Hacktivism, in my experience, is defined by an individual or a loosely tied group of hackers that want to make either a geopolitical statement, or a statement based on a cause they want to gain attention for. But there isn’t a clear delineation. A cyberattack is a cyberattack – it is the intent of the cyberattack that makes it different. When a cyberattack happen, it exposes the vulnerability of the victim in several ways. But a hacktivist would only care about the political statements, and the attention. This is where I would draw the line between hacktivism and some type of financial gain that cybercriminals seek, or a nation state that wants to gain through either corporate espionage, intellectual property theft or being able to disrupt a target and destroy data.
So would you call Stuxnet – the attack on Iran’s nuclear programme – a cyberattack or hacktivism?
Stuxnet would be classified as a destructive cyberattack by a nation state. It just happened that the by-product of this attack could potentially make a broader nation state geopolitical statement, but the intent of Stuxnet was not hacktivism.
On that point, do you believe hacktivism is currently dominated and sponsored by nation states?
In the past, hacktivism was not dominated by nation states. But the lines are starting to blur. Nation states might use the underground or hackers for hire, since they may not want attribution.
Isn’t it the responsibility of nations to persecute hackers operating from their soil against other nations?
This is a global challenge. The prosecution of cyberattackers is a difficult proposition, since cyberattacks cross physical and geopolitical boundaries, and are launched over the worldwide web. So attribution becomes very difficult. Globally, countries are being very cautious of definitively calling out and definitively attributing and investigating specific actors, because it is so loosely tied. For them, the number one priority is to defend against these attacks.
Is there a stereotypical hacktivist? Any demographics more likely to be drawn to hacktivism?
The hacker profile no longer falls under a hacker demographics. In the early 1980s, when hacking was very early stage and you hacked telephones to make long distance calls, you could make a correlation between that and a typical hacker. But now you have a huge age range – a high school student could be a sophisticated hacker and we wouldn’t even know because the tools are so easily available. Or you could have a 35-40 year old hacker sitting somewhere in Asia or in the UK, and we wouldn’t even know.
So we have to be very careful about hacker attribution. You want to focus on the techniques they are using. You want to focus on the types of behaviour that are occurring based on the attacks, and not necessarily the hacker profile itself. Also, you can have machine to machine attacks or have a programme that is written by an individual to launch such attacks. It is not necessarily a human sitting behind a terminal and clicking on a keyboard anymore.
What about the romantic notion that hacktivism is about taking on corrupt governments and corporates, by exposing secrets and releasing classified data?
Hacktivism initially started for making statements, very large statements. But exposing corruption or releasing data to the public wouldn’t fall under the classic definition of hacktivism. That falls under several different categories – where there is attack on data, when there is unauthorised exposure, that crosses the line and goes beyond making a political statement.
So would defacing a website fall under hacktivism?
Defacing a website is like spray painting something on the wall. The only difference is, here you are doing it online. This would be a classic traditional technique of hacktivists.
Perhaps the most famous – and notorious – hacktivist group is Anonymous. How big is their influence?
Anonymous has gained their notoriety as the most commonly known example of hacktivists. Are they the only hacktivist group? They certainly are not, but they are the ones that tend to be the model of what the public would view as hacktivism. They are the de facto model. And the danger here is that, because Anonymous is a loosely associated group, anybody can claim that they are affiliated to it.
Hacktivism is apparently becoming popular because it is cheap and easy to do with off shelf tools.
What you are referring is called cybercrime as a service or hacking as a service. and what is becoming quite sophisticated is the number of tools that are being sold on the dark web as a service. There is a business model around hacking as a service, and it is a large business model that is profitable for both for the developers of the tools and its users. This makes it quite easy for an unsophisticated actor to buy a tool anywhere from $8 to $100 – just like you would buy a software package commercially – and launch a cyberattack.
Ransomware, for example, has experienced a 165 per cent growth quarter over quarter since 2014, while the profitability of individuals selling ransomware as a service is over 1400 per cent return on investment. And they are sharing these profits quiet generously, giving incentives for cybercriminals to buy the tool and share the profits as they spread the malicious code via the tool. So if an individual can spread malicious code to 150,000 devices, they can get paid up to $200,000 to do so. And they can share in the profitability of the malicious code, and they can also get a share by recruiting other criminals – up to 5 per cent of the total profitability.
When you look at the sheer amount of malicious code being developed and being profited from, hacktivism is becoming quite easy and cybercrime is becoming a commodity.
So how has hacktivism evolved over the years?
It has become easier and quicker to launch an attack because hacktivists don’t have to write the tools anymore. They can go and buy them, and then they can attack individuals, group or government agencies. So we are seeing scale, speed and more visibility. I can attack because I can. And I can do it fast. And i can do it over and over again. And the probability of being caught is becoming more difficult because the tools are getting much more sophisticated and easy to use.
In your view, which attack so far has had the maximum impact?
On October 21, 2016, the first example of a serious global concern was the attack on domain name system provided by DynDNS, which is based in the US. That was the first attack leveraging IoT, and it was able to shut down Twitter, Netflix, PayPal and others in a matter of hours. That attack lasted roughly eight hours, and underscored the ability of an attacker to be able to leverage only 300,000 devices out of 22.9 billion connected IoT devices. Now if Google – they are also a DNS provider — were taken down even for five minutes, 40 per cent of the Internet will be affected. And in the UAE, it will particularly be of greater concern given its investment into the overall connected infrastructure.
How concerned should the UAE and the Middle East be?
There has been an increase in region-specific attacks, using social engineering techniques that are specific to the region. For example, what’s trending on social media in the region is being used to make it more attractive to send a phishing email or to send malicious code that is very specific to users here, who may think it is a normal email related to what is trending locally in the news. There isn’t lot of data as it is still new, but this is a growing trend in the UAE and in the Middle East.
What are the prime targets in the UAE? Who needs to be extra vigilant?
There are several areas that would be a concern in the UAE and in the region. The UAE has big initiatives under its smart city project – such as healthcare systems, banking, transportation and energy – and these are very critical areas for a smart city. These are all potential targets for hacktivism, to disrupt and make political statements. There are tremendous consequences to disrupting a smart city, and everyday lives of ordinary citizens start to have greater risks as we move into more connected living in the UAE.
Your advice to governments and corporates, especially in the UAE and the Middle East?
My recommendation to governments and corporations would be to not focus on hacktivism as a category. Instead, the focus should be on the type of attack. what the attack looks like or what type of malicious code attackers might be using. Because if you are looking for a specific type of trend in just hacktivism, you are leaving a lot of different blind spots. If hacktivists change their techniques, then you are in trouble.
So using behaviour based analogy and network behaviour analytics, you could gain a sense of when something looks bad. You want to know about it before the attack happens. And that is where alert-based detection or perimeter-based defences are no longer effective. You have to do it from an endpoint-device perspective across the enterprise, across your partners. Particularly in the UAE as you are moving into a wider connected environment, that is more cloud and mobile based.
But with hacking techniques evolving rapidly, is it even possible to stay one step ahead?
When techniques and tactics change, the reactive nature is that you are going to wait for it to happen and when it changes, it changes. The proactive nature would be to see if there is a slight anomaly beyond what is normal in the business context, because of the technique change. If the technique changes, you are going to notice a slight change in your environment. We are looking for that change, however slight it is from normal behaviour to a slightly anomalous behaviour.
What is the state of readiness in the UAE? Are there any gaping holes in its defences against hackers?
What you are seeing in the UAE and in the middle east is general, is that the state of readiness is continually continuing. The interpretation of the current statistics is that data readiness isn’t where the UAE wants it to be. And this is because the UAE has grown so fast in its IT infrastructure and in its overall smart city initiative, that the readiness gap is large now. But by 2017-18, the readiness percentages will increase.
How do you see hacktivism evolve over the next few years?
Hacktivism will start to blend with cybercrimes mainly because of the sheer scale and availability of the tools. You will probably see a rise in general cyberattacks across healthcare and banking and transportation and energy and smart city. These are becoming the new hack surfaces. In the coming years, as a region and as a security industry, we will become very careful about drawing too many discrete lines between it being just hacktivists or just a nation state. If you do that, you become quite myopic.