Nov 14, 2019

The myth of the sophisticated hacker

Illustration: Aïda Amer/Axios

On Tuesday, the U.K.'s Labour Party became the latest in a decade-long line of victims to claim they were targeted by a "sophisticated" cyberattack that wasn't, actually, very sophisticated.

The big picture: It's the latest lexical stretch for an adjective that's widely used in reports of cybersecurity incidents — and widely loathed by researchers as a result. If everything is sophisticated, nothing is sophisticated.

Driving the news: Labour ultimately faced what's known as a denial-of-service attack, in which attackers overwhelm a server with more traffic than it can handle. It's a digital blunt-force attack: harmful, yes, but hardly sophisticated. Labour was not alone.
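What makes a flood "blunt force" is that it shows up as a raw request count, with no per-request cleverness to analyze. The following is an added illustration, not code from the article or from any party it mentions: a minimal volumetric detector run over constructed web-server access-log lines in Common Log Format. The log lines, the IP addresses (documentation ranges), the thresholds and the function names are all assumptions chosen for the example.

```python
"""Added example: detect a volumetric denial-of-service burst in access logs.

Not from the article. The sample traffic is constructed below; a real
deployment would read the same format from the web server or a log shipper.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Common Log Format: host ident authuser [date] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return (timestamp, ip, request, status) or None for unparseable input."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return ts, m["ip"], m["req"], int(m["status"])


def bucket_by_window(lines, window_s=1):
    """Map each time window (epoch seconds, aligned) to a Counter of source IPs."""
    windows = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed lines are skipped, not trusted
        ts, ip, _, _ = parsed
        key = int(ts.timestamp()) // window_s * window_s
        windows[key][ip] += 1
    return windows


def detect_floods(lines, window_s=1, baseline_windows=3, factor=10, min_rps=100):
    """Flag windows whose request count is both above an absolute floor and
    far above the recent baseline. Flagged windows are excluded from the
    baseline so that a sustained flood cannot become the new 'normal'."""
    windows = bucket_by_window(lines, window_s)
    history, alerts = [], []
    for key in sorted(windows):
        total = sum(windows[key].values())
        recent = history[-baseline_windows:]
        baseline = sum(recent) / len(recent) if recent else 1.0
        if total >= min_rps and total >= factor * baseline:
            top_ip, top_n = windows[key].most_common(1)[0]
            alerts.append({
                "window": datetime.fromtimestamp(key, timezone.utc).isoformat(),
                "requests": total,
                "baseline": baseline,
                "top_source": top_ip,
                "top_share": top_n / total,
                # a single dominant source can be rate-limited locally;
                # a distributed flood needs filtering upstream
                "kind": "single-source" if top_n / total > 0.5 else "distributed",
            })
        else:
            history.append(total)
    return alerts


def make_line(ip, second, path="/"):
    """Build one constructed CLF line (all on 12/Nov/2019 09:00:SS UTC)."""
    return f'{ip} - - [12/Nov/2019:09:00:{second:02d} +0000] "GET {path} HTTP/1.1" 200 512'


def build_sample_log():
    """Constructed traffic: quiet seconds, a distributed flood, a single-source
    flood, then quiet again."""
    lines = []
    for sec, n in ((0, 4), (1, 3), (2, 5)):
        lines += [make_line(f"203.0.113.{i + 1}", sec, "/news") for i in range(n)]
    lines += [make_line(f"198.51.100.{i % 125 + 1}", 3) for i in range(250)]  # 125 hosts, 2 each
    lines += [make_line("192.0.2.77", 4) for _ in range(200)]                 # one host
    lines += [make_line(f"203.0.113.{i + 1}", 5, "/news") for i in range(4)]
    return lines


if __name__ == "__main__":
    for alert in detect_floods(build_sample_log()):
        print(alert)
```

Run against the constructed log it reports two windows: 250 requests spread across 125 hosts (distributed) and 200 requests from one host (single-source). The thresholds are deliberately crude; the point is that a flood needs no signature, only a count, which is exactly why it is cheap to launch and why calling it sophisticated misleads defenders.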

In the last year or so, victims blamed "sophisticated" hackers for breaches at the Australian Parliament; a hamburger chain; a bank; another bank; yet more banks and universities in Australia, the U.S. and UK; a 1,200-student high school; newspapers; Amnesty International; WhatsApp users; a medical center; an electronics supplier; an embassy; and a community college, among others.

Be smart: Some of those hackers were, in fact, sophisticated. Others weren't. But overusing the word dilutes its meaning.

The sophisticate who cried wolf: For network defenders trying to follow what's going on across the industry, it's important to know when actual sophisticated hackers emerge. "There's a boy who cried wolf situation," said Dylan Owen, senior manager for cyber services at Raytheon.

Sophistication's siren song: As soon as a breach is announced, companies are on the defensive, left to justify to users, investors and employees how data that was supposed to be kept secret suddenly wasn't.

  • "No one is going to say they were breached by average hackers," said Chris Scott of IBM's X-Force IRIS incident response team.
  • Sophisticated often gets used as a synonym for "our organization shouldn't be blamed for missing this."

But, but, but: Sophistication isn't the only way to breach even high-tech defenses. Persistence is just as powerful as technical acumen.

  • "We see relatively simple attacks able to get by good defenses all the time," said Owen.
  • Some of the most effective hacking groups in history, including all but the most recent Iranian campaigns, were not considered particularly technically skilled.

When experts say "sophistication," they use it very differently from average people.

  • For experts, a sophisticated attack is one that's layered, bespoke and studied — one that cleverly and efficiently achieves its goals. It can refer to work before or after a breach, how an attacker maneuvers inside a network, speed or stealth.
  • For the public, sophistication sounds like someone is simply using unbeatable technology, one part wizardry and another part ninjutsu.

Those aren't the same thing. Just consider the first steps in hacking a computer.

  • The most sophisticated attackers almost always start with methods the public doesn't think of as sophisticated. The U.S., China and Russia, home to the most advanced hackers in the world, typically open an attack with phishing or by exploiting vulnerabilities for which the vendor has already released a patch.
  • Even so-called zero-days, vulnerabilities the vendor does not yet know about and so has not patched, are not always the sign of a sophisticated attacker. "You can have a group that uses a lot of zero-days that isn't technically skilled, just willing to spend a lot of money to purchase them from the black market," said Ben Read of FireEye.

The bottom line: Unless the hackers are known to wear cufflinks, you can usually take "sophisticated" with a grain of salt.
