There’s a natural inclination for people at the end of each year to look back, take stock and try to draw some grand meaning or life lessons out of the events of the past 12 months. This is a particularly risky and difficult thing to do in the security industry, given its inherent unpredictability and chaotic nature. That doesn’t stop people from doing it, mind you, it just makes the process more difficult and often more humorous. The weird thing about 2012, though, is that it turned out to be one of those years that may well end up marking a turning point for consumers, enterprises and governments around the world.
The biggest shift in 2012 was the emergence of state-sponsored malware and targeted attacks as major factors. The idea of governments developing and deploying highly sophisticated malware is far from new. Such attacks have been going on for years, but they’ve mainly stayed out of the limelight. Security researchers and intelligence analysts have seen many of these attacks, targeting both enterprises and government agencies, but they were almost never discussed openly and were not something that showed up on the front page of a national newspaper.
That all changed in 2010 with the discovery of the Stuxnet worm, which targeted the nuclear enrichment facility at Natanz in Iran. That attack made international news and started conversations in Washington, London and around the world about who deployed the worm and about the propriety of using such malware to go after the assets of foreign governments, regardless of their political alignment.
That conversation grew louder and more contentious in 2012 with the emergence of a number of new cyberweapons, including Flame, Gauss, Mini-Flame and Shamoon. Researchers believe that several of these tools are connected and may have been written by the same team and use some of the same code and modules. For the most part, these tools have been designed to steal sensitive data, conduct surveillance on victim networks and give the attackers a hidden presence on those systems. Shamoon was the exception to this rule, wiping data from target systems and rendering many of them useless.
Shamoon’s destructive tendencies confused researchers for a while, as there doesn’t seem to be much upside in destroying the data on machines that you’re targeting. That is, of course, unless the attackers had no interest in stealing any of the data on the target network and simply wanted to make a statement by trashing the systems instead and causing major headaches for the security team on the other end. And that’s what ended up happening, at least to the one major known target, oil giant Saudi Aramco. The attack on Aramco destroyed data on more than 30,000 machines and took the company weeks to recover from.
The kind of targeted attacks in which cyberweapons such as Flame and Shamoon are used are relatively rare and almost exclusively hit major corporate or government networks. But that doesn’t mean that they don’t have consequences for consumers, as well. Attackers routinely go after banks, ISPs and other companies and those attacks can have major repercussions for consumers. There has been a series of high-powered and highly disruptive DDoS attacks against several major banks over the last few months, some of which have taken banks’ sites offline for hours at a time.
The attacks have reached the point where the Office of the Comptroller of the Currency is warning banks about the campaign and recommending that they look at their risk-management plans to ensure that they have quality mitigations in place. The major banks, of course, have layers of defenses in place, but that only goes so far against a determined attacker, as many other enterprises are finding out these days.
The question now is what 2013 has in store. It’s no reach to say that there will be more Stuxnet or Flame-style attacks in the coming year. It’s as sure a bet as there is, the kind of lock that Vegas bettors dream about. A five-star lock. The attacks are going on all the time, 24 hours a day, on sensitive networks around the world. Attackers are vacuuming up data by the terabyte and handing it over to their bosses or backers and then moving on to the next assignment.
What’s far less certain is how many of these attacks will come to light. Researchers hit the jackpot in 2012 with several juicy new cyberweapons to sink their teeth into and they made a lot of headway in understanding the methods and techniques of these types of attackers. But that knowledge and intelligence has a limited shelf life. Attackers shift tactics often, responding to changes in defensive methods or advances in research. Attacks that are going on right now and may be discovered weeks or months down the road could include components that have never been seen before. The hash collision developed by the attackers behind Flame is a perfect example.
So 2013 likely will look a lot like 2012, only more so. More sophisticated attacks, more novel techniques and more targets. Whether those attacks bubble up to the surface remains to be seen, but if they do, expect to see the rhetoric and hand-wringing ratchet up a few notches. It’s the natural progression. If we learned anything in 2012, it’s that attacks only get better.