There are no hackers - there are only spies

By Eric O'Neill, Carbon Black

In December 2015, I opened a letter from the (US) Office of Personnel Management. The OPM oversees healthcare and insurance programs, administers retirement and benefit services, and assists federal agencies in hiring new employees and providing federal investigative services for background checks.

This means that the OPM probably has a file on anyone who has ever been a federal employee or applied for a federal job. Mine included my social security number, address, date and place of birth, residency, educational and employment history, foreign travel history and information about immediate family and personal acquaintances.

All of this was stolen in a devious and sophisticated breach. I would learn later that China had first hacked OPM in 2012, and that it had taken OPM and the US Computer Emergency Readiness Team (US-CERT) three years to identify the attack and put a stop to it.

All the while, Chinese spies used OPM's servers like a public library. Just think of the countless breaches of information that have plagued the United States since even before I opened my OPM letter; each worse than the last, and each pushing the boundaries of how we define a mega breach.

On a Saturday morning in March 2016, John Podesta, chair of the Hillary Clinton for President Campaign, received an email from the Gmail Team imploring him to change his password. He or one of his staff clicked a link that transported Podesta to a fake website mocked up to look like the Google Gmail password-security page.

He entered his current username and password and then the new password he chose. Within moments, Russian cyber spies started cataloguing his emails. Aleksey Lukashev, the Russian military officer who sent the spear phishing email, and 11 other Russian spies also compromised dozens of other computers and staffers at the DCCC and DNC.

Democrats wrung their hands as over 80,000 private emails and confidential memoranda appeared on WikiLeaks like revenants, resurrected to destroy the party.

In May 2017, North Korea started a pandemic. Bright-red screens popped up on more than 200,000 infected computers worldwide, with a mocking message demanding users pay $300 in Bitcoin before a countdown timer expired and all their data disappeared forever.

More than 150 countries desperately fought the attack, but resistance was futile. The malware leapt across borders at the speed of thought, worming its way through businesses and government agencies, wreaking havoc in banks and universities, shutting down airports and bringing hospitals to a standstill. To add insult to injury, the code North Korea used to start the world's first cyber pandemic was stolen from the NSA.

In January 2019, I numbly typed old email addresses into www.haveibeenpwned.com, a clearinghouse created by security researcher Troy Hunt where a victim can check whether they have been 'owned' by a cyber-attacker or spy.

An unknown attacker had posted 772,904,991 email addresses and over 21 million unique passwords to an online hacking forum, and I needed to know whether mine was among them.

For a short period, the overwhelming treasure trove of user accounts and passwords - keys to all of our email secrets, our private calendars and online histories - squatted on a popular cloud service. The folder, called Collection #1, contained over 12,000 files and weighed a hefty 87 gigabytes, all stolen from nearly 2,000 leaked databases.

Hunt's database flagged one of my old email accounts. I hope I will never see tens of thousands of my emails published beside Podesta's on WikiLeaks.

Hollywood would have us believe that hackers work alone, striking from dark basements and cold warehouses in Eastern Europe, penetrating servers with magic codes that knife through defences like little silver cyber ninjas. Others in our government paint a similar picture, conjuring an overweight man in his 20s sitting in a basement (probably his mother's), hammering away at a computer while pounding energy drinks and munching on bags of Fritos.

These representations are dangerously misleading. The hackers of yore are gone. Most of them have joined tech companies to help find and fix vulnerabilities in networks and systems, what's known as 'white hat' hacking.

Those who remain aren't lone-wolf anarchists. They're spies: intelligence service experts trained to use traditional spy craft to recruit individuals at targeted organisations and steal their access to information. These spies are sophisticated, devious and well funded - and they're behind all of the major security breaches we've experienced this century.

We once filed documents in towering cabinets, coded and organised by secretaries who held the keys to the kingdom. Spies would loiter in bars outside of government buildings, waiting with a friendly ear for evening alcoholics looking to complain about the boss or bureaucracy. They would search out highly placed individuals who had a secret they wanted buried, those who had lost faith in America or those in financial distress who needed fast cash to make ends meet.

After long recruitment periods that involved sham friendships, bribes and often threats, these marks became the perfect inside men to extract the paper that held the secrets. But, as businesses and government agencies began to trade the file cabinets for computer systems and servers, cell phones and laptops, thumb drives and cloud-based computing, spies had to evolve.

Unfortunately, other countries are gaining ground in this fight. As a young FBI operative, I went undercover to help catch Robert Phillip Hanssen, a 25-year veteran of the FBI who had been selling secrets to the Russians for decades. He was the worst mole in US history - and the first to take advantage of holes in the country's cybersecurity infrastructure.

Hanssen and I spent a lot of time together during the case, and he often pontificated about what he called Hanssen's Law: 'the spy is in the worst possible place.' That is, spies will seek out the secrets that will do the most damage in order to sell them for the most money.

February 19 this year marked the eighteenth anniversary of Hanssen's arrest. In the years since, I've thought long and hard about those words. The truth is that the spies are still in the worst possible place - it's just that the worst possible place has expanded beyond reckoning.

Modern connectivity in communications has made government data both plentiful and accessible. And it's affecting us as individuals, too: our desperate need to share online and accumulate clicks and likes has opened the door to identity theft and social engineering.

Twenty years ago, Russian spymasters meticulously recruited moles like Hanssen and sent them into secure buildings to extract secrets written on paper and saved on floppy disks. Today those spies send spear phishing emails laced with infiltrating malware from comfortable desks in Moscow.

Over the past two decades, Russia, China, North Korea and Iran have all made a massive investment in cyber espionage. A February 2018 report by the Council of Economic Advisers to the White House pegged the cost of cyber attacks to the US economy at between US$57 billion and US$109 billion in 2016[1]. Each year the losses grow.

Our traditional, defensive approaches to cyber security that rely on protecting a perimeter are outdated and expensive - and useless against modern, targeted cyber attacks of the kind that affected the DNC.

We need a different playbook. Just as spies once took lessons from hackers, cyber professionals must become expert spy hunters. Humans, aided by the best technology and big data analytics streamed from a secure cloud, must actively detect threats across a broad environment of employees and devices.

We must lock every endpoint - each device that accesses private data - into a secure vault that sounds an alarm at every threat. We must arm our new spy hunters with the ability to understand the attacker, discover their flaws and vulnerabilities, actively seek them out, and neutralise them when they attack.

Security is an exhausting journey that defies even a momentary lapse of guard. Only by hunting the cyber spies will we be able to create a world safe from cyberattacks. Only then can we defeat Hanssen's Law.

Eric O'Neill is a former FBI counterintelligence operative. Currently he is the National Security Strategist for Carbon Black and the Founding Partner of The Georgetown Group.