AFIMAC CEO Peter Martin quoted in Financial Times: Hackers blur line between thief and spyMarch 29, 2016
Hackers blur line between thief and spy
By Geoff Dyer and David J Lynch
March 28, 2016
In the world of hacking, one man’s criminal is increasingly another man’s spy.
By indicting seven Iranians on cyber crime charges last week, the US is trying to send a message to foreign governments that it is willing to challenge publicly any attempts to manipulate the computers of important infrastructure. The charges against the Iranians follow a similar groundbreaking indictment in 2014 of five Chinese.
However, there is one big difference in the cases. The Chinese accused of stealing trade secrets from US companies were all soldiers in the People’s Liberation Army: the seven Iranians, on the other hand, work for private computer security companies.
The distinction is an ever more important one for the US authorities. As they try to find tools to deter rival governments from cyber attacks, one of the growing complications is the blurring of lines between nation-states and criminal gangs willing to work as proxies for either governments or even terrorist groups.
“We are increasingly seeing different versions of this blended threat,” says John Carlin, assistant attorney-general for national security, in an interview with the Financial Times. “It is complicated.”
Peter Martin, chief executive of AFIMAC, a corporate security and crisis management firm headquartered in Miami, says that governments are now frequently hiring hackers to do their dirty work both to make it harder for victims to determine who has attacked them and because much of the requisite technical talent resides in the private sector.
Partnerships with independent hackers, he says, gives nation-states “plausible deniability”.
We are increasingly seeing different versions of this blended threat. It is complicated.
The decision to indict the Iranians is part of a new approach by the US authorities to use public naming-and-shaming as a way of deterring certain types of state-sponsored hacking. “We are taking information that used to be treated as an intelligence matter and are looking to see what we can take public,” says Mr. Carlin.
In the past, the government has refrained from publicly attributing blame for fear of creating diplomatic headaches or to avoid compromising intelligence secrets. Now, with the perceived need to better deter future attacks growing, authorities are becoming more assertive.
“This is a signal to nation-states that we are increasingly willing to talk about what we know,” said Rajesh De, former White House official and general counsel for the National Security Agency.
However, while the US authorities are able to trace cyber attacks back to specific computers, in some cases the link with nation-states is not always as direct as it was in the indictment of the five PLA officers.
According to the Department of Justice, the Iranians are accused of launching a “denial of service” attack on dozens of US financial institutions and of hacking the computer system of a small dam in upstate New York. The seven defendants worked for two different companies, Mersad and ITSec Team, both of which sometimes “performed work on behalf of the Iranian government”, the indictment says.
Prosecutors allege that Amin Shokohi, who worked for ITSec, helped build the botnet that engaged in the attack on US banks. In return, he was excused some of his mandatory military service, the indictment claims.
“These botnets are often constructed by criminal groups but once they are constructed they can be used by actors for a variety of purposes ranging from criminal to national security threats,” says Mr. Carlin.
The same blurring of lines between private hackers and governments was apparent in a separate cyber indictment unsealed last week involving three Syrian nationals. The Department of Justice alleges that the three were hackers for the pro-Assad Syrian Electronic Army which has used spear-phishing emails to gain access to the Twitter feeds of media and government organisations. In one instance, the three allegedly sent a tweet from the Associated Press account claiming that a bomb had exploded at the White House and had injured the president, causing a dip in the stock market.
At the same time, however, the indictment alleges that two of the three also operated an “extortion scheme” in the US for “personal profit” where they would threaten to damage computers or delete stolen data from companies in return for payment.
In October last year, the Malaysian authorities — on the request of the US — arrested a well-known hacker who was accused of selling personal information about US military and government personnel to Isis. According to the US authorities, Ardit Ferizi was the head of a Kosovo-based hacking group.
According to Mr. De, who is now a partner at law firm Mayer Brown in Washington, hackers traditionally fell into one of three categories: government-backed, criminal or politically motivated activists. “Clearly, the lines between these lanes have been blurring over time,” he says. “They are far more blurred today than ever before.”