Summary of Ben Buchanan’s: The Hacker and the State – Part 3: Destabilization

In 2020, Ben Buchanan published his book “The Hacker and the State – Cyber Attacks and the New Normal of Geopolitics.” In this article, I summarize the third and last part of the book, on destabilization. If you are interested in the first two parts on Espionage and Attack, you can read my summaries here:

  • Buchanan’s The Hacker and the State – Part One: Espionage | LinkedIn
  • Summary of “The Hacker and the State” – Part 2: Attack | LinkedIn

When I read this book, I wanted to distill potential learnings for cyber security professionals in the corporate world. In the third part of his book, Ben Buchanan looks at cyber attacks that destabilize societies. He starts with attacks on an essential aspect of democracies: free elections. After briefly mentioning how Russia tried to influence the Ukrainian election in 2014 by wiping computers and potentially interfering with the counting, Buchanan discusses at length how Russia influenced the 2016 US election, in which Hillary Clinton and Donald Trump competed for the presidency. A real spy story – and if you want a good overview of the various steps, the book is a great resource.

What I myself found interesting is that we see a pattern similar to the attacks on electricity companies in Ukraine in part two of the book: the cyberattack – getting into computers, exfiltrating data – is a prerequisite, not the actual attack. Without an understanding of American society, social networks, and marketing, the attack would not have had such significance. This insight is highly relevant when fighting cyberattacks in the corporate world: there is an actual IT security crisis that the CISO organization and the IT department can and must address. When it comes to business impacts or communications, the business has to step in and contain the impact on the organization, its customers, and its suppliers.

Exposure is the name of the next chapter in this third part of the book. It mainly explains the Shadow Brokers incident. A cyberattack resulted in the exfiltration of a multitude of NSA hacking tools, operations manuals, and other documents into the hands of an attacker. The successful attackers offered the documents to the NSA or other prospective customers against payment. They tried to blackmail the NSA or were hoping for high bids from cyber criminals or other intelligence services. No one seems to have paid, even after it was evident that the tools were excellent and the documents of high quality. Thus, the Shadow Brokers moved from an auction model (the highest bidder gets everything) to a subscription business model (if you pay, you get something new every month, but not exclusively) before the group disappeared. It is not clear whether and how much money they made, but, in the end, they released a massive amount of confidential documents and NSA-internal tools for free. This release of tools and documents hurt the NSA and the US in several ways:

  • Reputational damage – cyberattackers were able to get their hands on massive amounts of secret data and tools.
  • Loss of offensive capabilities of the NSA: with the vulnerabilities and tools known to the world, they lost their power, especially against organizations taking their IT security seriously.
  • Successful attacks against US institutions and businesses: cyber attackers used the NSA tools and turned them against US organizations.

According to Ben Buchanan, it is not clear who is really behind the Shadow Brokers or what the technical background of the attack was. Probably, the attackers did not compromise the NSA itself, but employees or contractors who kept a lot of sensitive data on private IT infrastructure. From a corporate IT security perspective, I found it interesting that the hack and the follow-up actions might have been the collaborative result of intelligence services, cybercriminals, and a security software company, which makes the actual intentions and the potential implications for other organizations blurry.

In the chapter Theft, Ransom, and Manipulation, Ben Buchanan elaborates on successful and less successful North Korean attempts to fund the state by hacking financial institutions around the globe. Their first big coup was related to the SWIFT system for interbank payments. They did not attack SWIFT itself, but the access of Bangladesh’s central bank to SWIFT. They submitted fraudulent money transfers to various international institutions totaling around 850 Million USD. While many transfers could be prevented, the hackers were able to withdraw 81 Million USD in the end. Later, another south-east Asian bank was able to prevent an attack, but the hackers probably stole a total of around 500 Mio USD when attacking cryptocurrency-related companies.

Next, according to Buchanan, the North Koreans started working on a new “business model” – ransomware: infiltrating companies, encrypting their data, demanding a ransom payment, and then helping the victims to decrypt their encrypted data. After some initial experimentation and testing in smaller contexts, they added a feature for self-propagation and created a worm building on a vulnerability released in the Shadow Brokers leak. Everybody in the security community knows the result of their work: WannaCry. The worm was a technical success, highly infectious and causing immense damage around the globe. However, when looking at the financial gains, WannaCry was a disaster. Nobody paid to get rid of the ransomware, especially since security experts could stop the attack and the first victims made public that paying the ransom did not get them their data back.

WannaCry was in early 2017; the same hackers hit a Taiwanese bank with a focused attack in October of the same year. The underlying pattern is, in my opinion, so crucial that every IT security, fraud, or business risk specialist should understand it. The hackers started a ransomware attack – followed by an attack on the bank’s SWIFT system with fraudulent money transfers. The attackers hoped that the chaos of the ransomware would keep the bank from noticing the additional SWIFT attack. The hackers tried to transfer around 60 Mio. They succeeded in getting 14 Mio out of the bank, though they failed to collect the money in cash.

In their next major move, the hackers overcame the Achilles heel of their earlier attacks: bank staff getting suspicious due to the high sums they wanted to take out of a bank in cash, and money transfers failing due to single misfiled fields in their SWIFT messages. Thus, in summer 2018, they moved to an ATM cashout model. They intruded deeply into the IT systems of an Indian bank – and in just two hours, money mules around the world withdrew between 100 and 2000 USD each – a total of 11 Million. These withdrawals with forged bank cards bypassed the bank’s standard payment authorization and fraud detection systems because the hackers had deeply manipulated the bank’s IT systems. The icing on the cake: fraudulent SWIFT transfers.

These North Korean attacks indicate the level of sophistication money-focused cyberattacks can reach and how devastating the financial loss can be for a single institution.

NotPetya is the focus of the last chapter of the book. It is a showcase for a cyberattack disrupting global businesses, especially those with interconnected and/or highly centralized IT landscapes. When looking at politics, NotPetya is the story of another Russian attack on Ukraine with worldwide collateral damage. The worm started on Ukraine-related computers before going everywhere, without checking whether a computer was in this specific country or anywhere else in the rest of the world.

According to Buchanan, the attack exploited vulnerabilities identified by the NSA and leaked as part of the Shadow Brokers incident. The NotPetya hackers got into a software company in Ukraine that sells widely used tax software. The attackers were able to manipulate the source code and push the updates to the customers. On attack day, the infected customer machines downloaded malicious code from another web server, then searched the local RAM for additional passwords, enabling the worm to move laterally to additional servers within the network. The worm jumped from server to server and encrypted the hard disks and files without an option to decrypt them. It hit most companies in Ukraine plus many international companies with business in Ukraine and therefore in need of the tax software.

From my side, the implications are very clear. Every company can come under fire if a country starts a big worm-based attack without caring who exactly might be a victim. However, the network setup of companies influenced how easily the worm could spread in this case. Companies synchronizing all their domain controllers were heavily impacted by this kind of attack. For example, the logistics company Maersk would have lost all domain controllers and their configurations worldwide, including all backups, if there had not been a blackout in Ghana exactly at the time of the attack.

In his conclusions chapter, Ben Buchanan points out the weaknesses of cyberattacks as a tool of geopolitics. The attackers do not want to be linked to a government. Cyberattacks are difficult to control. Understanding their effectiveness and the damage they cause is challenging to impossible in advance. Plus, launching a cyberattack means burning vulnerabilities, which makes it impossible to threaten a second, similar attack. However, while cyberattacks might not be the best option for geopolitics, they are used – and companies had better prepare instead of naively getting caught by surprise in the crossfire.

A final remark at the end of the summary of the third and last part of the book: I could only provide a short summary. If you want to read the complete, unfiltered, and much broader story by Ben Buchanan himself, his book is available, e.g., here: https://www.hup.harvard.edu/catalog.php?isbn=9780674987555
