Political sabotage and rampant ransomware ruled cybercrime in 2016

They carried out multi-million dollar bank heists, sought to influence the elections of foreign governments, and fashioned powerful armies out of electronic devices spread across millions of unsuspecting households. And they accomplished it all by (mostly) relying on a rudimentary attack vector—email.

Released on Wednesday, Symantec’s “Internet Security Threat Report” describes an unprecedented year of cyber villainy—from the massive internet outages caused by the Mirai botnet to the acts of political sabotage that mired the U.S. election. In its 22nd annual report, the California-based antivirus software maker describes a “targeted attack landscape” that shifted “considerably” over the past year: Economic espionage, a chief concern in years past, has taken a back seat to politically subversive cyberattacks, Symantec says. And while the year saw a notable dip in attacks geared toward the theft of trade secrets, there was a marked influx of sabotage abnormally overt and political.

“The ongoing conflict in Ukraine, the U.S. election, and the Olympics were all affected by campaigns designed to steal and leak data in order to influence public opinion, create an atmosphere of distrust, and possibly influence political outcomes,” the report says, assessing that such politically bent operations are likely to flourish going forward, given their triumphs over the last year.

“In previous years, when we talked about the big targeted attacks, especially nation-state, we were talking about cyber espionage,” says Kevin Haley, director of Symantec security response. “This year, we’re talking about sabotage. We’re talking about subversion.” Borrowing from the maxim of a 19th-century Prussian general, Haley puts the burgeoning trend in a nutshell: “Cyberattacks is politics by other means.”

These conspicuous acts of sabotage have taken many forms. In 2015, for instance, the Ukrainian energy sector was struck by a highly destructive Trojan known as Disakil (aka “KillDisk”), linked by some researchers to power outages in the country. A Linux-based variant of the malware that struck last year included new ransomware capabilities, leaving files encrypted and inaccessible until the owners paid out roughly $210,000 in bitcoin. According to the security firm TeleBots, Ukrainian financial firms were the primary target.

Malware known as Shamoon—first used against the Saudi Arabian energy sector in 2012, according to Symantec—resurfaced in November 2016 and delivered a “disk-wiping payload.” The virus also reportedly defaced infected systems with a photograph of Alan Kurdi, the three-year-old Syrian refugee of Kurdish descent whose dead body was photographed after washing up on a Turkish beach. The attackers believed responsible are linked to a wide range of cyberattacks across the Middle East predominantly targeting energy and financial sectors, as well as governmental entities.

Easily the most high-profile act of political sabotage in 2016 was the infiltration of the Democratic National Committee, an attack that U.S. intelligence has attributed with high confidence to hacking groups affiliated with Russian intelligence and security services. The attacks were described by FBI Director James Comey last month as particularly “noisy,” meaning the intruders lacked any regard for stealth. “It was almost as if they didn’t care that we knew what they were doing,” Comey said.

“Given the proven potential for sowing discord and confusion,” Symantec predicts, “there is a strong likelihood that these tactics may be used again in a bid to destabilize other countries.”

One of the advanced persistent threats tied to the DNC attack (known widely as APT28 or “Fancy Bear”) has additionally been tagged with an attack on the World Anti-Doping Agency, a group founded by the International Olympic Committee, which has accused the Russian government of an “institutional conspiracy” to dose star athletes with banned, performance-enhancing drugs ahead of global competitions. The stolen records—leaked by APT28 in September—included the personal data of 29 mainly American, British and German athletes, including tennis stars Venus and Serena Williams. (One of the athletes was Russian.)

Conversely, Symantec found evidence of a marked decline in economic espionage operations between the U.S. and China, attributed largely to a 2015 agreement signed by President Barack Obama and President Xi Jinping of China, in which the leaders agreed that neither country should condone the “cyber-enabled theft of intellectual property.” Infections by malware attributed to cyberespionage groups (which Symantec believes are China-based) dropped “considerably” after the agreement was signed, the report says—a trend that continued at year’s end. Ahead of the U.S.–China agreement, Symantec observed that “Buckeye”—a China-based cyberespionage group, also tracked as APT3—had substantially shifted its focus from U.S. organizations to targets in Hong Kong.

In the realm of financial heists, what Symantec calls a “new breed of attacker” has taken to robbing the banks directly rather than targeting individual bank customers, “sometimes attempting to steal millions of dollars in a single attack,” it says.

“Gangs such as Carbanak have led the way, demonstrating the potential of this approach by pulling off a string of attacks against U.S. banks.

“During 2016, two other outfits upped the ante by launching even more ambitious attacks. The Banswift group managed to steal US$81 million from Bangladesh’s central bank by exploiting weaknesses in the bank’s security to infiltrate its network and steal its SWIFT credentials, allowing them to make the fraudulent transactions.

“Another group, known as Odinaff, was also found to be mounting sophisticated attacks against banks and other financial institutions. It too appeared to be using malware to hide customers’ own records of SWIFT messages relating to fraudulent transactions carried out by the group.”

Both the use of ransomware and the payoffs demanded of its targets are on the rise. Last year, the average ransom demand was $1,077, up more than 266 percent from the previous year’s average. Symantec observed a 36 percent increase in ransomware infections, totaling roughly 463,000. In some cases, the company said, “organizations can be overwhelmed by the sheer volume of ransomware-laden emails they receive.”

“Due to its prevalence and destructiveness, ransomware remained the most dangerous cybercrime threat facing consumers and businesses in 2016,” the report says.

In the underground markets, ransomware toolkits can fetch up to $1,800, the report says, and they are often sold as “Crimeware-as-a-Service,” referring to organized crime rings that provide on-demand malware and distributed denial-of-service (DDoS) attacks. Email remains the “weapon of choice” for ransomware gangs—as is true of cyberespionage groups—that employ spam botnets-for-hire, which can pump out “hundreds of thousands of malicious emails daily.”

Symantec notes that 34 percent of victims will pay the ransom, according to research by the Norton Cyber Security Insight team, a figure that rises to 64 percent in the United States. This provides some indication, Symantec says, as to why Americans are so heavily targeted. “Willingness to pay the ransom has to be a major reason for the increase in ransom demands,” the report concludes.

Read the full report at Symantec.

Dell Cameron

Dell Cameron was a reporter at the Daily Dot who covered security and politics. In 2015, he revealed the existence of an American hacker on the U.S. government's terrorist watchlist. He is a co-author of the Sabu Files, an award-nominated investigation into the FBI's use of cyber-informants. He became a staff writer at Gizmodo in 2017.