Last year was a “seminal year” for nation-state-backed cyberattacks from American adversaries, a top Department of Homeland Security official said Wednesday, adding that companies may need U.S. government support to cope with such advanced threats.
“We’ve known for years that there are primarily four nation-state actors that are most active in the cybersecurity space, but push really came to shove” in 2017, Christopher Krebs said Wednesday, referring to China, Iran, North Korea, and Russia.
American companies can handle most cyberthreats through their own security investments, but a “military-grade level of investment” is needed to cope with nation-state hackers, Krebs, DHS’s top infrastructure security official, said at a conference in Washington, D.C.
Experts say it is very difficult for a company of any size to cope with advanced and well-resourced hackers, but DHS is trying to make the fight less lopsided by providing companies with threat intelligence and risk assessments. Further, basic practices like software patching can make hackers’ lives harder. The goal is resilience rather than preventing a cyberattack altogether.
In his remarks, Krebs cited attacks involving the WannaCry ransomware and NotPetya wiper malware as among last year’s biggest attacks. U.S. officials blamed North Korea for WannaCry and Russia for NotPetya.
The damage from both attacks was widespread, and the implications for internet security are still being felt. WannaCry struck more than 300,000 computers in 150 countries. NotPetya infected accounting software in Ukraine and spread to dozens of countries while disrupting pharmaceutical and shipping companies.
A year after NotPetya, some analysts worry that companies haven’t heeded key lessons from the attack.
Its code downloaded credentials from a system’s memory, allowing the attack to spread laterally through an organization, explained Charles Carmakal, vice president at cybersecurity company Mandiant. A “vast majority” of organizations are still highly susceptible to that technique today, he added.
“If somebody wanted to conduct that attack today, they could take down a very large portion of corporations out there [through] almost the exact attack,” Carmakal said at a recent press briefing.
NotPetya exploited a flaw in the SMB protocol, a vulnerability that Microsoft released a patch for months before the attack. But as Nate Warfield of Microsoft’s Security Response Center pointed out Tuesday, there are roughly 936,000 SMB servers online that don’t require authentication, including 54,000 running Windows, indicating a ripe attack surface for a NotPetya-style virus.
Meanwhile, analysts say Ukraine continues to be a testing ground for Russian hackers.
According to the chief of Ukraine’s cyber police, Russian hackers have planted malware at a range of Ukrainian companies, potentially laying the groundwork for a new large and coordinated attack, Reuters reported Tuesday.
After his remarks Wednesday, Krebs would not comment on what DHS is doing to help Ukrainian officials respond to any new Russian hacking operation. After a December 2015 cyberattack on the Ukrainian electric grid in which suspected Russian hackers cut power for 225,000 people, DHS sent a team of industrial control systems experts to Ukraine to study the attack’s forensics.