NSA: Cyber Attacks Are Becoming More Sophisticated, Aggressive, and Disruptive

Foreign hackers combine malware, cyber techniques used by other adversaries

An IT researchers shows on a giant screen a computer infected by a ransomware
An IT researchers shows on a giant screen a computer infected by a ransomware / Getty Images
November 16, 2017

Cyber attacks by foreign nations and criminals against both government and private sector networks are increasing in both sophistication and scale, a senior National Security Agency official said Wednesday.

Jonathan L. Darby, deputy chief of NSA's cybersecurity operations group, said in a speech that recent cyber attacks against Ukraine's power grid, malware strikes in Saudi Arabia, the Equifax data breach, and global ransomware attacks are the latest examples of the kind of attacks that are growing more dangerous and that will increase in the future.

"I expect the trend lines to continue. We're going to continue to see attacks all around the world," Darby told a conference sponsored by the State Department's Overseas Security Advisory Council.

"Cyber adversaries today are becoming more sophisticated in how they operate," he added.

Despite increased sophistication of attacks, "the tried and true method for how to get into networks is still very effective," Darby said.

One of the most effective methods is the use of spear-phishing email attacks involving fraudulent emails seemingly sent from known users that contain links used by hackers to gain access to target networks.

"And some poor sap clicks on a link that's embedded in there, and lo and behold that sender, that adversary is in that network," Darby said.

"It's simple, it's effective. I'm still astounded that people fall for that the oldest trick in the book, but it works."

Once inside a network, foreign nation-state hackers and criminals can steal data or set up conditions for conducting destructive attacks against the networks in the future, such as during a conflict or crisis.

In addition to cyber criminals seeking to steal money, Darby identified "the Big Four" nation-state cyber threats: Russia, China, North Korea, and Iran.

"Russia [is] very aggressive, showing a display of force in the cyber arena," he said. "China sees cyber as a tool to gain national security advantage and economic advantage."

Iran is focused on using cyber attacks to react to international events and has shown a tendency toward destructive cyber attacks.

For North Korea, cyber capabilities are "tool in their arsenal" that is used to react to world events, he said.

"So the new normal today in cyber is we're seeing an increasing frequency of attacks, we're seeing increasing aggressiveness of these attacks, and increasing disruptive cyber operations," Darby said.

One new trend is what NSA calls "repurposing and weaponizing" cyber capabilities that are in what is termed "the wild."

"Some adversary may use a particular technique or an exploit, malware to target a particular company or government entity," he said. "Well, another adversary may see that, grab hold of that and say 'I want to use that for my purposes and I want to combine it with these other techniques, or malwares or exploits,' and really repurpose and combine and use them in ways the originator of that exploit never intended it to be used."

Darby said NSA has noticed a growing prevalence of the reuse of cyber tools.

He declined to comment when asked if NSA was hacked and its cyber tools used by foreign hackers. However, he said NSA monitors closely the use of cyber tools by foreign hackers and criminals.

NSA and private security firms also have seen a new technique involving long-term "social engineering"—basically intelligence recruitment of people with access to computer networks—in a bid to gain access to networks targeted by foreign states or criminals.

Defending against that technique requires better monitoring networks, Darby said.

Another trend in cyber attacks is the ability of hackers to steal user credentials—user names and passwords—to get into networks. The use of stolen user identification has made it difficult to spot hackers because the credentials make them appear legitimate.

"So this environment we're in today, it's scary," Darby said. "I mean you stand back and say 'holy cow' how are we going to deal with this.' Our world is networked and our assets are in that network and now have to protect those. This sounds way hard."

Darby urged security officials and administrators to collaborate more in sharing threat data and security practices designed to prevent cyber attacks. NSA is working to provide more unclassified information to private companies, he said.

"I live in a top secret environment largely, but I know that keeping that information in a top secret environment is basically useless for defensive purposes," he said.

Also, more needs to be done to prepare for responding to major cyber attacks through drills and practice. "It's no fun learning on the fly when you're under cyber attack," he said.

Another problem has been responding to the hundreds of thousands of security alerts triggered by intrusion detection software.

"The reality is we're drowning in these alerts," Darby said.

The solution is to prioritize information and networks that are being protected.

Darby said to prevent being victimized by hackers, network administrators should "do the basics."

"Harden your networks, endpoints, and services using the best practices that are available out there," he said.

Published under: Cyber Security , NSA