An Ars Technica article from November 18th, 2020 reported that exploits were being used to target companies specifically, on behalf of a group sponsored by a nation-state. Some of these exploits included using Zerologon to give admin access to new user accounts on Windows Servers.
How These Exploits Work
Because of the way Windows Servers authenticate through a service called Netlogon, attackers were able to use an exploit that let them send a set of zeroes which tricked Netlogon into authenticating the user's logon as an admin. Instead of using this power to target government agencies specifically, they engaged in a campaign of corporate sabotage, data breaches and information theft.
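As an added defender's check, not code from the article, the following Python scans a few constructed Windows Security log lines for the trace that Zerologon exploitation is publicly known to leave on a domain controller: a DC computer account (event 4742, "A computer account was changed") whose password was reset by ANONYMOUS LOGON. The key=value log format, the DC account names and the sample lines are all assumptions made for the example.

```python
import re

# Constructed sample lines in a simplified key=value export of Windows
# Security log events (assumption: not real logs and not the article's data).
SAMPLE_EVENTS = [
    "EventID=4742 SubjectUserName=ANONYMOUS LOGON SubjectDomainName=NT AUTHORITY "
    "TargetUserName=DC01$ PasswordLastSet=11/18/2020 09:12:03",
    "EventID=4742 SubjectUserName=svc_join SubjectDomainName=CORP "
    "TargetUserName=WS-042$ PasswordLastSet=11/18/2020 09:15:44",
    "EventID=4624 SubjectUserName=ANONYMOUS LOGON SubjectDomainName=NT AUTHORITY "
    "TargetUserName=DC01$ LogonType=3",
    "EventID=4742 SubjectUserName=ANONYMOUS LOGON SubjectDomainName=NT AUTHORITY "
    "TargetUserName=DC02$ PasswordLastSet=-",
]

# Computer accounts of the domain controllers (assumption: supplied from inventory).
DOMAIN_CONTROLLERS = {"DC01$", "DC02$"}

# key=value pairs whose values may contain spaces; a value ends where the
# next " key=" begins or at end of line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line):
    """Turn one key=value log line into a dict of field names to values."""
    return dict(FIELD_RE.findall(line))


def is_zerologon_indicator(event, dcs=DOMAIN_CONTROLLERS):
    """Flag a DC computer-account password reset performed by ANONYMOUS LOGON.
    In event 4742 the PasswordLastSet attribute reads "-" when the password
    was not part of the change, so only a real value counts as a reset."""
    return (
        event.get("EventID") == "4742"
        and event.get("SubjectUserName", "").upper() == "ANONYMOUS LOGON"
        and event.get("TargetUserName") in dcs
        and event.get("PasswordLastSet", "-") != "-"
    )


def find_suspicious(lines, dcs=DOMAIN_CONTROLLERS):
    """Return the DC account names whose password was reset anonymously."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if is_zerologon_indicator(event, dcs):
            hits.append(event["TargetUserName"])
    return hits
```

Only the first sample line matches: the second is a normal password change by a named account, the third is a logon rather than an account change, and the fourth did not touch the password.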
This was done specifically for economic reasons, not personal ones. That matters because, according to the New York Times in October 2020, a state-backed group responsible for hacking local and federal computer systems related to elections (a clear example of something a hostile state would have an interest in) was also responsible for a string of hacks that targeted both nuclear power plants and general energy grids, and energy plants in particular through their Wi-Fi systems.
While they have not yet acted on what they have infected, they have in fact infected a large number of power grids, with the malicious code sitting deep inside those grids' systems. Their intentions were not stated, but in similar attacks in 2017 they actually did shut down plants. At the time the assumed reason was economic sabotage, but it may have been a test run that laid the groundwork for the current state of affairs, where infections on power grids are endemic and could at any time be activated all at once.
That is almost scarier than if their main reason for attempting these attacks were simply to slow us down economically or cause chaos: the idea that a potentially huge attack could be waiting in the wings, ready to be activated the moment we cross them. In the future, cyber security will be not just a private issue but a public one, since an infected phone could infect a government employee's phone and ultimately lead to a point of failure.
Another common pattern in the last few years has been widespread breaches of user account data from major websites and companies. These include passwords, usernames, emails, and other personally identifiable information, or PII. Some of these attacks have also exposed information such as credit card data, financial reports, bank account information, Social Security numbers, and answers to security questions.
The most widespread attacks have taken place on internet-based services run by companies. This includes forums, online shops, crypto exchanges, blogs, and other sites that are likely to have minimal security, or at least to be unprepared for a targeted cyber attack. What this means is that if you use one password on almost every site, it is at this point almost guaranteed that some site you have used in the past has been hacked.
The ubiquity of these attacks has at this point affected hundreds of billions of accounts, and many people multiple times. In general, people assume that these hacks and the subsequent release of information only happen to websites of ill repute. It is true that these lists are generally shared either through anonymous social media or file-sharing dumps on torrent websites, or by selling the information to buyers normally found on the dark web. But just because the sharing is done through means that are less than above board does not mean that the websites themselves weren't modern, updated websites that were considered trustworthy.
Any Company Can be a Target
For example, Adobe, Spotify, eBay, Equifax, Marriott, LinkedIn and more have been targeted in recent years, with attackers generally stealing some or all of the related customer information. Obviously the stories that have stuck in the public consciousness tend to involve events such as the attack on Billy Madison, an infamous site for cheaters, or the attack on the website "Adult Friend Finder."
Reporting on these and similar stories gives the sense that this was always going to be the ultimate result of using a website with a less than stellar reputation in the eyes of many. But the reality is that every website is equally susceptible. For example, Yahoo, which had nearly 3 billion users' data leaked, was at one point used by almost everyone and was one of the most widely used email services. Some of that information was obtained through exploits in software the company used, which, while not totally out of their hands, is something that could happen to anyone.
Where these companies could have done more is in training their employees, so that their 5000 employees do not represent 5000 potential points of failure in their cybersecurity plan. Courses need to be held for anyone with access to secure databases and non-public networks. In some cases, separate personal and work devices will be the best option going forward. Yearly refresher training and planned courses of action should also be in place so that these attacks do not happen again, since many of these companies could not survive a repeat.