How do hackers exploit the Internet to achieve their goals?
Fake domains, millions of insecure devices, and public websites like Twitter and GitHub
You might have heard that every device that connects to the Internet has a unique public IP address. Does that mean that your device can figure out where information over the Internet is coming from? If this were true, you wouldn’t have to worry about hackers exploiting the Internet, but that is not the case.
You might even have used some of the same tricks yourself, streaming Netflix Japan to watch your favorite anime while sitting in the U.S., or accessing Google from China. The interconnected nature of the Internet, combined with open protocols, makes it extremely hard to pinpoint the source of traffic if someone wants to conceal it.
For example, when you look up my website with the Internet Corporation for Assigned Names and Numbers (ICANN), you see that it is registered with Google Domains, but there is not much information you can glean from it that traces back to me. Of course, in this case it is pretty obvious, given that the website contains my first and last names; however, someone could have claimed the domain beforehand and impersonated me to a certain degree, if they so desired.
Hackers could also create a fake website with a name similar to a legitimate website visited by large numbers of people, e.g. “faecbook.com” instead of “facebook.com,” a practice known as typosquatting. People might unknowingly enter their personal information into this website (ignoring the advice of their browser), effectively handing their username and password directly to the hackers.
Such a website might not be easily traceable to the hackers themselves, although it might draw the suspicion of web hosting companies like Google or GoDaddy if someone were to create a website whose name seeks to mislead users.
Apart from a website domain that passively collects data, email domains can also be used for phishing. This is an example from a Chinese state hacking group seeking to impersonate the CEO of the cybersecurity company Mandiant. Notice that the email comes from a seemingly legitimate sender name, but the domain (rocketmail.com) is different from the company’s domain.
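Both tricks above, a lookalike domain and an executive's name on an outside mailbox, are cheap to check for on the receiving side. The following is an added example, not code from the post or from Mandiant: it scores a From: header by (a) whether a display name matching a known executive arrives from a domain other than the company's own and (b) whether the sender domain is within two edits of a protected domain. The company domain, executive names, protected-domain list and sample headers are all constructed for illustration.

```python
"""Flag phishing-style sender addresses: a display name that matches a known
executive but a sender domain that is not the company's, or a sender domain
that is a near-miss (typosquat) of a protected domain.
Added example; names, domains and sample headers are constructed."""
from email.utils import parseaddr
from typing import List, Optional

# Constructed: the organisation's own domain, brands worth protecting, and the
# people most likely to be impersonated in a phishing email.
COMPANY_DOMAIN = "example-corp.com"
PROTECTED_DOMAINS = {"example-corp.com", "facebook.com", "google.com"}
EXECUTIVES = {"jane doe", "john roe"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute) via a two-row DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the protected domain this one imitates: within 2 edits of its
    first label and not identical. None if it resembles nothing protected."""
    domain = domain.lower()
    label = domain.split(".")[0]
    for protected in sorted(PROTECTED_DOMAINS):
        plabel = protected.split(".")[0]
        if domain != protected and edit_distance(label, plabel) <= 2:
            return protected
    return None


def assess_sender(from_header: str) -> List[str]:
    """Return the findings for one From: header (empty list = nothing odd)."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    findings = []
    if name.strip().lower() in EXECUTIVES and domain != COMPANY_DOMAIN:
        findings.append(f"display name '{name}' used from external domain {domain}")
    target = lookalike_of(domain)
    if target:
        findings.append(f"sender domain {domain} looks like {target}")
    return findings


# Constructed sample headers in the patterns described in the post.
SAMPLES = [
    "Jane Doe <jane.doe@example-corp.com>",        # genuine
    "Jane Doe <jane.doe.ceo@rocketmail.com>",      # executive name, free-mail domain
    "Security Team <no-reply@faecbook.com>",       # typosquat of facebook.com
    "Newsletter <news@netflix.com>",               # unrelated, should pass
]

if __name__ == "__main__":
    for hdr in SAMPLES:
        print(hdr, "->", assess_sender(hdr) or "ok")
```

An edit-distance threshold of two on short labels will over-match in practice (many legitimate five-letter brands sit within two edits of each other), so a production filter would pair this with registration age or reputation data; the point here is that the header alone already carries both signals the post describes.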
Larger hacking groups use multiple such domains as a part of large scale hacking infrastructures. Sometimes, such hacking groups manage to conceal their activities for months or years, and are referred to as advanced persistent threats, or APTs.
Using Domain Services for IP theft
In a remarkable example, a Chinese APT known as APT1 stole hundreds of terabytes of intellectual property from 141 companies over nearly 7 years. The attacks on organizations started with spear phishing emails like the one above, containing a malicious .zip attachment. Downloading the zip file installs a malicious backdoor that communicates with servers outside the target’s network. Through this backdoor, the hackers were able to send massive amounts of data to those servers.
The locations of these servers were obfuscated by APT1’s use of multiple hops through intermediary systems, which were themselves compromised third-party servers. APT1 compromised and used thousands of systems with more than 800 distinct IP addresses. Using this massive infrastructure, they were able to make attacks appear to originate from almost any country.
In addition, to manage these thousands of systems, they employed hundreds of fake domains they created, with names like “hugesoft.org” that sound legitimate at first glance.
This intellectual property theft has had huge societal consequences. In 2014, the U.S. charged 5 Chinese hackers with cyber espionage. The victims of the IP theft mentioned included the electrical energy and solar companies Westinghouse and SolarWorld, and U.S. Steel. Quantifying the impact of these thefts is hard. The U.S. indictment mentions:
“In some cases, it alleges, the conspirators stole trade secrets that would have been particularly beneficial to Chinese companies at the time they were stolen. In other cases, it alleges, the conspirators also stole sensitive, internal communications that would provide a competitor, or an adversary in litigation, with insight into the strategy and vulnerabilities of the American entity.”
You can see that it is hard to directly link U.S. company losses and Chinese company gains to the IP theft attributed to APT1’s activities. Let’s review the evidence attributing the decade-long IP theft to the China-backed APT1.
There are several pieces of evidence that squarely point to APT1 originating from, and being backed by, China. First, multiple locations can be traced back to a small area of Shanghai known as the Pudong New Area, from the phone numbers used to register email accounts, IP address locations, and self-identified locations. Second, the targeted industries were part of China’s 12th Five-Year Plan.
Third, the specific building from which APT1’s activities seemed to originate coincides with a unit of China’s armed forces (the People’s Liberation Army): PLA Unit 61398. Mandiant concluded that there were two likely possibilities: either a secret Chinese organization is conducting an espionage campaign right outside PLA Unit 61398, or APT1 is Unit 61398.
While this evidence is quite convincing, there is always the outlandish possibility, given the decentralized and spread-out nature of the Internet, that another hacker engaged in all these activities and made China take the blame. Historically, this is what makes it hard to impose sanctions and ensure compliance from nation states engaging in cyber warfare.
This is not to say that the U.S. does not also engage in cyber warfare. The Stuxnet attack that damaged Iran’s nuclear capabilities is commonly thought to have originated from a joint U.S.-Israel collaboration.
A bot army of IoT devices
Apart from attacks that take advantage of web domain services to obfuscate the connections from their computer networks to targets, there are other devices that can be controlled over the Internet. APT1 took control of thousands of third-party computers across the world so that they could conceal the origin of an attack by routing it through those computers, making it appear as though the incoming traffic came from another country.
But in 2016, it came to light that millions of insecure devices had been compromised as part of large-scale attacks that would knock websites offline. These insecure devices included cameras, digital video recorders, and routers, often with default passwords that had never been changed.
Once compromised, devices would become part of a large group of bots, known as the Mirai botnet, that would target certain servers and bombard them with requests. Due to the large number of requests, these servers would get overloaded and be unable to serve other, legitimate requests. This type of attack is known as a Distributed Denial of Service (DDoS) attack.
The insecure passwords and devices compromised by the Mirai botnet were published in a paper.
Mirai bots would scan the IPv4 address space randomly for devices running standard Internet protocols. They would then attempt to log in using the above dictionary of IoT credentials. Once successful, the bots would send the victim’s IP address and credentials to a report server, which then infected the new device with the malware. Infected devices would in turn scan for new victims, as well as accept DDoS commands from another server.
What was the motivation behind these attacks? In 2017, one of Mirai’s victims, the well-known cybersecurity journalist Brian Krebs, disclosed who he believed was the author of the Mirai botnet code, and their motivations. It was then 20-year-old Paras Jha, who would later plead guilty in court.
Paras Jha was actually the owner of a DDoS mitigation company, ProTraf Solutions, and a student at Rutgers University. Mirai was originally used by ProTraf Solutions to bombard Minecraft servers and then offer DDoS protection services to those same servers. Minecraft is a best-selling video game, and its servers are quite profitable.
Often, competitors are bombarded with DDoS attacks in an effort to get clients to switch servers. Jha was making money in the middle of all this. In addition, the reason Mirai affected so many other servers was that Jha was selling Mirai as a DDoS service for $5k a week, and Mirai’s clients wanted to take down a lot more than Minecraft servers, including Liberia’s internet infrastructure, Krebs’ cybersecurity website, and a large Domain Name System provider, Dyn, resulting in major internet services being taken down across the U.S.
Beyond the Mirai attack, such insecurity across large numbers of IoT devices points to future concerns such as cameras being used for extortion in ransomware schemes, routers being used in phishing schemes, and more.
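The infection cycle described above leaves a recognisable trace on the victim device: one source address working through a short list of factory usernames against the telnet service within seconds, sometimes followed by a successful login. The following is an added example, not part of the post or of the Mirai research it cites, showing how a defender could pick that pattern out of device logs. The log format, hostnames, addresses and thresholds are all constructed for illustration; real devices log in their own formats, so the regular expression would need adjusting.

```python
"""Spot the login pattern a Mirai-style dictionary sweep leaves on a device:
one source trying several default usernames against telnet in quick succession,
and whether any of those attempts succeeded.
Added example; the log lines below are constructed in a syslog-like format."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: one line per login attempt on an IoT camera's telnet service.
SAMPLE_LOG = """\
2016-09-20T03:14:01Z cam01 telnetd: login failed user=root from=203.0.113.7
2016-09-20T03:14:02Z cam01 telnetd: login failed user=admin from=203.0.113.7
2016-09-20T03:14:03Z cam01 telnetd: login failed user=support from=203.0.113.7
2016-09-20T03:14:04Z cam01 telnetd: login failed user=user from=203.0.113.7
2016-09-20T03:14:05Z cam01 telnetd: login failed user=guest from=203.0.113.7
2016-09-20T03:14:06Z cam01 telnetd: login ok user=root from=203.0.113.7
2016-09-20T03:20:10Z cam01 telnetd: login failed user=admin from=198.51.100.9
2016-09-20T03:45:00Z cam01 telnetd: login ok user=admin from=198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) telnetd: login (?P<result>ok|failed) "
    r"user=(?P<user>\S+) from=(?P<src>\S+)$"
)

# Constructed thresholds: 5+ failures spanning 3+ distinct usernames inside a
# 60-second window, or a success right after failures in that window.
WINDOW_S = 60
MIN_FAILS = 5
MIN_USERS = 3


def parse(log: str):
    """Yield (timestamp, host, result, user, src) for every parseable line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["host"], m["result"], m["user"], m["src"]


def find_sweeps(log: str) -> dict:
    """Return {src: summary} for sources whose attempts look like a sweep."""
    by_src = defaultdict(list)
    for ev in parse(log):
        by_src[ev[4]].append(ev)
    findings = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(events)):
            # slide the window so it spans at most WINDOW_S seconds
            while (events[end][0] - events[start][0]).total_seconds() > WINDOW_S:
                start += 1
            window = events[start:end + 1]
            fails = [e for e in window if e[2] == "failed"]
            users = {e[3] for e in fails}
            success_after_fail = bool(fails) and window[-1][2] == "ok"
            if (len(fails) >= MIN_FAILS and len(users) >= MIN_USERS) or success_after_fail:
                findings[src] = {
                    "failures": len(fails),
                    "usernames": sorted(users),
                    "compromised": any(e[2] == "ok" for e in events),
                }
                break
    return findings


if __name__ == "__main__":
    for src, info in find_sweeps(SAMPLE_LOG).items():
        print(src, info)
```

In the sample, 203.0.113.7 trips the rule on its fifth failure and is marked compromised because the later `login ok` lands on the same source, while 198.51.100.9 (one failure, then a success 25 minutes later) stays under the thresholds, which is the kind of admin typo the window is meant to tolerate. The more durable fix is the one the post implies: no default credentials and no telnet exposed to the Internet at all.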
Hiding in plain sight on Twitter and GitHub
In 2015, the perpetrators behind the now famous SolarWinds attacks (APT29) were honing their supply-chain skills by taking advantage of commonly used websites: Twitter and GitHub. They did this through 5 key steps:
- The malware, known as Hammertoss, is installed on the target’s computer. This can happen in a variety of ways, for example through a phishing email as discussed in the case of APT1. Hammertoss contains an algorithm that generates a Twitter handle to visit, e.g. “1abBob52b,” which would have the URL “https://www.twitter.com/1abBob52b”.
- APT29 uses the same algorithm to generate that handle and registers a Twitter account for it. Next, APT29 tweets a URL and a hashtag, as below, from the newly created account.
- Hammertoss visits the Twitter handle and then the website in the tweet, which is often a GitHub URL or a compromised website. Hammertoss then downloads an image from that URL which contains encrypted data.
- To decrypt the image, Hammertoss uses the information after the hashtag. In this case, 101 means that the hidden data is offset 101 bytes into the image, and the characters to be used for decryption are “docto”.
- The encrypted data in the image might include instructions such as commands to upload victim information to cloud storage systems, along with the login credentials. The entire cycle repeats the next day, with the algorithm generating a different Twitter handle each time.
This malware is incredibly hard to detect because its footprint consists of communication with otherwise standard public websites that employees might routinely visit: Twitter, GitHub, and cloud storage services. This is quite an ingenious set of methods, taking advantage of interdependent vulnerabilities in interconnected systems.
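The image in step four looks like an ordinary picture to a proxy or an antivirus scanner, which is what makes it hard to detect. One of the few cheap structural checks a defender can run on downloaded images is whether anything sits past the point where the format says the file ends. The following is an added example, not code from the post or from the FireEye Hammertoss analysis: it builds a minimal valid PNG in code, appends a constructed placeholder payload after the IEND chunk, and measures the trailing bytes; the JPEG branch does the same against the EOI marker. The payload bytes are a placeholder, not Hammertoss data, and the 101-byte gap simply echoes the offset mentioned in the post.

```python
"""Measure data appended after an image's end-of-file marker, a simple
indicator for content hidden inside otherwise ordinary image downloads.
Added example: the PNG is generated here and the appended payload is a
constructed placeholder, not malware data."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Length + type + data + CRC32 over type and data, per the PNG spec."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png(width: int = 1, height: int = 1) -> bytes:
    """Minimal valid 8-bit RGB PNG filled with black pixels."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    # each scanline: filter byte 0 followed by width RGB triples
    raw = b"".join(b"\x00" + b"\x00\x00\x00" * width for _ in range(height))
    return (PNG_SIG + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", zlib.compress(raw))
            + png_chunk(b"IEND", b""))


def png_end_offset(data: bytes) -> int:
    """Offset just past the IEND chunk, found by walking the chunk list.
    Returns -1 if the data is not a PNG or the chunks run out before IEND."""
    if not data.startswith(PNG_SIG):
        return -1
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        ctype = data[pos + 4:pos + 8]
        pos += 8 + length + 4          # header + data + CRC
        if ctype == b"IEND":
            return pos
    return -1


def jpeg_end_offset(data: bytes) -> int:
    """Offset just past the first EOI marker (FF D9); -1 if not a JPEG."""
    if not data.startswith(b"\xff\xd8"):
        return -1
    idx = data.find(b"\xff\xd9", 2)
    return idx + 2 if idx >= 0 else -1


def trailing_bytes(data: bytes) -> int:
    """Bytes after the format's end marker (0 = clean). Returns -1 when the
    format is unrecognised or malformed, which is worth its own finding."""
    end = png_end_offset(data)
    if end < 0:
        end = jpeg_end_offset(data)
    return len(data) - end if end >= 0 else -1


if __name__ == "__main__":
    clean = make_png()
    # Constructed placeholder for hidden content appended after the image.
    stuffed = clean + b"\x00" * 101 + b"PLACEHOLDER-HIDDEN-DATA"
    print("clean png trailing bytes:", trailing_bytes(clean))      # 0
    print("stuffed png trailing bytes:", trailing_bytes(stuffed))  # 124
```

Two caveats a practitioner would want stated: the JPEG branch stops at the first EOI marker, so files with embedded EXIF thumbnails (which carry their own EOI) will report false trailing data and need a marker-aware parser; and data can equally be hidden inside pixel values or ancillary chunks, where this check sees nothing. It is one cheap signal to combine with the behavioural one the post highlights, a workstation fetching a fresh Twitter handle and an image from it every day.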
There’s a remarkable parallel with the SolarWinds attacks (now also attributed to the same hacking group, APT29) during which hackers took advantage of vendor relationships and security vulnerabilities to infiltrate multiple governmental organizations and Fortune 500 companies through the commonly used SolarWinds Orion platform.
I’ve shown 3 ways that hackers take advantage of the Internet to carry out their goals.
- Domain services. APT1 (attributed to the Chinese government) carried on a decade-long cyber espionage campaign in which they stole hundreds of terabytes of intellectual property from multiple U.S. companies. This was enabled by thousands of IP addresses, hundreds of fake domains, and phishing emails from seemingly legitimate origins.
- Insecure IoT devices. Originally intended to target Minecraft servers, the Mirai botnet was the creation of a 20-year-old student from Rutgers, who built an army of millions of devices that overloaded their targets with requests as part of DDoS attacks.
- Hiding in plain sight by storing malicious information on legitimate public websites such as Twitter and GitHub. APT29 (attributed to Russia, and the hacking group behind the recent SolarWinds attacks) was able to hide instructions telling its malware to execute specific commands, such as uploading data to cloud servers, by storing those commands on Twitter and GitHub accounts created by the group. As a consequence, this was quite hard to detect, as most of these communications resembled the normal activities of employees.
Recent supply chain cyber attacks have illustrated that attacks that take advantage of interconnected systems and insecure blind spots between system architectures are becoming more popular, and having larger consequences.
Multiple organizations can be impacted by a single software breach of a commonly used vendor, due to downstream impacts. This is of even more concern with the rise in connected technologies that are intertwined with the critical functions of society.
For example, a large-scale hack of Internet connected vehicles would have physical transportation impacts beyond compromised vehicle computer networks (see my research article on this).
5G promises to revolutionize IoT by being able to handle many more connected devices, and ensure much faster communications. However, this also means that critical societal functions (e.g. transportation) will get increasingly reliant on connecting with the Internet.
Consequently, it is inevitable that the hacking surface area exposed will increase — there will be more vulnerable devices, and more types of vulnerabilities will show up in the new types of devices being developed for 5G. At the same time, due to increasing interdependence, the effects of large-scale hacks will be felt more deeply, due to the downstream effects.
If we have learnt anything from the recent Colonial Pipeline ransomware attack, it is that U.S. energy infrastructure (as well as other critical infrastructure) is vulnerable to downstream impacts from cyber-attacks. I’m hopeful that building resilience to cyber-attacks, enabled by a holistic understanding of the complex interdependencies between multiple organizations and public infrastructures, will be at the frontier of cybersecurity in the coming decade.
Senior Data Scientist in NLP. Creator of https://www.answerchatai.com/