not your usual cybercrime suspect
16 May 2018
The 2018 Global Threat Intelligence Report (GTIR) was released last month which brought up some intriguing data.
TEISS caught up with one of the researchers behind the report, Jon Heimerl, Manager of the Threat Intelligence Communication Team at NTT Security for deeper analysis.
By way of background, NTT Security analysed data from over 6.1 trillion logs and 150 million attacks for the GTIR, highlighting global and regional threat and attack trends based on log, event, attack, incident and vulnerability data from NTT Group operating companies.
The report showed that the United States, China, France, Germany and…the Netherlands, ranked among the top attack source countries globally. The fact that the Netherlands was on the list came as a surprise.
The Netherlands – not the typical cybercrime suspect
Jon explained that this is because the Netherlands has excellent internet infrastructure, with a diverse set of Internet Service Providers (ISPs) and hosting providers. Cybercriminals who want to use those services can do so easily, either by compromising systems or by buying legitimate services from a provider that is not especially careful about whom it sells to.
“These services can be paid for with valid credit cards, or with stolen cards if the use is potentially short term. Obtaining such server access allows the attackers to host exploit kits, botnets and other tools on modern infrastructure in a central location, which may also be closer to the potential victim,” he says.
Jon continues: “The attacker can usually expect better bandwidth and a more reliable service if they are only a few kilometres from their victim than they can if they are thousands of kilometres away.”
Also, Jon says, some companies filter on geography. “If ‘Company A’ never does business with Russia, they might block all traffic from Russian IP addresses. But, if the attacker is using a server in the Netherlands, that allows them to use resources local to the target and maximize the use of great bandwidth and modern servers, while obfuscating their trail, regardless of where the cybercriminal is actually physically sitting,” he says.
Russia not in the top 10 cyber attack source countries
Another interesting finding that defied expectations was that Russia appeared no higher than tenth as a source of nefarious activity.
Russia is interesting, Jon says, as everyone knows they are active on the internet. “But, like many attackers, Russian sources go out of their way to hide their activity, better than many other sources,” he states.
“Using an alternate source of attack (or many alternate sources of attack) is one way to bypass geographic filtering. It is also a way to disrupt the process used to profile and identify attackers and attacks. In other words, definitive attribution becomes much more difficult, and can be important, since knowing who is attacking you may help you plan your best response,” Jon explains.
Jon describes the scenario: “If my company is under attack from one source (say, an ISP in the Netherlands), I might recognize that as a common IP address range associated with hostile activity from a specific attacker. But the attacker knows that, so they also want to hide who they are to make it more difficult to identify them.
“So the next time they will attack from a different IP address in the Netherlands, or from an IP address in Norway, Germany or the United States. The more information a company has about who is attacking them, the better they will be able to defend themselves,” Jon explains.
He continues: “If the company can see all attacks over the past two weeks were from a single IP address range, they can probably identify that as a single campaign from a single attacker.
“If those same attacks appear to originate from 23 different IP addresses from seven countries, it may be harder for the victim to recognize patterns, helping to mark who the attacker is and what they are doing,” he adds.
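As an added illustration that is not part of the article or of the NTT report, the defender's side of the point Jon makes above: a plain geo-filter only ever sees the proxy's country, and clustering attacks by source range fragments a campaign that has been spread over several countries, whereas clustering by a behavioural fingerprint (request path, user agent, payload hash) pulls it back together. The events, addresses (RFC 5737 documentation ranges) and fingerprint format are all constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample events (not from the report): one logged request each, with the
# source address, its GeoIP country and a behavioural fingerprint of the request
# (path | user agent | payload hash) that survives a change of source address.
EVENTS = [
    {"src": "203.0.113.17",   "country": "NL", "fp": "POST /wp-login.php|UA-x1|a9f3"},
    {"src": "203.0.113.84",   "country": "NL", "fp": "POST /wp-login.php|UA-x1|a9f3"},
    {"src": "198.51.100.9",   "country": "DE", "fp": "POST /wp-login.php|UA-x1|a9f3"},
    {"src": "192.0.2.200",    "country": "US", "fp": "POST /wp-login.php|UA-x1|a9f3"},
    {"src": "192.0.2.77",     "country": "US", "fp": "GET /robots.txt|UA-crawler|0000"},
    {"src": "198.51.100.130", "country": "NO", "fp": "POST /wp-login.php|UA-x1|a9f3"},
]

def geo_blocked(event, blocked_countries):
    """Plain geography filter: drops an event only if its GeoIP country is on the list."""
    return event["country"] in blocked_countries

def cluster_by_prefix(events, prefixlen=24):
    """Group events by source network (default /24): the 'one range = one attacker' view."""
    groups = defaultdict(list)
    for e in events:
        net = ipaddress.ip_network(f'{e["src"]}/{prefixlen}', strict=False)
        groups[str(net)].append(e)
    return dict(groups)

def cluster_by_fingerprint(events):
    """Group events by behavioural fingerprint, which is costlier to vary than an IP."""
    groups = defaultdict(list)
    for e in events:
        groups[e["fp"]].append(e)
    return dict(groups)

def campaign_summary(events):
    """Per fingerprint cluster: event count plus how many sources and countries it spans."""
    out = {}
    for fp, evs in cluster_by_fingerprint(events).items():
        out[fp] = {"events": len(evs),
                   "sources": len({e["src"] for e in evs}),
                   "countries": sorted({e["country"] for e in evs})}
    return out

if __name__ == "__main__":
    # A Russia-only geo-block catches nothing here: every event arrives via another country.
    print("geo-blocked:", [e["src"] for e in EVENTS if geo_blocked(e, {"RU"})])
    print("by /24:", {k: len(v) for k, v in cluster_by_prefix(EVENTS).items()})
    print("campaigns:", campaign_summary(EVENTS))
```

Grouping by /24 yields three unrelated-looking clusters of two events each; grouping by fingerprint shows one campaign of five events from five addresses in four countries, plus one unrelated crawler hit.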
Cyber attribution disguise
Russian sources have historically been very good at distributing their attack sources across non-Russian sites, Jon explains, something the world saw at the opening ceremony of the Olympic Games in South Korea earlier this year.
There were strong indications that the attacks had originated from North Korea – but they were actually Russian hackers trying to disguise themselves as North Korean.
“That means Russian cyberattacks will sometimes show up as attacks from Russia, but will also appear to be from the Netherlands, France, Germany and the United States,” Jon says.
He continues: “On the other hand, comparatively fewer cybercriminals are using compromised systems or buying services from within Russia, and attacking out from those Russian systems. This is not to say it never happens, but the volume of attackers proxying out of non-Russian countries is far larger.”
For more on this topic, Jon-Louis Heimerl’s blog is worth a read.
To learn more about the trends identified, follow the link to download the NTT Security 2018 GTIR.