Passwords are a weak form of protection and complacency runs high. We might not think that we, as individuals, would be unlucky enough to be targeted by hackers, or that we’re worth hacking at all. But that complacency extends from smartphone-toting citizens right up to government contractors and employees of multinational corporations.
This week, Microsoft said it had seen a surge in activity from a suspected state-sponsored group of hackers, thought to be Iranian, targeting companies in the Middle East working in defence, fossil fuels and maritime transportation. Its strategy? Guessing the passwords of Microsoft Office 365 users. Its success rate? Of more than 250 targets, fewer than 20 systems were compromised. The spoils? Data such as shipping plans, logs and satellite imagery, which, Microsoft says, could assist with Iran’s developing satellite programme.
It wasn’t a sophisticated attack, but it was an effective one. Microsoft says it used a freely available research tool to blast a series of commonly used passwords at vulnerable systems. Known as “password-spraying”, the technique is more about brute force than subtlety, but any large organisation will inevitably have a small number of systems protected by weak passwords, and these provide an incredibly convenient point of entry.
A survey conducted earlier this year by software firm Keeper Security found that more than a third of employees have incorporated their company's name into a new work-related password. The company also reported high usage of family names or birth dates. For state-sponsored hackers with a wealth of tools at their disposal, accounts secured in this way are the lowest of low-hanging fruit.
Such hackers are known as APTs, or “advanced persistent threats”, and security monitoring groups give them codes to match. The North Korean APT38, for example, also known as the Lazarus Group or Zinc, has achieved a number of successful, high-profile attacks – including a crippling one on Sony Pictures – going back as far as 2009. Their aims and strategies are self-evident: they have specific objectives to disrupt, steal or observe – usually for political or economic ends – and crucially they have the skills, time and resources to succeed.
Proving that nation states are behind APTs and their attacks is difficult; the origin of a single cyber attack is hard to detect and responsibility for it is easy to deny. But the label “state-sponsored” can cover a multitude of different involvements - some hacker groups may be tightly integrated within government departments, while others could be third parties to which governments choose to turn a blind eye because their aims happen to align very neatly. The current world leader in hacking is, according to Microsoft, Russia, as it says 58 per cent of attacks from July 2020 to June 2021 originated there, with North Korea second (23 per cent) and Iran third (11 per cent). The US and Ukraine were the most besieged by cyber attacks, receiving 46 per cent and 19 per cent, respectively.
The recent breach of a handful of systems via Microsoft Office would seem, on the face of it, to be a comparatively minor incident. But the past decade has demonstrated the potential that state-sponsored hackers have to wreak havoc. In 2017, the so-called “WannaCry” attack, thought to have originated in North Korea, caused huge disruption to health services in the US and the UK, along with Russian banks and corporations including Nissan. In 2018, hackers in Russia conducted a mass cyber-campaign against home routers and ISPs around the world, with weak passwords again providing them with easy pickings. In 2017, Iran was suspected of a malware attack that caused infrastructure systems in Saudi Arabia to be shut down. Connectivity has brought with it vulnerability.
The coronavirus pandemic has sparked an escalation in nefarious activity, with Google reporting bad actors using “Covid-related themes” to attack US government employees through phishing scams (including posing as fast-food outlets), while Microsoft reported a Russian hacking group called Strontium (APT28) using password-spraying in an attempt to infiltrate medical agencies working on a vaccine.
Crucially, if a weak password gives hackers a foothold, it may be possible for them to gain privileges to access other systems within the organisation. In July, the US government, in response to the rising incidence of malicious cyber activity, offered rewards of up to $10 million for information that would help authorities track down those responsible.
Multimillion-dollar rewards may well help in the fight against these attacks, but Microsoft and Google are also working with companies to prevent something as critical as national security hanging on something as threadbare as a weak password. Microsoft is urging greater use of two-factor authentication (where an extra pass key is required alongside a password) or, more preferably, sign-in methods that don’t use passwords at all. It has recently encouraged wider use of an app, Microsoft Authenticator, which signs in neatly with bolstered security. This week, Google provided 10,000 users deemed at high risk of state-sponsored attacks (activists, journalists, government employees), with free USB security keys to replace their passwords altogether.
Step-ups in security, of course, merely prompt hackers to become more ingenious. Some dispute the validity of the term “cyber warfare”, given that the cyberattacks have neither the scale nor the brutality of actual war. But both sides are mustering all their resources, and the battle – as we are seeing – is undoubtedly real.