Business Standard

Hackers find 'Ideal testing ground' for attacks: developing countries

While US firms employ multiple security products as defensive measures, companies elsewhere do not

Sheera Frenkel | NYT 

In the eye of the AI storm

The attack had the hallmarks of something researchers had dreaded for years: malicious software using artificial intelligence that could lead to a new digital arms race in which AI-driven defences battled AI-driven offences while humans watched from the sidelines.

But what was not as widely predicted was that one of the earliest instances of that sort of malware was found in India, not in a sophisticated British banking system or a government network in the United States.

Security researchers are increasingly looking in countries outside the West to discover the newest, most creative and potentially most dangerous types of cyber attacks being deployed.

As developing economies rush to go online, they provide a fertile testing ground for hackers trying their skills in an environment where they can evade detection before deploying them against a company or state that has more advanced defences.

The cyber attack in India used malware that could learn as it was spreading, and altered its methods to stay in the system for as long as possible. Those were “early indicators” of AI, according to the company Darktrace. Essentially, the malware could figure out its surroundings and mimic the behaviour of the system’s users, though Darktrace said the firm had found the program before it could do any damage.

“India is a place where newer AI attacks might be seen for the first time, simply because it is an ideal testing ground for those sorts of attacks,” said Nicole Eagan, the chief executive of Darktrace.

At times, these attacks are simply targeting more susceptible victims. While companies in the United States will often employ half a dozen security firms’ products as defensive measures, a similar company elsewhere may have just one line of defence — if any.

In the case of attacks carried out by a nation-state, companies in the United States can hope to receive a warning or assistance from the federal government, while companies elsewhere will often be left to fend for themselves.

Cyber security experts now speculate that a February 2016 attack on the central bank of Bangladesh, believed to have been carried out by hackers linked to North Korea, was a precursor to similar attacks on banks in Vietnam and Ecuador.

That hackers managed to steal $81 million from the Bangladesh Bank generated headlines because of the size of the heist. But what interested experts was that attackers had taken advantage of a previously unexplored weakness in the bank’s computers by undermining its accounts on Swift, the money transfer system that banks use to move billions of dollars among themselves each day.

It was an unprecedented form of cyber attack. But since then, the cyber security firm Symantec has found the method used against banks in 31 countries.

The malware discovered by Darktrace researchers stopped short of being a full-fledged AI-driven piece of software. It did, however, learn while it was in the system, trying to copy the actions of the network in order to blend in.

“What was concerning was that this attack, once it got into the network, used AI techniques, like trying to learn the behaviors of employees on the network, to remain undetected for as long as possible,” Ms Eagan said. She said she saw a future in which countries raced against one another to hire people skilled in developing complex algorithms that could be used to run such malware.

Ms Eagan’s company, which has headquarters in Cambridge, England, and San Francisco, has increasingly found incidents in India since it expanded there.

As other cyber security companies enter Southeast Asia, Africa and other parts of the world where they have not had much presence, they will continue to discover new types of malware being tested in those markets, said Allan Liska, a senior threat intelligence analyst at Recorded Future, a cyber security firm based in Somerville, Mass.

“For several years, Taiwan and South Korea have been proven testing grounds for some of the more advanced groups in China,” Mr Liska said. “Those countries have high-speed internet, widespread internet penetration and not a lot of security infrastructure in place.”

He added: “We see a pattern among the attackers. They test something, make improvements, and then six weeks later test again before launching it at their true targets.”

As internet use has expanded in Africa, Mr Liska said, his company has noticed an increase in so-called spear-phishing attacks in which hackers appear to be testing their skills in English- and French-speaking African countries. Spear phishing employs messages that appear innocuous but contain dangerous malware. They are one of the most popular forms of cyber attacks, though they largely depend on the attackers’ ability to hone a message that can fool a victim into opening a link or attachment.

He said that in the spear-phishing tests his company had found, attackers appeared to be testing their language, but did not include the actual malware in the link, what he described as the payload.

“They save that payload for when they are going to actually launch their attack in whatever French- or English-speaking country they are after,” Mr Liska said.

Countries across Southeast Asia and the Middle East that have come online over the last decade have been tempting targets for hackers, said Chris Rock, an Australian security researcher and chief executive of the firm Kustodian.

“They are a testing ground for different kinds of environments,” he said. “For hackers, they can be low-hanging fruit.”

Doing tests in a country that presumably has fewer defences is a double-edged sword, Mr Rock said. On one hand, attackers can hone their skills. On the other hand, they risk being discovered. Once a cyber security firm has the signature of an attack, it can build defences against it, and spread those defences among its clients.

Mr Rock said that if one target “has, actually, installed a good defence and you get caught, then you have wasted your time.”

First Published: Wed, July 05 2017. 12:08 IST