The Washington PostDemocracy Dies in Darkness

Marcus Christian on CyberVor and protecting against computer crime

I’ve found the CyberVor stories in the news to be very interesting (crime! computers! Russians!) but haven’t known enough about them to opine. Fortunately, Marcus Christian — an extremely experienced former federal prosecutor who is now a colleague of mine at Mayer Brown LLP — has been following the story closely and was good enough to pass along this analysis.

* * *

Cybercrime is big business. According to a June 2014 study by the Center for Strategic and International Studies and McAfee, the annual economic cost of cybercrime is $475 billion and growing. The growth in costs result in part from the increasing productivity of cybercriminals.

Last month, Alex Holden, a cybercrime researcher, reported that a Russian cyber gang has built a database of 4.5 billion stolen Internet credentials. According to Holden, the records constituted the largest known assembly of stolen online credentials and included 1.2 billion user name and password combinations and more than 542 unique million e-mail addresses.

The reported size of the CyberVor database has caused great concern among the gang’s victims, who include approximately one-sixth of the world’s nearly 3 billion Internet users and a significant number of businesses from around the world. But the CyberVor gang’s victims should not be the only people and organizations concerned. The most important information that Holden provided was not simply about the size of the gang’s database; it was how the men built their database and what that means for cybersecurity. CyberVor’s actions in building its database underscored (1) the power of the black market for obtaining stolen data and the tools, techniques and services to steal data and commit other cybercrimes; (2) the danger of ignoring vulnerabilities; and (3) the need to develop and maintain strategic alliances.

Holden described the group behind the illicit database as consisting of fewer than 12 Russian men in their 20s. Calling the group the “CyberVor” gang (a name that he created by adding the Russian word for thief to “cyber”), Holden said the members began working together in 2011 as amateur spammers. The CyberVor gang started its database by buying an unspecified number of credentials through the black market. This April, Holden believes, the group either obtained the tools and techniques or services from another organization to accelerate the group’s collection of credentials dramatically.

The group began using a botnet, which is essentially an army of unsuspecting users’ computers infected with malicious programming. Once infected, a botnet computer becomes a bot that follows a botmaster’s commands. In this instance, either the CyberVor gang or an external botmaster instructed each botnet computer to examine every Web site it visited for vulnerability to Structured Query Language (SQL) injections, a well-known hacking technique used to obtain the contents of a database.

Although the size of the botnet has not been disclosed, it flagged more than 400,000 vulnerable sites for the gang to exploit. In the words of Alex Holden, the CyberVor gang “conducted possibly the largest security audit ever.” Later, the gang extracted an unknown number of username and password credentials, which it added to its database.

The black market was essential in the CyberVor gang’s development as a criminal enterprise. It began its cybercrime activities by purchasing databases of stolen Internet credentials from the black market. It then found customers for its spam services through the black market. Later, the group returned to the black market to enlist a botnet to search for SQL injection vulnerabilities, which have been exploited for more than a decade.

Nothing in Holden’s description of the group indicated that its members possess high-level computer hacking skills; but the black market allowed the men to purchase or hire the expertise they needed to execute their large-scale hacks. In a report released this year, the Rand Corp. explained that the cyber black market operates similarly to a traditional market in that participants use various channels to communicate, place their orders and get products.

The report added that the black market enables many criminals to make more money that they did trafficking drugs. By lowering the barriers to engaging in cybercrime and by enabling cybercriminals to make higher profits, the black market has helped fuel the steady increase in the number of cybercriminals.

All other things being equal, more cybercriminals will commit more cybercrimes. Some businesses have ignored cybercrime trends, instead clinging to unrealistic hopes that they will beat the odds. For example, among businesses with fewer than 25 employees, only 19 percent in a global survey conducted by Kaspersky Laboratories identified IT strategy as one of their top strategic concerns. The businesses’ leaders believed that they were “too small” to care about cyberattacks “that may never happen.” Contrary to that opinion, the CyberVor gang “did not differentiate between small or large sites . . . they targeted every site that their victims’ [infected computers] visited.”

As noted above, Holden described the gang’s approach as an “audit” of the Internet for SQL injection vulnerabilities. Without more information about the size of the botnet, the number of total sites visited out of the Internet’s almost 1 billion sites, or the total number of Web sites that are vulnerable to the exploit, it is impossible to evaluate how much the botnet search resembled an audit.

Nevertheless, the days when malware could take six months to find a vulnerable port have passed. The CyberVor gang’s ability to identify more than 400,000 vulnerable sites and steal hundreds of millions of credentials from them in a short time sends an unmistakable message to businesses. The probability that criminals will not find and exploit a weakness is virtually zero.

When addressing difficult criminal trends, such as international drug trafficking and violent crime, elected and appointed officials often admit that America cannot arrest its way out of the problem. Holden’s report about the CyberVor gang reinforces that point.

Although the group broke the laws of an untold number of nations, its members reside in Russia, a country that does not extradite alleged criminals to other countries. Even if Russia were to send the CyberVor gang’s members to face prosecution abroad, other cybercriminals would take their place. After the organization behind the online market was charged in a RICO (Racketeer Influenced Corrupt Organization) indictment in 2012 for trafficking in counterfeit identification documents, stolen bank account information and stolen credit account information, other groups quickly replaced it.

This does not mean that law enforcement agencies lack a critical role in fighting cybercrime or that businesses must face threats on their own. To the contrary, law enforcement agencies must assume broader roles and bear greater burdens. Law enforcement agencies must work vigorously to understand and analyze cybercrime threats and trends and to investigate and solve crimes.

Businesses must assess and address their technological and human vulnerabilities vigilantly. But they also should collaborate with their peers, outside counsel and law enforcement agencies. Among other things, such cooperation enables businesses to identify current threats, track critical developments and learn best practices. Cooperation also allows entities to forge relationships that will be vital in responding to crises. Moreover, working with industry groups can enable companies to pool resources and communicate regularly with policymakers to advocate for needed laws, including legislation to reduce cybercrime mitigation costs and to make cybercrime less profitable for organized crime groups. Individual businesses cannot afford to face cybercriminals alone.

Nor can they afford to ignore the central lesson from the news about the CyberVor gang: audit you own security before cybercriminals do it for you. The days of living by the old adage that “it is better to be lucky than good” are over. In today’s world, where groups from all over launch damaging cyberattacks every day, it is much more helpful to heed the advice of military leaders: “The more you sweat in peace, the less you bleed in war.”