{"id":9098,"date":"2021-12-06T08:34:15","date_gmt":"2021-12-06T11:34:15","guid":{"rendered":"https:\/\/www.fie.undef.edu.ar\/ceptm\/?p=9098"},"modified":"2021-12-06T08:34:15","modified_gmt":"2021-12-06T11:34:15","slug":"la-industria-de-defensa-se-enfrenta-a-ciberataques-destructivos-y-enemigos-mas-agresivos","status":"publish","type":"post","link":"https:\/\/www.fie.undef.edu.ar\/ceptm\/?p=9098","title":{"rendered":"The defense industry faces destructive cyberattacks and more aggressive enemies"},"content":{"rendered":"<p>Not content with stealing secrets, foreign cyber attackers targeting the US defense industrial base are becoming increasingly belligerent when incident response teams find them, acting aggressively and sometimes resorting to destructive attacks when pressed, according to VMware Head of Cybersecurity Strategy Tom Kellermann. The adversary now does not just want to steal national secrets. The adversary wants to use the defense contractor\u2019s identity and then attack government agencies.<\/p>\n<hr \/>\n<p>WASHINGTON: Not content to just steal secrets, foreign threat actors targeting the defense industrial base are increasingly becoming more belligerent when encountered by incident response teams, actively engaging cyber defenders and sometimes turning to destructive attacks when pressed, according to VMware Head of Cybersecurity Strategy Tom Kellermann.<\/p>\n<p>\u201cThe game has changed,\u201d Kellermann told Breaking Defense in a recent interview. \u201cThe adversary now doesn\u2019t just want to break into defense contractor x and steal national secrets. 
The adversary wants to break into defense contractor x and then use their digital transformation to attack government agencies.\u201d<\/p>\n<p>VMware, usually viewed as an IT infrastructure company best known for its cloud computing and virtualization tech, counts federal government agencies, NATO countries, and Five Eyes partners among its cybersecurity clients. It\u2019s one of the original 15 companies in the Cybersecurity and Infrastructure Security Agency\u2019s new\u00a0<a href=\"https:\/\/www.cisa.gov\/jcdc\" target=\"_blank\" rel=\"noopener\">Joint Cyber Defense Collaborative, or JCDC<\/a>.<\/p>\n<p>VMware recently released its latest\u00a0<a href=\"https:\/\/www.vmware.com\/content\/dam\/digitalmarketing\/vmware\/en\/pdf\/docs\/vmwcb-report-global-incident-response-threat-report-manipulating-reality.pdf\" target=\"_blank\" rel=\"noopener\">Global Incident Response Threat Report<\/a>, wherein the company says more than 100 industry respondents polled reported experiencing \u201cintegrity and destructive attacks\u201d 51% of the time, while two-thirds of respondents report these types of attacks 81% of the time.<\/p>\n<p>Likewise, Kellermann said that while it hasn\u2019t happened at a \u201csystematic, scalable level,\u201d his team has seen a \u201csurge in destructive attacks, [data] wipers being deployed on systems, ransomware <a href=\"https:\/\/us-cert.cisa.gov\/ncas\/alerts\/TA17-181A\" target=\"_blank\" rel=\"noopener\">NotPetya<\/a>-style, where they\u2019re not asking for ransom. They\u2019re trying to cripple the systems and attack the integrity of data itself.\u201d<\/p>\n<p>In particular, Kellermann noted a \u201cspike\u201d in the manipulation of timestamps, which VMware calls a \u201cChronos attack\u201d and has been observing more frequently. 
He said there\u2019s also been a \u201csurge\u201d in \u201ccounter-incident response,\u201d wherein adversaries are \u201creally fighting back and engaging defenders in a bid to stay on systems.\u201d<\/p>\n<p>Kellermann said he believed the developments are \u201cdirectly in line with geopolitical tensions\u201d between the US and other Western countries on one side and Russia and Belarus on the other. Last week, cybersecurity company Mandiant\u00a0<a href=\"https:\/\/www.mandiant.com\/resources\/unc1151-linked-to-belarus-government\" target=\"_blank\" rel=\"noopener\">revealed \u201chigh confidence\u201d in a link<\/a>\u00a0between the Belarus government and the multi-year, ongoing \u201cGhostwriter\u201d cyberespionage and information operations campaign.<\/p>\n<p>Kellermann also said the \u201cunprecedented level of tension\u201d between the US and Russia is \u201cbubbling over into cyberspace\u201d via more aggressive campaigns by threat actors such as\u00a0<a href=\"https:\/\/www.microsoft.com\/security\/blog\/2021\/10\/25\/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks\/\" target=\"_blank\" rel=\"noopener\">NOBELIUM<\/a>, the threat group linked to Russia and the one suspected behind the SolarWinds attack. 
But Kellermann said NOBELIUM\u2019s other operations are potentially \u201c100 times more significant than SolarWinds in that it\u2019s attempting to commandeer technology infrastructure and the digital transformation of the US government through partners and then using those footprints to then attack the government itself.\u201d<\/p>\n<p>Kellermann added that the escalation of cyberattacks against the defense industrial base \u201cis compounded by the fact that the Chinese have been very active.\u201d But, he said, \u201cthe Chinese don\u2019t leverage destructive attacks like the Russians.\u201d<\/p>\n<p>And Kellermann did suggest there are signs that the Russians and Chinese are increasing collaboration on cyber operations.<\/p>\n<p>\u201cThe\u00a0<a href=\"https:\/\/www.uscc.gov\/research\/shanghai-cooperation-organization-testbed-chinese-power-projection\" target=\"_blank\" rel=\"noopener\">Shanghai Cooperation [Organization]<\/a>\u00a0goes far beyond economic cooperation between Russia and China, as evidenced by joint military maneuvers,\u201d Kellermann said. \u201cAnd those joint military maneuvers are not limited to the physical landscape of the world. The nature of what we\u2019re facing here is quite significant.\u201d<\/p>\n<p>Kellermann\u2019s comments to Breaking Defense came one day before the former director of CISA Chris Krebs\u00a0<a href=\"https:\/\/breakingdefense.com\/2021\/11\/former-cisa-head-warns-that-us-adversaries-could-use-destructive-cyber-capabilities\/\" target=\"_blank\" rel=\"noopener\">warned an industry audience<\/a>\u00a0of the current \u201cscary environment.\u201d Krebs said many countries have \u201cdestructive\u201d cyber capabilities and that, in his view, it\u2019s just a matter of time before someone leverages those capabilities against US infrastructure. 
Such an attack, were it to ever materialize, would be viewed by US officials as a major escalation.<\/p>\n<p>VMware\u2019s cybersecurity expertise grew when it acquired US company Carbon Black in August 2019, which is when Kellermann joined VMware. Carbon Black\u2019s tech was developed in the National Security Agency\u2019s storied Office of Tailored Access Operations, which is the NSA\u2019s offensive intelligence arm.<\/p>\n<p>Kellermann told Breaking Defense the destructive attacks and attacks on data integrity are \u201cnot happening at a systemic, scalable level, but they\u2019re happening as you see this escalation to more punitive retribution by these threat actors, not all of which are part of the intelligence services, by the way, of these countries.\u201d<\/p>\n<p>Kellermann said this necessitates defense industrial base companies adopting active defense techniques that include, according to the VMware report, \u201ca spectrum of activity that ranges from deception technology to hacking back.\u201d\u00a0<a href=\"https:\/\/breakingdefense.com\/2021\/07\/proposed-hack-back-bill-tells-dhs-to-study-allowing-companies-to-retaliate\/\" target=\"_blank\" rel=\"noopener\">Congress introduced legislation<\/a>\u00a0this summer that would require the Department of Homeland Security to study allowing some companies to hack back and then develop policy recommendations.<\/p>\n<p>Kellermann said neither he nor VMware advocate for companies hacking back, but rather urge companies to look at other active defense techniques, such as deception networks and microsharding data.<\/p>\n<p><strong>Source:<\/strong> <a href=\"https:\/\/breakingdefense.com\/2021\/11\/the-game-has-changed-vmware-exec-says-defense-industry-faces-destructive-cyberattacks-belligerent-foes\/\" target=\"_blank\" rel=\"noopener\"><em>https:\/\/breakingdefense.com<\/em><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Not content with stealing secrets, foreign cyber attackers 
targeting the US defense industrial base are becoming increasingly belligerent when the&hellip; <\/p>\n","protected":false},"author":1,"featured_media":9099,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[2,23,28],"tags":[],"_links":{"self":[{"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/posts\/9098"}],"collection":[{"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=9098"}],"version-history":[{"count":1,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/posts\/9098\/revisions"}],"predecessor-version":[{"id":9100,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/posts\/9098\/revisions\/9100"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/media\/9099"}],"wp:attachment":[{"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=9098"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=9098"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=9098"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}