Hyppönen claims we’re in a new era where the ‘fog of cyberwar’ is preventing us from knowing who is attacking who, as North Korea becomes likely suspect for bank heists
“There are different theories on who is behind this. One theory looks at the technical evidence,” he told a keynote audience at Infosec 2016 in London.
“I’m not saying North Korea did the SWIFT attack, but North Korea did the SWIFT attack.”
It was May when security firm Symantec announced it had traced the worldwide bout of bank cyber heists to North Korea, following a piece of code that had also been found in the December 2014 Sony Pictures hack.
That hack was originally pinned on North Korea after the NSA admitted it had infiltrated North Korean networks and had been watching the attack unfold the whole time.
The clue in question is an encryption key that allows the attackers to be notified of their attack’s progress.
“We’ve seen this before once, back in December 2014, in a completely unrelated attack, in a completely unrelated piece of malware that used the same key,” said Hyppönen.
“There’s a criminal link between these two attacks. Sony Pictures was a target of a major hack after they announced a movie making fun of the dictator of North Korea.
“The attacker was unusually aggressive. They leaked whole email histories of every single employee. As soon as this started happening, the US government announced it was North Korea. How could they possibly know?” he said.
It was the New York Times that broke the story of the NSA already having infiltrated North Korean networks prior to the Sony Pictures hack.
“What I am saying is that this [Sony] attack shared the same, secret key with the attack linked to SWIFT.
“The attackers actually tried wiring over $900 million, by any measure that’s a lot of money. It’s getting close to a billion. That’s big money for governments in trouble, especially a government in trouble like North Korea’s,” Hyppönen said.
The security expert, who has worked at security firm F-Secure for 25 years, said that North Korea may be trying to make up for its economic deficits.
“Do you know what the annual budget is of the whole country of North Korea? It’s a little less than $4 billion. So is this North Korea trying to fix its budget deficit by stealing from the rest of the world? Well maybe it is,” he said.
“What we know for certain is that this is the first time in history that we have seen a nation state attack which is not done for espionage, spying or sabotage, but which is actually done for stealing money. And for that, it’s completely unique. We’ve never seen this before.”
Hyppönen likened the current state of cyberwar to the nuclear arms race, but with one major difference: no one knows who is conducting the cyberwarfare.
“So the world around us is changing. I use the term ‘fog of cyberwar’. Now of course, attacks like the SWIFT attacks aren’t war. But we have recent examples of attacks that are much closer to real cyberwar,” Hyppönen said, pointing to the Ukraine power plant attacks by Russia last year.
“The fog of cyberwar comes from us not knowing the capabilities of other countries. We just got out of the previous arms race. We just got out of the cold war, just out of the nuclear arms race. We’re not really worried daily about the risk of nuclear war anymore. But we’ve gone headlong into the next arms race, the cyber arms race. The nuclear arms race was all about deterrence. It was about knowing who has nuclear weapons. We don’t have that information for cyberarms. Cyberarms are invisible.
“We don’t know who has what. This is the fog of the cyberwar. What is the offensive cyber capability of Brazil? What about Vietnam or Australia? That’s the fog of the cyberwar. Cyberarms are the perfect weapons. They are cheap, effective, and they are deniable. That’s a great combination,” said Hyppönen.