State Sponsored Hackers - How do Apple and Google know who the attackers are?

Cloud providers such as Apple, Google and Microsoft issue warnings about state-sponsored hacking when they detect certain patterns, such as the nature of the tools used and the scale of the attacks.
Many governments are believed to have massive armies of hackers at their disposal

Apple Inc has refused to disclose further details about what prompted its systems to issue warnings of state-sponsored hacking to Indian political leaders such as Mahua Moitra, Priyanka Chaturvedi and Shashi Tharoor, so as to prevent such attackers from avoiding those triggers in the future.

While this may be the first time such warnings have hit the headlines in India, many users in India have been receiving such alerts in the past, and not just from Apple, but also other cloud providers like Google.

What are 'state-sponsored groups' and how are they identified?

The first question that comes to mind when reading about such warnings is what are 'state-sponsored' groups, and how can Apple, Google or Microsoft know that an attacker is indeed 'state-sponsored'.

Broadly, 'state-sponsored' is used to mean government agencies, including intelligence agencies and police departments. However, the term also covers third-party hackers and off-book, clandestine groups and companies hired by governments to hack into the accounts of activists, opposition leaders and other private citizens. Governments hire such external agencies when they know that their actions are not strictly legal and want deniability.

Cloud providers try to identify whether an attack is coming from state-sponsored groups by analysing several factors, the most important of which are the scale and degree of sophistication involved in the attempt.

While attempts to break into peoples' phones and computers are routinely made by individual hackers, government agencies and private companies employed by governments bring in far more resources to the game.

This plays a very important role in triggering such warnings. In other words, if an attack has been launched using resources that are hard for an individual to muster -- for example, it involves hundreds of computers working in parallel to guess your password -- it is a strong candidate for being flagged as a state-sponsored attack.

There are also several other factors that are used to determine whether the attack is coming from a government agency or not, such as the IP addresses and locations of the computers that are being used to launch the attack.

IP addresses, which are like telephone numbers for the computers and phones connected to the internet, can always be traced back to the organization to which they were allocated by the Internet Corporation for Assigned Names and Numbers, or ICANN -- the global body that manages internet resources.

Besides IP addresses, cloud providers can also geolocate the source of the attack, and if they notice that the attack is coming from locations that are known staging grounds for state-sponsored cyber operations, they issue warnings to users.

However, it should be noted that most sophisticated organizations do not use their own IP addresses or computers to launch attacks.

Instead, they rely on so-called botnets -- a network of computers owned by private citizens and companies that they have gained unauthorized access to by taking advantage of their vulnerabilities, such as operating systems that are not properly updated.

Nevertheless, it is still possible to get clues from source IP addresses as to who is behind an attack.

Similarly, if it's a phishing attack -- an attack in which malware-laden emails are sent to the target to entice him or her to click on a dangerous attachment or external link -- the cloud providers check the domains from which the emails are sent. They are always monitoring cybercriminal infrastructure and can detect when users are being specifically targeted by state-sponsored phishing.

Warnings of 'state-sponsored hacking' can also be triggered simply by what are called "reconnaissance efforts".

These include attempts at account scraping, enumeration attacks, and password spraying. State actors will often perform reconnaissance on accounts before attempting to compromise them.

One of the key giveaways of state-sponsored attacks is that they often resort to what are called 'brute-force' tactics involving a lot of computers and computing power. Individual hackers typically use very targeted methods that involve a high degree of algorithmic sophistication and often rely on what is called 'social engineering'.

As such, state-sponsored groups are known to employ methods that include large volumes of data uploads and/or downloads, rapid maximum password guesses, querying forgotten password endpoints, and aggressive and repeated failed logins.
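The reconnaissance patterns described in the two paragraphs above (password spraying, rapid guesses against one account from many machines, and repeated queries to the forgotten-password endpoint) can be spotted with simple counting heuristics over authentication logs. The following is an added illustration, not code from Apple, Google or the article; the log format, event names and thresholds are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample auth log (not real data): "<time> <source_ip> <account> <event>"
SAMPLE_LOG = """\
10:00:01 198.51.100.7 alice LOGIN_FAIL
10:00:02 198.51.100.7 bob LOGIN_FAIL
10:00:03 198.51.100.7 carol LOGIN_FAIL
10:00:04 198.51.100.7 dave LOGIN_FAIL
10:00:05 198.51.100.7 erin LOGIN_FAIL
10:01:00 203.0.113.10 frank LOGIN_FAIL
10:01:01 203.0.113.11 frank LOGIN_FAIL
10:01:02 203.0.113.12 frank LOGIN_FAIL
10:01:03 203.0.113.13 frank LOGIN_FAIL
10:01:04 203.0.113.14 frank LOGIN_FAIL
10:02:00 192.0.2.50 grace RESET_REQUEST
10:02:01 192.0.2.50 heidi RESET_REQUEST
10:02:02 192.0.2.50 ivan RESET_REQUEST
10:03:00 192.0.2.99 alice LOGIN_OK
"""

def parse(log):
    # One record per non-empty line: (time, source_ip, account, event).
    records = []
    for line in log.splitlines():
        if line.strip():
            records.append(tuple(line.split()))
    return records

def detect(records, spray_accounts=5, guess_sources=5, reset_accounts=3):
    # Spray: one source, many accounts. Distributed guessing: one account, many
    # sources. Reset probing: one source hitting password reset for many accounts.
    fails_by_ip = defaultdict(set)
    fails_by_user = defaultdict(set)
    resets_by_ip = defaultdict(set)
    for _, ip, user, event in records:
        if event == "LOGIN_FAIL":
            fails_by_ip[ip].add(user)
            fails_by_user[user].add(ip)
        elif event == "RESET_REQUEST":
            resets_by_ip[ip].add(user)
    def flag(kind, table, threshold):
        return [(kind, key, len(vals)) for key, vals in table.items()
                if len(vals) >= threshold]
    return (flag("password_spray", fails_by_ip, spray_accounts)
            + flag("distributed_guessing", fails_by_user, guess_sources)
            + flag("reset_probing", resets_by_ip, reset_accounts))

if __name__ == "__main__":
    for finding in detect(parse(SAMPLE_LOG)):
        print(finding)
```

On the sample log this flags one spraying source, one account under distributed guessing and one source probing password resets, while the single successful login from 192.0.2.99 is left alone; real systems would additionally weigh time windows and known-bad infrastructure, as the article notes.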

Another clear sign of a state-sponsored group being behind an attack lies in the toolkit or software being used.

Many penetration tools -- such as the infamous Pegasus software that was allegedly purchased by India -- are extremely difficult and costly to acquire. As a result, when these cloud providers detect spyware, malware and hacking tools known to be used by state-sponsored groups, they issue such warnings to the target.

It should also be noted that these warnings are sent automatically by cloud systems based on such triggers and do not disclose the identity of the country or government behind the suspected attack. Asked about the methodology behind the identification, Apple, for example, has said that such attacks cannot be detected using a static set of rules as they evolve over time, and that the intelligence signals used to detect them are often "imperfect and incomplete".

How to thwart state-sponsored attacks

If a user receives a warning about potential nation-state targeting from their provider, they can take certain measures to reduce the chances of penetration.

The first and basic step is to enable multi-factor authentication, such as using SMS or an authenticator app.

However, it should be noted that if the device on which the second authentication is to take place -- such as the user's mobile phone -- is already compromised, activating 2FA will not yield much benefit. For example, most apps on a user's smartphone have permission to read all the text messages received on the device. Hence, if the user has installed an app that has a connection to the government or agency that is trying to access his or her account, the agency can get the 2FA password or OTP using this app.

For this reason, he or she must immediately check all the permissions given to third-party apps and revoke any permission that is not strictly required and even clear out apps that are not necessary or in use.

The second step to carry out is to change account passwords immediately, making the new ones unique, strong, and not reused anywhere else. This thwarts unauthorized access if credentials were already stolen.

In addition, the user must increase his or her threat perception and review his or her account activity by going into login history to look for any anomalous or suspicious logins.

He or she must also watch out diligently for phishing attempts via email, text or phone call, which state actors often employ to steal credentials and gain entry, and be on high alert.

They can also install trusted anti-malware software or scanners. However, it should be noted that miscreants often push malware to their targets by packaging it as antivirus software. Hence, users must only use known and trusted antivirus software from the original source, rather than third-party app stores and websites.

While warning notifications related to state-sponsored groups can sound scary, proper precautions can help greatly improve account security and thwart any further malicious activity.

The New Indian Express