The lack of dark-web presence or illicit sales of the bulk of data stolen in the Equifax breach is worrying cybersecurity experts who keep waiting to see if the hacked info on millions of Americans will be used in a nation-state attack, a congressional panel heard last week.
Last year’s hack exposed personal information including Social Security, credit card and driver’s license numbers of some 148 million Americans. Rep. Ed Perlmutter (D-Colo.), ranking member of the House Financial Services Subcommittee on Terrorism and Illicit Finance, noted that it was just one of 1,579 U.S. data breach incidents in 2017, according to the Identity Theft Resource Center, and cited the 780,000 records hackers swipe each day.
“Last month, the Council of Economic Advisors released a report estimating that malicious cyber activity costs the U.S. economy between $57 and $109 billion in 2016. And this cost is expected to climb as more devices become Internet connected,” Chairman Steve Pearce (D-N.M.) said. “Unfortunately, this activity is only becoming more widespread as criminal organizations realize the low cost of entry, the ease of using hacking tools, and the difficulty law enforcement faces trying to apprehend the hackers.”
Lillian Ablon of RAND Corp. told lawmakers that cybercriminals, state-sponsored actors, cyberterrorists and hacktivists are prowling online, and “they tend to seek different types of data and use or monetize that data in different ways.”
“Essentially, all you need is an Internet connection and a device to become part of the cybercrime ecosystem,” she said of the first type. “Participants in these markets range across all skill levels. They are often hierarchies and specialized roles. Administrators at the top, followed by brokers, vendors and middlemen. And finally, mules, the moneychangers who use multiple methods to turn the stolen data into money.”
Credit cards stolen from Target in 2013, Ablon noted, “appeared on the black markets within days.”
“Those cards initially fetched anywhere from $20 to $135, depending on the type of card, expiration and limit,” she testified. “But, eventually, they went on clearance for just a few dollars a card. Although prices, in general, range widely, similar products tend to go for similar amounts. And anonymous cryptocurrencies like Bitcoin, among others, are preferred for making transactions.”
McAfee chief strategist Joe Bernik said that the practice of “not directly attacking institutions, such as the case with the Equifax attack, represents a vulnerability within the banks.”
“They all depend on Social Security numbers and, therefore, that type of attack has a lasting and devastating impact on the banks, themselves,” he said.
Bernik warned that one method of attack “that is of extreme importance and urgency right now is the use of social media attacks.”
“Social media — the anonymous-nature social media, allows for criminals and our nation states to use it, to manipulate markets,” he said. “I believe and we believe that this type of attack, using social media, will continue to be prevalent and will continue to be devastating against financial markets. Given that you can set up an identification without any kind of verification or authentication requirements.”
Echoing Ablon’s comments, Bernik said stolen data for sale includes “everything from credit card details sold for $50, Amazon accounts sold for $9, passports sold for $62… the prices vary, depending on the markets and the freshness of the data.”
“However, the concern that we have, really more so than the data that is being sold today, is the data that we have not seen sold as of yet. Meaning the Equifax data, which I know everyone is interested in, has not been widely made available in any markets,” Bernik told lawmakers. “It is, therefore, assumed that this data is being collected for other purposes. Potentially for nation-state level attacks. So, that, obviously, the unknown-unknown nature of that type of attack makes it all the more concerning. And we wait and — we are waiting to see what sort of attacks will come from that sort of data that was stolen.”
Nicolas Christin, associate research professor at Carnegie Mellon University, said a study of “most of the major online anonymous marketplaces” between 2011 and 2017 yielded four observations: “First, revenue generated by criminals engaged in monetizing data breaches continues to pale in comparison to the potential costs of the remedies,” he said. “…Second, the dark web marketplace ecosystem, as a whole, has shown strong ways against reinforcement takedowns. Shutting down the marketplace has, so far, mostly seemed to result in criminals moving to a different one.”
Third, he said, “80 percent of the revenue is generated by 10 percent of the vendors.”
“A few successful individuals attract relatively large numbers of amateurs that do not profit much, if at all, from the activities. These unsuccessful actors, nevertheless, contribute to the overall problem by making the market for stolen data larger and more complex,” Christin continued. “Fourth, these marketplaces are international in nature. And even when certain actors are identified, jurisdiction issues may complicate prosecution or arrest. These findings indicate that focusing on preventing breaches from happening in the first place is probably more economically efficient than attempting to disrupt retail in these recent channels.”
James Lewis, senior vice president at the Center for Strategic and International Studies, told committee members that estimating the cost of cybercrime “is difficult because data collection is willfully inadequate.”
“Most countries don’t collect statistics on cybercrime. And many victims prefer not to report their losses,” he said. “Our most recent study estimated that cybercrime cost the world between $450 and $600 billion a year, a 20 percent increase in two years. This increase can be explained by the growing sophistication of cybercriminals, by the increase in the number of Internet users and by improvements in the ability of cybercriminals to monetize stolen data.”
Cybercrime continues to grow in part, he explained, because “criminals have become better at monetization, in part because of the availability of cryptocurrencies” and because of the “safe space” of the dark web.
“I was looking at some of these sites this morning, and I found one that offered a money-back guarantee if you bought data from them, stolen data, and it didn’t work… it is a very sophisticated market,” Lewis added.
Another reason for the growth of cybercrime, he said, is state-sponsored activity, with Russia “a haven for the most advanced cybercriminal groups in the world — the Kremlin sees Russian cybercriminals as a strategic asset.”
North Korea and China are also major players in the cybercrime market, lawmakers heard.
Rep. Carolyn Maloney (D-N.Y.) noted that North Korea pulled $81 million out of Bangladesh for hacked data — “they needed money, they got money.”
“But, in other cases, when a nation-state steals data from a company like Equifax, and then they don’t sell the data on the black market, and it doesn’t seem to appear some other place, it really isn’t clear what their motivations are,” Maloney said. “So, when a nation-state hacks into U.S. companies and steals data but doesn’t sell the data on the black market, why do you think — what is the explanation of why they did it? Are they collecting data for espionage purposes?”
“When it is not being sold, it can be for a variety of reasons,” Christin replied. “Maybe it doesn’t have an economic value but has other types of value, leverage… very simply put, we just don’t necessarily know who is behind every single breach, and what they are using the breach for.”
“When I see a big breach like that and the data doesn’t appear on the market, I usually assume that it is an espionage-related case,” Lewis said.
Ablon added that “aggregating this data can be very valuable for state-sponsored actors.”
“Combining all that information would get some of the most sensitive personal and health information, as well as information about where people travel, to build a comprehensive profile of who to target, who to leverage, how to leverage for future information or for exploitation of espionage purposes,” she said.