The Art of Cyberwarfare
An Investigator's Guide to Espionage, Ransomware, and Organized Cybercrime
by Jon DiMaggio
THE ART OF CYBERWARFARE. Copyright 2022 by Jon DiMaggio.
All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior written permission of the copyright owner and the publisher.
First printing
26 25 24 23 22 1 2 3 4 5 6 7 8 9
ISBN-13: 978-1-7185-0214-7 (print)
ISBN-13: 978-1-7185-0215-4 (ebook)
Publisher: William Pollock
Production Manager: Rachel Monaghan
Production Editor: Katrina Taylor
Developmental Editor: Frances Saux
Cover Illustrator: Rick Reese
Interior Design: Octopod Studios
Technical Reviewer: Chris Sperry
Copyeditor: Kim Wimpsett
Compositor: Jeff Lytle, Happenstance Type-O-Rama
Proofreader: Lisa Devoto Farrell
Indexer: BIM Creatives, LLC
For information on distribution, bulk sales, corporate sales, or translations, please contact No Starch Press, Inc. directly at info@nostarch.com or:
No Starch Press, Inc.
245 8th Street, San Francisco, CA 94103
phone: 1.415.863.9900
www.nostarch.com
Library of Congress Cataloging-in-Publication Data
Names: DiMaggio, Jon, author.
Title: The art of cyberwarfare : an investigator's guide to espionage,
ransomware, and organized cybercrime / Jon DiMaggio.
Description: San Francisco : No Starch Press Inc., 2022. | Includes
bibliographical references and index.
Identifiers: LCCN 2021049772 (print) | LCCN 2021049773 (ebook) | ISBN
9781718502147 (paperback) | ISBN 9781718502154 (ebook)
Subjects: LCSH: Cyber intelligence (Computer security) |
Cyberterrorism--Prevention. | Computer crimes--Prevention. | Cyberspace
operations (Military science)
Classification: LCC QA76.A25 D56 2022 (print) | LCC QA76.A25 (ebook) |
DDC 005.8--dc23/eng/20211105
LC record available at https://lccn.loc.gov/2021049772
LC ebook record available at https://lccn.loc.gov/2021049773
No Starch Press and the No Starch Press logo are registered trademarks of No Starch Press, Inc. Other product and company names mentioned herein may be the trademarks of their respective owners. Rather than use a trademark symbol with every occurrence of a trademarked name, we are using the names only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark.
The information in this book is distributed on an As Is basis, without warranty. While every precaution has been taken in the preparation of this work, neither the author nor No Starch Press, Inc. shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the information contained in it.
About the Author
Jon DiMaggio is the chief security strategist at Analyst1 and has more than 15 years of experience hunting, researching, and writing about advanced cyber threats. As a specialist in enterprise ransomware attacks and nation-state intrusions, including the world's first ransomware cartel and the infamous Black Vine cyberespionage group, he has exposed the criminal organizations behind major ransomware attacks, aided law enforcement agencies in federal indictments of nation-state attacks, and discussed his work with the New York Times, Bloomberg, Fox, CNN, Reuters, and Wired. You can find Jon speaking about his research at conferences such as RSA and Black Hat.
About the Technical Reviewer
Chris Sperry is a cybersecurity veteran with more than 20 years of experience in the industry, 15 of which he spent honing his craft in cyber-threat intelligence. He has worked with numerous government agencies and Fortune 500 companies to discover, track, and mitigate nation-state and sophisticated cybercriminal actors alike. He is passionate about making the virtual world a safer place by nurturing the next generation of cyber-intelligence practitioners.
ACKNOWLEDGMENTS
I want to thank my children, Anthony, Damian, and Tyson, and my mother, who helped me with my kids over many weekends when I was researching and writing this book. Nico Madden, thank you for helping me to be a better writer! Thank you, Chris Sperry, for your wisdom as my tech editor, and Frances, for your patience and guidance in editing this book. I also would like to thank Katrina Taylor, Jennifer Kelley, and the rest of the team at No Starch Press for their help in reviewing, producing, and marketing this book. Thank you, Bill Pollock, for giving me my shot! I appreciate the opportunity to write and publish this book with No Starch Press. I also want to thank Vikram Thakur, Eric Chien, and Gavin O'Gorman for your mentorship over the years. You guys truly made me a better researcher and analyst; thank you! Finally, I want to thank Symantec's Attack Investigation Team (AIT) and Analyst1 for encouraging me to pursue my dreams of becoming a published author.
Introduction
In late January 2015, a system administrator at Anthem, at the time one of the world's largest health insurance providers, made a troubling discovery. The previous night, someone had used their account to execute several queries intended to collect sensitive customer data from Anthem servers. In doing so, the attacker had stolen personally identifiable information (PII) associated with nearly 80 million Anthem patients.
Later in 2015, cybersecurity vendors Trend Micro and Symantec identified the attacker: a group dubbed Black Vine, believed to operate out of a country in Southeast Asia.
This might all sound like the events of a good spy novel, but they actually took place. At the time, few people suspected that a cyberattack designed to steal healthcare data could lead to the exposure of U.S. spies. Unfortunately, as Anthem and many other victimized organizations have learned the hard way, militaries and governments are no longer the only targets of nation-state attackers. Nation-states succeed in targeting private-sector companies because those companies either don't believe a foreign government will attack them or simply don't understand how to defend against advanced attackers. These attackers are frequently misidentified as lesser threats, mishandled, or not detected at all. And while automated cyber defenses can identify and protect against most of today's threats, on their own they are generally ineffective at stopping nation-state attackers.
These attacks can have devastating impacts on private firms. As in the Anthem attack, nation-state espionage often ends with sensitive customer data exposed and intellectual property stolen. Millions or even billions of dollars are lost when an attacker steals an organization's intellectual property. In Anthem's case, the total cost of the breach is unknown; however, a U.S. court ordered Anthem to pay $115 million in 2018. The firm also faced a massive storm of negative publicity and had to notify its customers of the exposure. In addition, the research and development that goes into creating new medical technologies or pharmaceuticals requires great amounts of time and money. If an attacking government steals the resulting intellectual property, it can create the product without spending the same amount of money or time. This gives the beneficiaries of the theft an unfair advantage in foreign markets, and in some cases it puts the originating organization out of business.