How Hackers Plan Attacks and Hide Their Tracks

Travel Destination: North Sea Coast Of Germany
WENNINGSTEDT, GERMANY - JULY 19: Incoming waves wash away footprints left by visitors in the sand along a beach on Sylt Island on July 19, 2016 near Wenningstedt, Germany. Sylt Island, with its long stretches of sand beaches and its protected dune landscapes, is among the most popular holiday destinations, especially for wealthy visitors, along Germany's North Sea coast. Many Germans, unsettled by the recent terror attacks in countries like France and Turkey, are choosing to vacation in Germany this summer. (Photo by Sean Gallup/Getty Images)
Sean Gallup—Getty Images

Oftentimes, priority no. 1 for a hacker preparing to launch a cyberattack is finding a suitable launchpad. The goal: to obfuscate the origin of an attack.

To mask themselves, attackers generally compromise computer servers and networks operated by other organizations. These nodes then serve as unwitting springboards for further electronic assaults.

“The important thing is to recognize how an attacker works,” Oren Falkowitz, co-founder and CEO of Area 1 Security, a cybersecurity startup based in Redwood City, Calif., tells Fortune. “Consistently, what they’re doing is setting up shadow infrastructure—what we describe as relays or proxies.”

Get Data Sheet, Fortune’s technology newsletter.

The vast majority of cyberattacks use spoofed email messages or bogus websites to try to dupe unsuspecting employees into downloading malicious software or giving up login credentials. Such ploys are designed to trick their victims—but they don’t go very far when the booby-trapped messages arrive from addresses handled by known bad actors. That tends to raise an alarm.

So the attackers disguise themselves, burrowing into seemingly innocuous networks. Computer security experts call this approach a “stepping stone attack,” given all the intermediary hops involved.

“They want to have a mechanism to hide their activity, and to make their attacks and traffic blend with general network behavior,” Falkowitz, an NSA alum, says.

See also: Can three ex-NSA snoops stop the worst hacks before they start?

That’s where Area 1 comes in. The company installs sensors on compromised machines—with their owners’ permission—in order to surveil adversaries’ traffic, gather intelligence, and funnel that information to cybersecurity companies that can then better preempt attacks.

Area 1 shared a copy of a new report with Fortune that describes several incidents drawn from real-life experiences demonstrating hackers’ tactics. Below are four archetypal ways that attackers attempt to conceal their digital tracks, according to the report.

  1. Through small businesses

In one illustrative example, foreign nation state-backed hackers took over outdated Windows 2003 servers run by a saddle-maker, moved laterally onto other servers, and used those to send spear-phishing emails to more than a hundred targets, including contractors of the U.S. Department of Defense.

“People think only large ISPs like Verizon and Google provide the only infrastructure for attackers to leverage,” Falkowitz says. “These attacks can come from anywhere.”

(By the way, here’s a good example of a welding shop used as an attack intermediary in this New York Times story about Area 1 from earlier this year.)

2. Through public schools

Earlier this year, attackers exploited a vulnerable web application on public school servers and broke into them. After bouncing around the networks and installing backdoors, the gang used the school’s computers to launch even more attacks. “Just another example of machines that are typically unprotected and appear innocuous,” Falkowitz says.

3. Through social clubs

In this case, frequenters of a certain watering hole got hit with, well, a “watering hole attack.” Having breached the network, the attackers were able to distribute malware to anyone who connected to the club’s Wi-Fi.

“They lured users into a space where they’re prone to go to for social reasons,” Falkowitz says. Hackers then piggybacked into their corporate networks later on. Falkowitz says Area 1 has seen less than a dozen of these kinds of attacks in the wild, so to speak.

4. Through SCADA facilities

Earlier this year, an unnamed industrial equipment manufacturer fell victim to a hacking. After absconding with oodles of data, the attackers recycled their access into the network as part of a “supply chain attack,” sending emails to targets at other companies since people are likelier to open emails from supposedly trusted sources, like their business relations.

Falkowitz says Area 1 has seen “somewhere between 50 and 80 machines at different organizations” targeted this way.

The upshot? Attackers will use whatever computing resources they can lay their hands on, so long as it will cloak their activities and offer a staging ground for their next attack.

Subscribe to Well Adjusted, our newsletter full of simple strategies to work smarter and live better, from the Fortune Well team. Sign up today.

Read More

Artificial IntelligenceCryptocurrencyMetaverseCybersecurityTech Forward