Hackers have the advantage in cyber arms race, security expert tells Computing

Red October hackers worked as if they were in a nine-to-five job, says BAE Systems Detica head of cyber security Tom Burton

The world is involved in a cyber arms race in which professional hackers and cyber criminals are on the front foot.

That's the message of Tom Burton, head of cyber security services for BAE Systems Detica, in an interview with Computing at the defence and security company's central London nerve centre.

"The bad guys have all of the advantages," he said. "They have all the advantages in that the technology is out there to use, the technology enables them to prosecute attacks with very low risk of detection and minimal risk of identification."

Burton added that even if cyber criminals can be tracked down, more often than not they're in far-away places, which means prosecution is out of the question. "Even if they are identified, they're often operating in parts of the world where we've got absolutely no means of going after them.

"So it is an arms race and our threat intelligence teams do a lot of work here in understanding that," he said.

Earlier this year, researchers discovered a form of malware, called Red October, which has been used to steal information from diplomatic, government and scientific computer networks across the globe for more than five years.

BAE Systems Detica conducted an investigation into Red October and found the malware to be highly sophisticated, with those behind it working in a professional manner.

"It had a really advanced code base. This was not just some 16-year-old in his parents' shed; the level of sophistication in this bore all the hallmarks of a heavily resourced organisation. It had all the symptoms of probably being Russian in origin," claimed Burton.

Using its data analysis and cyber security tools, BAE Systems Detica's security team looked into the infrastructure behind the malware and found that, at its point of origin, the people building it were working in a way that suggested that, for at least some of them, it amounted to a job.

"One of the first things we found was the infrastructure that was being used, the domains, were only being registered Monday to Friday - absolutely nothing happened on a Saturday or Sunday.

"Also, the compilations from the file creations of the malware only happened Monday to Friday, absolutely nothing happened on a Saturday or Sunday," Burton told Computing.

"We then looked at the date-time stamp, superimposed over Moscow time, and we found that actually it's not just a Monday to Friday job, it was pretty much a nine to five job with a little bit of the compilation hanging about until six or seven o'clock."

Computing was shown data illustrating when Red October activity peaked: output began around 9am and spiked at 11am, suggesting the cyber criminals behind it were keeping regular working hours.

"I'd interpret from that they do a bit of work then hit compile before heading for a cup of coffee and a chat about 11. This is a profession! Not necessarily an ethical profession, but it is a profession with an awful lot of people involved in it," he said.
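The timestamp profiling Burton describes (domain registrations and compilation times shifted into a candidate time zone and counted by weekday and hour) can be reproduced with a few lines of Python. The block below is an added example, not code from the article or from BAE Systems Detica, and every timestamp in it is constructed; nothing comes from the real Red October data. It goes one step beyond the article by scoring every whole-hour UTC offset for its fit to an office-hours pattern rather than superimposing only one assumed zone, and it includes the caveat a defender needs: PE compile timestamps are attacker-controlled and can be forged, so they are one signal among several.

```python
"""Working-hours profiling of malware build and infrastructure timestamps.

Added example; not code from the article or from BAE Systems Detica.
All timestamps are constructed for illustration and are unrelated to the
real Red October data set. The method follows the article: take UTC
timestamps of artefacts (PE compile times, domain registrations), shift
them into a candidate time zone, and check whether activity clusters on
weekdays during office hours. It also scores every whole-hour UTC offset
instead of assuming a single zone.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample events as (kind, ISO-8601 UTC timestamp).
# 2012-10-01 is a Monday. Eight events fall on weekdays and one on a
# Saturday, so the weekend check has something to count.
SAMPLE_EVENTS_UTC = [
    ("compile", "2012-10-01T05:10:00+00:00"),
    ("domain", "2012-10-01T07:05:00+00:00"),
    ("compile", "2012-10-02T07:30:00+00:00"),
    ("compile", "2012-10-03T06:45:00+00:00"),
    ("domain", "2012-10-03T13:20:00+00:00"),
    ("compile", "2012-10-04T07:15:00+00:00"),
    ("compile", "2012-10-05T14:40:00+00:00"),
    ("domain", "2012-10-05T07:50:00+00:00"),
    ("compile", "2012-10-06T08:00:00+00:00"),  # Saturday outlier
]


def parse_events(events):
    """Parse the ISO strings into timezone-aware UTC datetimes."""
    return [datetime.fromisoformat(ts).astimezone(timezone.utc) for _, ts in events]


def from_pe_timestamp(seconds):
    """Convert a COFF header TimeDateStamp (seconds since the Unix epoch) to UTC.

    This field is written by the build tool and can be zeroed or forged by
    whoever ships the binary, so treat it as a hint, not as proof.
    """
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def to_local(ts_utc, offset_hours):
    """Shift a UTC datetime into a fixed-offset candidate zone."""
    return ts_utc.astimezone(timezone(timedelta(hours=offset_hours)))


def weekday_hour_histogram(ts_list, offset_hours):
    """Count events per (weekday, hour) in the candidate zone; Monday is 0."""
    hist = Counter()
    for ts in ts_list:
        local = to_local(ts, offset_hours)
        hist[(local.weekday(), local.hour)] += 1
    return hist


def weekend_fraction(ts_list, offset_hours):
    """Share of events that land on Saturday or Sunday in the candidate zone."""
    if not ts_list:
        return 0.0
    weekend = sum(1 for ts in ts_list if to_local(ts, offset_hours).weekday() >= 5)
    return weekend / len(ts_list)


def office_hours_fraction(ts_list, offset_hours, start=9, end=19):
    """Share of events on Monday to Friday with local hour in [start, end)."""
    if not ts_list:
        return 0.0
    hits = 0
    for ts in ts_list:
        local = to_local(ts, offset_hours)
        if local.weekday() < 5 and start <= local.hour < end:
            hits += 1
    return hits / len(ts_list)


def rank_offsets(ts_list, candidates=range(-12, 15)):
    """Score each whole-hour UTC offset by office-hours fit, best first.

    Ties are broken towards the offset closest to UTC so the result is stable.
    """
    scores = [(off, office_hours_fraction(ts_list, off)) for off in candidates]
    return sorted(scores, key=lambda pair: (-pair[1], abs(pair[0])))


def hourly_profile(ts_list, offset_hours):
    """Events per local hour with all days pooled, as a 24-entry list."""
    profile = [0] * 24
    for ts in ts_list:
        profile[to_local(ts, offset_hours).hour] += 1
    return profile


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS_UTC)
    best_offset, best_score = rank_offsets(events)[0]
    print(f"best-fitting offset: UTC{best_offset:+d}, office-hours share {best_score:.2f}")
    print(f"weekend share at that offset: {weekend_fraction(events, best_offset):.2f}")
    for hour, count in enumerate(hourly_profile(events, best_offset)):
        if count:
            print(f"{hour:02d}:00  {'#' * count}")
```

On the constructed sample the best-fitting offset is UTC+4 and the hourly profile shows the same shape the article describes, a rise around 9 and a cluster at 11. On real data the score should be read alongside other evidence (language artefacts, registrar records, victim geography), because a single offset fits several countries and build clocks can be set to anything.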