How tweets become weapons: Security expert sees hacker “tells” in the data

It’s not often representatives from three of the most powerful media technology companies in the world appear together, but that is exactly what happened last week in Washington, D.C. Executives from Facebook, Google and Twitter were called to testify before the U.S. Congress about the spread of disinformation during the 2016 presidential election by Russian operatives.

All three companies were grilled by elected officials about “fake news,” the ability of someone outside the United States to create and post false stories seen by social media’s vast audience. In his testimony before Congress, Colin Stretch, Facebook’s general counsel, disclosed that as many as 126 million U.S. users may have read Russian disinformation.

A number of government and private cybersecurity experts are growing concerned about the weaponization of social media and search sites, where threat actors can gather vast amounts of information and use that to hack into systems, spread chaos in the form of false content, or recruit new volunteers for terrorist activity. This reality has opened a new chapter in cybercrime known as influence operations, which includes disseminating propaganda to gain a competitive advantage over an opponent.

“Facebook is more relevant than the United Nations, and WikiLeaks has more information pulsating out of it than a CIA analyst,” said James Scott, co-founder and senior fellow at the Institute for Critical Infrastructure Technology.

Scott stopped by theCUBE, SiliconANGLE’s mobile livestreaming studio, and spoke with co-hosts John Furrier (@furrier) and Dave Vellante (@dvellante) during the CyberConnect event in New York City. They discussed how various nation states, such as Russia and China, conduct hacking operations; a secretive alliance of countries formed to combat threats; growing use of social media by terrorists; and ICIT’s own work inside the U.S. intelligence community. (* Disclosure below.)

This week theCUBE features James Scott as our Guest of the Week.

Nation states target network executives
The evolving cyber landscape is now a potent mix of external and internal threats. Nation state hacking is growing in scope and the current rage is to mine an endless trove of metadata from social media and search sites to target critical infrastructure executives.

Russia is especially adept at this approach, using stealth and sophistication to craft a seemingly innocuous contact with a highly credentialed IT executive who will unwittingly open the wrong document or access a poisoned link to let threat actors into a network.

“Their hacking is just like their espionage; it’s like playing chess,” Scott said. “They’re really good at making pawns feel like they’re kings on the chessboard.”

China’s hacking technique is not as sophisticated, with frequent reuse of the same payload (computer code that executes malicious activity), according to Scott. Entry into a network is often not because of an elegantly designed attack, but rather due to a basic lack of proper security. “The Chinese hacking style is more smash and grab,” Scott said.

China helps North Korea
There is a mercenary element to China’s hacking, however, that makes the country’s espionage impact more extensive. Scott and other security experts have found that Chinese nation-state hackers will offer their services elsewhere, providing their expertise to other countries, such as North Korea.

“[North Korea] has people who consider themselves hackers, but they’re not code writers,” Scott explained. “The Chinese People’s Liberation Army will hack for the nation state during the day, but they’ll moonlight at night to North Korea.”

To combat the growing influence of nation-state hacking, the U.S. participates in a secretive arrangement called the Five Eyes Intelligence Alliance. The other participant countries are Canada, the United Kingdom, Australia and New Zealand. The coalition predates the internet, and its existence became more widely known after publication of the Edward Snowden documents that referred frequently to information gathered by the five nations.

“Five Eyes is important because we share the signals intelligence [SIGINT],” said Scott, a reference to intercepting information generated through various forms of electronic communications.

Terrorist groups thrive in social media
Nation-state hacking is not the only threat keeping security experts awake at night. Well-organized and funded terrorist groups are now exploiting social media and search metadata to further their cause inside the U.S. The scale of social media use by terrorists gained some clarity this year, when Twitter revealed that it had suspended 299,000 accounts linked to terrorism in the first half of 2017 alone.

Two groups beginning to draw more attention are the United Cyber Caliphate and Antifa. Cyber Caliphate is considered to be the hacking arm of ISIS, and investigations by security researchers to date have shown that the group’s exploit capabilities are low. But that could soon change.

“The next big thing that we have to look at is the Cyber Caliphate,” Scott said. “Their influence operations domestically are extremely strong.”

Antifa is an anti-fascist activist group inside the U.S., and social media provides a fairly simple mechanism for connection with other organizations to share common ideologies. Groups conducting influence operations in the U.S., such as Cyber Caliphate, can connect with Antifa members through a hashtag, show them tools and practices on a dark web forum, and galvanize them into disastrous action.

“This guy who was never Muslim now is going under the ISIS moniker, and he acts, he drives over people in New York,” Scott said. “Antifa is a domestic terrorist organization. It’s shocking that the FBI is not taking this more seriously.”

The online world has now evolved into an environment where the very media tools most people take for granted, such as Facebook pages or Twitter posts, are becoming weapons in the arsenal of nation states and terrorists. Organizations such as ICIT are talking with U.S. intelligence agencies about the threat, but that often requires showing them how easy it has become to sow the seeds of chaos online.

“We’ve been asked repeatedly by the intelligence community since the elections last year to explain this new propaganda,” Scott said. “I will go into one of the silos in the National Security Agency and explain what’s happening, and they’ll turn around one of their computers and have me show them how to do it.”