Eugene Kaspersky, on stage at DLD 2013 where he called cyber weapons cleaner but much worse than traditional weapons. Mikko Hypponen/Twitter

Businesses and governments that have developed cyber espionage tools have turned to using them for business advantage.

Stephen Bonner, partner in information protection and business resilience at KPMG, told IT Security Guru that once a rogue nation or business has built a cyber espionage tool, it becomes low-cost and cost-effective to use it for other things.

"We've seen this with hostile bids for access to something, such as an oil reserve. Certainly most nations are involved in this. If you are doing a deal, they will break in, see what your bid is so they can price it and bid $1 more. That has been going on for quite a while in hostile environments," he said.

"What is fascinating is now those teams are so used to doing that, so they will break in to see what they have shared is accurate. It has become part of due diligence to hack in and check as there is no cost to it. It doesn't cost anything, it's very high value and you don't get caught."

Highly skilled

Bonner said that as these operators are so used to using the tool, people stop asking questions and start thinking: why would they not use it?

He said: "That's the start; the other thing is in an environment of highly skilled and motivated individuals, such as financial services, it is more effective than making your environment better. They think that if they launch a massive DDoS against the competition, [the competition] cannot compete so they win the deal."

Commenting, Jeffrey Carr, founder and CEO of Taia Global, told IT Security Guru that he agreed with this assessment.

"I can't provide proof, but I've had off-the-record conversations with individuals who have acknowledged that this has happened with joint ventures between China and other nations' companies," he said.

"And China is certainly not unique in that role. So this isn't new, this is the new twist on yesterday's industrial espionage."

Rogue insiders

Bonner said that most of the thinking at the moment is about being a victim of these attacks, but more needs to be done on making sure you are not the perpetrator of these attacks:

"Now clearly these are not sanctioned at the board level as a legitimate business plan, but look at the rogue individuals who are bringing a grudge against companies and the bosses. Given how easy it is to do cyber attacks, why isn't there a concern that your rogue insiders are using that capability from inside your organisation?"

TK Keanini, CTO of Lancope, said that people in security are coming to realise two important changes: firstly, that infiltration is so easy that it is a given, and that most attackers show up at the network access point with already stolen credentials and just log in as that user.

Secondly, post-infiltration, the game changes to remaining hidden, and this is where we have to change the dynamic.

Advanced threat

"These attackers know that the security folks are watching the traditional security infrastructure like firewalls, intrusion detection systems, but as I said before, this advanced threat knows how to operate without showing up on the security radar," he said.

"This problem he is addressing exists because very few people have implemented telemetry on their networks and until they do, it is just too easy for this threat to go undetected. Until you change the economics for them, it will continue to be an unfair advantage for those wishing to have superior knowledge at the time of negotiation."

Dan Raywood is editor of IT Security Guru.
