Perspectives

Cyber attacks: Separating the facts from Hollywood fiction

By Bernard Farrugia

Cyber-attacks or hacking events have become such a common occurrence that we have almost become oblivious to them. The leaked CIA documents posted on WikiLeaks, the 32 million account passwords hacked on Yahoo and the hacked email servers at Mossack Fonseca, responsible for the Panama Papers debacle, all hit the headlines at some point in time. Although the sophistication required to perform such attacks has been decreasing, mainly due to the tools readily available over the internet, such hacking attempts still require high technical skill as well as a patient and inquisitive mindset. With the possible exception of the TV series Mr. Robot (a story about a young anti-social computer hacker who takes on a large corporate bank, aptly referred to in the show as Evil Corp), this is mostly portrayed inaccurately in movies and TV shows, as described below.

Every successful hack includes the following steps:

  • Reconnaissance
  • Gaining access
  • Maintaining access
  • Covering tracks

Reconnaissance

Without careful gathering of information about a potential target, failure is almost certain. Reconnaissance is either passive or active. Passive reconnaissance can be as simple as identifying the times at which employees enter and exit the building. Its main feature is that it does not alert the target or arouse suspicion.

Reconnaissance is often carried out in front of a computer through Internet searches and examining freely available information on the target’s website. I am sure that most of you have Googled yourself to find out how much information about you is on the internet. This process is generally referred to as information gathering. Social engineering (i.e. using deception to manipulate individuals into divulging confidential or personal information) and dumpster diving (as the term suggests, checking rubbish bins for useful information) are also considered passive information-gathering methods. An example of the latter is the film Argo, where the revolutionaries reassemble photographs that were shredded before the Embassy takeover, which leads them to learn that some of the Embassy personnel had escaped.

Active reconnaissance, also referred to as the scanning stage, is the part where hackers test the security of networks and systems and scan for potential vulnerabilities, using specific tools and their programming skills. This process is often referred to as ‘doorknob rattling’. Unlike passive reconnaissance, it creates activity on the target’s network. If the intended target has monitoring controls in place, it may be possible to identify such activity as suspicious. In such instances, hackers would normally time their requests to reduce the risk of arousing suspicion.
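As an added illustration of the monitoring control the paragraph mentions (example code written for this page, not from the article), the script below flags ‘doorknob rattling’ by counting how many distinct ports a single source probes on one host within a time window. It also shows the caveat the article raises: a source that spaces its probes out evades a short window and is only caught with a longer one. The log format, addresses and timestamps are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall-style log lines (not real traffic):
# timestamp, source IP, destination IP, destination port
SAMPLE_LOG = """\
2024-01-10T09:00:01 198.51.100.7 192.0.2.10 22
2024-01-10T09:00:02 198.51.100.7 192.0.2.10 23
2024-01-10T09:00:02 198.51.100.7 192.0.2.10 80
2024-01-10T09:00:03 198.51.100.7 192.0.2.10 443
2024-01-10T09:00:03 198.51.100.7 192.0.2.10 445
2024-01-10T09:00:04 198.51.100.7 192.0.2.10 3389
2024-01-10T09:05:00 203.0.113.5 192.0.2.10 443
2024-01-10T09:06:00 203.0.113.5 192.0.2.10 443
2024-01-10T10:00:00 198.51.100.200 192.0.2.10 21
2024-01-10T10:20:00 198.51.100.200 192.0.2.10 22
2024-01-10T10:40:00 198.51.100.200 192.0.2.10 25
2024-01-10T11:00:00 198.51.100.200 192.0.2.10 110
2024-01-10T11:20:00 198.51.100.200 192.0.2.10 143
"""

def parse(log_text):
    """Turn the constructed log text into (timestamp, src, dst, port) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, src, dst, port = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return events

def find_scanners(events, window=timedelta(minutes=1), min_ports=5):
    """Return {(src, dst): sorted ports} for every source that touched at least
    `min_ports` distinct ports on one host inside some `window`-long interval."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in sorted(events):
        by_pair[(src, dst)].append((ts, port))
    flagged = {}
    for pair, hits in by_pair.items():
        for i, (start, _) in enumerate(hits):  # slide the window over each start
            ports = {p for t, p in hits[i:] if t - start <= window}
            if len(ports) >= min_ports:
                flagged[pair] = sorted(ports)
                break
    return flagged

if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    for label, window in (("1 min", timedelta(minutes=1)), ("2 h", timedelta(hours=2))):
        for (src, dst), ports in find_scanners(events, window).items():
            print(f"[{label} window] possible scan from {src} against {dst}: {ports}")
```

With the one-minute window only the fast scanner is reported; the slow one, which spread five probes over eighty minutes, appears only when the window is widened to two hours.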

Gaining access

This is the part where the real hack takes place. The vulnerabilities exposed during the reconnaissance phase are now exploited to gain access to the target system. A hacker may attack the target system through multiple attack vectors, especially if the target has a defence-in-depth approach to security. They can attack the target directly by finding weaknesses in the system and breaching the outer defences, or attack it from within with the help of some social engineering. Mr. Robot’s second season highlights the use of the USB Rubber Ducky, a real programmable hacking tool which works by masquerading as a keyboard and is used to recover passwords from the target computer’s memory. In such instances, unchecked USB devices could also carry malware that creates a backdoor to a remote server, giving the attacker access to the target’s computer from the outside.

The parts that are sped up in most movies are the active reconnaissance and gaining-access stages. Think of Felicity Smoak (Arrow) and Cisco Ramon (The Flash): the search for, and subsequent access to, seemingly impenetrable systems is achieved with ease within each episode. Or the movie Swordfish, where Stanley Jobson (played by Hugh Jackman) meets Gabriel Shear (played by John Travolta) and is put on the spot to crack a secure government server within a minute while simultaneously held at gunpoint. Nothing could be further from the truth.

Maintaining access

Once hackers have gained access to a target system, they want to ensure that they can maintain that access. Keeping this connection open, while using stealth to cover their tracks, preserves the possibility of future exploitation and attacks. Again, this is where Hollywood and the real world diverge. You may remember that in the movie Skyfall, Q (played by Ben Whishaw) attempts to decrypt Silva's laptop but inadvertently gives the laptop access to the MI6 systems, allowing Silva (played by Javier Bardem) to escape from MI6 custody. Unrealistically, this all happens in a matter of seconds.

The hacker may also try to harden the system to ensure that other hackers cannot do the same. Once the hacker owns the system, they would then try to pivot from one system to another, using techniques such as gaining information about users’ activities through keystroke monitoring and impersonating users with captured session tokens. The ultimate goals include causing damage to the system, stealing information and/or performing fraudulent transactions.

Covering tracks

Once hackers have achieved their ultimate aim, they need to ensure they “exit” the system without a trace, to avoid detection by security personnel and subsequent legal action. The idea is to remove all log files recording their activities, including the logs kept by anti-malware, personal firewall and intrusion detection system (IDS) solutions. Privilege escalation needs to be performed for this to be carried out properly.

In conclusion, the whole hacking process can be a lengthy, research-centric process, which can be mundane at times. Most movies and series never show this. Hollywood wants to create suspense and fast action in order to hold the attention of the audience. However, if these portrayals generate some interest in how hacking is actually carried out, they could create a level of awareness the viewer did not previously have. That would certainly be a positive step in the right direction towards a better understanding.