“It’s not just even the loss of data. Increasingly, we are worried about the corruption of data. Think about the harm someone could do by an intrusion at a blood bank and changing blood types, an intrusion at a financial institution and changing just a few digits in the holdings of an institution.”
FBI Director, James Comey, March, 2017
“Weaponized data is the next threat vector challenging all of us in cybersecurity.”
Chris Young, speaking on corruption of data at 2017 RSA conference
Yes, it should be obvious that serious problems could result if hackers gain control of a database and then alter it to suit their needs. For example, at the same RSA conference mentioned above, TrapX Security showed how medical devices were infected with malware. The company set up fake medical devices, such as MRI and CT scanners, on hospital networks to see if they would be attacked. They were. TrapX subsequently found malware on multiple devices “including an x-ray printer, an oncology unit’s MRI scanner, a surgical center’s blood gas analyzer and a health care provider’s PACS-picture archiving and communication system”. These devices could be used as a way to enter a hospital’s network and steal medical records. Such records could be sold on the deep web for a healthy profit. But they could also be used to get drugs, medical equipment, or healthcare. There is enough data in a medical record to completely take over someone’s identity and use it to apply for credit cards and other services. Stolen credit card information will only last until the owner of the card learns about it. Medical record information lasts forever. This is why hackers can sell one medical record for $50 but the data for one credit card can only bring in 25 cents.
But it’s not only money that’s the problem. These compromised medical machines can be manipulated to give inaccurate or deadly results. It’s unlikely that these hackers want to kill people, but they could do so or do so inadvertently. That being the case, such compromised medical devices could be held for ransom, which would be another way for hackers to monetize these attacks.
And it’s not just medical data that can be corrupted. Hackers can corrupt GPS data to perform a number of nefarious actions. At the lowest level, hackers learned how to spoof GPS data to play Pokemon Go and pretend they were in exotic places when they were not. At the highest level, GPS manipulation can bring down a country’s power grid. This is because power grids depend on GPS signals to synchronize power output within a grid. Spoofing the data could cause sections of the grid to burn out which, in turn, could bring down large sections of the grid. Such spoofing has already been done by North Korea. “North Korea jammed GPS signals in South Korea numerous times for periods that lasted between 4 and 16 days, disrupting GPS receivers in many cell towers in addition to over one thousand aircraft and hundreds of ships.”
There are devices that can produce false GPS signals which can trick GPS-dependent machinery into doing things that they normally would not do. Imagine what could happen to self-driving, GPS-dependent cars if these signals could be altered.
Then there are the hacks that could alter financial data to make monetary gains. A number of trading companies have been hacked and the data they held was either stolen or manipulated to make millions of dollars on stock markets around the globe. At Fast Track Holdings in Hong Kong, for example, “somebody hacked into its brokerage account on the afternoon of September 23 (2016) using a valid user ID and password. Within 18 minutes, the intruder had emptied the account by spending HK$38 million to buy 49 million shares of thinly traded Pa Shun Pharmaceutical, according to Fast Track.”
In December of last year, it was reported that “Chinese traders hacked into the computer systems of U.S. law firms that handle mergers, then used the data for insider trading that generated more than $4 million.” Online brokers are constantly targeted. Sometimes, like in the attack on Scottrade which compromised 4.6 million users, they succeed.
Other forms of data corruption attacks have met with frequent success, such as those involving students hacking into school computers to change grades and alter schedules. In an attack at Kennesaw State University, the hacker managed to change his and some other students’ grades but failed to disable or alter the automatic messaging that informed the professor of the change, which led to the attacker’s arrest. The sad truth is that it is no longer unusual to see schools reporting such grade-changing hacking. Moreover, you can find hackers online who advertise that they can change the grades of students in any school or university. What we don’t know is how many hacks have succeeded and have not been noticed. I have yet to see anyone hacking a university to give themselves a fake degree, but this is not necessary as fake degrees from every Ivy League college are available for purchase in the deep web.
There is a demand in the deep web community for hackers who can break into police databases and change criminal records. This has reportedly been done in at least one instance. In this case, a hacker supposedly broke into police records related to the Orlando terrorist attack and attempted to change evidence to influence the investigation. “The FBI has detected some strange activity on the transcript. A hacker has been tracked from a Muslim region of Indonesia. He has tried to edit and remove all major key points.” Whether this really happened or not is difficult to confirm; however, the possibility of such data altering hacks is valid.
Other motives for altering data can involve companies or countries trying to undermine each other to gain a competitive edge. Altering production parameters could result in a company producing a defective product, for example. The Stuxnet malware altered the operating parameters of Iran’s centrifuges and destroyed them by making them spin out of control.
Intercepting and altering news feeds can create chaos and undermine journalistic credibility. It could get to the point where there is a general loss of confidence in anything we hear reported. Fake news has caused the stock market to plunge before and will probably do so again. If those making the fake news knew that it would cause such a reaction, they could profit from it.
Comey’s quote cited at the beginning of this post should be taken seriously because, in the past, Comey has often hinted at things that he already knows. In other words, data manipulation by hackers is already going on. The problem is that it is much harder to detect than something like theft. Expect to hear stories about such hacks making the news in the near future.