Breached

“This … is … bad.”

The chief information officer at Liberty Global, Veenod Kurup, mouthed those words, mostly to himself, as he saw the Guy Fawkes mask of Anonymous appear in the YouTube video.

It was bad enough that there was an outage in the system, and a big one. Hundreds of thousands of homes and counting — eventually 2.2 million, or nearly two of every three of Liberty’s Netherlands broadband subscribers — were now essentially unplugged.

Worse, the cause wasn’t a late summer storm or a lightning strike, but something far more devious: a breach in the company’s cyber defenses through an overwhelming distributed denial-of-service (DDoS) attack on company servers.

Transfixed by the video, Kurup and other executives realized the unfolding tech nightmare was getting worse. It appeared to be the sinister work of Anonymous, the infamous global Internet vigilante group known for ferocious attacks.

The Liberty executives listened in disbelief in their offices near Amsterdam as the eerie synthesizer-distorted voice on the screen explained how the next attacks would be even harsher. The target: Liberty Global’s newly acquired Ziggo operations in the Netherlands.

The audio ended with a version of the group’s signature coda: “We are Anonymous. We are legion. We do not forget. We do not forgive. F---k your bad services. Expect us.”

When it ended, the room fell silent for a second.

Over the ensuing 72 hours of August 2015, a bizarre chain of events would leave Liberty executives flummoxed, and forever wary. The crisis would embroil an eclectic set of characters, including frazzled cable engineers, detectives with the Dutch Police’s High-Tech Crime Unit, cyber gumshoes at the National Cyber Security Centre, the digital vigilante group known as Anonymous, copycat hackers looking for Internet glory and the true perpetrators, who briefly evaded authorities despite their crude methods.

In bringing down Liberty Global’s Ziggo network, the criminals and the manhunt to capture them yielded some crucial lessons for the many media companies — indeed, any major industrial concern — that will inevitably confront this insidious peril of the Internet Age: that they will be victimized by a hacker or attacker hell-bent on stealing data, demanding money or bringing the system down.

Hacking is big business, and it’s getting bigger. Cybercrime inflicts annual costs to the global economy exceeding $400 billion, according to a study by the Center for Strategic and International Studies, sponsored by cybersecurity firm McAfee. Costs could reach up to $2.1 trillion globally by 2019, according to Juniper Research. Other estimates put the figure at a mind-boggling $6 trillion within five years, including lost productivity, fraud and post-attack disruption.

Cable operators and other ISPs rarely speak about cybercrime for fear of inadvertently revealing network vulnerabilities, but given the widespread, mostly unauthorized revelations about the Netherlands cyberattack, Liberty executives agreed to share limited details to clarify the episode.

Sometimes a breach occurs for all the wrong reasons. A company can do all the right things, create the best safeguards and vigorously review security, but may overlook a tiny flaw in the system.

Liberty’s network, like that of many ISPs, is attacked constantly in a variety of ways (see chart), but the attempts are kept at bay with increasingly sophisticated safeguards. Though outages at big ISPs from hackers are rare, the odds continue to grow in the hackers’ favor as digital commerce and cloud computing thrive. Wireless operations are, in many ways, even more vulnerable.

Evolving prevention and detection strategies are as elaborate as they are endless: “honeypots,” for example, are computer systems set up to act as a decoy to lure cyber-attackers and study their methods. Liberty had long ago implemented a holistic approach to security beyond just firewalls, with a 24-hour monitoring team in a global security operations center. Highly trained executives followed a thoughtful crisis-management process. Recent upgrades had already reduced malware infection rates by 25% since January 2015. With a comprehensive plan backed by best practices, the network security team was comfortable the company could withstand most cyber attacks.

THE ATTACK BEGINS

But last summer, a rupture suddenly and quietly appeared in the front lines. And like all successful attacks, the intruders caught the fortress completely by surprise. It was as if the cable giant had built reinforced steel walls with spotlights and guard dogs in front of the house and then left a window open in the new annex out back.

Around 9:30 pm on Tuesday, Aug. 18, Liberty technicians got word that Ziggo, an incumbent cable operator acquired by Liberty months earlier, was reporting outages.

Ziggo had only just begun the process of integrating its system into Liberty’s, but no matter: Liberty owned them now and complaints were lighting up call centers by the thousands. In just hours, hundreds of thousands of customers would be without broadband services.

Ziggo and Liberty engineers quickly huddled on a conference call to determine the cause of the outage. More often than not, the problem can be traced to an equipment failure. Not this time. Within an hour, the engineers, because of the mushrooming volume of outages, quickly realized Ziggo was under a distributed denial of service (DDOS) attack. This was a Priority 1 incident.

Liberty Global’s chief technology officer, Balan Nair, knew reaction time was critical. “The key to solving all this is a function of how quickly you react initially and how good your team is,” he said. “Up and down the ladder, everyone was taking this very seriously. They were burning the midnight oil on this.”

A distributed denial-of-service attack typically floods a company’s network by inundating it with connection requests, leaving the targeted server overwhelmed, a lot like Lucy at the chocolate factory, frozen by its inability to keep pace with commands. Often the culprit is using an army of hijacked Web browsers or malware-infected computers, or botnets. According to a report by TrendMicro Research, $150 can buy a week-long DDoS attack on the black market.

Indeed, DDOS attacks are common — Liberty, like many cable operators, fends off up to 10 Gigabits of DDOS attacks — per day. This particular attack targeted DNS servers, which redirect domain names to correct IP addresses. Social media chatter about the outage began building — for those that could still get online.

Social media, in fact, supplied the first clues to identifying the perpetrator. Several groups began to claim credit via Twitter. Then came the YouTube video. As it played against a still photo of a Guy Fawkes mask, the synthesized voice began its threat:

“We, Anonymous, have a message to company Ziggo … now we’re going to hold Ziggo offline for a few days because Ziggo offers bad service. This is the last warning. We are Anonymous. We not forgive. We do not forget. F---k your bad services. We are Legion. Expect us.”

Recalls Kurup: “That shook us to the bone.”

The nature of a DDOS attack is that it ebbs and flows, and by 5 a.m. on Aug. 19, several hours after the first thrust, the attack seemed to ebb with the countermeasures of Ziggo and Liberty engineers. Liberty executives breathed a moment of relief: Customers could be back online when they awoke.

The DDOS attack had not been so unique or complex, so why had the network become so suddenly vulnerable?

While the tech teams were puzzled at first, they soon realized the cause. Despite defenses that Liberty Global had in place, the firewalls in front of newly acquired Ziggo’s DNS servers had not been set up according to Liberty Global standards, and had collapsed. Firewalls prevent routine unauthorized access, but not the kind of voluminous attacks of the sort that targeted Ziggo.

Moreover, the attackers had caught Liberty at its weakest moment — in the middle of migrating an entire network. As the DDoS attack ebbed, Liberty and Ziggo engineers were left chewing on a tough question: how to instantly migrate Ziggo’s network into Liberty’s — usually a months-long task with tests, changes and documentation required — in one day.

The engineers hatched an audacious scheme. Senior managers, confident the team could execute, approved the plan instantly.

“They said, ‘You know what you need to do — do it,’ ” said Kick Fronenbroek, a senior security specialist for Liberty Global.

At some point on the second day, another threatening YouTube video surfaced. This one was more specific, and raised questions about the attacker’s true identity. Posted by someone ominously dubbed “AnonNazi,” it featured a crudely drawn, green, animated, hooded character with a synthesized voice, emblazoned with a banner with swastika icons.

The voice claimed full credit for the earlier attack, dismissing Anonymous. “Some other people are claiming it was Anonymous, but it was not. We attacked the DNS service because of the bad service that Ziggo provides …” AnonNazi boasted.

His next utterances were pointed.

“Because of bad service we want you to pay all of the customers all of their money back for about one week. If you don’t accept this, we will continue with more powerful attacks,” the voice threatened. “You have been warned.”

The question burning on everyone’s mind: if this wasn’t the real Anonymous, who in the hell had just brought down service to nearly 2 million homes? Executives at Ziggo and Liberty were baffled.

Around 4 p.m. on that second day, Aug. 19 — after the first attack, and before the migration of the network — there was another, more ferocious assault using a different entry method.

Again, consumers and businesses across the country were digitally stranded with no broadband service. In just 24 hours, the national network had absorbed two unprecedented cyberattacks. “We had outages before, but this is the first big one we had,” Kurup said. “Nothing like it before.”

That roughly 2 million customers were without broadband (TV service worked fine) was enough. But the self-proclaimed attackers, AnonNazi, took to social media to pour salt in the wound: Liberty stood helpless — for the moment — as a second wave of digital torpedoes directed by the same hackers penetrated the bulkheads.

“We now understand the weakness, but we also see that the system is allowing it to happen,” Kurup said. “We knew we could fix this problem.”

The crisis was escalating. On YouTube, Ziggo was threatened with new attacks. At the same time, the attackers announced a new target, KPN, a Dutch telecommunications company.

The Dutch Ministry of Security and Justice called the attack “serious,” and Liberty executives called in the High-Tech Crime Unit of the Dutch Police Services Agency.

A growing team of technicians were tackling the DDOS attack, and by the evening on the second day, had counteracted the menace of the incoming traffic. The traffic issue was becoming more manageable.

By about 3 a.m. on Aug. 20 — about 50 hours into the attacks — engineers had redirected the flow of traffic, essentially by offloading it to island data centers.

Working around the clock, the teams had finally migrated the network and successfully updated defenses. All mitigation steps in Liberty’s elaborate security protocol were in place. Engineers at Ziggo and Liberty were content for the moment. The back window was shut.

Although the attackers had managed to inflict inconvenience, the company had reason to be proud of how it battled back. Its fast reaction preserved customers’ data and privacy, and minimized downtime for countless business and residential subscribers. An endto- end security plan made the attack manageable. And the incident left Liberty’s security team with invaluable battlefield experience.

As Liberty stated in its annual report, “the overload impacted 2.2 million customers, yet within 24 hours, our teams were moving 130,000 customers per hour to more resilient infrastructure. Two days later, full service was restored.”

Liberty now was intent on winning the war. Fearing further attacks as a result of the threats hurled over YouTube, Liberty didn’t just drop the matter, as many corporate hacking victims do. The company pressed a criminal investigation, beginning a cat and mouse game to track down the culprits, while bracing for more attacks.

But a strange thing happened — nothing.

Much to the bewilderment (and relief) of executives, no large-scale DDoS hacking attempts were detected in the system. The threatened deadline came and went. Ironically, the hacker’s inaction provided a major clue.

Serious hackers, not to mention ransomware, vow a certain time for an attack — and stick to it. That this code was not honored virtually confirmed suspicions that Anonymous wasn’t behind the attack.

A subsequent Twitter post by AnonOps, which claims to have ties to the actual group, echoed many social-media commenters: “DDoS on #Ziggo is not an #Anonymous operation.”

HACKER VS. HACKER

Then the manhunt took a bizarre turn for investigators: the groups claiming credit for the attack began to insult and threaten one another on social media.

Some dismissed the poster AnonNazi as a pretender. Another self-proclaimed hacker, AnonymousScruggs, claimed credit for the attacks on Ziggo.

“They were having turf wars,” said John Fokker, who, with Ton Maas led the digital team for the High Tech Crime Unit of the Dutch National Police. “Most [professional hackers] are discreet about how they approach the company. They don’t have a beef on Twitter.”

Days later, on Aug. 26, a video narrated by the synthesized voice of a faint image, hooded and tinted purple, and posted by “Code Red,” drew Liberty’s attention:

The hackers began to “dox” one another, an attack wherein all of a target’s personal documents (email addresses, phone numbers and bank accounts) are released on the Internet. On the Twitter account of AnonNazi, a post read simply, “This account has been compromised by @BOEFII.”

Said another post by @BOEFII under a story about the attack on a media website in the Netherlands:

“I would like to thank everyone who participated in helping me to dox every single person from Anon_Nazi. They are destroyed and they will never cause any harm to Ziggo again.”

Had a bunch of glory-hungry hackers claiming credit for the same crime just turned on one another — outing each other in the process?

Top engineers at Liberty were left scratching their heads.

In addition to the police, Liberty called in digital detectives from the National Cyber Security Centre, which collects data and advises organizations on security, and a rapid response team from Deloitte, which focused more on forensics.

Over the next several days, Liberty engineers began turning over discs of data to investigators. Digital detectives scoured social media for clues, conducted interviews and studied logs of interactions between the Liberty/Ziggo servers and outside computers. Investigators searched for patterns and addresses that matched the information they were gathering about the attackers.

As the digital dust settled, Liberty executives reviewed detection and prevention measures all across the Liberty Global footprint. “We had already sanitized the entire system,” said Kurup.

Chasing the digital breadcrumbs, the public claims of credit, and the battle between the hackers, Fokker and Maas moved quickly and made two arrests early on.

Six weeks after the initial attack, on Oct. 7, 2015, Dutch police arrested four minors between 14 and 17 years old and one 21-year-old. The boys come from Berkelland, Lochem, Den Helder, Schoorl and Vinkeveen.

Police seized computers, mobile phones, external hard drives and USB sticks. The young suspects “wanted to show they were capable of having a major effect such as taking down an Internet provider,” the National Prosecutor’s Office said in a statement to Dutch media.

Under Dutch penal code, the suspected hackers face up to two years for the DDoS attack. Because of the extortion threats, they face a maximum of an additional 12 years behind bars. A trial date has not been set, but because of the suspects’ age, leniency will be sought.

Today, the Liberty and Ziggo engineers are sensitive about the incident. “If the same cast of characters had done this anywhere else in our global footprint — Germany, France, Belgium — it wouldn’t have even caused an outage,” said Kurup. “We would have intercepted it. It would have been logged as a routine attack.”

Kurup hopes the apprehension of the hackers, which made big headlines in the Netherlands, deters others. But no matter — the incident has made the entire company more vigilant, and that’s a good thing.

“It’s a constant battle,” Kurup said.

STATE of CYBERSECURITY

500M

Number of accounts that Yahoo said hackers had accessed containing passwords and personal details in 2016.

SOURCE : Yahoo

129%

Increase in DDoS attacks in Q2 2016 vs. Q2 2015

SOURCE : Akamai State of the Internet Security Report, Q2 2016.

45%

Increase in 2015 of detected security incidents over the year before for telecommunications companies.

SOURCE : PWC, The Global State of Information Security Survey 2016. Based on responses of more than 10,000 CEOs, CFOs, CIOs, CISOs, CSOs, VPs, and directors of IT and security practices from 127 countries.

100M

Number of fake tech-support scams blocked by Symantec in 2015, whereby pop-up error alerts steer victims to an 800 number where “tech- support reps” sell services.

SOURCE : Symantec

39%

Percentage of companies that cited “budget” as the biggest barrier to adopting advanced security processes and technology.

SOURCE : Cisco 2015 Security Capabilities Benchmark Study

54%

Percentage of companies that cited malicious software downloads as the leading cause of internal breaches.

SOURCE : Cisco Systems, Security Risk and Trustworthiness Study

93%

Percentage of cases in which it took attackers “minutes or less” to compromise systems. Organizations, meanwhile, took weeks or more to discover that a breach had even occurred — and it was typically customers or law enforcement that sounded the alarm, not their own security measures.

SOURCE : Verizon 2016 Data Breach Investigations Report

65%

Percentage of respondents who collaborate to improve cybersecurity and reduce cyber-risks, up from 50% in 2013.

SOURCE : PWC The Global State of Information Security Survey 2016, based on responses of more than 10,000 CEOs, CFOs, CIOs, CISOs, CSOs, VPs and directors of IT and security practices from 127 countries

HACKING 101: HOW TO GET IN

Cybercrime is any criminal act involving a computer and/or a network. Hacking is the unauthorized access into a computer system. Crimes can take any form, from outright theft of data or funds, damage to a network or harm to a reputation. Increasingly, one of the weakest links in security is the employee. Most attacks on companies involve some sort of malware, a broad term for malicious code, including Trojans, worms and viruses that steal or destroy data, often introduced through emails, downloads or other network weak spots. Some common terms below:

• “Phishing” attempts involve official-looking emails tempting employees to click on a link that can trigger countless malware possibilities. (Spear phishers focus narrowly on a single company or individual.)

Distributed Denial of Service (DDoS) attackers use multiple hijacked computers to push through a huge volume of traffic through the network until it becomes overwhelmed and no longer functions.

Botnets, also known as “zombie armies,” are groups of infected computers controlled by third parties for DDoS attacks or for distributing other malware.

Trojan attacks allow attackers to remotely steal data and manipulate the computer.

Ransomware demands a ransom after blocking access to the computer by encrypting files on the hard drive.

Spyware allows attackers to go undetected on infected computers to track users movements on the Internet, even keystrokes for theft of accounts, etc.

Adware redirects users to unwanted advertising.

SQL injection inserts a nefarious code in a website/’s entry field that allow attackers to manipulate or steal or destroy data.