What the Sands Hack Can Tell Us about Persistent Infosec Threats

We tend to think of cyberspace as a domain where speed is of the essence. Data can be sent round the world in an instant, and response times to digital attacks need to be measured in milliseconds if they are to stand any chance of affording significant protection against the threat. In the wider information space, too, public-relations departments need to be poised to spring into action to put a corporate narrative back on track if a social-media rebellion threatens to undermine a commercial strategy – “getting ahead of the story” is all part and parcel of the mitigation strategies companies need to have ready to go if the brand is under attack in the Twittersphere.

So news this week about a cyber attack on the websites of the Las Vegas Sands Corporation is particularly interesting, as it appears to question many of our conventional assumptions about speed in an information-security context.

The Sands’ website was attacked on Tuesday, February 11th, with what appears to have been a sophisticated and well-executed hack which not only took down the casino-hotel chain’s home page, but also published names, email addresses, job titles and social security numbers (the US equivalent of Britain’s national insurance numbers) of an unspecified number of Sands employees. The site was made to, literally, fall apart – videos of the hacked page show the corporate graphics collapsing – before the screen switched to a map of the world, showing Sands locations ablaze. The company soon regained control of the public-facing part of the site and removed the anti-Sands material, but, as of this writing (around 5pm GMT on February 13th, two days after the attack) the home page was still down, with an “under maintenance” screen (screen-grab shown above) listing phone numbers for the company’s two Las Vegas properties, two other US locations, and their five properties in the Chinese territory of Macau.

It is going to be difficult to calculate the losses that have been incurred, but Las Vegas hotels have long led the world in sophisticated computer algorithms that carefully calibrate room rates with demand, effectively running an automated and constantly updated discount scheme that is designed to keep hotels at maximal occupancy rates (and therefore to keep a steady flow of business through the on-site casinos). So while a two-day outage would be bad news for any hotelier’s website, for one of the powerhouses of Vegas, it’s going to be worse. Additionally, according to information given to the Las Vegas Review-Journal, the company’s email network was also down, which will have had an obviously disruptive impact on how the business runs internally, never mind how it handles relationships with customers.

So the speed with which the Sands’ IT teams have been able to respond hasn’t been the best; but what is even more interesting is the time lag between the event that appears to have provoked the attack, and the moment that the hack took place. The graphics on that burning-hotel screen also include a photograph of Sands chairman, Sheldon Adelson, alongside Israeli leader Benjamin Netanyahu: and a message on the defaced page refers to a speech Adelson gave in August last year in which he suggested that Israel should consider using a nuclear weapon against Iran. Of course, it could all be a false-flag operation: maybe the hackers are commercially motivated, and were acting in response to more recent comments Adelson has made, about his determination to stamp out online gambling. Posing as pro-Iranian hacktivists would certainly help throw investigators off the scent, at least for a little while. But if the hack can be taken at face value, it asks some discomfiting questions.

The date of the hack may have some significance: February 11th was the 35th anniversary of the day the Iranian Army stood down and the Islamic revolutionaries took control in Tehran. But, even if they’d been thinking about it, it’s unlikely anyone in the Sands’ internal security team would have had reason to feel the company was likely to become a target on that day in particular. Adelson’s comments, ill-judged and intemperate though they clearly were, will likely have caused web security teams to be on guard for just this type of retaliation – but, after six months, you could have forgiven them for thinking that the threat had long since passed.

We’re used to thinking of APTs as being the preserve of state-on-state or state-on-multinational actors trying to acquire strategic information or steal secrets: but the Sands looks like it’s just been hit by an attack that was not only advanced enough to take out a sophisticated and commercially vital website for days, but sufficiently persistent for its instigators to have patiently bided their time. We may find out that the attackers had been inside Sands’ systems for months, working out how to do the most damage possible, and preparing the battlespace to maximise their impact (though it’s also likely that details of the attack may never be made public). The lessons for security professionals around the world are stark, and sobering: never think it’s over, never let your guard down, and if an executive says something daft in public, assume that something really bad will result – even if that day may be months, or even years, down the line.

 
