Cybersecurity firms are booming thanks to Russian hackers
When the Democratic National Committee discovered in April that its computer networks had been hacked, leaders there did not just alert government intelligence. They called CrowdStrike, a five-year-old cybersecurity firm that makes millions from mercenary work sold with a promise: "We Stop Breaches."
The contractor last month revealed what it had found: Two Russian intelligence groups, code-named Cozy Bear and Fancy Bear, had spearheaded competing hacks over the last year using a barrage of malicious "implants" and "backdoors." CrowdStrike's experts knew the hackers well: They'd also recently infiltrated the White House, State Department and Joint Chiefs of Staff.
Their weapon of choice: The cybersecurity equivalent of "a neighborhood watch program on steroids," said CrowdStrike co-founder George Kurtz. That same offering has helped them turn their young business into a juggernaut, with sales of $100 million this year.
"Our clients now include the crème de la crème of companies," said Kurtz, a former chief technology officer of anti-virus giant McAfee. "From a growth perspective, it's just been explosive."
CrowdStrike is one soldier in a very new kind of army: private cyberdefense contractors. Their skill in fending off and eradicating hacks has become increasingly prized at the top echelons of American business following the crippling attacks on Target, insurance-giant Anthem and Sony Pictures -- the first time a foreign government targeted a U.S. company.
As payback for a movie poking fun at North Korea's supreme leader, state-sponsored hackers stole the studio's employee records, trade secrets and unfinished movies; shared embarrassing internal emails; and wiped thousands of computers and servers.
But the cyberdefense firms are also increasingly being called in to shield quasi-governmental agencies such as the DNC and American think tanks, which the company said are "highly targeted" by hackers aligned with nations such as Russia, China and Iran due to their stables of prominent experts and activists.
For companies such as CrowdStrike, the new age of information warfare -- and the ensuing climate of fear -- has led to a flood of cash. Analysts at research firm Gartner says the security-software market climbed to $22 billion last year, with sales growing by $1 billion for three straight years.
The growing business has also led to fierce competition in the cybersecurity industry, including with companies such as Cylance, ThreatConnect and Palantir. CrowdStrike said it would not share its client list or details of financial performance, but said it now works with three of the world's 10 largest companies and five of the world's 10 largest banks.
Their battlefield was made center stage on Wednesday, when Republican presidential candidate Donald Trump encouraged the Russian government to infiltrate and distribute private emails from his Democratic opponent, Hillary Clinton, a former Secretary of State.
"Russia, if you're listening, I hope you're able to find the 30,000 emails that are missing. I think you will probably be rewarded mightily by our press," Trump said during a news conference. "It gives me no pause. If they have them, they have them," Trump said later, when asked if his comments were inappropriate. "If Russia or China or any other country has those emails, I mean, to be honest with you, I'd love to see them."
Trump's comments came amid an FBI investigation into whether Russian state actors were responsible for stealing emails from inside DNC computers and distributing them ahead of the party's convention, a politically damaging move that forced the resignation of DNC Chairwoman Debbie Wasserman Schultz and could affect the election.
"This has to be the first time that a major presidential candidate has actively encouraged a foreign power to conduct espionage against his political opponent," Clinton's senior policy adviser, Jake Sullivan, said in a statement Wednesday. He added, "This has gone from being a matter of curiosity, and a matter of politics, to being a national security issue."
The DNC first alerted CrowdStrike of their breach in April, and within 24 hours a threat-analyst team installed software on DNC computers to examine the attack. The firm's report tying Russian intelligence to the hack has since been supported by other watchdogs, such as Fidelis Cybersecurity and Mandiant, and discussed as evidence in government officials' intelligence briefings.
CrowdStrike's report detailed the dossiers of the rival intelligence groups -- units of the FSB, Russia's state security agency, and the GRU, its foreign intelligence directorate -- and outlined the malicious code the hackers had implanted, marked by telltale "indicators of compromise." Dmitri Alperovitch, the firm's co-founder, also warned that "attacks against electoral candidates and the parties they represent are likely to continue up until the election in November."
"Our team considers them some of the best adversaries out of all the numerous nation-state, criminal and hacktivist/terrorist groups we encounter on a daily basis," Alperovitch wrote in a "From the Front Lines" report last month, entitled, "Bears in the Midst." "Their tradecraft is superb."
CrowdStrike actively tracks 80 global "threat-actor" groups, including Cozy Bear, that specialize in three tiers of modern cyberattacks: cash-seeking "e-crime," cause-centric "hacktivism"; and nation-state hacks, engineered for political warfare or espionage.
The groups' attacks are often advanced, though many carry fingerprints that can be linked to patterns in previous campaigns. CrowdStrike's main threat-tracking platform, Falcon Host, compares and maps 14 billion events a day into a global graph, using the same style of technology powering a social network like Facebook.
The firm's involvement in the DNC hack began as detective work, but teams there have claimed victory in repelling other attacks. CrowdStrike said last year that its "expert hunters" had successfully blocked a Chinese hacker group, called Hurricane Panda, attempting to blitz an unnamed American technology firm.
But the firms have also attracted criticism over the secrecy of their work. Threat-intelligence companies "have a particularly infuriating habit of being very public with their conclusions, but very secretive about their methods, data, and even malware samples," wrote Matt Tait, the founder of Capital Alpha Security, a U.K.-based consulting firm. That "actively frustrates independent corroboration, and doesn't inspire an enormous amount of confidence in their conclusions."
CrowdStrike's rapid growth has attracted big bets from American tech. The firm last year raised $100 million from an investment led by one of Google's venture-capital arms in the search giant's first cybersecurity deal. In an investment report, CrowdStrike said it had seen a 700 percent year-over-year increase in its deals of $1 million or more.
Companies such as CrowdStrike are also finding themselves increasingly tapped to safeguard the political establishment. Administration officials told The Washington Post that the DNC email dump could warrant raising parts of the electoral process to the level of "critical infrastructure," such as power grids, that receive special protection from cyberattacks.
"America is digitally exposed," Sen. Ben Sasse, R-Neb., said in a statement. "The United States must take serious offensive and defensive actions now."
CyberStrike now employs 440 engineers, threat analysts and other employees across the globe, including in offices in Silicon Valley, London and in the Washington-defense-contractor hub of Crystal City, Virginia. Many, Kurtz said, joined the firm following careers in American or foreign military and intelligence.
Often, the ties between the business and the military are sharply defined. Mandiant, a cybersecurity firm founded by a former Air Force officer, in 2013 linked years of crippling cyberattacks on American companies to a secretive hacking corps in China's military known as Unit 61398. Later that year, the firm was bought for $1 billion by FireEye, whose "Multi-Vector Virtual Execution" technologies last year earned special certifications from the Department of Homeland Security.
Military terminology is rampant in CrowdStrike's business model: Falcon Overwatch, the firm's "24/7 global team of expert adversary hunters," is named after the battlefield tactic of supporting allies by scouting and sniping enemies.
"As a company, we do have a strong mission focus, which is really protecting our customers from the adversary," Kurtz said. "When you have a purpose, which is to fight the bad guy, people take that very seriously."