The greatest threat posed by Internet hackers is no longer the quick crash-and-grab of valuable documents, Dmitri Alperovitch told the Maryland Cyber Council on March 17.

The co-founder and chief technology officer of CrowdStrike, the company that investigated the Russian hacking of the Democratic National Committee during the 2016 presidential election, said today’s cyber attackers are more likely to be agents of foreign governments who burrow their way undetected into sensitive websites for months.

They have developed ways to appear as legitimate administrators of the sites they infiltrate, Alperovitch said, and traditional defenses such as firewalls and anti-virus technologies are no longer effective against them.

Russian agents had been gathering intelligence inside DNC computers for nine months before the information was made public through WikiLeaks, he said, calling 2016 the “year of the nation-state breach.”

“Nation-states realize they can use this [hacking] not just for traditional espionage critical to national security, but also for economic espionage and for influence operations like the presidential election.”

Along with the Russians, China, North Korea and Iran are the most active nations involved in cyber espionage, he said.

The focus on prevention alone—building defenses around a computer system—has been “overemphasized,” Alperovitch said. He compared the approach to a security guard on the outside watching the door and waiting for the alarm to go off, while criminals already have disabled the alarms and are busy stealing everything inside.

But sophisticated foreign military and intelligence services do leave telltale signs that they have entered, he said.  After spending years developing techniques to get inside a computer, infiltrators don’t just abandon their tools. They use them again and again. That’s what makes it possible to identify the attackers.

When questioned about how CrowdStrike knew that it was Russian intelligence services behind the DNC break-in, Alperovitch explained that his investigators had seen the signs—that could be traced back to the mid-2000s—of similar attacks aimed at all kinds of U.S. government networks, the White House, State Department, Joint Chiefs of Staff and financial companies.

“We had worked a lot of these investigations and, as a result, we had gathered a lot of information on what kinds of tools they used,” he said.  “So, when we saw another intrusion, it was easy to map it back to things we had already seen and determine with a great deal of confidence that this was Russian intelligence services.”

Eventually, every intruder makes a mistake that can be detected and traced, Alperovitch said.

By example, he cited the investigation into a Chinese nation-state operation that targeted an American satellite communications defense contractor. CrowdStrike identified the malware used for entry.  Then, looking at similarities from other attacks, it found one case from the mid-2000s in which a domain was registered to a real person who had mistakenly used a real email address.

“We started looking at this person,” Alperovitch said.  “We found out he was a millennial working for the Chinese military.  He had a photo album on the web. One [image] was [of] a satellite dish outside of an office.

“Using Google Earth, we found the location in Shanghai, a military installation with guarded gates. We got the address from satellite reconnaissance and, through open sources literature in the Communist Party’s handbooks, we found that the location was the headquarters of the Liberation Army office responsible for satellite intelligence. That linked it right back to the victim.”

Alperovitch even had a picture of the hacker.

He said that he expects a significant increase in nation-state attempts to infiltrate U.S. computer systems.

For instance, though the Chinese reached an agreement with President Obama not to attack American commercial interests, Alperovitch said that could change quickly if President Trump launches a trade war.  The Chinese go for volume and every military unit has a cyber program, he added.

Also, Iran has stepped up its game. It has improved its cyber capabilities since its nuclear program was attacked by the Stuxnet virus in 2010. Iran has been launching “wiper attacks” on Saudi Arabia, which it sees as a competitor in the Middle East and a puppet of the United States, and has destroyed as many as 35,000 computers there by using malware to wipe out hard drives.

Russia has highly capable intelligence services that not only want to interfere with American elections, but also are looking to steal information in the financial, oil and gas, and pharmaceutical sectors to compensate for the Western sanctions that block legitimate means of obtaining information valuable to its economy.

And many people were shocked when CrowdStrike identified North Korea as the source of the Sony-Corporation attack because they thought of it as a backward country with starving people, Alperovitch said.  But North Korea is focusing its limited resources on its cyber offensive capability as well as its nuclear weapons program, and if tensions increase, it may launch attacks on the United States.

Of course, nation-state attacks are not the only threat. Alperovitch reminded that criminal adversaries are still as capable as nation-states when it comes to stealing hundreds of millions of dollars.  Criminal groups have developed “ransomware” that can shut down a computer system until a company pays a hefty ransom, usually in untraceable bitcoins, to get the system working again.

The news isn’t all bleak, he said. Microsoft has developed better software to stop attacks, and cloud-storage systems are far more secure than almost anything a small or medium-sized company can produce.

But, he added, most companies should assume the worst.

“There are only two types of organizations,” Alperovitch said. “Those who know they have been hacked and those who don’t know they already have been hacked.  The DNC didn’t know they had been hacked and called us in. Sure enough, we found the problem.”