> Using that reading, which may be mistaken, I concluded that it is non-targeted.

That's a wrong reading. The attackers were specifically targeting Coinbase employees, although there were some instances where people with the same name and working in the same field (but not for Coinbase) got emails as well. The reason they say engineers clicked on a phishing link only on June 17 is precisely because it was a quality attack. The emails were personalized, written by a literate English speaker, and didn't contain any attachments or links at all initially. They only sent a link to an exploit after exchanging a few emails, confirming the target's identity and establishing a trusted relationship.

> Given the cost of these attacks it is massively profitable at this stage to continue upping the ante.

Sure, that's the general trend. But the cost of the attacks also rises due to software becoming more security-aware. Just the fact that all major browsers and Windows 10 have auto-updates enabled by default (and hard to disable) has basically killed exploit kits, although that was a booming market less than a decade ago. Legitimate security job openings have exploded as well (including remote positions), with the HR focus shifting from costly certifications to practical skills, which gives would-be hackers more possibilities to choose a lighter hat to wear. Bug bounties are a thing now, meaning people have new monetization opportunities for the vulns they discover. The Twitter community has matured and there are more than 365 security conferences a year held globally, meaning angsty teens have so many more ways to establish their street cred besides dark corners of IRC and anonymous imageboards.

Your simplistic analysis ignores all these factors. It's like completely ignoring logistics, supply chain and risk management in the real world, if you are one of these MBA types.

> allocate ~$10M and cause ~$10B in damages

Sure. Just like you can cause massive damage by starting a forest fire in dry season with just a box of matches. In the context of our discussion such estimations are non-productive as 1) they ignore other costs and risks that attackers need to account for; and 2) the ability to cause massive damage does not necessarily translate into the ability to extract similarly massive profits from the situation.

> they could hack every ship (...)

The examples that follow are laughable. You clearly know nothing about these systems. That's like being afraid that someone will hack your laptop and give you cancer by manipulating the display refresh rate. There certainly are problems with industrial control systems and critical infrastructure, but they are much more nuanced than the Hollywood-type hacking you predict. And no exploit is worth more than ~$1M (apart from military thingies), because 1) there are always multiple ways to enter and, as the result is the same, attackers usually choose the path of the lowest resistance; 2) at that price you can buy an insider that will just run your stuff directly or plug an LTE-enabled rPI into the network. And for the vast majority of modern real-world attacks the exploit is the most trivial/easiest/cheapest part. So well-protected systems are designed in such a way that even a malicious sysadmin would be able to do only so much damage before getting noticed and expelled from the network.
