Cipher Brief Expert Alex Creswell: He led an operational division at GCHQ and served in the Cabinet Office, managing the analyst team (the Joint Intelligence Organisation) that provided daily briefings and strategic assessments to the British Prime Minister for the National Security Council.
Expert perspective – On February 17, 2021, the Department of Justice and the FBI finally brought charges against three North Koreans from Lazarus, the group supported by the North Korean state that launched the 2017 WannaCry attack. It was a reminder of how far the cyber attack and defence picture has moved since that ransomware outbreak swept through the corporate world, crippling companies and hospitals.
The WannaCry event showed business leaders that they can become collateral damage in a nation-state cyber shootout. With the malware spreading across the globe, it almost certainly cost lives by delaying healthcare, and it surely caused billions of dollars in business interruption, infecting more than 200,000 computer systems worldwide. But the direct damage it inflicted was only a fraction of the subsequent losses from criminal hacker groups that launched WannaCry-inspired copycat attacks over the next five years.
Today, these criminal hacker groups are sophisticated, and WannaCry looks like a blunt tool by comparison. Nearly 20 criminal groups now use the internet to inflict heavy business losses on private sector companies in the United States every month. Their members operate overwhelmingly from Russia, Belarus and Ukraine. Together, they form a very lucrative ransomware and electronic extortion industry.
This is an interconnected community in which supply chains and operators work in specialized silos. Toolkit designers build malware exploits to sell to other hackers. Access brokers secure bridgeheads in victims’ corporate IT systems. Auction sites sell access points and snooping tools for others to exploit. Negotiators confront the victims in ransomware and online extortion plays. It is safe to say that very few participants who specialize in this industry will willingly change career path. They take risks, win recognition from their peers, thrill at taking down big-corporation victims, and earn sums that no other job where they live could offer.
But the flow of play is not going the criminals’ way, at least not in the United States. The 2020 cybersecurity industry metrics clearly show that for US companies generating more than $50 million annually, the incidence and severity of ransomware and extortion attacks are stable, and even declining in some sectors. The fourth quarter of 2020 saw a decline in activity across the board. Commentators attribute this to a number of factors.
First, there is no doubt that the largest US companies are now building better and more professional technology defences. At the same time, the hyperscalers that provide the bulk of corporate cloud-based platforms are investing more aggressively in threat monitoring. Between them, Microsoft, AWS, Apple and Google employ over 20,000 people in the digital security arena. They know that flaws in their cloud platform defences can lead to a catastrophic loss of trust and a haemorrhage of customers, so they make sure that it is extremely difficult for criminals to penetrate cloud-based services and to remain undetected once they get in. They are hiring the talent, including former government talent, that they need to achieve this. Another major factor in the lower incidence is the coordinated takedown of malware infrastructure by national cyber agencies. TrickBot, a widely used malware tool sold to attackers by its criminal developer group, was severely disrupted by what appears to have been several organizations working together ahead of the US elections in November 2020. Finally, some commentators see a political driver behind the decline in cyber attacks in the United States in the last quarter of 2020. They believe that the Kremlin, which provides what is called in Russian a “roof” (protection) for cybercriminals, held back new attacks on American targets, judging that this was not the right time to antagonize the incoming Biden administration.
Then, in the past few months, just as the general trend in cyber breaches had turned positive, two major events changed the calculus. In late November 2020 (Sunburst – SolarWinds) and again in February 2021 (Hafnium – Microsoft Exchange), American companies woke up to the discovery of two cyber attacks by government actor teams, one Russian and one Chinese. Yet although the national security impact of these two cyber events was significant, the direct commercial impact was very limited.
The two campaigns touched more than 60,000 companies across the United States, forcing C-suites to focus on the potential threat of business disruption. But although they sounded a wake-up call for all US companies, and hit the companies whose software was used as a vector (SolarWinds, Microsoft), the final financial losses for the majority of US corporate casualties were relatively low. This may be in part because the US government agencies and the central trade players involved clearly stated that they were determined to shut down any party attempting to exploit these breaches. CISA and USIC moved quickly to attribute the attacks and provide remediation guidance. FireEye, Microsoft, and others did a great job correcting the vulnerabilities and mitigating the threat.
So why should private companies still care about state-sponsored cyber interventions when the impact is so limited?
Here are some of the more alarming future trends to look out for.
First, we should expect cyber criminals to emulate the cutting-edge techniques that state teams demonstrated in their recently exposed campaigns. Over time, just as happened with WannaCry, criminals will reuse a version of the intrusion techniques used by government agencies. Expect them to focus increasingly on connecting points in the digital landscape such as Managed Service Providers (MSPs), and to make greater use of supply chain attacks. We expect the more sophisticated cybercriminals to become more determined to target humans as the weakest link in the corporate environment. They will get better at crafting phishing emails to deceive specific company decision makers, and if the prize is big enough, they will take a straightforward human-to-human approach to company employees.
This week, a Russian citizen pleaded guilty in a US court to traveling to the United States and offering a $1 million bribe to a Tesla employee to get malware installed on the intranet of Tesla’s Reno facility.
As I said at the beginning of this article, criminal hackers in Russia, Ukraine and Belarus are unlikely to choose to change profession even as the defences surrounding corporations grow higher. They will simply adapt to new technologies and switch to new, more vulnerable targets and markets. It is worth noting that the incidence and severity of ransomware and cyber-extortion attacks in continental Europe increased sharply during the fourth quarter of 2020 and the first quarter of 2021. European companies have less robust cyber defences than their US counterparts, and the political risks for Russian and Chinese hackers there are also lower. In 2021, an escalation of attacks in Europe to replace the cybercriminals’ lost US revenue looks a fair bet.
Read more expert-driven national security insights, perspective and analysis at The Cipher Brief.