Cipher Brief expert Alex Cresswell led an operations division of the GCHQ and served in the Cabinet Office, leading the team of analysts (the Joint Intelligence Organization) that provides the British Prime Minister’s daily briefing and strategic assessments for the NSC.
EXPERT PERSPECTIVE – On February 17, 2021, the DOJ and the FBI finally filed charges against three North Koreans from Lazarus, the North Korean state-backed group that launched the 2017 Wannacry attack. It was a reminder of how far both offensive and defensive cyber have come since that ransomware attack exploded into the corporate world, paralyzing companies and hospitals.
The Wannacry event showed business leaders that they could become collateral damage in the crossfire between nation states. As the malware spread around the world, it almost certainly cost lives through delayed healthcare, and it certainly caused billions of dollars in business interruption losses, infecting more than 200,000 computer systems worldwide. But the direct damage it inflicted was only a fraction of the subsequent losses caused by criminal hacker groups that launched Wannacry-inspired copy-cat attacks over the next 5 years.
Today, those criminal hacker groups are sophisticated, and Wannacry looks like a crude tool by comparison. Nearly 20 criminal groups now use cyber to inflict heavy commercial losses on US private sector companies every month. Overwhelmingly, their members operate from Russia, Belarus and Ukraine. Together, they form a highly profitable ransomware and cyber extortion industry.
This is an interdependent community in which suppliers and operators work in specialized silos. Intrusion set designers create malware and exploits to sell to other hackers. Access brokers secure footholds in victims’ corporate IT systems. Auction websites sell those entry points and the intrusion tools to exploit them. Negotiators confront victims with ransomware and cyber extortion demands. It is safe to say that very few participants who specialize in this field would ever willingly change career. They took risks to gain their experience, earned recognition from their peers, experienced the thrill of bringing down major corporate victims, and pocketed sums that no other job open to them could offer.
But the game is not all going the criminals’ way, at least not in the United States. The 2020 cybersecurity industry metrics clearly show that for US companies with annual revenues of more than $50 million, the incidence and severity of ransomware and cyber extortion attacks are leveling off. In some industrial sectors, they are even decreasing. The fourth quarter of 2020 saw a decline in activity across the board. Commentators attribute this to a number of factors.
The first is that there is no doubt that large US companies are now building better and more professionally monitored technical perimeter fences. At the same time, the hyper-scalers that provide most enterprise cloud platforms are investing much more heavily in threat monitoring. Among them, Microsoft, AWS, Apple and Google employ more than 20,000 digital security staff. They know that flaws in their cloud platforms’ defenses could lead to a catastrophic loss of trust and an exodus of customers, so they are making sure it is very difficult for criminals to breach cloud-based services and to go undetected once inside. And they are hiring the talent they need to achieve this, including people from government.
Another key factor in the decreasing incidence is the coordinated takedown of malware infrastructure by national cyber agencies. Trickbot, a popular malware tool sold to attackers by developers of criminal intrusion sets, was heavily disrupted by what appeared to be multiple organizations working together ahead of the November 2020 US election.
Finally, some commentators see a political factor behind the decline in cyber attacks in the United States in the last quarter of 2020. They believe that the Kremlin, which provides what in Russian is called a “roof” (protection) for cybercriminals on its territory, has discouraged new attacks on American targets, calculating that now is not the time to antagonize an incoming Biden administration.
Then, in recent months, just as the general trend in cyber breaches was turning positive, two major events changed the calculation. At the end of November 2020 (Sunburst – SolarWinds), and again in February 2021 (Hafnium – Microsoft Exchange), US companies woke up to the discovery of two cyber attacks by state actor teams, one Russian and one Chinese. Yet while the national security impact of these two cyber events was significant, the direct commercial impact was actually quite limited.
The two campaigns touched over 60,000 companies in the United States, forcing C-Suites to focus on the potential threat of business disruption. But while they were a wake-up call for corporate America as a whole, and hit the companies whose software was used as a carrier (SolarWinds, Microsoft), the underlying financial losses for most US corporate victims were relatively low. This may have been partly because the government agencies and US commercial actors at the center of the response made it clear that they were determined to shut down any party attempting to exploit these breaches. CISA and the USIC moved quickly to attribute the attacks and provide remediation guidance. FireEye, Microsoft, and others did a great job of fixing the vulnerabilities and mitigating the threat.
So why should private companies still worry about state-sponsored cyber intrusions when the impact is so limited?
Here are some more worrying future trends to watch out for.
First, we should expect cybercriminals to emulate the high-end techniques demonstrated by state teams in these newly discovered campaigns. Over time, just as happened with Wannacry, criminals will repurpose a version of the intrusion techniques used by state actors. Expect them to focus increasingly on hubs in the digital landscape such as Managed Service Providers (MSPs) and to make greater use of supply chain attacks. And expect sophisticated cybercriminals to be more determined to target humans as the weakest links in corporate perimeters. They will become better at personalizing phishing emails to fool particular business decision makers, and if the reward is big enough, they will make direct human-to-human approaches to company staff.
This week, a Russian citizen pleaded guilty in a U.S. court to traveling to the U.S. and offering a $1 million bribe to a Tesla employee to allow malware to be installed on the internal network of Tesla’s Reno factory.
As I said at the beginning of this article, hackers in Russia, Ukraine, and Belarus are unlikely to opt for a career change even as corporate perimeter fences grow higher. They will simply adapt to new techniques and move on to new targets and more vulnerable markets. Interestingly, the incidence and severity of ransomware and cyber extortion attacks in continental Europe increased significantly in the fourth quarter of 2020 and the first quarter of 2021. European companies have less robust cyber defenses than their US counterparts, and the political risk for Russian and Chinese hackers there has decreased. In 2021, a wave of attacks in Europe to replace the cybercrime revenue lost in the United States seems like a fair bet.
Read more expert-led national security insights, analyses and perspectives in The Cipher Brief.