Special report: How gangs of cyber pirates are attacking like never before

The White House calls it a “rising national security threat”. The US Justice department has been instructed to treat it as seriously as terrorism. And President Joe Biden is to raise it with Vladimir Putin at a high-stakes summit in Geneva next week.

Ransomware – cyber criminals forcing companies to pay millions for the return of stolen data – has reached heights of greed, audacity and reach unmatched in criminality since the heyday of Somali piracy.

Now, the gangs are posing such a threat to the infrastructure of modern civilisation, including the supply of food, energy and healthcare, that the director of the FBI has compared it to the 9/11 terror attacks.

“There are a lot of parallels, there’s a lot of importance, and a lot of focus by us on disruption and prevention,” Christopher Wray said in an interview with the Wall Street Journal this week.

Cyber security experts say attacks have mounted rapidly since 2019. Britain’s National Cyber Security Centre says its incident management operation handled more than three times as many ransomware incidents in 2020 as the year before.

And the events of the past few weeks have prompted alarm at the top of Western governments.

Since April, ransomware hackers have targeted Quanta Computer, a Taiwanese firm that supplies Apple; ExaGrid, a US firm that provides backup data storage (ironically, partly as insurance against a ransomware attacks); the Colonial fuel pipeline in the United States; Ireland’s healthcare system, which saw its systems frozen for a full week; New Zealand’s Waikato District Health Board; and France’s Axa insurance group, which had days earlier said it would no longer offer coverage against such attacks because of a French government warning against paying ransoms.

The most recent attack, on May 30, forced the multinational meat supplier JBS to shut down cattle slaughter in Australia and the United States.

Malicious programs that encrypt computers and force the owner to pay a fee to get their data back have been around for years. And from the programming point of view, little has changed.

“Ransomware is just malware – viruses and Trojans like we’ve known before. Nothing remarkable from a technology point of view,” said Charl van der Walt, global head for security research at Orange Cyber Defence. “The innovation is in the crime part, not the cyber part.”

Van der Walt identifies three shifts that have contributed to today’s crisis. The first was the emergence of Bitcoin and other cryptocurrencies in 2012, which suddenly provided a secure way of monetising large sums without using international bank transfer and credit card systems that could easily be traced or shut down.

That fuelled the rise of what hackers call “big game hunting” – targeting major firms, freezing their entire data systems, and demanding hundreds of thousands or even millions of dollars in ransom.

The second shift came around 2019, when a criminal group called Maze added a second threat: if payment was not prompt, they warned one victim, they would no only withhold the decryption key but leak hundreds of gigabytes of sensitive commercial data on to the internet.

This double extortion was designed to defeat companies who had conscientiously kept off-line backups of their data, and it was a feature of all the recent high-profile attacks.

The hackers who targeted Ireland’s health system last month eventually handed over the decryption tool for free – but warned patient data would still be leaked if a cash settlement was forthcoming.

The third shift was the evolution of opportunistic criminality into a sophisticated industry employing multiple highly skilled specialists.

Again, the parallel with Somali piracy is striking, says van der Walt.

A typical operation today will see an “operator” build code and infrastructure for an attack, then hire affiliates to carry it out in exchange for a share in the profits.

The affiliates in turn might turn to “initial access brokers” – hackers who specialise in gaining access to the systems of potential targets and auctioning that access to the highest bidder. Others specialise in laundering the proceeds.

Paul Chichester, the NCSC director of operations, urges companies and individuals to make themselves hard targets.

“It is vital that preventative measures are put in place, including additional security around sensitive data and up-to-date offline back-ups,” he said.

Others have urged a war on cryptocurrency that would emulate the crackdown on payments via the international banking system which destroyed the Russia-based Viagra-spamming empires in the late 2000s.

Paul Weaver, a security researcher at International Computer Science Institute in Berkeley, argued in a blog last month that such payment interdiction also proved effective against an earlier ransomware epidemic in 2012 and 2013.

Russian hacking incidents

July 2015
Email accounts belonging to Islam TV, a UK-based station, are accessed. The UK’s National Cyber Security Centre (NCSC) says it has “high confidence that the GRU was almost certainly responsible”.

June-July 2016
The United States’ Democratic National Committee (DNC) is hacked, and its documents were published online. The UK’s NSCS says it believes Russian intelligence services are responsible.

November 2016
Election systems in all 50 US states are targeted by Russia, in a hack that was undetected by the states and federal officials at the time.

June 2017
On the day of the 2017 General Election, Russian hackers use fake Microsoft Word documents to break into the computers of people working in the UK energy industry.

August 2017
A number of medical files of international athletes are released after the World Anti-Doping Agency (Wada) is hacked. The NCSC says that Russia’s GRU was almost certainly responsible.

October 2017
Home and small business routers worldwide are infected with malware. The UK Government says the infection could have allowed attackers to control infected devices.

March 2018
The US government releases a report that accuses Russia of a hacking campaign to infiltrate the United States’ “critical infrastructure”: power plants, nuclear generators, and water facilities.

March 2018
Russia’s GRU carries out an attempted “spearfishing” attack on the Foreign Office, the UK Government says, but is repelled.

April 2018
The Ministry of Defence’s Porton Down laboratory targeted in the wake of the Skripal poisoning in Salisbury. The facility is used to analyse samples from the incident.

October 2018
The GRU is again accused of carrying out a swathe of attacks in the UK and abroad on political institutions, financial systems, transport networks and the media.

November 2019
Jeremy Corbyn brandishes hacked documents from the UK Government as part of Labour’s election campaign. A statement released by Dominic Raab, the Foreign Secretary, yesterday accused “Russian actors” of amplifying the documents.

The British government officially takes a strong line against paying cyber ransoms. There is evidence that could eventually defeat the market, but others are sceptical.

Experience of dealing with real life kidnappers suggests payments will occur under the table even if officially banned when victims have no other choice.

In the end, it is a diplomatic problem.

Almost all the prominent groups involved in the recent surge of attacks are run by native Russian speakers and based in the former Soviet Union. The other major source of ransomware activity is North Korea, but Russian speakers have dominated the recent wave of large scale attacks.

Biden has been careful to say there was no evidence the Russia government was behind the recent spate of attacks.

But many Western cyber security experts and officials assume the gangs enjoy some level of protection – or at least indifference – from the Russian state. And Biden is expected to raise the issue directly with Vladimir Putin at their summit in Geneva on June 16.

Source: Read Full Article