Digging Deeper...

Cyber hackers will be a menace to U.S. economic and national security for the foreseeable future. Ransomware attacks could be a daily occurrence in five years, warned Army General Paul Nakasone, director of the National Security Agency, at a conference earlier this month in Washington, D.C. That’s why he and his top brass at the U.S. Cyber Command have launched a “surge” operation against ransomware enemies. The strategy is to discover and understand the methods ransomware warriors use so businesses, hospitals, schools, governments and individuals can initiate tactics to pursue, capture and neutralize the hackers. In his remarks at the symposium hosted by cybersecurity firm Mandiant, Gen. Nakasone referred to hacks perpetrated on Colonial Pipeline and JBS last spring that disrupted fuel and food supply chains. “Ransomware,” he declared, “is a national security issue.”

Dennis McLaughlin, McLaughlin Writers LLC – Sources: Sophos Group PLC, Abington, England, “Whitepaper May 2021” (available at www.sophos.com); Mandiant, Alexandria, Virginia; Wall Street Journal, September 7, 9, 2021; Vanson Bourne Research, U.K.; Tom Bienkowski, RSS Feed, May 24, 2021.

Hackers Beware

October is National Cyber Security Awareness Month. It was established in 2004 by the National Cyber Security Division of the Department of Homeland Security and the nonprofit National Cyber Security Alliance. But hundreds of corporations, cities, public utilities and hospitals, among other organizations, have been well acquainted with ransomware attacks for quite some time. And this year’s high-profile hacks of Colonial Pipeline and food processing giant JBS made the general population even more aware of the damage ransomware causes – especially when it’s their energy needs and food supply in the crosshairs.

But how do you really measure that level of awareness? Well, you can start with the general ledgers of corporations. Their executives and boards of directors have increased spending this year on cybersecurity. At the same time, companies that provide cybersecurity systems and highly skilled professionals are seeing a heavy rush of cash from venture capitalists. Investors have plowed $12.2 billion into worldwide cybersecurity startups and established businesses so far this year, according to Preqin, Inc., a global assets data analyst. That’s over $2 billion more than in 2020 as a whole.

Some of the biggest beneficiaries of the influx of investment capital could be the cybersecurity specialists themselves. Chief information security officers (CISOs), senior-level executives within an organization who are responsible for protecting the company’s information assets, are earning a median annual salary of $509,000 this year, up from $473,000 in 2020, says executive search firm Heidrick & Struggles International. Cyber insurance brokers aren’t doing badly, either. According to management broker Marsh, average U.S. cyber insurance rates rose 56% year over year in the second quarter. Marsh attributes the increase largely to a boom in ransomware attacks on businesses.

More Work To Be Done

Increased investment and budgeting for cybersecurity notwithstanding, there are still challenges facing U.S. industry and institutions. Mandiant, based in Alexandria, Virginia, estimates that nearly half a million cybersecurity jobs remain open. There are not enough trained cybersecurity technicians and experts to fill them. At the same time, as cybersecurity positions remain unfilled, cyber criminals are honing their own skills and developing advanced, unpredictable hacking tactics, techniques and procedures.

To keep pace with ransomware warriors, U.S. companies and organizations need to implement strategies that involve training their security teams to develop and improve problem-solving and critical-thinking aptitudes. Efforts toward that end are underway. Initiatives include a task force formed by the Justice Department and an executive order from President Joe Biden directing federal agencies and contractors to overhaul their cyber defenses. In September, the Treasury Department issued sanctions against a Russian-operated cryptocurrency exchange, which it accused of facilitating ransom payments to cybercriminals. In late September the Biden team announced the U.S. will convene a summit of 30 nations before year’s end to discuss how international cooperation can mitigate the impact of cybercrime.

During the Mandiant conference, Deputy National Security Advisor Anne Neuberger explained that the upcoming 30-nation summit will focus on setting international norms for cyber activities, financial regulation for cryptocurrencies, law-enforcement partnerships and building resilience against cyberattacks. “One of the things that we really want to accomplish together in cybersecurity,” she said, “is to be fighting different fights in six months [to] a year.”

A New Kind Of Villain

To be fighting a different fight, the action has to be proactive. Kellen Dwyer, a former U.S. Department of Justice attorney involved in several cyber and national security activities, said in a Wall Street Journal piece (September 7, 2021), “Whenever the Justice Department has confronted a new and sophisticated criminal threat, it has focused its resources on proactive rather than reactive investigations and reorganized itself accordingly.”

Dwyer previously served in the Justice Department in several cyber and national security roles. As an assistant U.S. attorney in the Eastern District of Virginia, he obtained a computer hacking indictment against Julian Assange and represented the United States at Assange’s extradition hearings in London. He received the Attorney General’s Award for the trial of a Russian hacker who helped develop malware used in one of the largest data breaches in U.S. history. Dwyer also prosecuted Aleksey Burkov, a Russian hacker whose arrest in Israel triggered a high-profile tug-of-war between the U.S. and Russia.

“Proactive investigations,” Dwyer wrote, “start with known or suspected criminals and seek proof of specific crimes they may have committed, as well as intelligence on the criminal apparatus that supports them, such as who supplies them with necessary tools and contraband, how they communicate and how they move their money.”

A successful ransomware attack requires three critical components, according to Dwyer:

  • Access to compromised computers

  • Malware to remotely encrypt the victim’s data 

  • Means to receive and launder ransom payments. 

Cybercriminals who specialize in each of these areas abound. And they are apt to convene cybercrime forums that bring all of these elements together. Indeed, ransomware gangs typically don’t breach computer systems themselves. They create the malware needed for such attacks and lease it to low-skilled “affiliates” in exchange for a percentage of the take. 

Contrary to popular stereotype, ransomware attacks are not necessarily committed by lone wolves with exceptional computer savvy. “In reality,” Dwyer says, “most hackers don’t have the technical sophistication to create malicious tools that are essential to their trade.”  They rely on enterprises known as ‘cybercrime-as-a-service’ (CaaS) organizations. The CaaS business model includes malware developers, hackers and shady staffers involved in promoting, selling and distributing hacking tools and services on the dark web. 

The ominous-sounding dark web is indeed shadowy. It is the part of the internet that houses hidden sites which can’t be visited through conventional web browsers. Sites on the dark web use encryption software so visitors and owners can remain anonymous and their locations unknown. It is home to illegal activity such as prohibited drug and gun sales, illicit pornography and the sale of stolen credit card and Social Security numbers.

But for the record, not all that takes place on the dark web is sinister, malevolent or menacing. Dissidents fearing political persecution by their government might use the dark web to communicate with each other. For the sake of ultimate privacy, an individual might seek medical advice while remaining unidentified. Journalists might use the dark web to keep sources anonymous.

Good Guys Take The Gloves Off

Like criminal organizations in the physical world, however, cybercrime organizations can be infiltrated. Law enforcement can learn where an organization meets, how it communicates and where it stores information. It can place undercover agents in the organization or arrest members and persuade them to inform on others. Members of cybercrime organizations who cannot be tied to particular hacks can be targeted for “sting” operations or charged with conspiracy.

An increase in proactive investigations into CaaS organizations could cripple the ecosystem that enables ransomware. Indeed, fewer than 10 strains of ransomware were responsible for most of the attacks committed in the past six years, and just five cryptocurrency exchanges received 82% of funds extorted by ransomware, according to blockchain analysis firm Chainalysis Inc.

Such investigations also could yield valuable intelligence. If investigators arrest malware developers, they are likely to learn about their hacker-clients. If a cryptocurrency exchange that caters to criminals is taken down, investigators will find leads on ransomware gangs that used its services. This sort of intelligence building pays dividends, says Dwyer. “When an attack happens, you know where to look and, ideally, already have gathered evidence on the suspects.”

To pursue a proactive approach, investigators will have to add cyber prosecutors and agents and give them the resources to conduct long-term investigations. They could be organized into “strike forces” focused on particular regions of the world in much the same way the Organized Crime Drug Enforcement Task Forces have prosecutor-led strike forces that conduct intelligence-driven, multi-jurisdiction investigations into priority targets and their affiliate financial networks.

But the real battle for cybersecurity should be fought in the confines of all companies and organizations. Security and business continuity planning should be ingrained in every enterprise’s corporate culture. This planning should include a cyberattack response plan and other “war-gaming” activities. In addition to creating a rapid response plan, reporter Tom Bienkowski in a May 24, 2021, release from RSS Feed says, “It is advisable to conduct extensive employee training to stand as a line of defense against cyberattacks. Good cybersecurity practices must be reinforced across all functions of every organization. Leadership should set an example, demonstrating a commitment to security that sets a tone for the business.”


Beware of 10 Types Of Hackers

Hackers are computer-savvy people with bad intentions. That’s how India-based JigSaw Academy, a data science institute, sees them. But they’re not all cut from the same cloth – or wearing the same hat. In March 2021, the Academy published an article by cyber data specialist and computer engineer Ajay Sarangam, who catalogued ten types of hackers. Here is a synopsis of his profiles:

  1. White Hat Hackers – known as ‘ethical hackers,’ they are professionals with expertise in cybersecurity who work with governments and organizations to hack their computer systems to discover loopholes and weaknesses, and to build better firewalls to lower or eliminate ransomware attacks and other intrusions.

  2. Black Hat Hackers – hack into organizations’ networks to steal bank data, funds or sensitive information. They use the stolen resources for their own profit, selling them on the black market or using them to harass their target for ransoms.

  3. Gray Hat Hackers – are not out to rob targets or to help people and institutions. They could be considered sport hackers; they enjoy experimenting with systems to find loopholes, crack defenses and have fun.

  4. Script Kiddies – are juvenile amateurs using ‘scripts’ from other hackers. Their motivation is attention. Standard Script Kiddie attacks are Denial of Service (DoS) and Distributed Denial of Service (DDoS), during which they flood an IP address with so much traffic that the site collapses. Such attacks might occur on Black Friday shopping websites.

  5. Green Hat Hackers – are learning the ropes of ransomware attacks with the intention of profiting from them; they welcome opportunities to learn from experienced hackers.

  6. Blue Hat Hackers – want to learn the trade not for profit, but rather to gain popularity or settle scores with rivals.

  7. Red Hat Hackers – focus on stopping black hat hacker attacks. They can be quite ruthless when counteracting black hat malware.

    These seven types are the ones broadly referred to in the cybersecurity world, notes Ajay Sarangam. The three types below, he says, work in different capacities.

  8. State/Nation Sponsored Hackers – attempt to acquire information about other countries to protect national interests and/or to help ward off aggressive actions.

  9. Hacktivists – target government websites and networks to obtain data in government files for personal or social gain.

  10. Whistleblowers – are individuals working in an organization who attempt to expose the organization’s confidential information, possibly because of a personal grudge or to bring to light illegal activities within the organization.

Who Got Hacked, Who Paid, Who’s Next

Earlier this year (in January and February), Sophos Group PLC, a security software and hardware company based in the U.K., commissioned independent British research firm Vanson Bourne to survey 5,400 IT decision makers across 30 countries to learn more about their actual encounters with hackers and ransomware attacks, and how they dealt with them. Sophos develops products for communication endpoint, encryption, network security, email security, mobile security and unified threat management.

Here are some key findings that emerged from the survey:

What Industries and Groups Were Targeted in 2020?

Percentage of Respondents 

  • Retail - 44% 

  • Education - 44%

  • Business & professional services - 42%

  • Central government & NDPB - 40%

  • IT, technology & telecoms - 37%

  • Manufacturing & production - 36%

  • Energy, oil/gas & utilities - 36%

  • Healthcare - 34%

  • Local government - 34%

  • Financial services - 34%

  • Media, leisure & entertainment - 32% 

  • Construction & property - 31%

  • Distribution & transport - 25% 

What Industries and Groups Paid Ransom?

Percentage of Respondents 

  • Energy, oil/gas & utilities - 43%

  • Local government - 42%

  • Education - 35%

  • Healthcare - 34%

  • IT, technology & telecoms - 32%

  • Business & professional services - 32%

  • Retail - 32%

  • Construction & property - 28%

  • Financial services - 25%

  • Manufacturing & production - 19%

What Industries and Groups Expect a Ransomware Attack?

Percentage of Respondents  

An average of almost half of the respondents surveyed said they expected, or wouldn’t be surprised, if their company or organization were hit with a ransomware attack in the near future. They cited the growing sophistication of hacking technology as the reason for their concern.

  • Manufacturing and production - 60%

  • Healthcare - 55%

  • Central government and NDPB - 54%

  • Construction and property - 51%

  • Energy, oil/gas and utilities - 51%

  • Financial services - 47%

  • Retail - 47%

  • Distribution and transport - 46%

  • Education - 46%

  • IT, technology and telecoms - 46%

  • Local government - 43%

  • Business and professional services - 40%

  • Media, leisure and entertainment - 40%