By Lari Luoma, Check Point Software, Cyber Security Evangelist.
According to recent reports by Check Point Research and HP, nation-state cyber attacks are on the rise. While governments have always maintained cyber espionage operations, what is new is that now state-backed actors attack organizations to steal business information, plant ransomware or to disrupt critical infrastructure, like power grids and the food industry.
In the past, cyber attack motivation was largely financial, but today geopolitics plays an outsized role.
Geopolitics, critical infrastructure and cyber security
In April and May of 2022, hackers launched a ransomware attack on Costa Rica that targeted nearly 30 government institutions in the country, including the Ministry of Finance, the Ministry of Labor, the Ministry of Science, the National Meteorological Institute, and the Fund for Social Development and the Fund for Family Allowances. Eventually, criminals threatened to oust the country’s legal government if it didn’t pay $10 million in ransom.
As a consequence of the attack, the government had to shut down computer systems used to declare taxes and other control, and those used for management of imports and exports, causing $30 million in losses per day. The attack also forced the Costa Rican Social Security Fund to turn off its critical systems, impacting on the government’s ability to pay social welfare and other benefits. Additionally, about 16,000 government workers had problems with salary payments and about 3,000 of them did not get any pay at all. Eventually, the President of Costa Rica declared a state of emergency.
Costa Rica was attacked by two Russian criminal groups called Conti and Hive. It is unclear as to how different these groups are, as it turned out that many Conti members had moved to Hive after Conti announced its full support for Russia’s war against Ukraine. The attack on Costa Rica is possibly the most significant ransomware attack to date.
Besides ransomware attacks, there are also other types of dangerous cyber attacks, which have targeted and continue to target critical infrastructure services, such as nuclear power plants or nationwide power grid control systems. These kinds of attacks can have serious consequences that can lead to widespread power outages or accidents. Past examples of these kinds of attacks include the Stuxnet attack on Iranian nuclear facilities and the hack against the Ukrainian power company in 2022 and the Ukrainian power grid hack in 2015.
What is the risk to my organization?
Almost any kind of organization can be at risk of hacks by criminal groups, but due to the latest geopolitical tensions, government entities in certain countries may be at higher risk than usual. The criminals might not be after your money or your data specifically, but might be using your environment as an intermediate hop on their way to a more lucrative target. Criminals might also be interested in stealing the Personally Identifiable Information (PII) of your employees or customers or credit card numbers.
In general, criminals in the cyber underworld have business models and specializations in the same way that traditional businesses do. For cyber criminals, in a malware-as-a-service business model, the criminal organization that develops the malware does not necessarily carry out the attacks itself, but “franchises” the code to other criminals. When a franchisee uses the malware to carry out attacks, the developer organization gets a percentage of their profit. The developer organization also often provides technical support for their product and can be involved in the ransom negotiation process.
Getting access to victims’ systems is often the most time-consuming and difficult phase of a cyber attack. For that reason, there are some crime groups who are specialized in break-ins. Such groups are called Initial Access Brokers (IAB).
IABs are always looking for new breaches that they could exploit or servers with remote desktop access that they could use for initial access into the target organization. Once the IAB has broken into the system, they sell the access to other criminals who can use it for sending spam, planting ransomware, carrying out distributed denial of service attacks or other attack types.
One interesting Initial Access Broker was called Exotic Lily, which worked together with a Russian ransomware gang Conti (Conti group dispersed in May 2022 and its members moved to other crime groups). Exotic Lily’s main tactic to gain access to its victims’ networks was to create a trust relationship using social media, such as LinkedIn. Exotic Lily operators created authentic-looking social media profiles and AI-generated images of human faces. Eventually, they shared a malicious payload with their victim using a file share service, such as Google Drive or Microsoft OneDrive, which is how the victims became infected.
Ten low-cost methods to lower your risk of becoming a cyber attack target.
1. Make a plan and procedures. Create an emergency plan and incident response procedures. Make it easy for your employees to report any issues or suspicious behavior, emails or applications.
2. Do not share too much information on your website or blog. Before cyber criminals attack, they typically create a profile of their victims by using any publicly available information. Do not share information about your organizational structure or individual employees’ names, phone numbers or email addresses.
3. Evaluate your contractors. Require the same security practices from your contractors that you would from your employees. Evaluating is more than just requesting for them to sign the NDA. It is making sure that they meet the same security standards that the rest of your organization is held to.
4. Do not throw away anything that could be used to gain PII. It might sound far-fetched, but there have been cases where attackers have masqueraded as a cleaning company or garbage collectors and have gained access to company or customer information through un-shredded documents. Always shred documents that might have any value to an attacker before discarding them.
5. Implement least privilege policy. Each employee should only have access and privileges that are enough for them to do their work. This applies to physical security as well. When people leave the company or move to a different position, remove or change their access.
6. Educate your users about the dangers of social media and how to spot a social engineering attack.“Cat phishing” is not only an online dating phenomenon, but very much used among cyber criminals as well. Cat phishing means that the other party that you are engaged with is not who they say they are.
7. Decommission all unused systems. Nothing is worse than the forgotten Windows XP with remote desktop connection in the network. These are exactly the type of machines that attackers will scan first and use to compromise your network.
8. Create regular backups. This is of course a no-brainer. You should always make regular backups of your critical data. However, you should also make sure that you store the backups in a separate and secured segment of your network. This will increase your chances of keeping your backup data valid even if you are hit by a ransomware attack.
9. Change all default passwords in systems. Even if you have patched the system to the latest patch level, it won’t help if the adversary can log in with a default password. Always change the default passwords and enable dual factor authentication. Make sure to also implement these changes for internal applications and servers.
10. Train your staff. Make sure that everyone in your organization is trained and knows how to work in case of suspicious activity or a cyber attack. This means everyone from the cleaning staff to the CEO. Attackers will find the weakest link in your organization and will use it for their own gain.
Ten more technical methods to lower your risk of becoming a target of a cyber attack.
1. Patch your servers and applications. Make sure that you always install the latest vendor recommended software patches on your servers and applications. This applies to your cloud environment as well.
2. Secure network devices and wireless connections. As important as it is to patch servers and applications, it is also important to patch your network devices and to enable strong security on your Wi-Fi and other network access points.
3. Use multi-factor authentication (MFA) for all services, even for the internal ones. MFA will greatly improve your security. When a user tries to access a system, there will be a second level of authentication that arrives in the form of a text or push notification. Use this for your internal services as well. This limits an attacker’s ability to move from one system to another in case they manage to break in.
4. Segment your network. Segment your network by placing security controls in segment borders. This will limit lateral movement within your network.
5. Block external links from emails. Most attacks start with phishing, where an attacker tries to lure users to divulge sensitive information. Most commonly, phishing emails contain clickable links. By disabling the links, the users can’t click and get infected.
6. Scan email attachments and downloaded documents for zero days and block macros. One of the most common ways for malware to enter the organization is through the use of email attachments. Scan the attachments for zero days in an effective sandbox system to make sure they are clean. The most prevalent malware today, Emotet, initially infects computers by utilizing macros in Microsoft Excel or Word. Emotet is a very dangerous malware that is used to deliver other malware, such as ransomware, or to open backdoors into the system that make it easy for hackers to access the system later. You can also use a solution that will automatically remove the macros and/or turn documents into a PDF format before delivering them to the recipient.
7. Block outgoing connections to well-known command and control servers. Malware does not work, or at least its capabilities are limited, if it cannot get instructions from the attacker. In order to get these instructions, the compromised clients have to access Command and Control centers that the attacker has set up for the purpose of controlling the botnets. If you block this connectivity, you also limit the malware’s ability to function.
8. Implement effective endpoint security. Use a full endpoint security suite to protect your endpoints. If your suite includes anti-ransomware, even better.
9. Also protect your mobile devices. If mobile devices have any access to your internal network, they should be secured as well. This ensures that users do not have apps that try to steal information or other malware present in their mobile devices.
10. Establish a Security Operations Center or Managed Detection and Response (MDR). This is a continuous and real-time layer of defense that will hunt and report threats 24 hours a day.
During the last 18 months, cyber criminals have attacked independent states (Costa Rica and Peru), caused a shutdown of an oil pipe in US East Coast, halted production of the world’s largest meat processing company, and attacked numerous smaller targets. What is common among all of these attacks is that they have been carried out by nation-state backed criminal organizations whose motivation is not only money, but also acquiring reputations and showing off that they can do anything that they want to.
Most of the government and critical infrastructure sector attacks are initiated by email and if users do not click links or open attachments they are not certain about, the risk of getting hacked drops significantly. While you can never totally eliminate the risk of becoming a target, you can reduce it by taking the steps in this article. The first ten methods are low cost and not particularly complex.
In addition, if you also remove old and unnecessary services from the network and patch your servers and applications, you have come a long way in protecting against the attacks.
For more from Lari Luoma, please see CyberTalk.org’s past coverage. Lastly, to receive cutting-edge cyber security news, exclusive interviews, expert analyses and security resources, please sign up for the CyberTalk.org newsletter.