‘NotPetya’ and ‘WannaCry’ cyberattacks on international government infrastructure and organisations a wake-up call
Following the ‘NotPetya’ and ‘WannaCry’ cyberattacks on the UK’s National Health Service, as well as the recent hacking of thousands of UK parliamentary email accounts, Security News Desk Sub Editor, Francesca Seden shines a spotlight on the growing cyber threats to global critical infrastructure from terrorists and hackers and explores how further attacks might be mitigated in the future.
It is arguable that cybercrime is the single biggest threat to the national security of nations and their critical infrastructure. As well as the attacks on hospital infrastructure, such as the ‘WannaCry’ outbreak on the UK’s NHS, Australian and US hospitals and other organisations, there have been numerous attacks on US state departments in recent years, including two on the US National Security Agency. Since then there has been a further ransomware attack, thought to be much more damaging and sophisticated, which targeted firms all over the world including UK agency WPP, Danish shipping and transport firm Maersk, food company Mondelez, and US legal firm DLA Piper.
And then there was also the hacking of 9,000 email accounts of MPs and their staff in the UK. The Russian government was thought to be responsible for this, along with its reported interference in the US presidential elections. All of these expose the serious vulnerabilities of global critical systems and government organisations, and show that cybercrime is now a serious threat not only to critical infrastructure but to western democracy itself.
The scale of the problem of malware and ransomware on which this feature will primarily focus is highlighted in part in a report by phishing threat management specialist, PhishMe which found 246 new families of ransomware in 2016, compared to just 29 in 2015. It also found that 97 per cent of phishing emails contained crypto ransomware.
On that particular and growing threat, Vectra Networks EMEA Director Matt Walmsley (pictured below right) says the “continued commercial development and professionalisation of the malware economy should be of great concern to policymakers and organisations.”
He comments that easy and often free access to malware code on the dark web continues to lower the barriers of entry to bad actors pursuing monetary or political gain.
“Command and control ransomware has emerged as one of the most popular and insidious forms of ransomware,” he continues. “This is primarily due to the disruption it can cause and its straightforward and profitable monetisation. More than ever we are seeing it used in attacks across the business community, taking advantage of ill-defended enterprises and holding precious assets to ransom in return for crippling sums.”
Duo Security Principal Security Strategist Wendy Nather (pictured below left) adds that another of the most significant cyber threats could arise from geopolitical conflicts being carried out between nation states, with businesses and other organisations caught in the middle.
“We have already seen the fallout from DDoS (Distributed Denial of Service) attacks against internet infrastructure,” she notes, “and we already know about the theft of trade secrets and corporate espionage. But if you put those together, you could have disabling attacks which are intended to cause financial losses and damage as a proxy for those nation states attacking one another directly.”
So the threats are numerous and complex, but understanding how cyberattacks can be mitigated and protected against must begin with exploring those areas of infrastructure which make the most tempting targets and those that are most vulnerable.
Those who carried out the ‘WannaCry’ attack (now thought to be North Korean), succeeded because the legacy Microsoft system, Windows XP, wasn’t sophisticated enough to contain and protect against the threat.
IBM UK & Ireland Security Strategy Risk and Compliance Lead, Luke Kenny (pictured below right), says that the most desirable targets are those with legacy infrastructure that is now connected, or digital industrial control systems which are typically found within the energy sector. He says that these types of systems need to operate 24/7 so any disruption can incur huge costs.
“The ‘WannaCry’ attack is an example of the type of damage that can be caused to any system of a mission-critical nature when specific vulnerabilities exist within that system due to legacy infrastructure,” he adds.
So the NHS was both a highly vulnerable target due its legacy infrastructure, and a highly desirable target because of the very valuable patient data contained within the system, and according to RepKnight CEO Tim Haynes, there were warning signs that “something as big as ‘WannaCry’ was going to happen”.
“The opportunity simply needed to be there,” he says. “Everyone knows that the NSA ‘cyber weapons’ toolset [where ‘WannaCry’ originated] is out in the wild now. Cisco and other big vendors have been patching their systems to prevent a compromise – and Microsoft released a patch and some mitigation advice in March 2017 for its Server Message Block (SMB), which was the vector used in the ‘WannaCry’ attack.
“As for why the warning signs weren’t acted upon, the NHS is a hugely financially constrained organisation. Justifying spending more on cybersecurity at the expense of patient care is a very tough choice to make – but it’s something that the NHS now can’t afford to ignore.”
Indeed, following the NHS attack, the Government was criticised for failing to invest in the IT infrastructure and Prime Minister Theresa May has pledged to invest more heavily in cyber protection.
But since then there have also been a number of questions surrounding this latest email hack of parliamentary email accounts, mostly focused on the strength of passwords and why proper procedures were not in place to ensure passwords were as strong as they could have been.
Kroll Managing Director, Cybersecurity & Investigations, Andrew Beckett, commented: “The attack launched against the British parliament reinforced the need for careful audit of the implementation of security policies and procedures and the need for a digital devil’s advocate to question the decisions being taken and their implementation. The perpetrators used a fairly unsophisticated brute force attack which attempted to guess the passwords of the 9000 MPs, Peers, and parliamentary aides and assorted other staff who use the system. The parliamentary authorities tell us that the fact that less than 100 accounts (about one per cent) were compromised was because the compromised users didn’t follow the security policies regarding passwords put in place for their protection and the protection of other users.
“What is less clear is why such lax security controls were allowed and why it wasn’t picked up during routine security testing of the system.”
“In the case of Friday’s attack against the Parliamentary Systems, we are told that policies were in place requiring robust passwords but it’s not clear why the accreditor and regular security checks hadn’t identified that the password policy was being flouted by some users. There are numerous ways of technically enforcing strong passwords and any Chief Information Security Officer in a corporate environment would be checking this as a matter of routine. If it turns out that personal information relating to users or worse, constituents has been compromised by the breach, we can expect the Information Commissioners Office to be taking a close look at why this failure wasn’t picked up earlier.”
Vectra Networks’ Matt Walmsley adds that the “chronic talent shortage” facing the cybersecurity industry is similarly difficult to ignore.
“The sector is starved of new talent entering the workforce,” he comments, “with demand set to exceed supply by a third in the next two years. There is an abundance of entry-level security jobs yet not enough talent to fill them. Even if a tier-one position is filled and training invested, higher salaries and more senior roles mean they are typically poached before the end of their first year. The situation will not change any time soon and will impinge on the ability of organisations to nurture crucial deeper data skills and security experience.”
The government is taking steps to rectify the problem however. The establishment of the National Cybersecurity Centre is just one example of an organisation that aims to educate and advise organisations as to how to approach cyber security.
“However,” adds IBM’s Kenny, “it’s clear that addressing the skills gap within the cybersecurity industry is something that all governments should be heavily invested in supporting. Ultimately, investment in skills, education and the growth of cybersecurity positions within government and public-private partnerships will help protect Critical National Infrastructure (CNI).”
Across Europe, the introduction of new data protection legislation (GDPR), which comes into force next year is “already going a long way to make organisations and governments sit up”, says RepKnight’s Haynes.
“The fact that organisations could now face fines of €20 million or four per cent of annual turnover, whichever is greater, for data protection breaches means that companies are taking cybersecurity threats far more seriously.
“Basic mitigation is quite easy by implementing and enforcing a patch management strategy to ensure operating systems, applications, software, hardware and firmware are up to date,” he adds.
However, he goes on to say that there are areas of cybersecurity that organisations still neglect, for example the security of their third-party suppliers. Third parties will likely have access to their client’s networks, and therefore offer a way in for cybercriminals should security not be up to scratch. The infamous Target attack, for example, was executed via their HVAC contractor who had back-end access to Target for invoicing, he says.
Finally, also addressing the question of what more governments and organisations should be doing to prevent against cybercrime, Duo Security’s Nather has a pertinent analogy.
“Unfortunately,” she comments, “in many ways getting breached is what it takes. I often call this “cheeseburger risk management” — where you decide that you’re going to keep eating cheeseburgers until your first heart attack, and then you’re going to stop. Many top leaders still take this approach, either because they don’t really believe the breach will happen, or because they can’t afford enough security (it’s amazing how high your risk tolerance can get when you have no budget).
“For governments, it’s imperative that they also practice good security hygiene. This means, among other things, implementing two-factor authentication, preferably not email-based, and ensuring the software on devices is updated before granting access to critical applications.
“This is not easy, given all the restrictions in the public sector, but it has become table stakes for all organisations.”
Coping with Russia
Defence Secretary Michael Fallon (pictured right), speaking at The Institute for the Study of War and Strategy at St Andrews University in February, on the threat that Russia is thought to pose to Western states, particularly in the areas of cybercrime, and “weaponising misinformation”.
Today we see a country that in weaponising misinformation has created what we might now see as the post-truth age.
Part of our response is for NATO and the West to do more to tackle the false reality promoted through Soviet-style misinformation. Whatever else we do on deterrence and dialogue, we must counter Putin’s Pravda with a faster truth.
The Office of the Director of National Intelligence found that Russia targeted the US Presidential election and that its “intelligence services conducted cyber operations against targets associated with the 2016 US presidential election, including targets associated with both major US political parties.”
Then there is the use of cyber weaponry to disrupt critical infrastructure and disable democratic machinery.
France knows this. In April 2015 TV5Monde was taken off air by a group calling itself the Cyber Caliphate. French investigators suggested the Kremlin was behind the cyber-attack.
Months later Germany was targeted too. Its lower house of parliament’s network was shut down by a hacker group which the Federal Office for the Protection of the Constitution (BfV) claimed was “steered by the Russian state.”
Alliance members are strengthening their capability, collectively and individually, to resist any form of attack. The UK is playing its part by almost doubling our investment on defensive and offensive cyber capability to £1.9 billion.
Above all it means accepting that we need to commit our forces to defend other nations. Public support for NATO requires political leadership; it places a duty on us to keep making the case for the Alliance and to keep explaining its obligations.