Where are the Cyber Threats coming from?

BusinessCyber Security | 24 June, 2019 by Eddie Paterson

“The new hyperconnected digital era will create an impression of stability, security and reliability. However, it will prove to be an illusion that is shattered by new vulnerabilities, relentless attacks and disruptive cyber threats” – so starts the Threat Horizon 2021 report by the Information Security Forum. It’s grim reading. Today’s cyber criminals are well funded and organised, use highly targeted techniques and have easy access to a sophisticated portfolio of attack tools and kits on the dark web.

The impact of cybercrime in the UK is estimated to cost roughly $30bn per year, say The National Cyber Security Centre (NCSC) with around 60 ‘high-level’ cyber-attacks on the UK a month, many of which threaten national security. The UK 2019 Cyber Security Breaches survey reports 31% of micro / small businesses and 60% of medium sized business suffered a cyber breach in the last 12 months with an average cost of £3,650 and £9,270 respectively. Further, 60% say their organization is at extreme or moderate risk to cyber-attack.

In this article we aim to help you understand the scope and scale of the attack threats.

Who’s behind the attacks and what are their motivations

According to a study by Verizon, 69% of data breaches were perpetrated by outsiders, 34% by internal staff, 2% involved partners and a further 5% involved multiple parties. However, these figures don’t include an additional 50,000 botnet related breaches. According to the Verizon study the two biggest groups of threat actors are organised crime (35%) and state affiliated operations (25%). While a United Nations study says 80% of attacks are orchestrated by highly skilled criminal rings with access to shared data, tools, and expertise.
Not surprisingly, the prime motivation for attacks is financial, but breaches with a strategic advantage as the end goal are well-represented, with one-quarter of the breaches associated with espionage.

Cybercrime has evolved to be transnational in nature, working in the borderless world of cyberspace.

State-Sponsored Attacks

We are all finally becoming aware of the cyber warfare activities of nation states – very timely given the USA’s cyber-attack on Iran’s weapons systems. We’ve all heard of the alleged tampering in the 2016 US elections by the Russians and more recently the security risk of using Chinese Huawei technology in our 5G infrastructure. But data breaches at Target, United Airlines, Blue Cross and Blue Shield have also been linked to Russia, while theft of key technology across major US Department of Defense contractors such as Lockheed Martin and US government laboratories have been linked to China. Here at home, the NCSC holds the Kremlin responsible for several attempts to disrupt UK infrastructure.
Without doubt the Chinese, Russian and American intelligence services have by far the strongest capabilities, but North Korea and Iran also have significant arsenals. Computer security firm McAfee has predicted that: “Nation-state cyber warfare will become an equalizer, shifting the balance of power in many international relationships just as nuclear weapons did starting in the 1950s. Small countries will be able to build or buy a good cyber team to take on a larger country. In fact, cyberwarfare skills have already become part of the international political toolkit, with both offensive and defensive capabilities.”

Why does this matter to commercial enterprises? Well, unfortunately we get caught in the crossfire. When the US targeted Fujitsu / Siemens servers a few years ago used by the Iranians in their nuclear facilities, many other organisations using the same servers got hit. When the Russians targeted Ukrainian banks with a cyber-attack, other users of the same software were also compromised. As another recent example the US Cyber Command warned just last month of an unnamed foreign country’s attempt to spread malware through the exploitation of a vulnerability in Microsoft Outlook.

Cyber Criminals – structured like legitimate businesses

Many cyber-criminal organisations are structured and act just like legitimate organisations – they have a CEO and board and follow the market with new products and services. Not surprisingly they follow volume – hence products like Windows and Office 365 are good targets with cloud infrastructure and IoT devices becoming the new gold mine. Cyber criminals have collaborated together for a number of years, but in recent times this collaboration has grown significantly. This close working relationship has enabled them to develop efficiencies in their products and services. Cyber-attack products and services are now available from Amazon-like online sites selling ransomware, trojans, website attacks and even “malware-as-a-service”. These increasingly powerful brands will drive more sophisticated cryptocurrency mining, rapid exploitation of new vulnerabilities, and increases in mobile malware, stolen credit cards and credentials. It gets more convoluted and involved as some cyber-criminal organisations not only sell services to nation states but act as proxies for them on occasion.

What type of attacks should we prepare for?

Phishing gets more sophisticated

This most common of attack vectors is becoming more sophisticated as end users become more aware of the threat. Machine learning and artificial intelligence is being used to rapidly create and distribute convincing fake messages. Phishing emails are now appearing that include a video – not just a simple Word document or PDF. When run, the video invokes a script that decides whether to launch a ransomware or cryptocurrency mining attack. We’ve seen highly sophisticated phishing attacks develop against specific industry sectors, most recently luxury services that includes yacht brokers, executive housekeeping and staffing providers, and some that offer various services to high-net-worth clients. Phishing attacks are expected to continue to be a prime delivery vehicle for many types of malware.

Ransomware Attacks Evolve

Ransomware attacks cost organisations billions of Pounds each year as victims either choose to pay to have their files released or suffer the cost of a painful recovery. Although there have not been many headline grabbing ransomware stories in the last few months, this form of malware continues to grow in sophistication. “Product” life cycles have shortened as the bad guys try to stay on step ahead of detection and capture. Delivery methods have also evolved both towards higher level of automation and manually managed very targeted attacks. Security experts believe that as organisations increase their security preparedness, the bad guys will start targeting high net-worth individuals.

Supply Chains are a vulnerability

Supply chains include the partners, contractors and suppliers you work with to deliver your products and services. Both state-sponsored and financially motivated supply chain attacks are expected to increase in coming years. As organizations increase their own security preparedness, the bad guys start to target the organisations you work with to find a way into your systems. For example, the cyber-espionage group, Dragonfly, targets European and US companies in the energy sector via their supply chains In their latest campaign, Dragonfly successfully “trojanised” legitimate industrial control system (ICS) software. Last year, seven significant software supply chain events were made public.

It’s raining in the cloud

Cloud services are not inherently more insecure than other forms of processing and storage. But as more and more data and workloads are moved to the cloud, it becomes an irresistible target. Accordingly, there has been an uptick in the number of cloud related security incidents. The success of Office 365 has led it to become a target by specially created malware. For example, the botnet KnockKnock targeted system accounts that typically do not have multi-factor authentication.

Internet of Things – ripe for attack

The number and range of connected devices is growing exponentially with 31 billion forecast by 2020. The Internet of Things (IoT) includes a vast range of devices, including of course laptops and tablets, but also routers, webcams, household appliances, smart watches, medical devices, manufacturing equipment, vehicles and home security systems. Naturally, this massive growth has made IoT devices an attractive target for the bad guys, and unfortunately many devices and their networks do not have adequate security. Once controlled by hackers, IoT devices can be used to create havoc, overload networks or lock down essential equipment for financial gain.

Cryptojacking – hijacked mining

The rise of Bitcoin and other cryptocurrencies has been blamed in part for the rise in ransomware attacks, but now it’s causing another cybersecurity headache. Cryptojacking. involves cyber criminals hijacking home or work computers to “mine” for cryptocurrency. Because mining for cryptocurrency requires immense amounts of computer processing power, hackers can make money by secretly piggybacking on someone else’s systems. Cryptojacking has become popular with the bad guys as its less risky and offers more rewards than conducting ransomware attacks. For a business, a cryptocurrency attack may not be a devastating as ransomware but can cause serious performance issues and costly downtime.

Cyber Security – a National Strategy

The Government recognised cyber security as a major threat to the UK a number of years ago and established the National Cyber Security Centre (NCSC, a part of GCHQ) in 2016 together with a five-year National Cyber Security Strategy. This commits the Government to invest £1.5 billion in order to defend critical national infrastructure and deter cyber-criminal activity.
The NCSC provides a hub of world-class expertise for businesses and individuals, as well as rapid response to major incidents. The NCSC includes the cyber section of the Centre for the Protection of National Infrastructure (CPNI) and works with the EU to deliver a well-rehearsed plan in case of a large scale cross-border cyber incident or crisis.

The continued growth of our interconnected world only means that the risk of cyber security breaches and attacks will increase. Yet only around 30% of businesses have conducted a cyber risk assessment in the last 12 months. Have you?

References and sources used in this article:

Cyber Security Breaches Survey 2019
GCHQ / National Cyber Security Centre
National Crime Agency
Information Security Forum
University of San Diego
Fireeye.com
Symantec Internet Security Threat Report 2019
Verizon 2019 Data Breach Investigation Report
McAfee Labs 2019 Threat Predictions Report

Cookie	Type	Duration	Description
_abck	1	11 months 29 days 23 hours 59 minutes	This cookie is used to detect and defend when a client attempt to replay a cookie.This cookie manages the interaction with online bots and takes the appropriate actions.
bm_sz	1	3 hours 59 minutes	This cookie is set by the provider Akamai Bot Manager. This cookie is used to manage the interaction with the online bots. It also helps in fraud preventions
cookielawinfo-checkbox-necessary	0	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-non-necessary	0	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Non Necessary".
viewed_cookie_policy	0	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Type	Duration	Description
IDE	1	1 years 23 days 23 hours 59 minutes	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
NID	1	5 months 29 days 23 hours 59 minutes	This cookie is used to a profile based on user's interest and display personalized ads to the users.
VISITOR_INFO1_LIVE	1	5 months 26 days 23 hours 59 minutes	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.

Cookie	Type	Duration	Description
_ga	1	1 years 11 months 28 days 23 hours 59 minutes	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gid	1	23 hours 59 minutes	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the wbsite is doing. The data collected including the number visitors, the source where they have come from, and the pages viisted in an anonymous form.
GPS	1	29 minutes	This cookie is set by Youtube and registers a unique ID for tracking users based on their geographical location
vuid	1	1 years 11 months 28 days 23 hours 59 minutes	This domain of this cookie is owned by Vimeo. This cookie is used by vimeo to collect tracking information. It sets a unique ID to embed videos to the website.