Global ransomware attacks are increasingly linked to nation states, with the lines between politics and crime often blurring, Europe’s police agency Europol said on Tuesday. Key ransomware attacks include the so-called WannaCry and NotPetya malware, which infected hundreds of thousands of computers around the world in 2017, demanding that users pay ransoms to regain access. “Ransomware retains its dominance,” said Europol’s latest annual report on cybercrime. “In addition to attacks by financially motivated criminals, a significant volume of public reporting increasingly attributes global cyber-attacks to the actions of nation states,” said the agency, based in The Hague. IT security experts commented below.
Ed Williams, Director EMEA, SpiderLabs at Trustwave:
“The annual Internet Organised Crime Threat Assessment from Europol has highlighted the growth in niche, dark-web marketplaces where criminals are trading information, backdoor attack methods and tools to target organisations. It’s not just criminals however that can benefit from tapping into these networks. These marketplaces can also provide organisations with intelligence on the latest tools being deployed by criminals and can alert them to particular chatter around their company or particular assets of interest. As such they can assess their security protocols in response. Scanning the dark web to keep a pulse on current and impending threats is a proactive defence tactic organisations can take to ensure they are one step ahead of the criminals.
This kind of reconnaissance isn’t something to be undertaken lightly. Without experience of the codes of practice within these networks, such intelligence gathering can garner unwanted attention. As the report correctly outlines, accessing this and other dark-web related information needs to be measured and done lawfully.
Whether intelligence is gathered by an in-house security intelligence team, or through an intelligence partner, underground dark-web surveillance should form part of a portfolio of data sources from which to build security systems and procedures. A pan-government, transparent (where possible), initiative to highlight new Tactics, Techniques and Procedures (TTPs) would help the continuous fight against threat actors – cooperation across borders is essential in fighting criminals who have global agendas.”
Rusty Carter, VP of Product Management at Arxan Technologies:
“Europe is ahead of much of the world, both in payment technology but also in attacks. There is no technological reason traditional skimmers should still be effective. The industry and institutions should be looking ahead to move beyond traditional cards and even chip and PIN, to more advanced MFA before authorising payments and withdrawals.
CNP fraud further highlights the need for MFA in transactions. Institutions and issuers will need to build the infrastructure to enable PoS and online merchants, and start requiring it at least initially for high value transactions. These are well known security techniques in other industries and enterprise information security where additional authentication factors and environmental conditions need to be present, such as a secured app for token retrieval by the user, in order to escalate privileges. As users become more accustomed to this for transactions, institutions can lower the thresholds in order to optimise transaction speed and ease with fraud loss.”
Javvad Malik, Security Advocate at AlienVault:
“The report is a good roundup and validation of a lot of findings we and others in the industry have been seeing in terms of overall trends. Collaboration appears to be one of the biggest and most prominent takeaways. Being able to establish trustworthy channels to collaborate and share information and intelligence is vital.
Notable by its omission, there is no mention of the role of bots by organised crime and state to push agendas and misinformation, even though there are increasing industry studies that point to these as being tools in the arsenal of attackers.”
Ross Rustici, Senior Director, Intelligence Services at Cybereason:
The three key standout judgements from this report are primarily related to the law of unintended consequences.
1) “A combination of legislative and technological developments, such as 5G and the redaction of WHOIS, will significantly inhibit suspect attribution and location for law enforcement agencies and security researchers.”
2) “The almost inevitable closure of large, global Darknet marketplaces has led to an increase in the number of smaller vendor shops and secondary markets catering to specific language groups or nationalities.”
3) “New legislation relating to data breaches will likely lead to greater reporting of breaches to law enforcement and increasing cases of cyber-extortion.”
GDPR, while increasing privacy for normal users, has also enhanced the criminal’s ability to hide their identity and activity. Additionally, the increased cases of cyber-extortion can be directly linked to the fines laid out in the new law. Despite the best intentions, the EU incidentally increased the profitability and immunity of cyber criminal activity. That is a price they may be willing to pay, but it has a significant negative effect on those attempting to discover and disrupt cyber criminal behavior.
Furthermore, the successful operations against Darknet marketplaces have had a predictable effect of balkanizing the criminal underground. This is always the trade-off when it comes to law enforcement action and the successful infiltration of such a rich data source. Taking it offline serves a major temporary disruption, but in the long run creates a larger problem. We are now seeing what that larger problem is. The fracturing of the Darknet has created numerous pockets of illicit activity that break down on language, trust and have tighter access restrictions. This changes the nature of the threat. While large forums allow for a significant number of criminals to free ride on the work of a few, either through the purchase of tools, data, or access, the splintering creates divergent capabilities and insular groups. This is likely to lead to a less numerous but more capable cyber criminal ecosystem.
Andy Norton, Director of Threat Intelligence at Lastline:
“The losses attributed to cybercrime equate to the Gross Domestic Product Contribution of both California and New York. Nation State attacks no longer solely focus on the theft of intellectual property, now they also focus on the loss of operational capability, the theft of Personally Identifiable Information and the influence of public opinion. All of these things impact the strength and trust in an economy; a weakened economy promotes isolationism which in turn erodes international alliances. The thousands of seemingly unrelated attacks form a mosaic that spells cyberwar, which we have not woken up to yet.”
Ilia Kolochenko, CEO at High-Tech Bridge:
“The global threat landscape has not faced any revolutionary changes for a while. Even if some attacking techniques replace others, most of them have been known for a long time already. Obviously, one can notice a clear shift in vulnerability exploitation, data exfiltration and security mechanism bypass techniques. But these “operational” changes are mostly caused by growing prevalence of mobile and cloud technologies amid the victims.
The rising predominance of crypto-miners is quite predictable, as millions of previously “worthless” devices (e.g. unpatched routers), can now bring some riskless profit to the attackers.
Sophistication of the malware and attacks will, however, likely be a key trend in the upcoming years. Users become more and more paranoid, and banal spam campaigns will hardly bring any profit to cybercriminals. Therefore, they become more creative, insidious and perfidious. We will probably see increasing attacks on trusted third parties (e.g. suppliers) to get into the large organizations.”