Read the book: «Digital transformation for chiefs and owners. Volume 3. Cybersecurity», page 2

Chapter 4. What happens in the Industry

Attacks on corporations and organizations increasingly resemble planned military operations, targeting both equipment and people. We already know about phishing, exploitation of vulnerabilities and so on. In addition, there are specialized companies that develop tools for penetrating various information systems, particularly in countries where such work is not restricted by legislation. In principle, it is not an illegal business, and given the current situation, many countries are likely to turn a blind eye to it altogether.

Public administration and organizations

State organizations are now, in 2022-2023, undergoing a real baptism of fire. In 2022 the number of successful attacks on government agencies grew every quarter. Government agencies faced the highest number of incidents of any type of organization: 17% of the total number of successful attacks (in 2021 this figure was 15%). In total, in 2022 PT recorded 403 incidents involving state organizations, 25% more than in 2021.

The main attack method is social engineering, and the target is data. This is understandable, because the automation and digitalization of state administration are well under way. That means public authorities are beginning to generate big data: taxes, medical information, biometrics, etc. Medical data is of special interest to hackers, including for social engineering, because it increases the effectiveness of phishing attacks.

The most popular types of malware were encryptors, i.e. ransomware (56%), and remote access tools (29%). Additionally, the share of attacks on web resources is constantly growing: 14% in 2020 and 41% by the end of 2022.

Government structures are under attack not only in our country.

Example 1

In mid-October 2021 a hacker gained access to the Argentine government’s database containing information on the identity cards of all citizens. As a result, the personal and ID-card data of the entire population of Argentina, more than 45 million citizens, was put up for sale on the black market. As proof, the hacker disclosed information about 44 well-known people, including the President of the country.

Example 2

The police department of Washington, the US capital, suffered a massive leak of internal information after a ransomware attack. Thousands of confidential documents were published on the dark web (a segment of the Internet hidden from ordinary users, where forged documents, weapons and drugs are sold and hacking services are ordered). Hundreds of police files, informant records and intelligence reports from other government agencies, including the FBI and the Secret Service, were also found there.

Example 3

A data-encryption attack by hackers brought down the IT infrastructure of three hospitals in the United States, disrupted several routine surgeries and patient intake, and 1.5 TB of personal data, including medical records, was stolen. The group received a $1.8 million ransom for decrypting the stolen information. A ransomware attack on one of the main hospitals of Barcelona (Clinic de Barcelona) damaged the clinic’s IT infrastructure and forced it to cancel 150 urgent operations and up to 3000 patient examinations (according to the Associated Press).

Example 4

Another interesting case occurred in November 2022. A post on one of the dark-web forums reported the hacking of the infrastructure of the Federal Tax Service (FTS) of Russia. The hackers claimed to have downloaded 800 GB of confidential information. No official comment from the agency followed. As evidence, the post included references to several projects which, according to the hackers, were taken from the FTS database. “It only took us a week to get into the FTS network, and only three people were involved in the hack. In fact, we have already captured several dozen state structures of this level. However, there is no need to claim them yet,” the hackers said in the message.

Another curious case involving the FTS occurred in 2019, when two databases turned out to be accessible. The first contained records on more than 14 million people, the second on 6 million: names, addresses, passport numbers, residence data, telephone numbers, TIN numbers, employer names and information on taxes paid.

Example 5

In April 2022 a Costa Rican government facility suffered a ransomware attack. The Conti extortion group attacked Costa Rican institutions and demanded a $20 million ransom. Because most of the country’s IT infrastructure became inaccessible, a state of emergency was declared; later Costa Rican health care joined the attacked public sector, when its institutions were attacked by the Hive group.

Example 6

The city of Burlington, Canada, was the target of a phishing attack in which $503,000 was transferred to a cybercriminal rather than to the real service provider.

Industry and energy

Industry increasingly attracts cybercriminals: the number of attacks in 2021 was more than 7 times that of 2017, and in 2022 about 10 percent of all successful attacks targeted industry. At the same time, industrial companies are in fact not ready to withstand complex attacks and malware: 95% of companies either do not protect their automated process control systems (ACS TP) with specialized solutions, or do so only partially. A systematic approach to cybersecurity management, such as vulnerability management and upgrading software components, is also lacking in 93 percent of cases. This despite the fact that the damage from stopping business processes can be catastrophic, including damage to and destruction of equipment and man-made disasters. It is easier for companies to comply with the hackers and quietly pay the ransom.

What saves us now is that it is simply unprofitable for intruders to study the technological parameters and work out exactly what to change, when they can simply encrypt or steal confidential data instead. In my view, that is a key deterrent.

The general trend holds here too: the attacks are becoming more complex:

– use of malicious software (71% of successful attacks);

– social engineering (about 50%);

– exploitation of software vulnerabilities (41%).

The malware itself was distributed through IT equipment (49% of cases) and e-mail (43%). Interruptions to technological and business processes occurred in 47 percent of cases, mainly because of data-encrypting software and data-deleting software (wipers). During 2022 the share of encryptors grew from 53% in the first quarter to 80% in the third. The share of wipers reached 7% (in 2021 it was 1-2%).

The growing share of vulnerability exploitation in attacks suggests that these methods are economically viable, which in itself indicates a low level of protection in industry. And it was in software and hardware products designed for industry that the most dangerous vulnerabilities were discovered and fixed in 2021.

Industrial and energy companies seem to be aware of all the risks, but the specifics of the industry do not allow full-scale exercises that work through practical scenarios and identify unacceptable events. Therefore, cyber ranges are now emerging where virtual or augmented environments let you run any exercise and assess the consequences without the risk of breaking processes and equipment. One such example is the Standoff event organized by PT.

In general, in 2021 hackers’ interest in Russia was distributed among industry branches as follows:

– 31% aerospace industry;

– 23% public organizations;

– 23% IT companies;

– 15% military-industrial complex;

– 8% fuel and energy complex.

As for PT’s own statistics, in their projects from the first half of 2020 to the second half of 2021 they managed to realize 87% of unacceptable events.

Finance

The financial sector is one of those that are doing relatively well. The share of attacks on these organizations in the total number of attacks decreases year by year. Most interestingly, no new groups seeking to withdraw money from banks are appearing. The reason is the maturity of the industry and the efforts of the Central Bank: regulations, investment in IT infrastructure and software, and established information exchange. This is understandable: if money is stolen, it is visible here and now.

Organizations are again attacked through social engineering (47%) and the use of malware (downloaders, spyware, trojans, encryptors).

Theft of confidential information and stopping of key business processes (53% and 41% of cases respectively) were the typical goals of attacks on banks. Theft of money accounted for 6%.

Financial institutions are now attacked with the aim of:

– obtaining a better exchange rate;

– obtaining confidential information about the user and using it in other attacks by means of social engineering;

– increasing system load and causing failures in users’ personal accounts (online banking cabinets).

In addition, there are still unsafe implementations of fast payment systems.

As a result, banks keep introducing new security technologies:

– tighten KYC checks (mandatory verification of the client’s personal data), including developing services for checking documents (video calls with document recognition, uploading photos of documents, database checks, social activity assessment) to understand whether a real person is behind an account;

– introduce machine learning systems to speed up, simplify and improve the retrieval of customer information and to identify and block suspicious transactions.

As a result, the number of standard web vulnerabilities decreases, but the number of logical vulnerabilities, on the contrary, grows. In many ways this is due to the development of ecosystems: the creation of ever more complex integrations, microservices, and the introduction of voice assistants and chat bots.

However, there are two negative factors that allow PT specialists to find, in every organization, vulnerabilities through which they can penetrate the internal IT infrastructure. First, security patches released by software developers are often ignored by the IT services of organizations and not installed. Second, there is always the possibility of a vulnerability still unknown to the developers but already discovered by the attackers’ researchers. Such vulnerabilities are called zero-day vulnerabilities. These two factors are the key to getting a hacker inside the infrastructure, so you need to learn to spot them in time.

In total, PT specialists were able to penetrate the internal network of organizations in 86% of cases. PT researchers also gained full control over the infrastructure and realized unacceptable events: access to bank-critical systems, treasurers’ workstations (ARM) and money exchange servers. In total, PT experts managed to realize more than 70% of unacceptable events in each financial institution.

As a result, extortionists will continue their attacks on banks. So far these attacks are easier to execute and cumulatively bring more profit than attempts to withdraw a large amount of money from accounts. However, one of the main targets of hackers will now be bank clients who use online banking. According to the Central Bank of Russia, in 2020, 75% of adults used online banking. Therefore, hackers will keep developing the compromise of banking applications, and social engineering techniques will remain in use.

The main method is phishing, which accounts for 60% of attacks. Hackers readily took out loans in the names of other people and companies, who now have to repay these loans.

As a result, whereas it was previously profitable to attack companies in order to steal money from accounts, the work done by the regulator and the development of protection systems reduce the attractiveness of financial companies: too high a level of competence and technical equipment is required. Industry is the opposite. There, hackers are interested primarily in data about clients, internal users and any information related to trade secrets.

Again, this leads to an increase in attacks on confidential data (from 12% to 20%). Personal data (32%), credentials (20%) and medical information (9%) are also popular.

In general, 14% of attacks were directed at ordinary people, and 88% of those attacks used social engineering. The ultimate goal in 66% of cases was credentials and personal data.

Closing the chapter, I will give a few more examples of the most resonant attacks of 2022 on organizations in the commercial sector:

– The Lapsus$ group hacked a number of large IT companies. The first was Okta, which develops solutions for account and access management, including multi-factor authentication support. Then GPU developer Nvidia was attacked, resulting in the theft of 1 TB of data, including video card driver source code and software signing certificates. The stolen Nvidia certificates were used to distribute malware. In March, the criminals managed to hack Microsoft and Samsung, stealing the source code of some products.

– The Swiss airline company Swissport, which operates at 310 airports in 50 countries, was hit by a ransomware attack. The attack caused numerous flight delays and a 1.6 TB data leak.

– An attack on the telecommunications operator Vodafone in Portugal caused service disruptions across the country, including in the 4G and 5G networks. Vodafone Portugal serves more than 4 million mobile subscribers.

– In October, a cyber-attack on Supeo, an IT service provider for the largest Danish railway company, stopped trains for several hours. Supeo provides a solution that train drivers use to access critical information: work data on tracks and speed limits. During the attack the provider shut down its servers, the application stopped working, and the drivers were forced to stop the trains. Even after train traffic was restored, trains did not run on schedule the next day.

– In March, Toyota suspended 14 factories in Japan for a day because of a cyber-attack on Kojima Industries, a component supplier. The attack also affected other Japanese car manufacturers, Hino and Daihatsu Motors.

– In the second quarter, a major attack hit three Iranian steel mills, disrupting technological processes; at one of the plants the attackers managed to tip over a ladle of molten iron and cause a fire.

Chapter 5. About Technology

Cloud computing

One of the most sought-after technologies for digitalization and digital transformation is cloud computing, storage and services. Accordingly, the focus of information security (IS) is increasingly shifting to the responsibility of providers. Here you need to look from two angles:

– major cloud service and infrastructure providers;

– local startups and small providers.

As for the first, everything is fine here: the major providers realize that they will be attacked and therefore take measures. Forewarned is forearmed. In general, the cloud services of large providers are built on the principle of “enemies all around”, and they have competent IS specialists. Such centralization also allows fewer professionals to protect more data.

With startups and small providers, however, the picture is sadder. They do not have the resources, and they are likely to lose most of their paying clients. The same applies to local data centers and IT services developed within industrial companies. They are generally unable to provide the necessary level of protection. Or, as said earlier, they simply go into blind defense, and such cloud services lose all sense for the business: they become impossible to use. At the same time, the amount of malware for Linux is growing.

It also makes you wonder that almost 40% of all vulnerabilities identified and closed in 2021 with the help of PT researchers are of high severity. Most importantly, 12.5% of all vulnerabilities were found in software designed to protect against hacker attacks. And despite the current situation and sanctions, the PT team complies with the responsible disclosure policy for the vulnerabilities they find, i.e. they inform the developers about every vulnerability found before it is made public.

Mobile applications

The second area developing along with digitalization is mobile applications: for customers and loyalty programs, for employees, mobile work tools, recording of hazardous events, public services. Almost every large organization has its own application.

At the same time, according to PT, the most common vulnerability of mobile applications is storing user data in open (or easily reversible) form. There were also cases where important data was stored in public directories. Overall, the share of flaws related to unsafe data storage was more than 33% of all vulnerabilities found. That is, what hackers are most interested in is also one of the most frequent problems.

In 2022 PT experts studied 25 pairs of applications (Android and iOS). Almost all of them had problems with data storage. One of the key reasons is developers’ excessive confidence in the protection mechanisms of the operating system and neglect of multi-level protection.

The largest share of vulnerabilities (14%) was public storage of user data. Second place was shared by vulnerabilities related to checking application integrity and storing confidential information in the code (9%).

Additionally, almost every application has at least one of the following flaws:

– no detection of a compromised operating system (root on Android, jailbreak on iOS);

– no integrity control of executable files;

– no obfuscation (code entanglement).
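An offline audit of an extracted app data directory for the storage problems described above (user data in public directories, secrets in open or easily reversible form), written as an added example rather than code from the book or from PT; the directory layout (shared_prefs/*.xml as private storage, an "external" directory standing in for public storage) and the list of sensitive key names are assumptions, and the sample tree is constructed inside the script:

```python
# Added example (not the book's or PT's code): offline audit of an app's
# extracted data directory for data kept in public storage and secrets kept
# in plaintext or in an easily reversible encoding (base64). Layout assumed.
import base64
import os
import re
import stat
import tempfile
from xml.etree import ElementTree

# Preference keys whose values should never be stored unprotected (assumed list).
SENSITIVE_KEYS = re.compile(r"(pass|pwd|token|secret|pin|card|session)", re.I)
# Bare base64 long enough to be a credential rather than a flag or counter.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")

def is_reversible_encoding(value):
    """True if value is base64 that decodes to printable text: encoded, not encrypted."""
    if not B64_RE.match(value):
        return False
    try:
        decoded = base64.b64decode(value, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return False
    return decoded.isprintable()

def is_world_readable(path):
    """True if any other user on the device, i.e. any other app, can read the file."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)

def audit_app_data(root):
    """Walk the data tree; return (relative path, key, finding) tuples."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if is_world_readable(path):
                findings.append((rel, "*", "world-readable (public storage)"))
            if not name.endswith(".xml"):
                continue  # only key/value XML preference files are inspected
            for elem in ElementTree.parse(path).getroot():
                key, val = elem.get("name", ""), (elem.text or "")
                if not SENSITIVE_KEYS.search(key):
                    continue
                what = "base64-encoded" if is_reversible_encoding(val) else "in plaintext"
                findings.append((rel, key, "secret stored " + what))
    return findings

def build_sample_tree():
    """Constructed sample data directory that exhibits all three flaw types."""
    root = tempfile.mkdtemp(prefix="appdata_")
    prefs, ext = os.path.join(root, "shared_prefs"), os.path.join(root, "external")
    os.makedirs(prefs)
    os.makedirs(ext)
    token = base64.b64encode(b"session-0123456789abcdef").decode()
    user_xml = os.path.join(prefs, "user.xml")
    with open(user_xml, "w") as f:
        f.write('<map><string name="password">hunter2</string>'
                '<string name="auth_token">' + token + '</string></map>')
    os.chmod(user_xml, 0o600)  # private, as Android keeps shared_prefs
    cache = os.path.join(ext, "profile_cache.json")
    with open(cache, "w") as f:
        f.write('{"email": "alice@example.com"}')
    os.chmod(cache, 0o644)  # public external storage: readable by any app
    return root
```

Running `audit_app_data(build_sample_tree())` reports the plaintext password, the base64-encoded session token and the world-readable cache file; a real encrypted value (random bytes, not printable text) passes the reversibility check and is reported as plaintext, which is intentional, since the audit cannot tell ciphertext from an unprotected binary blob without the key.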

Android and iOS: who is safer?

Android apps have always been considered a good target for hackers: open system, wide options, easy to leave a hole in the app. With iOS it has always been the other way round: developers have little opportunity to make a mistake and leave unnecessary “doors” open. Hence the paradigm: we buy iOS devices for top managers, and they are protected. Now, however, this trend is changing. Google is increasingly restricting applications, forcing developers to specify the functionality they need. According to recent news, Android 14 will completely block the installation of legacy apps, both through the application store and through manual installation of downloaded files. In iOS, by contrast, new ways of interacting with the operating system and with each other are becoming available to applications. In general, the boundary between the platforms is blurring, and using iOS devices for top managers in the hope of absolute security is becoming too risky.

There again, social engineering

The key problem is the development of fake apps, external clones of official banking, store and special-purpose applications. The removal of many companies’ mobile apps from the official Android and iOS stores contributed to this, forcing users to look for them on other platforms and to enable installation from unknown sources on their devices. Attackers take advantage of this: they create fake clones, place them on various sites, collect the necessary data and then launch attacks on people and organizations, including breaking into personal accounts.

Given that most people use personal gadgets for work tasks, we get another variation of the supply-chain attack: a company can be attacked through its employees, both randomly and purposefully.

One practical example is the installation of SSL certificates. When connecting to an untrusted Wi-Fi network, the user is shown a fake captive portal and offered to install an SSL certificate on the device. After that, the attacker can intercept all traffic from the user’s smartphone.

Age limit: 12+
Litres publication date: 21 August 2024
Volume: 133 pages, 56 illustrations
ISBN: 9785006442115
Download format: Text