The Interface of Cyber-Attacks: Solving The Cyber Rubik's Cube
The rising frequency of cyber-attacks in 2016 and 2017 has prompted a refocus on the reach of online criminal activity. The extensively reported hacking of the Democratic National Convention server in the run-up to the 2016 US elections exemplifies an attack in which a political actor was targeted. Yet the private sector has also been severely affected, as the recent WannaCry and NotPetya ransomware attacks demonstrate. The relatively low cost and ease of launching such attacks partially explains this increasing trend. Far-reaching attacks over the last six months have been variously branded cyber-crime, cyber-terrorism and cyber warfare. While these types of attack are distinguished by different motivations, their characteristics overlap in some areas, making it difficult to determine the source of an attack. To compound this, mitigation measures appear to be behind the curve, particularly given the lack of effective legislation and of cooperation between states. This raises the question: how have cyber-attacks affected companies and states, and what is being done to prevent and mitigate such attacks?
Cyber Crime
WannaCry
Launched on 12 May 2017, the WannaCry ransomware was built from tools stolen from a previous US National Security Agency (NSA) cyber-attack, and infected over 200,000 computers in 150 countries. The attack was halted within hours. Yet its targets were wide-ranging and included a US delivery and logistics company, a French car manufacturer, and Russia’s Ministry of Internal Affairs. The malware exploited a vulnerability in Microsoft’s Windows security framework. Once it had infected one system within an organisation, it spread itself to other computers, demanding a USD 300 ransom payment per machine. Investigations by Britain’s Government Communications Headquarters (GCHQ) and the NSA later found that the attack showed links to North Korea’s infamous hacking group, Lazarus. While it is estimated that the hackers earned only USD 50,000 in ransoms, approximately USD 4 billion was lost by businesses internationally as a result of the disruption caused by the system lockdowns.
NotPetya
NotPetya’s name derives from the March 2016 Petya ransomware virus. The Petya attack was known for infecting the Master Boot Record of PCs. Named after a Russian electromagnetic pulse weapon featured in the 1995 GoldenEye film, Petya corrupted the file-system records that locate saved files, and demanded USD 300 to release the affected information. Consequently, when a ransomware virus showing similar traits emerged on 27 June 2017, it was labelled NotPetya. NotPetya gained administrator access on one machine and then leveraged that access to commandeer other computers on the network. Essentially, NotPetya took advantage of the fact that many organisations run flat networks in which an administrator on one endpoint can control other machines, or reuse domain administrator credentials present in memory, until total control over the Windows network is achieved. However, unlike Petya, NotPetya was not just a system lockdown: it was also a wiper, destroying all data on the host system. Ukrainian officials subsequently blamed Russia, although no official statement has been released in this regard. At face value, the attacks may be branded as criminal, given that the perpetrators behind WannaCry and NotPetya demanded ransoms. However, there are indications that these attacks were carried out for political purposes. This underscores the nexus between the criminal and political motivations driving cyber-attacks.
The first reported victims were in Ukraine and included private and state banking systems, the main international airport and the Kyiv metro system. One of Russia’s main energy distributors was also significantly affected. Additional victims extended across 64 other countries. Initial reports have estimated that USD 9,000 in ransom was collected by the hackers. On 4 July 2017, the hackers behind NotPetya demanded USD 250,000 in exchange for the encryption key.
MeDoc, a Ukrainian tax and accounting software firm, was initially thought to have been the source of the outbreak following a post on its website stating: “Attention! Our server made a virus attack!”
Cyber Terrorism and Warfare
Public institutions have also fallen victim to cyber-attacks. Whether attacks are carried out by cyber-terrorists aiming to inspire fear, or by state proxies intending to influence foreign governments through cyber warfare, there has been a noticeable uptick in cyber-attacks targeting state agencies, political parties and governments.
For example, just under 90 email accounts were compromised in a “sustained and determined” cyber-attack targeting the UK parliament on 23 June 2017. The hack blocked Members of Parliament from accessing their emails, as the server was taken offline as a security measure. This followed the discovery, earlier the same day, of an estimated 9,000 government officials’ security credentials being traded on Russian-language websites. While investigations are underway, it is believed that the Russian government was behind the attack. Nevertheless, proving government involvement in cyber-attacks is particularly difficult.
France has also been affected in recent months. Two dozen fake Facebook accounts were allegedly created by Russian intelligence agents to spy on Emmanuel Macron, now President, during his presidential election campaign. Macron’s emails were also reportedly hacked by Russia just days before the election. Although some believed that the email hack in France would mark the end of Macron’s campaign, French constitutional law prevented the hack from being publicly reported before the vote.
Mitigation Measures
Despite a worrying increase in cyber-attacks globally, international regulations and legislation to address the threat are far from robust. For example, although the 2001 Convention on Cybercrime has been ratified by 52 states, it does not directly address cyber-terrorism.
Efforts by individual states and regional blocs in Europe and North America to tackle the increase in cyber-attacks have also fallen short. In the US, recent developments do not bode well for an improved government response to the threat of cyber-attacks. While the US and Japan have ramped up efforts to coordinate on cyber security in response to an increasingly hostile North Korea, there have been reports that the Trump administration is seeking to subsume the current Office of the Coordinator for Cyber Issues under the Bureau of Economic and Business Affairs. This move follows President Trump’s reversal of an initial statement proposing the creation of a joint cyber taskforce with Russia. Commentators were quick to note the irony of Trump’s plan amid allegations of Russian cyber interference in the US elections. These developments suggest that the Trump administration is not prioritising cyber security. Further attacks are therefore likely to target the US as a result of reduced capacity and resources for cyber security.
Across the Atlantic, European governments and businesses face a similar dilemma. Private companies can implement security measures only to a certain degree before the varying types of cyber-attack outgrow private policies. Furthermore, with the German federal election due in September 2017, European states are preparing for a potential data breach similar to the hack against Macron. In a June 2017 press release, the European Commission announced an additional EUR 10.8 million in funding to 14 member states to strengthen a Computer Security Response Team. This would feed into the European Cyber Crime Centre, which assisted victims during the WannaCry attack. In addition, the Commission has suggested introducing legislation to grant greater electronic access across borders between cooperating states, mirroring counter-terrorism measures. These solutions are currently at the proposal stage and are unlikely to prevent further attacks, at least in the short term.
Given that state efforts to prevent cyber-attacks remain piecemeal, further iterations of attacks like WannaCry and Petya/NotPetya, as well as attacks against state institutions, are expected. Cyber-attacks do not respect state boundaries, meaning that an international response is required. Without a clear, coordinated approach to addressing cyber-attacks, the consequences for businesses and states could become just as complicated and entangled as the estimated 43 quintillion possible Rubik’s Cube combinations.