Aggression from foreign entities has always been as diverse in its format, medium and methodology as the contemporary limitations of technology would allow it to be.
The more society and civilisation progressed and evolved, branching out in terms of information sharing and infrastructure along the way, the more tools external malicious entities had at their disposal to express that aggression.
From the first use of cryptography in Ancient Egypt, to the crucial role of code-breaking during World War II, to the age of information technology, alternative forms of warfare inevitably adapt to the times.
This brings us to the current state of things, where states and organisations must proactively defend themselves against cybersecurity war, treating it as a likelihood, not as an outlier.
“Awareness about what is going on around you in the IT world is critical,” former NSA Deputy Training Director Colonel and current National Security and Cybersecurity expert Cedric Leighton said in 2012, explaining that organisations and enterprises must approach cybersecurity war as a serious threat, adding that they must always be aware of trends and developments in cybersecurity warfare against various governments, as well as military and intelligence agencies.
In this article, we will examine how malicious entities exploit times of crisis, particularly with the coronavirus pandemic being followed by a period of prolonged turmoil on the geopolitical stage.
Moreover, we will investigate how organisations can improve their security policies through the correct implementation of the appropriate set of actions to fight against emerging network security threats during the era of cybersecurity warfare.
Malicious entities always see times of crisis through an opportunistic lens. Sensing vulnerability, panic, desperation and lowered defences due to intense emotions and a sudden change in circumstances, they try to seize on any moment where they feel like their chances of a successful attack are increased.
This is also the case in the world of information technology, with acts of cybersecurity war, which can take many forms of attacks, increasing during times of crisis.
This has been noted by a great number of organisations and government agencies, including the Canadian federal government, which recently released an open letter urging citizens and businesses to exercise caution.
“Across the world, we have seen a marked rise in the volume and range of cyber threats”, the open letter said, explaining that a growing number of groups have been targeting small and medium-sized businesses, healthcare organisations, utility organisations and municipalities.
The proliferation of cyber security risks and cyber security breaches during a time of crisis was recently epitomised by the numerous, well-documented incidents that occurred during the coronavirus outbreak.
One of the key reasons for this was that in this particular type of crisis, information technology and the inherent interconnectivity it involves became more crucial to business, education and entertainment than ever before.
Schools sent students at home for distance learning, meetings took place through teleconferencing tools and other online meeting spaces, business documents were stored, shared and worked on using the cloud, going out was replaced by movie and music streaming, while everyday items, including food, clothing and hygiene products, were purchased and ordered online.
This increased the attack surface for malicious actors in a dramatic fashion, particularly since certain users, perhaps due to their age, socioeconomic class or geographical location, had little to no experience in navigating the web and dealing with the threats it brings.
In its annual report, called the Internet Organised Crime Threat Assessment (IOCTA), Europol made note of two key points: firstly, times of crisis do indeed lead to a rise in cybersecurity breaches, but also, they essentially highlight and exacerbate issues that predate the root cause of the crisis itself.
“Although the COVID-19 crisis showed us how criminals actively take advantage of society at its most vulnerable, this opportunistic behaviour of criminals should not overshadow the overall threat landscape,” Europol stated, clarifying that in many cases, the pandemic merely magnified previously established problems.
The IOCTA report delved into a number of critical cybersecurity areas that came under the microscope during the coronavirus outbreak, including how different methods and techniques were combined by criminals in order to maximise their effectiveness.
For example, social engineering and phishing attacks were used extensively, particularly due to high amount of anxiety and uncertainty the pandemic induced, with a number of users falling victim to online scammers purportedly selling cures and treatments for the virus.
Additionally, although not a recent development, ransomware attacks have also become a bigger issue over the past two years, growing in both quantity and complexity, resulting in them becoming harder to thwart, identify and defend against.
The IOCTA report noted that advanced versions of malware have become a major threat in the European Union, with malicious actors having conversed some older Trojan viruses, previously used in banking cyberattacks, into modular malware. This allows them to attack a larger number of users, with any successful breaches yielding extracted personal data that can be later sold on for various purposes.
“The coronavirus pandemic has slowed many aspects of our normal lives, but it has unfortunately accelerated online criminal activity,” EU Commissioner for Home Affairs Ylva Johansson has stated.
“Organised crime exploits the vulnerable, be it the newly unemployed, exposed businesses, or, worst of all, children,” she added, explaining that there is an urgent need to further bolster the efforts against organised cyber-criminals.
In addition, two other cybersecurity trends were observed during the pandemic. Firstly, there was an increase in attacks involving SIM card swapping, a form of identity theft that utilises your mobile phone number during the login verification process. This allows attackers to gain access or fully take over user accounts, including social media, personal email, and bank accounts.
SIM card swapping has become such a problem that it has forced telecommunications provider T-Mobile to insert a new security process in place to prevent it, with other carriers like AT&T and Verizon already having put similar cyber security measures in place in recent years.
The rise in cybersecurity threats and data breaches during the coronavirus outbreak was also highlighted by cyber security organizations and others with no direct link to the information technology industry, with the World Health Organisation (WHO) releasing a report that showed that cyber attack incidents had increased by more than 400 per cent.
“Since the start of the COVID-19 pandemic, WHO has seen a dramatic increase in the number of cyber attacks directed at its staff, and email scams targeting the public at large,” the organisation said, noting that in a single week approximately 450 active WHO email addresses and passwords were leaked online, along with thousands belonging to others working on the then-novel coronavirus response.
The organisation said that while its current systems were not put at risk because the data was fairly antiquated by the time of the leak, an older extranet system was ultimately compromised.
“Ensuring the security of health information for Member States and the privacy of users interacting with us a priority for WHO at all times, but also, particularly during the COVID-19 pandemic,” WHO Chief Information Officer Bernardo Mariano said at the time, adding that the organisation was thankful for the support and breach alerts it receives from both Member State countries, as well as companies in the private sector.
Multinational professional services company Deloitte also released a report on the increased number of cybersecurity threats during the pandemic, stressing the emergence of new risks and challenges of cyber security for organisations as they evolve their business models to incorporate remote working and its related operations adjustments.
“Cyber-attackers see the pandemic as an opportunity to step up their criminal activities by exploiting the vulnerability of employees working from home and capitalizing on people’s strong interest in coronavirus-related news (e.g. malicious fake coronavirus related websites),” Deloitte Director in Risk Advisory Cedric Nabe said in an internal article, noting that a crucial consideration for organisations is that the average cost of a successful data breach exploiting an off-site vulnerability can reach as much as can $137,000.
Relatedly, the City of London police, during the first few of the coronavirus outbreak, reported that victims of coronavirus-related attacks lost in excess of £11 million by July 2020, with more than 13,820 reports of coronavirus-related phishing emails being received by that time.
Meanwhile, a study by the Swiss institute gfs-zürich, on behalf of various organisations, including ICTswitzerland and the Information Security Society Switzerland (ISSS), showed that around a million people in Switzerland have been the victims of cyberattacks.
“Cyber security is an issue that must be tackled jointly by the public administration, the private sector and politicians,” director of the Reporting and Analysis Centre for Information Assurance Pascal Lamia said, adding that “to this end, it is important to inform the general public about cyber risks and raise awareness about them”.
Also, the aforementioned report by Deloitte raised an interesting point, where the issue of awareness was contrasted with that of actually implementing best practices and taking the appropriate measures to put that awareness into action.
“Cybersecurity is on the agenda of most executive committee meetings, but should perhaps be given extra attention in view of the growing threats during the pandemic,” Deloitte reported.
In the midst of the second wave of the coronavirus and concerns about a potential third wave, companies should be proactive in addressing the threats, and plan ways of preventing successful cyber attacks rather than responding when they occur,” the company added, explaining that “although prevention measures are important, there is also a need for cyber attack detection, response and recovery capabilities”.
Cyber during war
The aspect of cybesecurity has a dual relationship with the concept of warfare, in that it both becomes even more important during war, strife and conflict, but also, it can be used itself as a form of warfare.
In this subsection, we will explore both how attacks can manifest during such periods, but also how they can become part of a nation’s or nation-sponsored actor’s attack plan to destabilise or otherwise hinder the normal operating activities of a foreign country or organisation.
With global conflict continuing to escalate, cyber attacks increase in number and scale, with victims, however, not necessarily being confined to the people explicitly belonging to any one side in particular.
“The problem is kinetic warfare is almost always accompanied by cyberwarfare,” University of New Haven assistant professor of cybersecurity Vahid Behzadan wrote in March of this year.
“This is something that private citizens may need to be concerned about,” Behzadan added, explaining that while a country may not directly choose to attack critical infrastructure or organisations belonging to a hostile or unfriendly nation, there may be groups or individuals who choose to carry out such cyber attacks out of a sense of perceived duty and loyalty.
Incredibly, the situation can become even more complicated and wide-spanning than that, when third country nationals take up the cause of a country they feel sympathy towards, in essense becoming digital mercenaries in that country’s proverbial cyber army, waging attacks without directly being asked to do so.
“For the first time in history anyone can join a war, so we’re seeing the entire cyber community involved, where many groups and individuals have taken a side,” Check Point Software head of threat intelligence Lotem Finkelstein has stated, noting the increased chaos being observed in the cybersecurity landscape.
Moreover, Clayton LiaBraaten, a senior strategic advisor at Swedish call-blocking company Truecaller said that “the types of scams we can anticipate range from politically oriented robocalls and texts to fake donations and, in general, trying to get people involved in cryptocurrency”.
The fake donations mentioned by LiaBraaten are similar in nature to some of the phishing and social engineering attacks observed during the emergence of the coronavirus outbreak, in that they try to take advantage of a specific topic and how it affects certain individuals on an emotional level.
Furthermore, according to data by Check Point Research (CPR), cyber attacks against a foreign state by another country rose by 196 per cent in the span of three days after an incident took place, while hundreds of thousands of volunteer hackers joined in the effort to try and thwart attacks or launch separate cyber attacks in turn.
“Grassroots volunteers created widespread disruption — graffitiing anti-war messages on media outlets and leaking data from rival hacking operations,” cybersecurity company CyberProof president Yuval Wollman recently told an international news organisation.
“Never have we seen this level of involvement by outside actors unrelated to the conflict,” Wollman added.
There is a plethora of examples of cyber attacks and attempted breaches that serve to act as forms of direct warfare.
Before we delve into some of the cyber attacks with real-world implications, however, it would be useful to examine what exactly can constitute an act of cybersecurity war.
While the line between a traditional, conventionally-motivated cyber attack and an act of cyber warfare can be somewhat blurred, most government agencies consider the potential damage as a determining factor.
In essence, if the cyber attack will cause a significant amount to the operations of the potentially victimised nation, then the cyber attack can be established as a form of warfare.
Cybersecurity war tactics include phishing attacks to disable or disrupt pieces or networks of critical infrastructure, DDoS attacks to disrupt access to certain websites, the illegal extraction or accessing of state or oranisational information, digital espionage that violates national security, ransomware, as well as coordinate propaganda campaigns using digital mediums and platforms.
Further to the above, cyber warfare generally seeks to cause three different category types of consequences on their potential victim, which include destabilisation, sabotage and data theft.
In terms of destabalisation, this may involve an attack on a transportation system, an electrical grid or other form of energy network, financial and banking networks, water supply networks and dams, as well as hospitals and healthcare facilities, among others.
One example of this was the Colonial Pipeline breach in 2021, where hackers took down the largest fuel pipeline in the United States, causing shortages across several states.
“The last thing we wanted was for a threat actor to have active access to a network where there is any possible risk to a pipeline,” cybersecurity firm Mandiant vice president Charles Carmakal said at the time.
Regarding the second type, sabotage, this may involve an attack on a communications system while a real-world attack is taking place, so that the coordination of defensive measures becomes compromised.
Data theft is the most straightforward of the three forms of cyber warfare, which may include holding the data hostage for ransom, viewing critical data related to national security, as well as using classified to create chaos and unrest in the affected country.
Considering the amount of threats touched upon in previous sections of the article, maintaining a reactive stance may end up costing both private and public sector organisations in unimaginably damaging ways.
Boltonshield recommends that all organisations, regardless of size, adopt a heightened security posture and take the necessary proactive measures in order to safeguard their most critical assets, be that infracture, intellectual property, personal data, as well as any combination of these aforementioned items.
Organisations should ensure that multi-factor authentication is enabled for all users that are meant to have remote network access.
“Every CEO and every board should ask their information security team, “Are we at 100 per cent multi-factor authentication across the organization?” If the answer is no, the question is, “How long is it going to take us to get there?””, former director of the Cybersecurity and Infrastructure Security Agency Chris Krebs said in February of this year.
Moreover, software and cloud network controls must be regularly revised and are up to date, while all identified, established and analyzed IT vulnerabilities are addressed.
Beyond the above points mentioned, there are several actions areas that organisations should seek to address.
Here, we will examine six crucial points of concern.
All internet-facing software can provide a pathway for malicious actors to attack your organisation, therefore, all such software must be updated with the most recent security and software patches to eliminate all known vulnerabilities.
This may include the following hardware and software by a number of different vendors:
- CVE-2018-13379 - FortiGate VPNs
- CVE-2019-1653 - Cisco router
- CVE-2019-2725 - Oracle WebLogic Server
- CVE-2019-7609 - Kibana
- CVE-2019-9670 - Zimbra software
- CVE-2019-10149 - Exim Simple Mail Transfer Protocol
- CVE-2019-11510 - Pulse Secure
- CVE-2019-19781 - Citrix
- CVE-2020-0688 - Microsoft Exchange
- CVE-2020-4006 - VMware
- CVE-2020-5902 - F5 Big-IP
- CVE-2020-14882 - Oracle WebLogic
- CVE-2021-26855 - Microsoft Exchange
- CVE-2021-44228 – Log4j2
Organisations should also perform a comprehensive network security audit in order to ensure that any unnecessary ports are locked down.
While any open ports may be the result of deliberate configuration, this is not always the case, since a port may have been openned temporarily to satisfy a specific request and then left open out of negligence.
Alternatively, a port may have been inadvertently openned by an application that interfered with your firewall configuration automatically.
Networks or other information systems may be poorly configured leading to the inadvertent creation of vulnerabilities and other security flaws, potentially exposing you to numerous cybersecurity threats.
In addition, while a network or other system may be technically configured correctly, their software may be out of date, resulting in security patches missing.
Malicious actors will often try to look into what software an organisation utilises in search forfor unpatched systems that will allow them to launch an attack.
Organisations should prevent this from happening by regularly updating all of their systems, both in terms of software and hardware.
Particular focus should placed on your organisation’s endpoint protection clients, who should all be running with the latest updates and security patches.
Your organisation should not limit its cybersecurity review process to solely its internal infrastructure, but it also audit and examine its supply chain for any unwanted risks and unnecessary exposure to outside threats.
This includes a review of the vendors, logistics companies, external suppliers and other companies that you do business with or otherwise rely for your daily operations.
For example, where do the individuals working for these companies have access to? How do they interact with your network? How would you be impacted by these companies becoming compromised themselves? These are just some of the questions that should form part of your review process.
As we have previously mentioned in a dedicated article on cyber attacks, some of which can also be a part of the cybersecurity war, threats to your organisation may come from within the company itself.
Internal threats may be the result of sloppiness and carelessness, as well as current or former employees who wish to deliberately cause damage to your organisation.
Your organisation must instill a security-first mindset in your employees by educating them about best practices and the threats they face online.
You must also ensure that multifactor authentication is enabled, as mentioned above, that passwords are strong, and that phishing remains the most prominent attack vector by malicious actors.
Your organisation must be prepared to act quickly and decisively, with a well-tuned response strategy in place.
Consider what might happen if your email system is unavailable or otherwise compromise.
You must preemptively decide who will be the incident manager during a crisis and that all non-email contacts are up to date.
You must perform a walkthrough of the entire process and reinforce how all relevant and key information for internal teams, customers, and employees will be disseminated in the event of a crisis.
Our experts are always open and available to provide a consultancy and set up efficient threat detection and threat response plan for any corporation, regardless of its industry, size or geographical location.
Defensive strategies include the provision of managed security services, the creation and management of a security operations centre (SOC services), secure cloud hosting, data loss prevention, email security, and mobile device management.
Moreover, offensive strategies (red team cyber security) provided by Boltonshield include standard penetration test, vulnerability assessments, web application testing, mobile application testing, external infrastructure testing, red team testing (where we simulate the role of an enemy or malicious actor), server credentialed checks, internal infrastructure testing, as well as source code reviews.
If you want to get updated about our recent publications about cyber security topics, subscribe to our newsletter.