News: Nation-State Cyber-Attack Tools Enter Black Market, With Rise In Ransomware As A Service
Cyber-attacks are on the rise globally, accelerated further after the pandemic forced the world into a remote workforce and a digitized ecosystem. In India, cyber-attacks have doubled in the past three years, according to University of Surrey research, with enterprises the most common target of these attacks.
Air India experienced a devastating cyber-attack in February, with 4.5 million customers having their data compromised, prompting the enterprise to encourage all of its customers to change their passwords. In January, Indian payment provider Juspay experienced a data breach, with 35 million customers having their data, including card information and fingerprint scans, released on the dark web for anyone to buy.
India has been ranked among the top 3 most frequently attacked countries for years, according to our own Cyber Readiness Report 2020/2021. With 1.15 billion phones and 700 million internet users, India exposes a vulnerable and large user base and plenty of surfaces for cyber-attacks to take off.
One of the most well-known cyber-attacks was the WannaCry attack, a worldwide ransomware cyber-attack occurring in May 2017 using the WannaCry cryptoworm. This attack targeted computers running Microsoft Windows, encrypting data and extorting money out of victims with ransom threats. This attack used the EternalBlue exploit to gain access, an exploit developed by the U.S. National Security Agency (NSA) and leaked by a hacker group called the Shadow Brokers, a name referencing a character in the video game series Mass Effect. The SolarWinds supply chain attack from May was also launched by nation-state attackers, with threat actors accessing Orion users’ networks with a trojan hiding in software updates.
So, why should businesses care about ransomware attacks, especially when most attacks seem to be against public sectors? Simply because, while the attacks on the public sector get vast coverage and close attention, the truth is that there are many more attacks on SMEs, and successful ones at that. Those are simply not as visible, so they're not making the news. Research shows that small businesses are a ripe target for attackers, with 71% of ransomware attacks occurring on small businesses. In the end, attackers do not discriminate in who they attack: every target is a potential asset and income source, regardless of scale. Businesses also store large amounts of sensitive and personal data about clients and employees, which is potentially useful information for any attacker looking to scope out future targets.
Ransomware as a Service (RaaS) groups coordinate supply chain attacks, with the operators of the Maze RaaS using data extortion as a tactic to pressure their victims into paying ransoms, netting an estimated $75 million from their victims, according to a report by security firm Analyst1. These attacks not only hurt the victims directly but also inspire tactics for fringe groups of cyber terrorists to deploy in future attacks. Research and consulting company Gartner, Inc. predicts that in 2024, cyber-attacks will be so damaging to critical infrastructure that a member of the G20 could retaliate with a declared physical attack.
Cyber-attacks don’t just target companies for financial gain; there’s a myriad of different motives behind cyber-attacks, each as troubling as the last. Nation-state attacks might be launched as an attempt to gain tactical espionage and military information, for example. Cyber-attacks are also utilized in efforts to spread disinformation and influence public opinion or government decisions. This means cyber-attacks aren’t always high-tech operations built on state-of-the-art technology, but can be as easy as posting misinformation on social media and using social engineering to spread misdirection as far as possible, into the reaches of the Indian public.
In the summer of 2010, a computer worm named Stuxnet struck, destroying 2,000 centrifuges in an Iranian nuclear facility and crippling the entire plant. This worm had been in development since at least 2005, and was the first time malware was documented to spy on and subvert enterprise systems. India was hit harder than most countries, with a study of Stuxnet composed by Symantec reporting that India hosted more than 8% of computers infected with the worm.
This begs the question: what are businesses to do? No business is safe, no matter the size, so this is a problem that haunts every business owner connected to the internet. Hiring professionals is one of the best-proven ways to mitigate attacks and reduce any destruction caused by potential cyber-attacks. Professionals can be anything from full-time cybersecurity experts to penetration testers and ethical hackers, to part-time security consultants.
Still, there are steps every business owner and even the general public can take to reduce the risk of cyber-attacks and any potential damage. Using virtual private networks (VPNs) to secure data, for example, is a step anyone can take, from businesses to personal devices. Multi-factor authentication, which requires any password-secured login to be validated with a secondary device, is another important implementation that could prevent potential phishing and account compromise.
Gartner predicts that having organizations adopt a cybersecurity mesh architecture will reduce the financial impact of security incidents by an average of 90% by 2024. Mesh architecture forces enterprises to build perimeter security measures around every individual user and access point, with Gartner predicting cybersecurity mesh will “support more than half of all IAM requests, enabling a more explicit, mobile and adaptive unified access management model” by 2025.
Decrypting and encrypting all traffic, and deploying data loss prevention tools and intrusion prevention systems, can also shield enterprises from potential attacks. Zero-trust security measures, which require all users, even those with high authorizations and merit, to be periodically and consistently authenticated, are also a recommended approach to mitigating security risks and preventing internal cyber-attacks.
Training employees in basic cybersecurity measures can also drastically reduce instances of cyber-attacks and the amount of data compromised. One famous example of employee preparation saving a business is the story of Rick Rescorla, during the infamous 9/11 attacks in New York City in 2001. As the director of security for the financial services firm Morgan Stanley, located in the World Trade Center, he began security evaluations and preparations for a potential plane attack as early as 1990. He was successfully able to evacuate over 2,700 Morgan Stanley employees from the south tower shortly after the north tower was struck.
Employee training involves teaching your employees to recognize phishing attacks, create strong passwords, and be cautious about what data they entrust to whom. Especially with the pandemic encouraging a large surge of remote work, cybersecurity training for employees is more important than ever. Cybersecurity experts are available for hire to train employees, with annual refresher courses encouraged as the landscape of cyber-attacks is constantly changing. Conducting drills is another way to keep employees alert and on their toes, with fake phishing attempts or fake social engineering attacks being a couple of examples. It’s in your best interest to prioritize:
- Regular cybersecurity and password training for all your employees – especially those working remotely.
- Vulnerability assessments & patch management
- Zero-trust approach for all users
- Adopting mesh-architecture
- Threat-agnostic anti-malware capabilities
Nation-state cyber-attacks are on the rise, and delaying implementation of cybersecurity protocols only invites inevitable attacks. It’s time for every business everywhere to get serious about cybersecurity and prepare for the worst. There are resources available out there for everyone, so no more excuses: get safe!