The COVID-19 pandemic has shown us how flexible cyber attackers can be when it comes to taking advantage of new events. With so many companies moving to new digital-first strategies this year (e.g. remote working), they have inadvertently opened themselves to a range of new attack vectors that criminals have been quick to exploit.
In its Die Lage der IT-Sicherheit in Deutschland 2020 report, the German Federal Office for Information Security (BSI) noted that it had observed a number of campaigns seeking to take advantage of the fear and confusion around COVID-19, including phishing and malware campaigns, CEO fraud, and scams. The BSI went on to say that it believed the fears, worries and insecurities of such a global event may have increased the chances of success of such attacks.
2020 brought with it a rise in attacks coming from nation states. Microsoft's Digital Defence Report found that nation states were proving to be more sophisticated and better trained than independent attackers, and were willing to "play the long game" in order to avoid detection.
However, nation-backed attackers do not always target foreign government resources. Indeed, the sectors most at risk were NGOs, professional services, government, international organizations, IT firms and higher education.
Microsoft also noted that attackers were using major events to gain an advantage (e.g. COVID-19), and that their techniques included reconnaissance, credential harvesting, malware and VPN exploits.
Case Study: SolarWinds
The 2020 SolarWinds hack has proven to the world just how insidious and damaging a state-backed attack can be on both public and private sector companies.
In December 2020, cybersecurity company FireEye disclosed that it had been hacked, and traced the intrusion back to an IT management platform known as Orion, built by SolarWinds. From here, the true extent of the hack began to take shape.
Unbeknownst to SolarWinds, a compromised Orion update handed out malware dubbed SUNBURST to 18,000 global customers (about 80% in the US), over 200 of which have, at time of writing, since been found to have been hacked. Microsoft is one such Orion customer, which put out a statement noting that its cloud services had been hit by SUNBURST and Azure users were being warned to lock their systems down.
The malware, which is strongly suspected to have come from a Russia-backed group, was also found in the systems of the US Department of Energy's National Nuclear Security Administration. The attackers are reported to have used malicious code that has been linked to Russia's FSB security service; however, investigations remain ongoing.
In Germany, customers included Siemens, Deutsche Telekom and Gillette Germany.
Later that month, the combined forces of FireEye, Microsoft and web domain host GoDaddy reportedly found and activated the SUNBURST killswitch. While this will make it far more difficult for the attackers to use the existing backdoors installed as part of SUNBURST, it will not prevent them from using any other backdoors they have since installed in secret. Customers are being advised to comb through their systems and look for signs of compromise rather than rely solely on the latest Orion patch for protection.
Two other strains of malware were also discovered to be involved in the hack, dubbed Sunspot and Teardrop.
The full extent of the SolarWinds hack is still being discovered at time of writing, as companies scramble to find out who has been hacked, to what extent, and what files have gone missing. But as you can see, with just one highly sophisticated hack of one widely used global company, tens of thousands of systems were put at risk.
SUNBURST is not the only piece of malware potentially floating around Germany.
In 2020, the BSI noted that 117.4 million new malware variants had been discovered, compared to 2019's 114 million. That's an average of about 322,000 new variants per day.
While SUNBURST took the headlines, the BSI noted that for most of 2020 the program known as Emotet was the dominant threat. Attackers have moved from using Emotet in a targeted manner against specific victims to large-scale, widespread attacks. Emotet is regarded as a significant threat because it contains modules for spying on information, sending spam and installing further malware (e.g. Ryuk ransomware), and it has worm and bot functionality. Essentially, it is an all-in-one package that can exploit systems on its own, install new malware, and open the door for further intrusions.
It may feel like a hopeless task, fending off increasingly sophisticated threats in an equally difficult economic environment, but there's still a lot you can do to prepare your company for whatever 2021 has in store.
One of a company's biggest vulnerabilities - no matter how much it invests in cyber security initiatives and the latest tools - will always be its staff. As we're seeing, cyber criminals knowingly target individuals in order to manipulate them into clicking on dangerous links, or falling for complex scams.
To try to mitigate this potential risk area, you need to promote cyber awareness throughout the organization. Invest in training programs that talk about how to spot malicious emails, how to properly use a VPN, and other online safety tricks.
Don't just use training as a box-ticking initiative. Really take the time to engage your people and ensure that they take on board the lessons. Build cyber awareness into your onboarding process and promote it up and down the company. Only then can you start to feel more confident that your people know what to look for and how to stay safe.
Experts are still sorting through the rubble of the SolarWinds hack, but it teaches us a valuable lesson. Your own cyber processes are not the only thing that leaves you vulnerable to attack: vendors, partners, consultants, anyone with access to your business, and especially anyone whose own systems are connected to yours (e.g. Microsoft) could pose a problem for your security. If they themselves are hacked, they could open a backdoor into your systems as well.
It's going to be tough, but one of the best things your security teams can do right now is go right back to the basics. Start totally from zero, re-examining and rebuilding each layer of your security architecture from the ground up. Take your time at each stage to ensure that you are checking every possible threat vector, and updating any processes or systems as needed to tighten up your perimeter.
If you feel there are issues with your partners and vendors, there may not be much you can do about it - but you can still try. Open up negotiations, make security a key part of your contract renewal, offer your advice if you think it will help them patch their systems. If they refuse, you may need to be willing to walk away in order to protect yourselves and your customers.
We know that ransomware attacks are a common problem in Germany, and investing in backups is one way to potentially circumvent this issue, not to mention the fact that backups are an incredibly valuable disaster recovery tool in general.
If you back your systems up regularly and an attacker then seizes control and demands money in return for restoring access, knowing that you can simply bypass the attacker and regain control from a trusted backup takes the pressure off the decision of whether or not to pay.
Of course, you will also have to couple this process with a complete scan of your organization to figure out how the attacker got access in the first place. For this, we recommend returning to our point above about starting from zero.
Cyber security is, quite frankly, highly complicated. Due to the increasing sophistication of threats, keeping up with the latest news is a full-time job in and of itself - let alone implementing the changes.
But in today's modern era, organizations cannot afford to neglect their security. If you need help, we're here for you. Our team of experts has experience across the security spectrum and a wide range of business sectors, putting us in a perfect position to assist you.
To learn more about what we might be able to do for your unique needs, get in touch with us for a no-obligation free maturity consultation, where we'll talk about your situation and discuss how we can help you out.