In our previous annual discussion on German cyber security trends, we noted that exploitation of the COVID-19 pandemic was having a huge impact on the country's IT networks, with ransomware and phishing attacks being some of the most prevalent.
This year, problems from the pandemic take a back seat as the war in Ukraine snatches headlines, although ransomware remains the greatest cyber threat facing German companies.
Ransomware has been the top cyber threat for quite a few years now, but changes to how attackers perform these attacks (and who is involved) are driving scale much more effectively than before.
Once, if a ransomware gang wanted to attack someone's business they would need to develop their own malware, reconnoiter the system, hack into it, extract the ransom and cover their tracks as best as possible. This left a lot of footprints in the target system, making it easier for law enforcement to sniff out the culprits and stop them.
However, over the past few years (and notably in 2022) groups started splintering. Now, the different parts of an attack may be performed by different outsourced entities, each specializing in one stage of the ransomware process. This makes it harder for law enforcement to link the stages to a single culprit, and the German Federal Office for Information Security (BSI) has stated that it believes this division of labour is the driving factor behind ransomware's increasing scale.
Overall, this phenomenon is called 'Cybercrime-as-a-Service', and some of its components include:
Learn more: What is ransomware? How it works + what to do
To date, there have been no major cyberattacks in Germany as a result of the Russian war of aggression in Ukraine, but smaller incidents have been occurring with relative frequency. Collateral damage is also a risk.
At first, the war caused little more than social media trolling and waves of propaganda - dangerous in its own right, but not a significant threat for the private sector. But, as the war has drawn on, local organizations have begun to come under direct attack from hacktivists, or to suffer collateral damage from their operations.
What is a 'hacktivist'? A hacktivist is someone who attacks a company or government entity for political or social reasons rather than for profit. In some cases, hacktivists have been known to vandalize websites and Wikipedia pages. In more extreme cases, they have sought to steal data and disrupt services.
Hacktivism in Germany
Russia-aligned hacker groups have been a problem in Germany for many years, but now pro-Ukrainian factions are also a growing collateral threat - mostly for organizations with any connection to Russia (or that rely on a service provider with Russian links).
In one case noted by the BSI, a German distributor of mineral oil (with a Russian parent company) was attacked and compromised by hacker group Anonymous. The group managed to exfiltrate a sizable amount of company data, causing the servers to be entirely shut down. Confusion ensued about who should (or even could) get them up and running again due to European sanctions against Russian businesses.
In another instance, a satellite service used by the wind power sector across Europe was attacked and taken offline. This hit 5,800 wind energy systems, affecting German, French and Irish customers.
Zero-day exploits have been around for a long time, but in its July 2021 - July 2022 report, the European Union Agency for Cybersecurity (ENISA) found these attacks had reached an all-time high. Indeed, state-sponsored actors were targeting not only critical vulnerabilities in major software and appliances (Microsoft, Atlassian, Fortinet) but also small-office technology (like home routers) too.
What is a zero-day exploit? The exploitation of a critical security flaw that is still unknown to (or not yet patched by) the software's developers, so no fix exists at the moment it is used.
Why are zero-day exploits increasing?
One possible reason is that it's simply getting harder for attackers to hit target networks through other means, as German cyber security has matured over time. If an attacker can't get into a network through more typical means, they are forced to dedicate their resources to uncovering potential software exploits that haven't been patched yet.
Another explanation is that it is a by-product of the world's increasing reliance on the digital supply chain. More companies are using more software products than ever before, and a very small number of organizations provide software services to a very large number of organizations. Exploiting a weakness in one such software service can give an attacker access to all of its customers.
Learn more: Should German businesses care about the SolarWinds hack?
Supply chain attacks are also growing in frequency, becoming a favored technique for criminal groups. To put it in numbers, in 2022, Anchore noted that 62% of organizations had been impacted by this type of attack (6% had been impacted 'significantly').
SolarWinds was a major example of a supply chain compromise, where the vendor's own build process was subverted to ship malicious updates to customers. The Log4j vulnerability showed a related risk: a flaw in a single widely used open-source component that propagated through the software supply chain to every product that bundled it.
What is a supply chain attack? The compromising of a popular software supplier in order to gain access to its customers (or fellow suppliers).
Why is this trend growing?
As we mentioned before, companies in Germany and around the world are becoming increasingly digitally connected. There are a great many organizations now connected to very few by way of their software products (think about how many computers utilize Microsoft products). By attacking the single supplier, attackers can often gain access to thousands, if not tens or hundreds of thousands, of other networks.
To quote ENISA, "...an increase in cyber defenses becomes fruitless if attackers have pathways directly into organizations via compromises of third-party relationships."
Changes are being made at the government level to broadly improve cyber security across organizations, address security in the supply chain, and to oblige entities to take greater self-protection measures. The NIS2 Directive is an example from the EU, and Executive Order 14028 is an example from the US.
Learn more: Are you reviewing your third parties for security risks?
In 2022, the BSI detected 116.6 million new malware variants, slightly less than in 2021 (144 million). That's nearly 320,000 per day.
Having a good data backup strategy can mitigate some of the harm of a ransomware attack. In the event that your organization is locked out of its systems due to a breach, being able to recover from a backup may prevent you from having to pay up. Additionally, if any data is destroyed or lost during an attack, you can recover it quickly.
Some top tips to ensure your backup strategy will work effectively include:
All of your devices, from computers and laptops to phones, tablets and smart systems, run on software that will be updated on a regular basis by the developer. This goes for apps, too.
Make sure you keep these systems up to date. Updating to the latest security patch could prevent your company from being attacked via a known software exploit. Patching alone cannot stop a true zero-day exploit (that's the point of them), but it protects you from all other known vulnerabilities, and from anyone still using a former zero-day exploit after a fix has been released - most attacks that succeed in practice target flaws for which a patch already existed.
If you aren't already using a modern identity and access management policy based on Zero Trust and the principle of least privilege, now is the time to look into these.
Segmenting your IT network through deliberate, strategic access restrictions can stop an attacker who gets into one part of it from reaching the entire thing. Should an employee's login credentials find their way into the hands of a criminal, that criminal would only ever have access to what the employee had access to - which, with least privilege in place, would be limited.
Thinking about supply chain compromise (also known as vendor risk or third-party risk) ensures that your company has in place a policy that protects it from its own vendors.
It's important that, in your research on potential threats and cyber risks to your business, you always include your software vendors. What risks do they face? Who might try to attack them, and how? Those risks are your risks if your systems are connected.
When negotiating vendor agreements, consider bringing in a security expert to help. They can ask the right questions about your vendor's own cyber security policies, and review the contract for security red flags. This is a process you can also backdate, to ensure you give your existing vendors the same scrutiny.
Finally, when downloading any new software patch, first confirm that what you downloaded is what the vendor published (check its published checksum or signature), then test it in an isolated environment. Check for security weaknesses, errors, vulnerabilities or red flags, and roll it out to the rest of the business only when you're satisfied that it's safe.
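The integrity check described above, as an added example that is not part of the original article: the script below verifies downloaded patch files against a vendor-published SHA256SUMS list (the one-line-per-file format produced by `sha256sum`, assumed here) and refuses to stage anything into the isolated test environment if any file is missing or altered. The file names, contents and digests are constructed for the example.

```python
"""Verify downloaded patches against a vendor-published SHA256SUMS list before
staging them for isolated testing.  Added example; the SHA256SUMS format
('<hex digest>  <filename>' per line, as written by `sha256sum`) is assumed."""
import hashlib
import hmac
import os
import tempfile


def sha256_of_file(path, chunk_size=1 << 16):
    """Stream the file so large installer images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sums(text):
    """Parse SHA256SUMS lines into {filename: hexdigest}; skip blanks and comments."""
    expected = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed SHA256SUMS line {lineno}: {line!r}")
        digest, name = parts
        # sha256sum prefixes '*' to names hashed in binary mode; strip it
        expected[name.lstrip("*")] = digest.lower()
    return expected


def verify_downloads(directory, sums_text):
    """Return {filename: 'OK' | 'FAILED' | 'MISSING'} for every listed file."""
    results = {}
    for name, digest in parse_sums(sums_text).items():
        # basename: never let a listed name walk out of the download directory
        path = os.path.join(directory, os.path.basename(name))
        if not os.path.isfile(path):
            results[name] = "MISSING"
            continue
        ok = hmac.compare_digest(sha256_of_file(path), digest)
        results[name] = "OK" if ok else "FAILED"
    return results


def safe_to_stage(results):
    """Stage into the isolated test environment only if every file checks out."""
    return bool(results) and all(status == "OK" for status in results.values())


def _write(path, data):
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: one intact patch, one tampered patch, one not downloaded."""
    good = b"fake vendor patch 1.2.3\n"
    original_124 = b"fake vendor patch 1.2.4\n"
    tampered_124 = b"fake vendor patch 1.2.4 with injected payload\n"
    with tempfile.TemporaryDirectory() as d:
        _write(os.path.join(d, "patch-1.2.3.bin"), good)
        _write(os.path.join(d, "patch-1.2.4.bin"), tampered_124)  # altered in transit
        sums = "\n".join([
            "# vendor-published list (constructed for this example)",
            f"{hashlib.sha256(good).hexdigest()}  patch-1.2.3.bin",
            f"{hashlib.sha256(original_124).hexdigest()}  *patch-1.2.4.bin",
            f"{'0' * 64}  patch-1.2.5.bin",  # listed by the vendor, never downloaded
        ])
        return verify_downloads(d, sums)


if __name__ == "__main__":
    report = demo()
    for name, status in report.items():
        print(f"{status:8} {name}")
    print("stage for testing:", safe_to_stage(report))
```

One caveat worth keeping in mind: a checksum list fetched from the same server as the download only proves the file was not corrupted or swapped in transit. It says nothing about whether the vendor itself was compromised - the SolarWinds updates were correctly signed by the vendor - so the checksum list should itself be verified against a signature whose key you obtained out of band, and the isolated test run remains necessary.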
As noted above, cyber criminals know to target people - low levels of cyber awareness create huge vulnerabilities that a skilled attacker can exploit with relative ease.
It's vitally important that you raise cyber skills and awareness across your business, top to bottom. No staff member should be left out of this training, including the highest-tier executives and the lowest-tier entry-level interns. If someone has access to, or may one day touch, a device connected to the company's IT network, they should receive some degree of cyber security training.
Learn more: How exposed is your business to human error?
Cyber security is a lot to think about; attackers really will try to come at you from all sides. But you don't have to figure everything out yourself, especially if you're struggling to hire the right digital talent for the job.
Here at dig8ital, we can handle all aspects of cyber security, from planning through to implementation and review. Contact us for a free maturity consultation and we'll chat to you about your unique needs.