German businesses are modernizing their systems and joining the digital supply chain, but this brings with it a corresponding increase in the risk of cyber attack.
As we learned in our previous article "10 known cyber espionage groups and how to protect yourself", there are a great number of advanced persistent threat (APT) groups out there looking to spy on or harm companies both public and private.
But what are the most common attack vectors that these groups, and others like them, are using? And how do you harden your systems against such attacks? Let's take a look.
Today's threat vectors:
The world's supply chain is highly digital these days, with most modern companies utilizing digital services in at least some capacity. Indeed, it's quite rare to find a business in Germany that is not relying on a third-party vendor for some outsourced service or tool.
This reliance on another company's services means your system becomes connected to theirs - an attack on one side could now compromise the other.
Today, APTs sometimes only need to attack one company to gain a foothold in a raft of others. If they compromise a software vendor, for example, they can ride that vendor's own update channel right into the heart of hundreds or thousands of clients (this has happened in real life - see the case study below).
So, an attack up or down the digital supply chain isn't just a problem for the vendor, but for its partners. You could have the best security in the world but if they don't, you're at risk.
Case study - SolarWinds: The 2020 SolarWinds compromise is one of the best modern examples of a large-scale supply chain attack. A state-backed group, later attributed by the US and UK governments to Russia's foreign intelligence service (SVR), inserted a backdoor into the build of SolarWinds' Orion network-monitoring software, which was in use by thousands of organizations around the world. The trojanized update was signed with SolarWinds' own code-signing certificate, so it passed customers' checks, and every customer who installed it opened their own network to the attackers. SolarWinds estimated that up to 18,000 customers installed the compromised update; from that pool the group hand-picked a much smaller set of high-value victims for follow-on intrusion, including Microsoft and the US Department of Energy's National Nuclear Security Administration.
Read more: "Should German businesses care about the SolarWinds hack?"
Read more: "5 multicloud security challenges and how to address them"
For those of you who aren't sure what the term means, 'malware' (short for malicious software) is a general name for software that harms, spies on or disrupts a system. Computer viruses are one type of malware; there are many others.
Malware is the classic cyber attack vector and predates the world wide web itself. Even with today's anti-malware tooling it remains a huge issue - the German BSI counted about 322,000 new malware variants per day in its most recent reporting period.
Some other examples of malware include: ransomware, which we describe below; keyloggers, which record the keystrokes typed on a computer; trojans, which enter systems disguised as something legitimate; droppers, whose job is to install further malware; worms, which replicate and spread on their own; bots, which place an infected machine under an attacker's remote control as part of a botnet; and wipers, which are designed purely for destruction.
Unfortunately, the ways that APTs use malware are as varied as malware itself, which is why it is so hard to stop. Groups often develop custom malware for their preferred delivery channels (e.g. phishing, see below), but they also share or buy tooling from other groups and abuse legitimate software for their own ends - Cobalt Strike, for example, is a commercial red-team tool that criminal groups also use as a post-exploitation framework.
There are many ways attackers can get malware onto a system. Phishing is hugely common, but attackers also use trojanized files that pretend to be something they are not (say, an executable dressed up as a PDF with a document icon or a double extension such as invoice.pdf.exe), spoofed websites that look real but exist to steal your credentials or push a download, and macros in seemingly harmless Word or Excel files.
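The two delivery tricks mentioned above (a file that is not what its name claims, and macros inside an Office document) can both be caught before a user ever double-clicks. The script below is an added example written for this article, not code from the original page or from any vendor: it identifies an attachment's real format from its leading bytes rather than its extension, flags double extensions, and looks inside zip-based Office files for a VBA project. The sample attachments are constructed inline (just the first bytes, no real malware), and the extension tables are an illustrative subset.

```python
import io
import zipfile

# Leading bytes ("magic numbers") of a few formats that matter for attachments.
MAGIC = {
    b"MZ": "pe-executable",                        # Windows EXE/DLL/SCR
    b"\x7fELF": "elf-executable",                  # Linux binaries
    b"%PDF-": "pdf",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",   # legacy .doc/.xls, also .msi
    b"PK\x03\x04": "zip",                          # .zip, and OOXML .docx/.xlsx/.docm ...
}

# Extensions under which each real type legitimately travels (illustrative subset).
EXPECTED_EXT = {
    "pe-executable": {"exe", "dll", "scr"},
    "elf-executable": set(),
    "pdf": {"pdf"},
    "ole2": {"doc", "xls", "ppt", "msi"},
    "zip": {"zip", "docx", "xlsx", "pptx", "docm", "xlsm", "pptm", "jar"},
}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}


def sniff(data: bytes) -> str:
    """Identify the real format from the file's first bytes, ignoring its name."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def has_vba_macro(data: bytes) -> bool:
    """True if a zip-based Office file carries a VBA project (vbaProject.bin)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def classify_attachment(filename: str, data: bytes) -> dict:
    """Return the detected type plus a list of findings worth blocking on."""
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    real = sniff(data)
    findings = []
    if real.endswith("executable"):
        findings.append("executable")
    if len(parts) > 2 and parts[-2] in DOCUMENT_EXTS:
        findings.append("double-extension")            # e.g. invoice.pdf.exe
    if real != "unknown" and ext not in EXPECTED_EXT[real]:
        findings.append(f"extension-mismatch:{ext or '<none>'}->{real}")
    if real == "zip" and has_vba_macro(data):
        findings.append("vba-macro")
        if ext in ("docx", "xlsx", "pptx"):           # macro code under a "safe" extension
            findings.append("macro-in-non-macro-extension")
    return {"name": filename, "real_type": real, "findings": findings}


# --- constructed sample attachments: only leading bytes, no real payloads ---
def build_ooxml(with_macro: bool) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
    return buf.getvalue()


SAMPLES = {
    "invoice.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
    "invoice.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "scan.pdf": b"MZ\x90\x00" + b"\x00" * 60,         # executable renamed to .pdf
    "report.docx": build_ooxml(with_macro=False),
    "report_macro.docx": build_ooxml(with_macro=True),
}


def scan_all(samples=SAMPLES) -> dict:
    return {name: classify_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for result in scan_all().values():
        print(result)
```

The point of sniffing magic bytes is that the attacker controls the file name but not what the operating system will do with the content; a mail gateway that trusts the extension is trusting the attacker. The macro check is deliberately simple (presence of vbaProject.bin); tools such as oletools go further and inspect the VBA itself.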
Case study - Bouncing Golf: Bouncing Golf is an APT that has been detected in the Middle East, targeting military-related data. This group tries to sneak its software onto its victims' mobile devices; its malware poses as legitimate applications about news, sports, lifestyle and so forth, so that people will download it. This then gives the attackers access to the victim's device, where they can see files, call logs, SMS messages, device location, and more. They can also steal files from the device and download more onto it.
Ransomware is one type of malware. Once running on a system, it encrypts the victim's files (and sometimes locks the whole machine) so that users lose access. The attackers then demand a ransom in exchange for the decryption key (hence the name).
Bonus fact: The average ransom paid in 2021 was US$170,404, but only 8% of organizations say they got all of their data back after paying (Sophos, The State of Ransomware 2021).
There are two common types of ransomware:
As you can see, the point of ransomware is to disrupt activity and force someone to pay up.
This is usually financially motivated cybercrime rather than espionage or sabotage: the goal is to make money, not to spy on or destroy key targets. It is therefore most often carried out by independent criminal groups rather than state-backed actors.
One thing to note is that ransomware is usually the final stage of a longer chain of activity, such as social engineering, phishing and vulnerability scanning (yes - APTs use the same scanners companies use to find their own weaknesses, but to exploit rather than patch). This makes it critical to detect that earlier activity, because by the time files are being encrypted the attacker has already been inside for some time.
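The encryption itself is the last and noisiest stage, and it has a recognizable shape on a file server: one process renaming large numbers of files to the same new extension in a short burst, and touching files that nothing legitimate ever opens. The detector below is an added example written for this article (not code from the original page or from any product) that runs over a constructed file-activity log. The log format, host and process names, paths and thresholds are all invented for the demo; it also illustrates the point made above, since by the time this alert fires, encryption has already started.

```python
from collections import defaultdict, deque
from datetime import datetime

# Canary files: planted documents nothing legitimate should ever open or rename.
CANARY_PATHS = {"/srv/share/finance/_do_not_open.xlsx"}
WINDOW_SECONDS = 60       # how far back to count renames per process
RENAME_THRESHOLD = 10     # renames to one new extension inside the window that raise an alert

# Constructed log lines: "<iso-time> <host> <user> <process> <event> <path>"
# (for rename events the path field is "<old>-><new>").
BENIGN_LINES = [
    "2024-03-04T09:12:01 fs01 jdoe WINWORD.EXE write /srv/share/finance/q1.docx",
    "2024-03-04T09:12:07 fs01 jdoe WINWORD.EXE rename /srv/share/finance/~q1.tmp->/srv/share/finance/q1.docx",
    "2024-03-04T09:13:30 fs01 asmith EXCEL.EXE write /srv/share/finance/budget.xlsx",
]
# One unknown binary renaming a dozen files to the same new extension within 12 seconds,
# then reading the canary file.
ATTACK_LINES = [
    f"2024-03-04T09:20:{i:02d} fs01 jdoe svchost32.exe rename "
    f"/srv/share/finance/doc{i}.docx->/srv/share/finance/doc{i}.docx.locked"
    for i in range(12)
] + ["2024-03-04T09:20:13 fs01 jdoe svchost32.exe read /srv/share/finance/_do_not_open.xlsx"]
SAMPLE_LOG = BENIGN_LINES + ATTACK_LINES


def parse(line: str) -> dict:
    ts, host, user, proc, event, path = line.split(" ", 5)
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "proc": proc, "event": event, "path": path}


def detect(lines, window=WINDOW_SECONDS, threshold=RENAME_THRESHOLD) -> list:
    """Return alert tuples for canary access and bulk rename-to-one-extension bursts."""
    alerts = []
    recent = defaultdict(deque)   # (host, process) -> deque of (timestamp, new extension)
    for ev in sorted(map(parse, lines), key=lambda e: e["ts"]):
        key = (ev["host"], ev["proc"])
        src = ev["path"].split("->")[0]
        if src in CANARY_PATHS:
            alerts.append(("canary-touched", ev["host"], ev["proc"], ev["user"], ev["event"]))
        if ev["event"] != "rename":
            continue
        dst = ev["path"].split("->", 1)[1]
        new_ext = dst.rsplit(".", 1)[-1].lower()
        q = recent[key]
        q.append((ev["ts"], new_ext))
        while (ev["ts"] - q[0][0]).total_seconds() > window:   # slide the window forward
            q.popleft()
        if len(q) >= threshold and len({e for _, e in q}) == 1:
            alerts.append(("bulk-rename", ev["host"], ev["proc"], ev["user"], new_ext, len(q)))
            q.clear()   # one alert per burst, not one per file
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The rename-rate rule is keyed per process so that a user saving many Word documents (each a write plus a temp-file rename to a normal extension) does not trip it; the canary rule needs no threshold at all, which is why planted files are cheap and reliable. In practice these alerts should trigger an automatic response (kill the process, isolate the host) rather than a ticket.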
Case study - New Zealand Waikato District Health Board: Even small, out-of-the-way countries are at risk. New Zealand might not seem like a big target, but in 2021 the district health board (DHB) of its Waikato region was struck by the worst cyber attack in the country's history to date. Criminals took down the DHB's systems (affecting computers and phones), gained access to confidential files, and demanded a ransom for their return. This disrupted vital medical care, with services taking weeks to restore. In this case the NZ government chose not to pay.
Phishing is one of the most common attack vectors used by the world's most notorious APTs. It is the act of trying to get a user to perform an action (e.g. click a link, open an attachment, enter a password) by pretending to be a legitimate source. Email phishing has been around for decades, but these days phishing can also be highly elaborate, involving long-term social engineering via social media and other channels.
Bonus fact: The FBI's Internet Crime Complaint Center found phishing to be the most frequently reported cyber crime in the US, and it has only grown (FBI).
Phishing versus spear phishing
You'll see in our top 10 APTs article, and around the web, mention of both phishing and 'spear phishing'. Spear phishing is the same idea but far more targeted: whereas phishing casts a wide net in the hope that as many people as possible fall for it, spear phishing goes after specific individuals with a pretext tailored to them, usually built on prior research about the target.
Some of the world's more common phishing techniques include:
Case study - Charming Kitten social engineering: Charming Kitten is an infamous APT believed to be working for Iranian interests that has become adept at social engineering. In one well-documented case the group used social media channels to pose as journalists and build relationships with potential victims. Once a degree of trust had been established, they encouraged victims to sign up for a 'webinar' which was, of course, malicious.
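Whatever the pretext, a phishing message has to pretend to come from somewhere, and the cheapest disguises are a lookalike domain or a real executive's name on an outside mailbox. The script below is an added example written for this article (not code from the original page or from any mail product) showing the sender checks a gateway or SOC can run on a From: header: decoding punycode domains, collapsing visually confusable characters, catching TLD swaps, typosquats, and your own domain used as a subdomain of someone else's, plus display-name impersonation of named executives. The company domain, the executive list, the confusable table (a small subset of the Unicode confusables data) and the sample headers are all invented for the demo.

```python
import unicodedata
from email.utils import parseaddr

PROTECTED_DOMAINS = {"example-gmbh.de"}                       # hypothetical company domain
EXECUTIVES = {"anna müller": "anna.mueller@example-gmbh.de"}  # display name -> real address

# Visually confusable substitutions seen in lookalike domains (small illustrative subset).
SINGLE = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",   # Cyrillic а е о р
          "\u0441": "c", "\u0445": "x", "\u0131": "i", "1": "l", "0": "o"}
MULTI = {"rn": "m", "vv": "w"}


def skeleton(label: str) -> str:
    """Collapse a domain to the ASCII string a human would perceive."""
    s = unicodedata.normalize("NFKC", label).lower()
    s = "".join(SINGLE.get(ch, ch) for ch in s)
    for pair, repl in MULTI.items():
        s = s.replace(pair, repl)
    return s


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; small values against a protected domain mean typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_sender(from_header: str) -> list:
    """Findings for one From: header value (display name already RFC 2047-decoded)."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    try:
        domain = domain.encode("ascii").decode("idna")   # turn xn-- labels back into Unicode
    except UnicodeError:
        pass                                              # already a Unicode domain
    findings = []
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr != expected:
        findings.append("executive-name-on-external-address")
    if domain in PROTECTED_DOMAINS:
        return findings          # genuine domain; SPF/DKIM alignment is checked upstream
    sld, _, tld = domain.rpartition(".")
    for good in PROTECTED_DOMAINS:
        good_sld, _, good_tld = good.rpartition(".")
        if domain.startswith(good + "."):
            findings.append("protected-domain-as-subdomain")
        elif skeleton(domain) == skeleton(good):
            findings.append("homoglyph-lookalike")
        elif sld == good_sld and tld != good_tld:
            findings.append("tld-swap")
        elif levenshtein(domain, good) <= 2:
            findings.append("typosquat")
    return findings


# Constructed sample headers. The fourth uses a Cyrillic 'а' and is encoded to
# punycode the way it would actually appear on the wire.
CYRILLIC_LOOKALIKE = "ex\u0430mple-gmbh.de".encode("idna").decode("ascii")
SAMPLE_HEADERS = [
    "Anna Müller <anna.mueller@example-gmbh.de>",
    "Anna Müller <anna.mueller.ceo@gmail.com>",
    "IT Support <helpdesk@exarnple-gmbh.de>",
    f"IT Support <helpdesk@{CYRILLIC_LOOKALIKE}>",
    "Payroll <payroll@example-gmbh.com>",
    "Payroll <payroll@example-gmhb.de>",
    "Login <secure@example-gmbh.de.account-verify.net>",
]


def assess_all(headers=SAMPLE_HEADERS) -> dict:
    return {h: assess_sender(h) for h in headers}


if __name__ == "__main__":
    for header, findings in assess_all().items():
        print(f"{header!r}: {findings or 'ok'}")
```

These heuristics are a complement to, not a replacement for, SPF, DKIM and DMARC: authentication proves a message really came from example-gmbh.com, and only a lookalike check tells you that example-gmbh.com is not you. The executive check is what stops the classic "CEO on a Gmail address asks for an urgent transfer" message, which passes every authentication check because the attacker genuinely owns that mailbox.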
We've talked a lot so far about threats from outside, but there is always a risk that someone inside your company becomes a threat themselves.
Here we're not talking about innocent human error, although that is always a risk. Our point is the very real risk that someone somewhere in the company is being radicalized, either by people they know in person or via online forums.
The internet and social media have made this problem worse. There is now an echo chamber effect online which can exacerbate the risk of radicalization. Facebook and Twitter are particularly bad at creating echo chambers: users flock to like-minded individuals, and then content algorithms serve them more 'desirable' content, digging them further and further into their information bubble.
Read more: "The echo chamber effect on social media"
There are any number of ways a cyber threat group could use someone on the inside, and someone already on the edge only needs a push. If an individual or group that wishes your company harm can cultivate an 'inside man' (by nurturing that person's viewpoint or emotional state), they gain a position from which to compromise your business directly, bypassing the controls that keep outsiders out.
They might ask that staff member to run malware on company computers, to send phishing emails from their own account so that they appear to come from a trusted source, or to carry out some other form of attack.
Case study - US Armed Forces: The US Armed Forces is learning it must fight radicalization within its own ranks. According to an annual survey of active duty troops by MilitaryTimes, over a third of personnel witnessed ideology-driven racism (e.g. white nationalism) in 2019, up from 22% the year prior (MilitaryTimes).
Contextualizing this to business: Anyone with a social media connection runs the risk of falling into an echo chamber, and anyone runs the risk of growing bold enough (or angry enough) to act on their changing beliefs. If this were to happen to someone with access to your business network, it could be hugely damaging.
You'll see that many of the threat mitigation strategies discussed here apply to multiple threats. Essentially, a company that can monitor for suspicious activity, block it as it occurs, and contain it should it get inside the system is able to react to and mitigate a wide range of potentially damaging attacks.
Of course, prevention is almost always the best option. That's where training, support and monitoring come into play, to enable you to keep an eye on not just your technology but your people, so you can provide a safe, healthy environment for them to work within.
At dig8ital, we're experts in cyber attack mitigation and have been working with some of Europe's biggest companies for years to help them digitally transform into modern, flexible, defensible enterprises. Contact us today for a free maturity consultation.