—— Companies and government agencies around the world are increasingly falling victim to cyberattacks—launched by thieves, blackmailers and spies. Those affected are often helpless. Yet usually simple measures are all that are needed to protect them.
TEXT LARS-THORBEN NIGGEHOFF ILLUSTRATION KLAWE RZECZY
On July 2 of this year, much of Sweden came to a standstill. Supermarkets, pharmacies, gas stations, even the national rail system: throughout the country, stores had to close or switch to emergency operations. In some cases, it became absolutely impossible to pay for things with either cash or card. Computer systems went down, and employees had to write invoices—if they could at all—by hand. It took several days before the crisis passed and life in this northern European country returned to normal.
The cause was a large-scale cyberattack that wasn’t even targeting the Scandinavian country, but a software company in Miami, around 8,000 kilometers away from the Swedish capital of Stockholm. The company, Kaseya, provides other IT service providers with a software program that installs updates on their clients’ computers. Clients such as the Swedish supermarket chain Coop.
The attack demonstrated how greatly global networking increases the risk of cyberattacks. A security vulnerability in Florida can, with just a few degrees of separation, endanger the sale of foodstuffs in Gothenburg. Criminals and rogue states are taking advantage of this, trying to sneak into the computers of companies, public authorities or major infrastructure to either steal data or extort money. “The impacts are striking closer to home, and with increasing regularity,” says cybersecurity expert Tim Berghoff from the company G Data in Bochum, Germany.
Indeed, the cases are piling up. In the US this year alone, for example, both the meat processer JBS as well as the Colonial Pipeline System were crippled by criminals. Facebook and T-Mobile reported data breaches. In January, hackers were able to penetrate the systems of the European Banking Authority and the Norwegian parliament, among other institutions, due to a security flaw in the email servers of technology giant Microsoft. In the German county of Anhalt-Bitterfeld, near Leipzig, everything came to a grinding halt. The public authorities couldn’t be reached via email for almost a week, among other problems. Hackers had managed to insert malware that encrypted all of the data. And in September 2020, there was probably even a first fatality in connection with a cyberattack when hackers more or less knocked the University Clinic Düsseldorf out of commission.
There are myriad reasons why hackers can manage such feats. The first is the increasing spread and networking of digital infrastructure. Where there’s a lot of technology, there are many points of entry. At the same time, attackers have become more professionalized—the cliché of a hoodie-wearing hacker in their mom’s basement who paralyzes a company’s servers just for fun has even less to do with reality these days than it did in the past. Instead, organized gangs are behind such attacks and they often offer their services to other criminals. And those affected? They’re quite aware of the problem. A survey conducted by the professional services giant Deloitte found that 77 percent of decision-makers in politics and business consider data breaches to be a problem, while 76 percent think the same about malware attacks. However, they struggle to take the necessary countermeasures, raise their own firewalls and train their employees against such attacks. If one does occur, those affected prefer to keep quiet rather than admit to their own mistakes and failures. In critical areas including the economy, infrastructure and public administration, it’s important to be armed against cyberattacks. Each faces its own set of challenges, yet at the same time the measures that can be taken are often very similar. What follows is an overview of the issues across three sectors.
EMPTY SHELVES Ransomware attacks can hit any company. The meat processing conglomerate JBS had to shut down some of its factories after such an attack in June. Even the FBI got involved.
MORE LUCRATIVE THAN DRUG TRAFFICKING
Many people have learned over the past months how centralized the meat-processing industry has become. In 2020, when a factory of the Tönnies Group in Germany was forced to shut down due to a corona outbreak, a gigantic backlog formed throughout all parts of the industry, bringing sausage and steak production in the country to a standstill. Yet Tönnies is just a lightweight compared to the true giants of the industry. The Brazilian-American meat conglomerate JBS has almost six times the sales of Tönnies. Which means, of course, that the impact is that much higher when their slaughterhouses suddenly grind to a halt. The company handles one quarter of the beef and one fifth of the pork production in the United States. In June, a ransomware attack caused five of its largest sites to close down in the US, Canada and Australia. In a ransomware attack, the victim’s data is either stolen or encrypted by malware. The threat: it will be made public (in the first case) or destroyed (with encryption) unless the victim pays a ransom. JBS paid, and quite a lot: 11 million US dollars in bitcoin went to the blackmailers.
“Today things are much more precise. Attackers scout their targets over a longer period of time and search for individual weak spots.”
The Brazilian headquarters remained tight-lipped about the cause of the incident. Yet a culprit was quickly found. The Russian ransomware operation REvil was allegedly behind the blackmail operation. Groups such as REvil have revolutionized the cybercriminal world. “Before, ransomware attacks were more likely to use a watering can approach,” Berghoff says. With the watering can analogy he means that the attacks used to be more broadly distributed among various targets in the hope that at least one of them would bite. “Today things are much more precise,” he says. “Attackers scout their targets over a longer period of time and search for individual weak spots.” And they find them, because companies neglect to introduce even simple countermeasures. “The basics of self-protection have principally been the same since the Nineties,” Berghoff says. Employees shouldn’t click on suspicious emails and should use secure passwords.
Such emails are almost guaranteed to arrive at large companies because digital crime has become incredibly lucrative. “According to the German Federal Criminal Police Office’s situation report, revenues from cybercrime have outstripped those from international drug trafficking for several years now,” says Peter Wirnsperger. Wirnsperger works for Deloitte helping clients set up effective security systems and he also co-authors the company’s annual Cyber Security Report. This gives him a regular, close-up look at how the criminals operate. “They now have hotlines and provide manuals on data encryption,” he reports. For a long time now, they haven’t just been working on their own, but offer their services to third parties. Experts speak of “ransomware as a service”.
TÜV SÜD, in its current report on trends for 2022, also warns that this type of cybercriminality will continue to increase. This development requires new measures against dubious service providers. “The increase in this trend is making it necessary for companies to boost their investments in cybersecurity and focus on protecting themselves from such sophisticated attacks,” says Head of the TÜV SÜD Cyber Security Office Sudhir Ethiraj. He also believes that it is essential for companies to share more about their experiences with hackers. Many often remain silent out of misplaced feelings of shame when they’re affected by a ransomware attack. As Ethiraj emphasizes, this is a mistake: “Regular monitoring of the latest threats and active participation in cross-industry threat intelligence platforms are the order of the day when it comes to staying up to date.”
One example of this type of platform is the Charter of Trust. It was launched by Siemens at the Munich Security Conference in 2018. Members of this initiative include companies such as IBM and Deutsche Telekom, as well as TÜV SÜD. The goal: to create industry-spanning standards and rules for cybersecurity. Together these large companies want to do the groundwork so that smaller companies and society as a whole also benefit from increased security standards.
DEADLY THREAT Attacks on hospitals are on the rise. A modern security structure is essential for protection.
A CLOGGED PIPELINE
The issue of cyberattacks is increasingly affecting infrastructure, which further multiplies the danger. A few days without meat production may be a bitter pill to swallow, but it’s not necessarily life-threatening. Things were much different in autumn 2020 in Düsseldorf. The local university hospital was paralyzed because hackers had snuck into the systems. An ambulance had to be turned away because of this and divert instead to Wuppertal, a good 25 kilometers away. The patient died shortly after arriving at the hospital there. It cannot be definitively said whether or not the extra half hour of transport directly led to her death. But suddenly the question was whether the cyberattack was at least indirectly to blame for it. The police quickly contacted the hackers. According to the authorities, they were surprisingly cooperative when they learned they had crippled a hospital and provided the decryption codes for the ransomware without receiving payment. The hospital reported that it took four weeks after the attack to get halfway back to normal operations.
Hackers are increasingly targeting critical infrastructure, and not all of them are so forgiving. The German government reported that last year, operators in sectors including energy, water management and telecommunications reported 345 incidents, up from 254 in 2019. The government also said that not all of these incidents could be traced back to hackers, as human error can also be a cause—but it assumes that the number of unreported incidents is even higher.
Attacks on critical infrastructure are becoming an increasingly serious problem all over the world. In the US this year there was an attack on the Colonial Pipeline System, which supplies large parts of the American East Coast with diesel and gasoline. A hack of the operator’s invoicing system caused a stoppage in the pumping of fuel from Texas eastward. At least five states experienced fuel shortages as a result.
It wasn’t clear if the attackers would have managed to jump from the invoicing system into the system responsible for real-world operations, but the fear of this prompted the company to perform an emergency shutdown. As Berghoff explains, this is a problem that affects many infrastructure operators and companies: “Many victims don’t exactly know which of their systems are critical and so don’t secure them very well.” Yet there are certainly ways to set up internal firewalls. Companies that use external service providers for some of their operations need these firewalls because hackers often use such services as gateways, as the cases of Kaseya and Microsoft’s email servers show.
Unfortunately, some companies often shy away from the effort and expense that a truly effective defense against cyberattacks entails. “Security is a lifelong task, not a project,” Wirnsperger says. Reviewing the situation now and again isn’t enough. “Companies must set up exercises and run through various scenarios based on the results of the investigations.” If possible, these should match up with employees’ daily working environments and not consist merely of watching a slide presentation. One person who offers this sort of training is Julien Ahrens. This white-hat hacker has been working in the field of IT security for thirteen years. He offers his services on the HackerOne platform, among other places. One of his money-earners these days is what are known as penetration tests, in which he tests a company’s security systems for potential flaws. One way to do this is by sending fake phishing emails to employees. “The degree of realism can vary,” he explains. The email could very much look like an attempted fraud, but he can also recreate the level seen from professional hackers. “But you’d be surprised how many people fall for the simpler version.”
THROUGH THE BACK- DOOR INTO A GOVERNMENT COMPUTER
Colonial Pipeline was ultimately able to restart operations fairly quickly. This was also because a ransom of reportedly around 5 million US dollars was paid in bitcoin. That may be understandable when it comes to getting infrastructure back up and running again quickly. But, as Berghoff says, it’s fundamentally the worst way to stop an attack: “You never know if you’re actually going to get control back or if data has already been stolen that can be used to blackmail you again later.” In the end, the US Department of Justice was able to recover a large portion of the ransom by gaining access to a bitcoin wallet. The agency didn’t disclose exactly how this was done.
However, relying on government agencies also isn’t always the best idea. They, too, can become victims to cyberattacks, as happened in Ukraine in 2017. A large-scale attack with the malware Petya affected large parts of the state apparatus: ministries, banks, the subway system and telecommunications. Even the system for monitoring radioactivity at the former nuclear plant in Chernobyl was offline for some time.
THE NEW WAR Countries have long since shifted their conflicts to the digital world. For instance, Russia has been suspected several times of carrying out attacks against other countries, including Ukraine.
“Security is a lifelong task, not a project.”
The systems were hacked via a control software that is commonly used in Ukraine. The timing was probably deliberate, on the eve of Constitution Day, a national holiday when many civil servants would be at home and the malware could spread more easily throughout the system. At first, those affected assumed it was an extortion attempt, and computer messages suggested as much. Except that instead of just encrypting the data, as is common with ransomware, Petya corrupted it, thus disrupting the work of the Ukrainian state over the long term. One possible reason for this, as later reported by Ukrainian intelligence services: it wasn’t criminals behind the attack, but rather state-sponsored hackers, possibly from Russia. The authorities were initially able to repel the attack within a day. However, they later discovered that the hackers had installed a backdoor into the software, thus leaving open the possibility of future attacks. The company responsible for the software was thoroughly screened to rule out additional attacks as much as possible.
Berghoff explains what makes state actors particularly dangerous: “They have all the time in the world, they can infiltrate systems at their leisure.” At the same time, unlike blackmailers, they also frequently prefer to remain undetected. That means that some victims don’t even know they’ve been hacked and accordingly leave dangerous backdoors open for exploitation. However, backdoors in systems can be detected, for instance by paying so-called “bug bounties.” To do this, companies offer bonuses to hackers who find vulnerabilities in their systems and report them. “Unfortunately, this isn’t really widespread in Germany,” Ahrens complains. In the US, for example, even the military would operate such a program.
“What everyone must realize is that there is no 100-percent security,” Ahrens says. Attacks can sometimes even take well-prepared facilities by surprise. Then it’s a matter of dealing with it openly to find out what the issue was. The only problem is that those affected still tend to keep such incidents under wraps and then call in experts late in the day. “We get a lot of calls on Fridays,” Wirnsperger says. This isn’t because cybercriminals suddenly become active before the weekend. “Companies naturally attempt to fix the problems themselves in the first few days, since a cyberattack isn’t always obviously recognizable. Unfortunately, far too often the real threat isn’t realized until just before the weekend.” Victims also need to be made less afraid of sounding the alarm prematurely. “I would love it if I had to go out for a false alarm every once in a while.”