Cybersecurity specialist Werner Thalmeier talks about how hacking attacks have changed, how companies can protect themselves and why hacking nowadays is a big business.
Mr. Thalmeier, you’ve been working in IT for a very long time. How have hacking attacks changed over the past decades?
When I started thirty years ago, hackers were only in science fiction films—they didn’t yet play any role in real life. The question more important than anything else back then was: Do I have a backup in case my system crashes some day? Those were always strenuous weekends, when we would check the complete backup and system availability. After all, something could have gone wrong at any time. The first professional hacker groups showed up in the years that followed, with a focus on blackmailing. In those days it was mostly what we call denial-of-service attacks.
What was that like?
At the time, hackers would send emails to companies and demand a ransom. If the company didn’t pay, they threatened to send so many requests to the company website—or to other specific infrastructure—that it would collapse under the demand. Back then, they sent threats like these to thousands of companies or corporations all around the world, and some paid. Many companies were worried that they might lose customers without a website, a risk that naturally increased as the internet became more important. Another focus was on spam attacks, which at that time were kind of like shooting a load of buckshot out of a shotgun. Today, attackers are much more dedicated and deliberately select their targets.
How does that work?
Thanks to social media, hackers can find out more about individual people as well as companies. Where does someone work? What department are they in? What are their hobbies? Hackers then use all this information to send an email to the victim. If the person works in the public relations office, the email will be about a media inquiry. If the target works in production, then the hackers might ask about the current status of a certain product. If they’re sending an email to the CEO, perhaps they will pretend to be an investor or bank employee who is approaching the CEO directly about an urgent matter. If the victim then clicks for example on a link in the email, which thanks to all the information seems very trustworthy, the hackers get into the system and a ransomware attack is in full swing. Then the companies really only have two choices. Either they are slow, in which case they’ll have to surrender. Or they’re quick, unplugging everything and hoping that something in their databases and systems is still unencrypted and available.
If these fake emails are so elaborately designed, then it seems an employee barely has a chance to spot one.
It’s extremely difficult when hackers put in a lot of effort. Let’s take an example from Bavaria that happened last year. A medium-sized company was in the middle of its year-end business and everything was a bit hectic. Then they received an inquiry for another order, including a link for the invitation to bid on the job. Someone clicked the link, which installed an extortion trojan, and suddenly the company couldn’t access any of its data. They were in a double-bind: they couldn’t finish their year-end business, which would cost them a lot of money—and they also couldn’t access the data for the annual financial statements, which was hellish from both an organizational and tax point of view. It wouldn’t have happened if they had followed a very simple and basic IT rule that I highly recommend to any business: a backup is still the most important thing to protect against a ransomware attack. Then it doesn’t matter if attackers encrypt your data or not, because you can restart and reboot the system from the backup. The ensuing data loss is usually manageable.
When we talk about hackers, many people still imagine young men wearing hoodies in dark rooms or in their mom’s basement. What does the hacker world really look like?
I’m sure there used to be a few kids who made money that way back in the day. But that was a long time ago. Even hackers wearing hoodies in dark rooms don’t exist in real life any more. Hackers don’t work like James Bond, they work like companies—and highly professional ones at that. Within these organizations, as in every major corporation in the world, there is a division of labor. Some hackers exclusively write the access programs, looking for technical weak points and preparing modules for them. Others within the organization are analysts who are specifically looking for companies or individuals worth extorting a ransom from.
That almost sounds like a normal job.
In Eastern European countries especially, where many of these organizations are located, that’s certainly the case. Some of the hackers there have a 9-to-5 job and take vacations. When they’re sunning themselves in the summer, we register far fewer attacks and when they return in autumn, the number of attacks on companies and public authorities goes up again.
The only thing missing is the service hotline.
Hackers already have those, too. Naturally it’s not a traditional landline, but when hackers use ransomware to encrypt a company’s data nowadays, the company’s bosses have to know how much ransom to pay and when and where to pay it. The hackers usually use chatbots to communicate with companies and instruct their victims on what to do and when to do it. Hackers often demand to be paid in bitcoin, for example, and if the company doesn’t have access to cryptocurrencies, on top of everything else there are instructions about how to set up a digital wallet and how to send the money. All of this today is a massive big business, to the point that large hacking organizations have actual dashboards where victims get their own case numbers, like with health insurance or contracts. When you contact the hackers as a victim, you need to have your number ready.
How can a company be certain that it hasn’t paid a ransom in vain and that its data will be decrypted afterwards?
This is in the interest of the hacker organizations. What they want most of all is the ransom money; nothing else matters to them. But nobody would pay the ransom if it were clear that the data would remain encrypted afterwards. In the conversations and chats between companies and hackers, the attackers always remain very polite and to the point. Once the data has been decrypted, there are often also tips and tricks about how you can better protect your data in the future. That’s kind of like an extra service, on the house, that comes with the package if the company follows the instructions to the letter.
If all of this is known then why can’t the authorities intervene?
Investigators don’t have it easy. If the attackers are in Russia and attack Russian targets, then national security services are usually quick to intervene. But if they attack targets in other countries, it’s virtually impossible to take any legal action. The only option left for investigators is to shut down the infrastructure in the background. However, this is extremely difficult because the hackers go to great lengths to remain anonymous. For instance, they forbid companies from contacting the police if they ever want to get any of their data back again, which means a large proportion of attacks and the methods used for them never become known. This makes it difficult to shut down the attackers.
Which companies are currently particularly high-risk targets?
There are two decisive aspects for attackers: firstly, there’s the question of whether a company has intellectual property and if the company depends on it for its business. Secondly, there’s the question of how much the company would suffer if it couldn’t access its data. That’s how hackers decide who to attack. In Germany, I see hidden champions in particular being targeted, and otherwise engineering companies that live primarily from their knowledge and expertise. Another trend we’re seeing right now is the transfer of all this information to the cloud, driven in particular by Microsoft 365.
How do hackers go about it there?
They try to get hold of usernames and passwords, for instance via a fake website. As soon as an employee has fallen for it, they can virtually impersonate an in-house employee. As a system administrator, you don’t see if the person on the computer is really an employee or actually a hacker. Once inside, the hacker can infect the entire system, read emails, access secret documents. In the worst case, this can also lead to data being stolen. This may sometimes be proprietary documents, because access rights in the cloud are often not as strictly controlled as for an in-house network. This then becomes a serious problem.
What can companies do to protect themselves?
When, for example, you board a ship and someone spends five minutes explaining all the safety measures, then you nod in understanding—but two hours later you no longer have any idea what it was all about. It’s the same thing with employee training, and that’s why such training must be relevant to their everyday work and continually repeated or integrated into daily routines. Then you also need mechanisms that identify suspicious emails from the get-go. For instance, are you receiving emails sent from “JohnDoe” or “JohnDoe1”? Then you definitely need a regular backup of your data. If you have that, then ransomware attacks will scarcely affect you. A plan is also essential.
What sort of plan?
This sounds trivial, but many companies don’t know who is responsible for what and when during an emergency. This applies for IT, but subsequently also for a communication strategy. You must communicate very openly and clearly so you don’t get called “dumb” or “incompetent” in the headlines afterwards. It may all sound simple, but many companies disregard these basic rules and only harm themselves in the process.