June 2021

Recent ransomware attacks have put cyber security in the spotlight again!

While the ransomware attack on the Colonial Pipeline and JBS made the headlines around the world they are just tip of the iceberg. So far in 2021 over two hundred sixty enterprises have reported attacks from six ransomware groups. These groups have been rewarded with over forty-five million dollars. Since these groups operate from countries that are hostile to the U.S they face little chance of retaliation. With that kind of risk-to-reward ratio we can expect that these attacks will not only continue but increase.

Hacking is not actually illegal...
unless you hack into someone else’s system without their permission. Many companies employ hackers to test their security. According to Zip Recruiter such a hacker can make upwards of $100,000 per year.

So, who are these hackers?
Most of the hacking and ransomware attacks come from just a few locations.

China
Some say that the Chinese are the best hackers. While the CCP have thousands of soldiers sitting at computers constantly attempting to hack into various systems I maintain that the best cyber criminals are Russian. The Russian hackers are working for tangible gains like a bunch of money, perhaps a dacha in the country, maybe even their own brand of vodka if they are successful. The Chinese hackers are working because the CCP forces them to do it. While the Chinese have vastly more people and money, they are trying to compete with motivated skilled professionals.

There aren’t any “independent” hacking organizations in China. Companies, (and I use the term loosely) like Huawei are actually just extensions of the Chines government. By law every company in China is part and parcel of the Chinese Communist Party

They also have Bureau 121 & Lazarus Group. They claim residency in North Korea but North Korea only does whatever the CCP tells them to do so I am listing them under Chinese hackers.

Russia
The Russian operatives are very good coders. They understand how computers and networks operate. I believe the Russians have the edge in a better quality of hackers. The Russian government utilizes three basic groups of hackers

1. The state-run operations like the Federal Protective Services (FSO), the Federal Security Service (FSB) and the Foreign Intelligence Service (SVR). It is not just the KGB anymore.
2. Non state operations like the Fancy Bear group, sometimes called “Sofacy” or “APT28”. There is also the Syrian Electronic Army a pro-Assad group. Technically they are in Syria but since Assad is supported by Russia, I am listing them here.
3. Individuals whose hacking has benefited the Russian government. Edward Snowden for example has been given permanent residency in Russia.

It is important to note that if these people and organizations are operating in Russia, they are doing so with Vladimir Putin’s blessing. Those who lose or do not have Putin’s blessing end up like Mikhail Borisovich Khodorkovsky, or worse.

Iran
ITSec Team and Mersad (Private Computer Security company based in the Islamic Republic of Iran. They have a history of working with the Iranian government and the Islamic Republican Guard. They have also been the subject of several FBI investigations and US sanctions).

Other hacker groups.
This is a short list of other known hackers past and present.

Anonymous, (Part hacker and part activist, (hactivist) one of their more focused targets is the Church of Scientology. Decentralized and recognized by the use of Guy Fawkes Mask).

The Impact Group, (hacked the Ashley Madison website. A controversial dating site that helps people setup extramarital affairs).

Lizard Squad, (DDoS attacks on PlayStation and Xbox. Julius Kivimaki of Finland was convicted of 50,700 counts of cybercrime and Vinnie Omari was arrested by British authorities in connection with a PayPal theft).

I’ll bet a dollar, (which is big money in my little world) that corporations like Colonial Pipeline have whole teams of IT people. You can also be sure that they knew about the vulnerabilities in their systems and they drew up proposals for what needed to be done to harden their systems. But the powers that be shot those proposals down because they “cost too much”. The bosses decided it was cheaper to just buy insurance and that is what they did.

There has been a plethora of “experts” in the media speaking of ways to prevent this kind of attack from happening again. Calls for government to do something have been prevalent. But government can’t do it all. Remember that the Russians have repeatedly hacked into the US Government systems.

Recently the Russia’s SRV hacked into a great number of U.S. government computer systems including State Department, the Department of Homeland Security, Treasury, State Department, Justice Department, National Security Agency. They also got into at least some of the parts of the Pentagon, military, intelligence community and nuclear laboratories systems. At the time it was discovered the Russians had been in these systems from months, maybe years. We still don’t know the full scope of what they got into or what information they retrieved. And this was not the first time the U.S. had been compromised by these hackers

While this wasn’t a ransomware attack, just a plain old fashioned information gathering hack. One of the most embarrassing aspects was they penetrated the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, (CISA). While Christopher Krebs was assuring us that the 2020 elections where the most secure ever the Russians where roaming around inside his departments computer system. And he didn’t even know it was happening.

The Russians did this by compromising an update in SolarWinds, (a software company) Orion program that was used by many government agencies and private companies. In fact, it was a private cybersecurity company, FireEye that discovered the hack and informed SolarWinds that they had a problem. As a side note; Mr. Krebs, who was fired as head of CISA went to work for SolarWinds

Governments are not to be trusted, most certainly not our own! Given the history of government security, computer or otherwise I am not sure how much they have to offer to help preventing ransomware attacks or any other hacking. In some cases, it is the government that is doing the hacking. The law does allow for the government to access information on your computer in some cases. They decide if such action is warranted at their discretion. They are not required to get your permission or inform you of their actions.

While I don’t think we should expect much “help” from the government, U.S. or any other when it comes to protection from hackers. They can be quite helpful when it comes to tracking down the perpetrators. That is the main thing that governments need to do. Knowing that the power of the US Government is coming after you can be a deterrent to the hackers. At least the ones operating in places that the US government can reach.

For these reasons I don’t think that governments will be much help preventing future ransomware attacks. Would you really want their help anyway?

A stronger force
might be the insurance companies. I suspect they will get tired of paying out multi-million-dollar ransoms sooner rather than later. When that happens either they will raise the cost of insurance to a point where it is financially advantageous for companies to harden their systems or companies that have “at risk” systems will become un-insurable.

Cyber Security is the use of defensive action in concert with offensive actions.

Defensive options
The number one defensive against ransomware is backups. If your files are encrypted by a ransomware attack then you can delete the corrupted files and replace them with the good files from your back. It is best to have multiple backups stored in different places.

Antivirus makers and government agencies have managed to decrypt some of the common ransomware encryption. In some cases, these decryption sequences are available on line. If you are a ransomware victim and you do not have backups this could save you a great deal of grief.

Keep your system up-to-date! That includes OS updates, antivirus software updates and firmware updates. It is also important to keep your apps, like office apps, financial and bookkeeping apps and any other apps updated.

There are a number of antimalware programs available like Bit Defender Antivirus Plus, Cybereason and Cisco’s Umbrella. Microsoft’s Windows 10 offers a level of protection for files stored in folders like Documents. Downloads, Pictures, Desktop or Music.

The usual precautions for most malware still apply.

• Don’t click on suspicious links on unknown sites
• Don’t open unsolicited e-mails or messages from unknown senders
• Avoid pornographic sites and gambling sites especially ones that are not in U.S. jurisdiction.

Offensive options
Most of the offensive options are illegal so those of us in the private sector are prohibited from employing any of them. The U.S. Cyber Command, (USCYBERCOM) was created on June 23, 2009 but U.S. intelligence began working on computer security since as early as 1972. Much has changed since then and through years those early efforts have evolved into the current U.S. Cyber Command. As a part of the U.S. military, they are not constrained from using offensive tactics the way civilians are.

The Current Commander of USCYBERCOM is General Paul M. Nakasone. He has held that position since May of 2018. As the Commander of USCYBERCOM he is also the Director of the National Security Agency, (NSA) / Chief of the Central Security Service, (CSS).

While the use of encryption programs does help keep us safe. If not for the use of things like AES the government would be collecting meta data on all of us all the time. NSA has tools that can break things. In fact, if the NSA isn’t inside your device, (phone, tablet or computer) right now there is only one of two reasons.

1. It is against the law and the NSA is following the law. (Hey it’s possible.)
2. You aren’t worth the trouble. The real value of modern encryption programs is that hackers, and that includes government agencies, would have to expend at least some of their vast resources. So maybe they will direct their efforts against bigger fish and not waste their time on you.

The NSA also has tools to gain access into other computer networks. One of those is the Tailored Access Operations, (TAO). As a cyber warfare unit of the NSA, they are involved in intelligence gathering by what the NSA refers to as “Computer Network Exploitation”. They have software which allows them to break into most commonly used hardware like routers and firewalls. Reportedly they prefer to tap into whole networks rather just individual computers because of the large number of devices available on a single network.

Cyber Weapons
These agencies are usually reluctant to unleash their cyber weapons and with good reason. Unless the target is completely incompetent, they will find the “cyber bullet” and then they will have it to use at their discretion.

One such example was known as operation “Olympic Games”. A bit of code was written specifically to sabotage the centrifuge at Iran’s Natanz. It is generally believed that the Israeli Unit 8200 and the U.S. NSA wrote the code, (of course both counties deny any involvement) The code was then delivered to the facilities computer system on a USB flash drive by a Dutch operative. It was successful and it sent the Iranian nuclear program into a tailspin. The Iranian nuclear program eventually recoverd. However, that bit of code, with a few modifications, is now a common virus called Stuxnet and it roams through the Internet to this day. New renditions appear from time to time but most of the modern antivirus are equipped to handle it.

These days it is much easier to get malicious code into a victim’s computer. The “air gap” that required physical insertion with a USB drive no longer exists in most operations. It is much easier to just send a phishing e-mail and let the unsuspecting victim import the malicious code for you.

Different types of hackers:

1. White Hat Hackers (The good guys who use their skills to find vulnerabilities and fix them.)
2. Black Hat Hackers (The bad guys who use their skills to find vulnerabilities and exploit them.)
3. Grey Hat Hackers (They use their skills for fun, they just enjoy hacking into other computers and networks.)
4. Script Kiddies (Amateurs who do not have a full skill set. If they do manage to hack a system they often end up in jail.)
5. Green Hat Hackers (Hackers who are learning the ropes. Unlike the Script Kiddies they intend to become real hackers by learning from experienced hackers.)
6. Blue Hat Hackers (similar to Script Kiddies but the use hacking to gain popularity among their fellows or settle scores with adversaries. Like Script Kiddies they often end up in jail.)
7. Red Hat Hackers (Similar to white Hat Hackers but they are ruthless about going after Black Hat Hackers or counteracting with malware. They continue the attack and often end up replacing the entire system.
8. State or Nation Sponsored Hackers (They work to gain confidential information from other countries. They report only to their governments.)
9. Hacktivist (They work to gain access to government websites and network. The data gained from government files are used for personal, political or social gain.)
10. Malicious Insider or Whistleblower (These individuals work in an organization and can expose confidential information. They expose confidential information either because they have a grudge of because they came across illegal activities withing the organization.)

The first two types of hackers are the main concern in the cybersecurity business. These are the ones who cause most of the major hacks and they are very hard to catch. The back Hat Hackers are responsible for most of the ransomware attacks. They create their own scripts, they have a very good understanding of computer, routers and how networks operate. It takes many years of hard work to reach this level of sophistication and there are relatively few such individuals. They often operate under the protection of various governments or corporations which makes it very hard to find, let alone punish, them.

The next five are of less concern but still a problem in the cybersecurity business. They seldom pull off a serious hack or ransomware attack because they just don’t have the skill set and are not as hard to catch.

The last three work in different capacities and may be considered as good guys or bad guys depending on your viewpoint.

Things to do to keep yourself safe in a world of cyber threats.

• Keep you operating system, anti-malware and other programs updated.
• Don’t open email attachments from sources you don’t know and trust.
• Don’t click on links in un-solicited email.

 

And remember — always back it up!