Why Cyber Criminals are Winning

Cipher Brief Expert Alex Cresswell led an operational division of GCHQ and served in the Cabinet Office, directing the team of analysts (the Joint Intelligence Organisation) which provides the British Prime Minister’s daily briefing and strategic assessments for the NSC. 

EXPERT PERSPECTIVE – On 17 February 2021, the DOJ and the FBI finally brought charges against three North Koreans from Lazarus, the North Korean state-endorsed group that launched the Wannacry attack of 2017.   This was a reminder of how far cyber-offensive and defensive – has come since that ransomware attack burst into the corporate world, paralysing companies and hospitals.

The Wannacry event showed business leaders that they could become collateral damage in the nation state cyber cross-fire.  As the malware spread across the globe, it almost certainly cost lives through delayed healthcare and it definitely incurred billions of dollars of business interruption loss, infecting more than 200,000 computer systems worldwide. But the direct damage inflicted was only a fraction of the subsequent losses from criminal hacker groups that launched copy-cat attacks inspired by Wannacry, over the next 5 years.

Today, those criminal hacker groups are sophisticated, and Wannacry looks like a blunt instrument.  In today’s world, close to 20 criminal groups use cyber to inflict severe commercial loss on private sector US businesses on a monthly basis.  Overwhelmingly, their members operate from Russia, Belarus and Ukraine.  And together, they form a highly profitable ransomware and cyber extortion industry.

This is an interdependent community where supply chains and operators work in specialised silos.  Intrusion set designers craft the malware exploits to sell to other hackers.  Access brokers secure bridgeheads into victims’ corporate IT systems.  Auction websites sell those access points and the intrusion tools to exploit them.  Negotiators front up to victims with ransomware and cyber extortion plays.  It’s safe to say that very few of the specialist participants in this industry would ever willingly change their career path.  They have taken risks to acquire their expertise, have earned recognition from their peers, have experienced the thrill of bringing down big corporate victims, and have pocketed sums which no other job in their location could offer.

But the flow of play is not all going in the direction of the criminals, at least not in the US.  The 2020 Cyber security industry metrics show clearly that, for US companies with revenues above $50 million per year, the incidence and severity of ransomware and cyber extortion attacks is plateau-ing.  In some industry sectors, it is even going down. Q4 2020 saw a fall in activity across the board.  Commentators put that down to a number of factors.

The first, is that there is no doubt that larger US corporations are now constructing better, more professionally monitored, technical perimeter fences.  At the same time, the hyper-scalers that provide the bulk of corporate cloud-based platforms are investing much more strongly in threat monitoring.  Between them, Microsoft, AWS, Apple and Google employ upwards of 20,000 personnel on digital security. They know that flaws in the defences of their cloud platforms could lead to a catastrophic loss of confidence and hemorrhaging of clients, so they are making sure that it is very hard for criminals to breach cloud-based services and to remain undetected once inside.  And they are hiring the talent, including ex-government talent, that they need to achieve this.  Another key factor in the decreased incidence is the coordinated takedown of malware infrastructure by national cyber agencies.  Trickbot, a very widely-used malware tool sold to attackers by criminal intrusion set developers, was heavily disrupted by what appeared to be multiple organisations working in concert ahead of the November 2020 US elections.  Lastly, some commentators see a political driver behind the drop-off in cyberattacks in the US in the final quarter of 2020.  They judge that the Kremlin, which provides what in Russian is called a “roof” (protection) for cyber criminals on their territory, have discouraged new attacks on US targets, calculating that now is not the time to be antagonising an incoming Biden administration.

Then, in the last few months, just as the general trend in cyber breaches was turning positive, two big events changed the calculus.  In late November 2020, (Sunburst – Solar Winds) and again in February 2021, (Hafnium – Microsoft Exchange), forced US corporations to  wake up to the discovery of two cyberattacks from state actor teams, one Russian and one Chinese.  In reality, although the national security impact of these two cyber events was significant, the direct commercial impact was in fact, quite limited.

The two campaigns touched upwards of 60,000 companies across the US, forcing C-Suites to focus on the potential business interruption threat.  But, although they constituted a wake-up call for the whole of corporate America and they impacted the companies whose software was used as a vector (Solar Winds, Microsoft) the bottom-line financial losses for the majority of US corporate victims was relatively low.  This may have been partly because government agencies and the US commercial players that were centrally implicated, clearly communicated that they were determined to shut down any party attempting to exploit these breaches.  CISA and the USIC moved quickly to attribute the attacks and provide remedial guidance.  FireEye, Microsoft and others did a great job patching the vulnerabilities and mitigating the threat.

So why should private companies still care about state-sponsored cyber intrusions when the impact is so limited?

Here are some future, more worrisome, trends to look out for.

First, we should expect cyber criminals to emulate the high-end techniques demonstrated by state teams in their recently uncovered campaigns.  Over time, just as occurred with Wannacry, criminals will repurpose a version of the intrusion techniques the state actors used.  Expect them to focus increasingly on nexus points in the digital landscape like Managed Service Providers (MSPs), and to make greater use of supply-chain attacks.  And expect the more sophisticated cyber criminals to be more determined in targeting humans as the weakest links in corporate perimeters.  They will get better at tailoring phishing emails to dupe particular corporate decision-makers, and, if the prize is big enough, they will make direct human-to-human approaches to company staff.

This week, a Russian national pleaded guilty in a US court to travelling to the US and offering a $1million bribe to a Tesla employee to enable the installation of malware on Tesla’s Reno factory’s internal network.

As I said at the beginning of this piece, criminal hackers in Russia, Ukraine, Belarus are unlikely to opt for a career change even if the height of corporate perimeter fences increases.  They will simply adapt to new techniques and switch to new, more vulnerable targets and markets.  It is noteworthy that the incidence and severity of ransomware and cyber extortion attacks in continental Europe increased sharply over Q4 2020 and Q1 2021.  European corporates have less-robust cyber defences than in the US, and the political risk for Russian and Chinese hackers is lessened.  In 2021, a surge of attacks in Europe to replace the loss of cyber-criminal revenue in the US seems like a fair bet.

Read more expert-driven national security insights, analysis and perspective in The Cipher Brief