While ransomware attacks are multiplying rapidly for private corporations, don’t expect our cybersecurity agencies to do much other than warn about them. In fact, they remain a core part of the problem of what will become a key element of 21st century life — the vulnerability of even the largest corporations to being locked out of their own data and systems.
By one count, ransomware attacks have increased 62% globally since 2019, and more than 150% in North America. That skewing reflects the fact that several major ransomware groups operate with relative impunity from Russia, on the proviso that they never attack Russian institutions.
This week a major US fuel pipeline was shut down after the Russian ransomware group DarkSide hit the corporate network of its operator, Colonial Pipeline, which halted pipeline operations while it dealt with the attack and paid the hackers around US$5 million.
Coincidentally, this week also marked four years since the attack that brought the ransomware threat to public prominence — the global WannaCry attack in May 2017 that disrupted government bodies like the National Health Service in the UK, major corporations like FedEx, universities, and individuals.
The WannaCry tool, which has been attributed to North Korea, spread using EternalBlue, an exploit developed by the US National Security Agency against a flaw in Microsoft's implementation of the SMB file-sharing protocol. Rather than report the flaw, the NSA kept it to itself for years for use in its own spying operations, and only alerted Microsoft once it learned the exploit had been stolen. Microsoft released a patch in March 2017, but the Shadow Brokers group published EternalBlue the following month, and when WannaCry hit in May it found vast numbers of machines still unpatched. Microsoft took the unusual step of publicly criticising the NSA for its stockpiling practices.
There is evidence that the NSA is now more ready to alert software companies to major vulnerabilities; it reported a serious Windows cryptographic flaw (CVE-2020-0601) to Microsoft in January 2020, for instance. But WannaCry variants, and the EternalBlue exploit itself, continue to be used around the world, and one estimate suggests a quarter of systems running the affected software remain unpatched and thus vulnerable.
So when cybersecurity agencies like the Australian Cyber Security Centre (ACSC) warn about the threat from ransomware, they’re engaging in a profound hypocrisy. The ACSC is run by the Australian Signals Directorate (ASD), which stockpiles vulnerabilities — in collaboration with its Five Eyes partner, the NSA — in order to undertake espionage, frequently commercial espionage, to help companies in Five Eyes countries.
That’s because the ASD is fundamentally conflicted. Its motto is “Reveal Their Secrets. Protect Our Own.” But WannaCry showed it’s impossible to do both: a stockpiled exploit can be stolen or independently rediscovered and turned against the very systems you are supposed to be protecting. The tools with which you Reveal Their Secrets leave you unable to Protect Your Own. And the task of protecting Australian companies, universities, government departments and individuals will always be a lower priority than the ASD’s desire to get access to the Indonesian president’s phone, provide trade intel to the Americans in their negotiations with non-Five Eyes countries, or look after the interests of Australian resources companies.
And for that matter, the ASD can’t even get its bureaucratic colleagues within the federal government to achieve the most basic of its cybersecurity requirements.
So governments have stood by and done little except lecture business about being more secure as ransomware has proliferated and the ransoms paid have escalated into the millions. That growth has demonstrated the strong business model behind what is now a ransomware industry, complete with “ransomware-as-a-service” arrangements in which developers lease their malware to affiliates who carry out the attacks, and professional-looking media releases from the perpetrators. Meanwhile, governments continue to tell business they shouldn’t pay ransoms to ransomware outfits. Just this week, the UK’s bumbling Home Secretary Priti Patel warned companies they shouldn’t be paying ransoms, while offering no alternatives for corporations that can’t get their data back.
Until our governments decide spying on others isn’t worth the disruption of ransomware attacks and the cost of millions flowing to Russian hackers, the ransomware industry will continue to grow at a rate of knots. There’s too much money to be made.
It’s worse than that. Our government legislated to force software companies to allow backdoors in their code. https://www.homeaffairs.gov.au/about-us/our-portfolios/national-security/lawful-access-telecommunications/data-encryption
Thanks, Mike. It gets a lot worse than that. It has been strongly speculated that in some instances of penetration of computer systems in other parts of the world, the backdoors exploited were deliberately created to allow selected intelligence agencies such entry.
Of course, we have honest governments which would never allow that to happen.
It was revealed via the Vault 7 document drop from a certain US agency to Wikileaks in 2017 that the agency was able to leave fingerprints to their hacking that incriminated innocent parties and nations.
Always Russia when most attacks (over 50%) have US IP addresses.
I read this morning that the pipeline was not shut down by hackers, but by the company itself
apparently, the hackers didn’t disable any machinery or similar, instead they locked up the computers that monitored fuel distribution for billing purposes
so, rather than have anyone be undercharged for the fuel they received, the company simply shut the whole thing down
… or at least, that’s what I read this morning
That would make more sense – the hackers just wanted money, quietly, not even a large amount by corporate standards.
A fraction of what the company would have lost through inaccurate billing – HAD THEY A CONSCIENCE AND NOT CHOSEN TO DISRUPT MILLIONS OF PEOPLE.
Once you pay the ransom, you’ll never be rid of ransomeers.
You’re correct.
Given the Federal, State and various Local Governments policies towards IT in general I am surprised that our various Departments haven’t been breached themselves (that we know of). The waste, lack of coordination and lack of an overall IT Strategy is palpable.
The hypocrisy of the US, UK in being leaders in cyber crime, while attempting to make everyone believe they are a “force for good” continues to amaze me.
We may not have seen anything yet… but in most respects it is quite simple: an IT strategy that includes security, data back-up systems (inc. non-digital), recovery and restart, that has been regularly audited and/or tested.
The latter itself is an issue if shutting a system down briefly means forgoing any income in the short term… hence unpreparedness for black swan events… aka Covid.
That is quite simplistic but at a high level is correct. Alignment of IT in Government is usually on a Ministerial basis with little to no Shared Services across Departments, overarching Architecture, Security or DR policies etc etc. A comprehensive E2E IT Strategy across Government would address that, reduce costs and risks across the board.
Appropriate Mirroring and Failover design would eliminate the forgoing of income during any testing and actual events. The Ministerial alignment creates Silos of inefficiency and risk.
As the ultimate non-tekky, that makes sense to me simply in overall terms.
There are so many conservatives on the Crikey forum. It really shows their obsessional mindset that they will pay and subscribe to a broadly left-wing publication, read it, and expound their views ad nauseum. And they cannot hide behind the defence of ‘reading outside the bubble to broaden the mind’: they don’t fundamentally change their mind about anything.
And of course it’s all so utterly pointless.
Ebp, what sources do you suggest be read for expansion of mind on this topic?