The Axis of the Ransomware


George W. Bush had the ‘Axis of Evil’. Joe Biden has the ‘axis of cybercrime’. State-sponsored cybercrime is on the rise, with North Korea, China and Russia leading the way. The situation has become so critical that the President has even raised the possibility of a military response.

Example of an attack

Russia, North Korea and China have been ramping up their cyber activities for a number of years, but it was the attack against Colonial Pipeline in the US which pushed the issue to the forefront of the national security agenda. Attackers, thought to be using ransomware rented out by the criminal group DarkSide, broke into Colonial’s systems and brought the USA’s largest fuel pipeline to a halt.

The corporation eventually agreed to pay a ransom of US$4.4mn in order to restore operations. They did so after consulting with experts who had experience of Darkside and its operations.

The attack highlighted the danger to US interests from cybercrime and prompted Joe Biden to issue an executive order bolstering the government’s defenses against cybercrime. However, it also highlighted the role played by certain foreign governments in nurturing cybercrime.

DarkSide is a criminal operation thought to be based in Russia which produces ransomware and rents it out to affiliates who carry out the attacks. The group claims to be apolitical but has been decidedly one-sided about whom it attacks.

Targets are almost always English-speaking and located in the West. Indeed, the ransomware is reported to include a kill switch that checks the victim machine’s language settings and exits without encrypting anything if it finds Russian, Ukrainian, Belarusian, Armenian, Georgian, Kazakh, Turkmen, Romanian or another language associated with Russian geopolitical interests.
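The locale kill switch described above, reconstructed as an added illustration (this is not DarkSide’s code, and the exact list of language identifiers a given sample carries is an assumption modelled on the languages the article names). On Windows the check is normally made against three sources: the system UI language, the user’s default language, and the installed keyboard layouts, whose handles (HKLs) carry the language identifier in their low 16 bits. The hosts below are constructed inputs.

```python
"""Locale-based pre-flight check of the kind ransomware uses to avoid
victims in Russia and neighbouring states. Illustration only, with
constructed inputs; the LCID table is an assumption based on the languages
named in the article, not a list taken from any sample."""

# Windows language identifiers (LCIDs) for the languages the article lists.
# Assumed/illustrative set: real samples may include more or fewer entries.
EXCLUDED_LANG_IDS = {
    0x0419: "Russian",
    0x0422: "Ukrainian",
    0x0423: "Belarusian",
    0x042B: "Armenian",
    0x0437: "Georgian",
    0x043F: "Kazakh",
    0x0442: "Turkmen",
    0x0418: "Romanian",
    0x0818: "Romanian (Moldova)",
    0x0819: "Russian (Moldova)",
}


def lang_id_from_hkl(hkl: int) -> int:
    """A Windows keyboard-layout handle (HKL) stores the language identifier
    in its low 16 bits, e.g. 0x04190419 -> 0x0419 (Russian)."""
    return hkl & 0xFFFF


def locale_kill_switch(system_ui_lang: int, user_lang: int, keyboard_layouts):
    """Return (abort, reason).

    Mirrors the logic of the pre-flight check: if the system UI language, the
    user's default language, or any installed keyboard layout matches an
    excluded language, the payload exits before touching a single file.
    """
    candidates = [
        ("system UI language", system_ui_lang),
        ("user default language", user_lang),
    ]
    candidates += [("keyboard layout", lang_id_from_hkl(h)) for h in keyboard_layouts]
    for source, lang_id in candidates:
        if lang_id in EXCLUDED_LANG_IDS:
            name = EXCLUDED_LANG_IDS[lang_id]
            return True, f"{source} is {name} (0x{lang_id:04X})"
    return False, "no excluded locale found"


if __name__ == "__main__":
    # Constructed hosts: a plain en-US machine, the same machine with a Russian
    # keyboard layout added, and a machine whose UI language is Russian.
    hosts = {
        "en-US workstation": (0x0409, 0x0409, [0x04090409]),
        "en-US plus RU keyboard": (0x0409, 0x0409, [0x04090409, 0x04190419]),
        "ru-RU workstation": (0x0419, 0x0409, []),
    }
    for label, (ui, user, layouts) in hosts.items():
        abort, reason = locale_kill_switch(ui, user, layouts)
        print(f"{label:24s} abort={abort!s:5s} {reason}")
```

The second constructed host is why the widely circulated “install a Russian keyboard layout” trick has any effect at all: the layout handle alone trips the check. Treat it as a curiosity rather than a control: an affiliate can ship a build without the check, and it does nothing against families that never had one.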

The Kremlin has long allowed cyber criminals to operate unfettered within its borders as long as they do not go after its own interests. There are suggestions that Vladimir Putin is quite happy to give cybercriminals leeway to operate against his geopolitical rivals.

The rise of state sponsored attacks

If that’s the case, they are not alone. Since 2019 there has been a 62% rise in ransomware attacks, with a 158% surge in the US according to the SonicWall Cyber Threat Report. Attacks are becoming larger, more sophisticated and target key pillars of infrastructure: with government offices, schools, hospitals and fuel depots being common targets.

In addition to the pipeline attack, there has been a massive cyberattack against the Irish healthcare system, an attack on JBS (the world’s largest meat processor) which disrupted the global meat supply, and an attack against schools in Iowa.

In many cases attacks have been traced to locations in Russia, North Korea and China. Hackers operating either with the tolerance or active blessing of their respective governments have been attacking targets in the West.

North Korea, in particular, has helped to fuel some of the most aggressive cyberattacks, stealing millions from corporations, individuals and public organizations around the world. Their efforts have been helped by the pandemic, with 2020 seeing a surge in phishing attacks emanating from Pyongyang using COVID-19 as a cover.

For example, the notorious North Korean Group ‘Lazarus’ targeted government agencies and other organizations around the world tasked with the distribution of government aid to businesses and individuals. The group used millions of emails to target people with spoofed messages pretending to be agencies such as the Bank of England, the Department of Agriculture in the US and Japan’s Ministry of Finance.

China has also been using cyberattacks against rivals at home and abroad. Earlier in the year, researchers uncovered a phishing campaign against the country’s Uyghur community which used lures purporting to come from the United Nations and offering grants and other means of support.

Earlier in June, hackers with suspected ties to China penetrated the systems of New York’s Metropolitan Transportation Authority. Although the intruders are not known to have gained control of critical operations or compromised personal details, researchers reported that a week after the intrusion was discovered, systems were still vulnerable.

This was the third attack against the city’s transport systems by hackers believed to be linked to hostile foreign governments. According to the cybersecurity firm FireEye, which works with the US government, these attacks made no attempt at financial extortion but were part of a sophisticated operation organized by the Chinese government.

Russian hackers, meanwhile, have repeatedly launched attacks against Ukraine as tensions between the two escalate. The latest came in June: phishing emails claiming to be from the Kyiv Patrol Police Department prompted recipients to settle unpaid taxes.

Recipients were urged to open a RAR archive attached to the email, which contained a fake PDF file. Opening it unwittingly installed a remote-access tool called RemoteUtilities, which connected back to command-and-control servers in Russia, Germany and the Netherlands.
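The two lure patterns in this article, a spoofed display name (the Lazarus “Bank of England” mails) and a RAR attachment carrying a disguised executable (the Kyiv Patrol Police mails), can both be caught at the mail gateway before anyone opens anything. The script below is an added example and not code from the page or from any of the groups discussed; the sender domains, brand allow-list and the sample message are constructed, and the attachment is only a RAR signature followed by padding, not a real archive.

```python
"""Triage of a phishing e-mail: display-name impersonation plus a RAR
attachment whose content-type and filename do not match its bytes.
Added example with constructed data; the domains use the reserved
.example TLD and are not real senders."""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# File signatures: RAR v4, RAR v5 and a Windows PE executable.
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"
PE_MAGIC = b"MZ"

# Constructed allow-list (assumption): display names worth protecting and the
# only sender domains permitted to use them.
PROTECTED_SENDERS = {
    "bank of england": {"boe.example"},
    "kyiv patrol police department": {"police.example"},
}

EXECUTABLE_EXT = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".msi", ".lnk", ".hta")
# "notice.pdf.exe", "invoice.docx.rar" and similar double extensions.
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|jpe?g|png)\.[a-z0-9]{2,4}$", re.I)


def check_sender(msg) -> list:
    """Flag a protected display name used from a domain outside its allow-list."""
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    for brand, domains in PROTECTED_SENDERS.items():
        if brand in display.lower() and domain not in domains:
            findings.append(f"display name '{display}' impersonates {brand} from {domain}")
    return findings


def check_attachment(part) -> list:
    """Classify an attachment by its bytes and its name, not its declared type."""
    findings = []
    name = part.get_filename() or "<unnamed>"
    data = part.get_payload(decode=True) or b""
    if data.startswith(RAR4_MAGIC) or data.startswith(RAR5_MAGIC):
        findings.append(f"{name}: RAR archive (content-type claims {part.get_content_type()})")
    if data.startswith(PE_MAGIC):
        findings.append(f"{name}: Windows executable")
    lower = name.lower()
    if DOUBLE_EXT.search(lower) or lower.endswith(EXECUTABLE_EXT):
        findings.append(f"{name}: executable or double-extension filename")
    return findings


def triage(raw: bytes) -> list:
    """Parse a raw RFC 5322 message and return every finding as a string."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = check_sender(msg)
    for part in msg.iter_attachments():
        findings.extend(check_attachment(part))
    return findings


def build_sample() -> bytes:
    """Constructed lure modelled on the tax-notice mails described in the text."""
    msg = EmailMessage()
    msg["From"] = '"Kyiv Patrol Police Department" <notice@police-tax.example>'
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Unpaid taxes: final notice"
    msg.set_content("Please review the attached notice and settle the outstanding amount.")
    fake_rar = RAR4_MAGIC + b"\x00" * 64  # signature plus padding, not a real archive
    # Declared as application/pdf to mimic a mislabelled attachment.
    msg.add_attachment(fake_rar, maintype="application", subtype="pdf",
                       filename="tax_notice.pdf.rar")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage(build_sample()):
        print("FINDING:", finding)
```

Checking the signature bytes rather than the filename or the declared content-type is the point: the lure above announces itself as a PDF twice and is a RAR archive anyway. Anything flagged as an archive should be detonated in a sandbox, where the dropped RemoteUtilities installer and its outbound connections become visible; matching on the archive alone tells you nothing about what is inside it.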

Attacks such as these are opening up a new front in the struggle between East and West. Last year, the head of the UK’s armed forces, General Nick Carter, warned that China and Russia were using cyberattacks, disinformation and mass surveillance to wage a ‘political war’ on the West.

Their goals are both geopolitical and financial. Extortion is a lucrative operation. Cyber warfare represents a new form of espionage against which the West’s defenses are ill-equipped. More generally, the aim — as much as governments may deny it — is to foster discord and instability amongst their main rivals. Disrupting traditional alliances, compromising systems and degrading crucial pieces of infrastructure are central to a new dimension in global power politics.

Recent events have tilted the playing field even further in their favor. Whether it’s the Chinese impersonating the United Nations, North Koreans claiming to be the Bank of England or Russian backed hackers targeting organizations involved in the production of COVID-19 vaccines, the pandemic has taken cyberwarfare to another level.

Such attacks are easy to execute but difficult to defend against. Cybercrime is by its nature difficult to trace at the best of times. By operating through shadowy groups based within their borders, states can maintain a sense of plausible deniability. It is one thing to show that a group is operating within a state’s boundaries, and another thing to demonstrate that it is doing so with the blessing or cooperation of the government involved.

The Russian, Chinese and North Korean governments have all denied involvement in state-sponsored cybercrime. However, states do not even necessarily have to be closely involved. As in the case of Russia, they can simply turn a blind eye, safe in the knowledge that such groups will wreak havoc on the state’s behalf.

Countering the Axis

The growing threat has prompted a forthright response from the US government. In addition to a cybersecurity executive order, President Biden has appointed world-class cybersecurity experts to key leadership positions. Using the kind of language normally reserved for national security threats, the administration has stressed that all options remain on the table in the fight against cybercrime, including military ones.

He is also urging his allies to do more and will be pushing for the North Atlantic Treaty Organization (NATO) to expand its involvement in cyber defense when they next meet in Brussels.

Nevertheless, the situation is extremely complicated with extensive room for misperceptions and escalation risks. When confronting the axis of cybercrime, the lines will perpetually be blurred between actions condoned by a government and crimes committed by groups which are simply operating within their boundaries.

There are signs that all sides are looking to stabilize the situation, including the criminals themselves. In the Colonial Pipeline and Irish healthcare attacks we saw criminals making an attempt at reputation management, reiterating that their intentions are only financial rather than political.

These groups have attempted to adopt a more professional approach in recent times. Their communications often resemble those of a corporation and have sought to distance themselves from actions by activists which cause disruption.

After the attack against Colonial Pipeline, DarkSide issued the following statement:

“We are apolitical, we do not participate in geopolitics. Our goal is to make money, and not create problems for society. From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.” 

The pledge to be more careful in future echoes the way major companies respond to a crisis in an attempt to avoid a further crackdown from regulators. Reputation management has become increasingly important to these groups. To them this is a business. The involvement of politically motivated activists, or governments, in cybercrime represents a threat to their own income if it prompts a crackdown from the governments whose countries become targets.

How should companies respond?

Businesses will also have to examine how they respond to cybersecurity threats and social engineering. With cybercrime climbing up the list of priorities, the pressure will grow on all firms to up their game. Biden’s executive order may nominally be focused on federal agencies and the organizations which work with them, but it also represents an attempt to build capacity overall through leadership by example.

State-sponsored cybercrime is not just a threat to governments; it can affect any organization. However, the most vulnerable targets include healthcare organizations, education institutions, financial services companies and any company which provides services, especially digital ones, to governments.

Organizations will need to invest in their defenses and ensure they are future-proofed against evolving attacks. Working from the board level down, businesses need to do much more to stay aware of the latest threats, to safeguard sensitive data, and to identify and respond to attacks as quickly as possible.

Such an approach can reduce, if not eliminate, the chances of a successful attack and limit the damage done if and when one happens. The government has already signaled its intention to build its defenses and will be looking to the private sector, especially companies it is considering doing business with, to do the same.
