Why WannaCry Was Just a "Warm-Up"

There is mounting evidence that the WannaCry and NotPetya ransomware attacks may have been only practice runs for a far more ambitious, large-scale attack on Western infrastructure.

The infrastructure of developed economies is becoming increasingly vulnerable to cyber-attack as industrial control systems are linked to corporate IT networks, and the Internet of Things (IoT) brings a bewildering new array of devices to corporate networks whose security was designed only to protect PCs and laptops. These new vulnerabilities are tempting targets not only for cyber-criminals but also for state actors or even terrorists, whose goals may not be financial but rather to cause maximum disruption and damage to a targeted state.

Although the WannaCry and NotPetya attacks were designed to look like the work of organized criminal gangs (OCGs), the ransom demands were ludicrously small given the technical and organizational skills needed to launch such far-reaching global attacks.

The attacks are likely to have been the work of an actor with significant cyber resources, such as an OCG or a nation state. Despite this, the ransom demands were astonishingly meagre, with major corporations being asked for only $300 in Bitcoin. The crime is reported to have netted a total of $104,436, despite the disruption caused to businesses across the globe.

According to an FBI source, a single known Russian OCG has an annual revenue of roughly $20 billion. A genuine OCG would be unlikely to make itself the focus of so many law enforcement agencies across the world for just over $100,000. The only other organizations likely to fund and execute such an operation are nation states and terrorist groups.

A long-running campaign targeting Ukraine caused widespread power outages in 2015 and 2016, and subsequent attacks on the energy sector also bear the hallmarks of politically motivated power disruption. Since then there have been others, such as a ransomware attack in June that hit Chernobyl's radiation monitoring system, shutting down its sensors. Ukraine's power grid, airport, national bank and communications firms were the first to report problems, before the attack spread rapidly across Europe. UK advertising giant WPP, the largest agency in the world, was also among dozens of other firms affected.

The scale of future attacks is set to become increasingly ambitious as cybercrime becomes more sophisticated. A recent example is US-based credit monitoring company Equifax, which this month (September) admitted that hackers had exposed the social security numbers and other data of about 143 million Americans.

As companies become more interconnected with one another, attackers have an ever easier path to propagate not only within a target corporate network but also between businesses. This means that attackers targeting critical infrastructure will increasingly use malware such as WannaCry and NotPetya to create wide-ranging attacks that make it all but impossible for governments to accurately determine the source of a massive attack or the motivation behind it.

It is only a matter of time before Western economies such as the US and the UK are hit by a massive cyber-attack aimed at taking down critical utilities or financial infrastructure. The integration of information technology (IT) systems, used for data-centric computing, with operational technology (OT) systems, used to monitor industrial operations, also creates new opportunities for threat actors targeting the industrial control systems used by the energy sector, since cybersecurity solutions and expertise geared toward the IT world are often inappropriate for OT applications.

The Internet of Things and the rush to connect devices such as security cameras are also opening up new security loopholes. Device impersonation, device hacking, device counterfeiting, snooping, tampering, disruption, and physical damage of all kinds are now being reported. The vast number of devices now connected to ageing IT systems makes the financial industry a prime target in a large-scale cyber-attack.

To avoid the threat of a far-reaching and destructive cyber-attack, all types of organization must now be aware of both external and internal threats. Companies need to scan both their own and their partners' and vendors' networks for vulnerabilities.

Using the right architecture, an organization can constrain an attack to a single segment of its network/business rather than allowing the entire system to be brought down. It is also essential to carry out regular, ongoing simulations of potential attacks based on threat intelligence. For example, the organizations compromised by WannaCry and NotPetya would have avoided infection had they applied the required patches and then followed up with an attack simulation to confirm the fix.
