Not long ago, everyone was talking about cyberattacks by intelligence agencies. Russian hackers broke into the Bundestag's systems, caused the lights to go out in Ukraine, and sabotaged the opening ceremony of the Olympics. North Korean hackers, crammed into open-plan offices, stole millions of dollars and shut down train displays around the world. Experts agreed that when states go to cyberwar, things get dangerous. That is still true, but something has been added in recent months. Attacks of unprecedented intensity have rocked the West, hitting hospitals and universities in Germany and an oil pipeline company in America, so hard that gasoline threatened to run out on the East Coast at times. But behind these attacks were not state hackers, but ordinary criminals. They are not out to spy on anyone or to show muscle in the competition between the great powers, but solely for the money.
Nevertheless, their attacks have a political dimension: by their sheer scale, they threaten the critical infrastructure of nation-states, oil, electricity and medical supplies. And it is striking that most criminal hacker groups are based in Russia, and that the country itself has so far been miraculously spared such attacks. So Russian criminals are mostly attacking targets outside Russia. Can this be a coincidence, or does the state tolerate, even support, such attacks?
At first glance, the hackers' business model seems banal: they seek access to a corporate network and download all data of value: technical plans, customer data, personnel files. After that, they encrypt everything. A message pops up on the victim's screens with the amount of the ransom to be paid and email addresses for queries. If the victim pays, he usually gets his data back; if not, it is usually made public. But although the hackers have been doing similar things for years, they have become far more skilled. It is as if clumsy pickpockets had turned into highly intelligent con artists.
Charles Carmakal is technical director at U.S. cybersecurity firm FireEye. When hackers crippled Colonial Pipeline in America in May, he and his team were called in to help. On Wednesday, he spoke about the case before the House Committee on Homeland Security. He described the professionalization of ransomware hackers in three steps: Just a few years ago, it was mostly lone wolves downloading malware from the web and using it to infect as many companies as possible. Their tools were still crude: they encrypted files indiscriminately. Anyone who wanted them back had to pay for the key in Bitcoin, usually between 500 and 1000 euros.
Often that achieved nothing. Only in the rarest of cases was there even a key to recover the files in the first place, and sometimes the criminals did not bother handing it over after being paid. Then hacker groups started taking over the business; that was the second step. There were those that encrypted data and those that siphoned data from companies in order to extort them. The hackers chose their victims deliberately. The ransom demanded ranged from $50,000 to $250,000.
But it wasn't until the criminals started encrypting data and threatening to publish it at the same time that business flourished. Those who are attacked are now under double pressure: they have to get systems back up and running as quickly as possible; they have to get oil flowing through pipelines again; they have to get doctors operating; and they have to deal with a massive potential data leak. Even if the victim is able to recover the encrypted files on their own, customer data, trade secrets and internals are at risk of ending up on the darknet. Many companies prefer to pay up. This also has to do with how the hackers operate. For months, they spy on the network to make sure they can do the most damage. They know exactly how solvent their victim is, and they have worked hard to give themselves the appearance of respectability. Those who pay are supposed to get their data back. That stimulates business. And most of the time, the price is less than the cost of rebuilding the whole system. Security agencies of all countries warn against responding to the criminals' demands, but still it happens every day. The company Crowdstrike observes about fifty such attacks every week, where they call it "big game hunting".
On average, companies transfer $5.6 million to buy their way out. As recently as Thursday, the meat processor JBS paid more than eleven million dollars. Hackers are even willing to negotiate: one analyst, who asked not to be named, says that in some cases companies have been able to push the price down. He also says that some companies are now taking the precaution of stockpiling Bitcoin so as to have the ransom ready in case of a ransomware attack.
Carmakal of FireEye says, "Extortion attacks are now the biggest problem for cybersecurity." German security officials also say the problem has long been underestimated. It also has a political slant. The "Darkside" group responsible for the attack on Colonial Pipeline originates from Russia, as do most of the others, according to analysts. What is striking is that Russian hackers almost always attack targets in the West, never any in Russia. Some malware automatically checks what keyboard layout the victim has configured. If it is a Cyrillic keyboard, the attack is called off.
Experts assume that the hackers are being cautious. They don't want to get caught, and that is easier to achieve when attacking targets abroad. Russian citizens are rarely extradited to other countries. A Russian who steals from rich and powerful compatriots goes to jail; one who steals from Americans does not. Cybercriminals drive souped-up Lamborghinis on Moscow's streets. While most analysts do not believe that the criminals are working directly with state hacker groups like "Fancy Bear," they do assume that the Russian security agencies know exactly who the hackers are and what they are doing, and have little problem with cybercriminals digitally crippling companies in America. Analysts also suspect there is a cost to getting rich off the West. The hackers may have to cede some of their loot. And should they gain access to a particularly interesting company, they would have to share it with government agencies.
Image by Gerd Altmann