The Good, the Bad and the Ugly in Cybersecurity – Week 18

The Good

As new insight into some of the most dangerous Russian state-sponsored APTs comes to light, such as the recent Industroyer2 malware, it is refreshing to see efforts to hold these attackers to account for the damage they have caused. This week, the US State Department Rewards for Justice Program announced they are seeking information behind the Russian GRU officers attributed to the Sandworm APT group.

At this time, the public is unable to assess how successful this program has been. However, in this case, the program is posting a reward of up to $10 million – a sum that would surely attract the attention of those with such information.

It’s also great to see the program allowing information transfer through properly encrypted channels, such as Signal, helping to protect the identity of those sharing their knowledge.

The program offers rewards for “information leading to the identification or location of any person who, while acting at the direction or under the control of a foreign government, participates in malicious cyber activities against U.S. critical infrastructure”. Therefore, this reward also applies to crimeware groups (such as ransomware) that intentionally damage critical infrastructure.

The Bad

Inevitably, ransomware remains active across the threat landscape. This week, there were two noteworthy events to highlight.

First, multiple incoming reports said the American Dental Association (ADA) was impacted by a ransomware attack. Interestingly, the lesser known “Black Basta” ransomware group claimed to be the source of the attack.

As we have seen with many ransomware groups, they continue to double-extort victims by the encryption of systems and data, plus slowly releasing stolen data publicly. Public exposure of sensitive data can be catastrophic for some organizations, while for others, the mere cost of getting operations back to normal can be so high as to put an organization out of business entirely, as happened recently to Lincoln College.

On the subject of educational institutions and ransomware, this week Austin Peay State University posted an alert over Twitter, warning students to shutdown systems as the university was experiencing an active ransomware attack. Despite the unfortunate nature of the incident, on the bright side the use of social media to alert affected parties appeared to be an effective way of gaining a lot of attention and hopefully limiting the damage.

Meanwhile, as reported by our colleagues at PwC, the number of ransomware victims continued to climb throughout 2021. We predict this trend will continue into and throughout the remainder of 2022.

The Ugly

Earlier this week an internet and telecommunication outage impacted a large number of French service providers in multiple regions. French media reported that Paris, Lyon, Bordeaux, Reims and Grenoble and others had all suffered simultaneous outages. Reports have suggested that the outages were due to coordinated acts of vandalism.

According to various sources, a number of underground cables had been cut, disrupting landline, mobile and broadband services. Fibre network connections linking Paris to various other cities had also been damaged. Rival service provider, Orange, said that they had not been targeted in the attacks.

No group or individuals have claimed responsibility for the attacks, and authorities remain open-minded as to who is behind them and what their motivations might be. Possibilities range from politically-motivated sabotage relating to the conflict in Ukraine, business rivalry, criminal extortion and hacktivism. In some cases, vandalism is just vandalism, with no other objective in mind. Given the many unknowns in this curious case, the DGSI, the French internal intelligence service, is assisting local police with the investigation.

At the time of writing, affected customers remain in the dark as to when the disrupted internet and telecom services will be fully restored.