Plain English Cyber in 3 articles, 2 numbers and 1 action.
This week: Organisations worry about cyber attacks arising from Russia’s invasion of Ukraine, as the Conti Gang that attacked the HSE last year announces its support of the Russian attack, and then learns that this was not its smartest move.
This week’s action: 3-2-1 Backup or 3-2-1 Over.
If you’d prefer to listen to Cyber 3-2-1: This week’s episode is accessible from https://www.codeinmotion.ie/podcast or wherever you get your podcasts.
1: US Banks are worried about cyber-attacks linked to the Russian invasion of Ukraine
“The widely-condemned [Russian] invasion of Ukraine has resulted in the US ordering sanctions against Russia. But Russia has indicated that it plans to retaliate, with the country’s Foreign Affairs Ministry responding that its country would take steps ‘finely tuned and painful to the American side.’ And cybersecurity experts [..] have predicted that at least part of Russia’s response will involve cyberattacks against American businesses and government entities. [..] [As a result] CrowdStrike’s CEO George Kurtz has said that bank executives in the United States are concerned about the possibility of devastating Russian cyberattacks. [However, he also said that] ‘Thankfully, they have the money to actually put in a mature cybersecurity technology,’.”
2: Conti Gang announces allegiance to Russian state
It would appear that the US banks’ concerns are well-founded. The Conti Gang, the group behind the costly cyber-attack against Ireland’s Health Service, recently announced “its support of the Russian government in its invasion of Ukraine [..] The cybercrime gang posted the message to its site on the dark web along with the threat to retaliate against anyone targeting the Russian government in a cyberattack”. As Chris Krebs tweeted following the announcement, “the question of whether the Conti ransomware gang was aligned with the Russian government may have just answered itself”.
3: Conti gang’s announcement backfires
When the Conti gang announced its support of the Russian invasion, there was one problem: It drew the attention of pro-Ukrainian security researchers. And soon after Conti’s announcement, several months of internal chat logs and other sensitive data tied to Conti were leaked.
According to Recorded Future, the leak includes online conversations between gang members from January 2021 to late February this year. The messages show the gang working with other cyber gangs and renting out access to the computers and organisations that they have infected. Some messages also mention ransomware negotiations with companies that never publicly disclosed that they had been the victim of a ransomware attack.
In completely unrelated news, LockBit, a competitor of the Conti gang, released its own statement in eight different languages. It reassures us that “For us it is just business and we are all apolitical. We are only interested in money for our harmless and useful work.”
Their ransomware work is harmless and useful.
Ransomware. Harmless. Useful. Three words that I have never seen in one sentence before.
The Conti leak contains over 60,000 messages between gang members, providing a rare insight into the internal workings of one of the world’s most successful cybercrime gangs. Researchers are still reading through the trove of data. At least one individual has already been identified, along with many of the techniques the gang used to break into organisations and hold them to ransom.
“New analysis [by Chainalysis] suggests that 74% of all money made through ransomware attacks in 2021 went to Russia-linked hackers. Researchers say more than $400 million worth of crypto-currency payments went to groups ‘highly likely to be affiliated with Russia’. Russia has denied accusations that it is harbouring cyber-criminals. Researchers also claim ‘a huge amount of crypto-currency-based money laundering’ goes through Russian crypto-companies. [..] The report only looks at the flow of money to cyber-criminal gang leaders, and many run affiliate operations – essentially renting out the tools needed to launch attacks to others – so it’s not known where the individual hackers who work for the big gangs are from.”
Read more: https://www.bbc.com/news/technology-60378009
1: Backup: 3-2-1
For the last few weeks, I have recommended that we all read recent advisories from national cybersecurity agencies, including Ireland’s NCSC. My recommendation still stands.
But if you haven’t done this yet, and there’s only one thing you are going to focus on, then focus on your backups.
Numerous alerts have pointed to the fact that recent attacks use data wipers. They are designed to cause maximum disruption by permanently destroying your data and your systems. Even if you pay the gangs, they can’t recover your data for you.
Backups do not reduce the likelihood of you being attacked. But they will reduce the impact.
For your most critical data and systems, make sure you have implemented a 3-2-1 Backup Strategy:
- At least 3 copies of data
- Stored on at least two different types of media / services
- With at least one copy stored offline or on immutable media (Remember CD-ROMs and DVD-ROMs?).
If the bad guys get through your defences, your backups may be the only way your organisation survives the attack.
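As an added illustration (not part of the original newsletter), here is a small Python audit that checks a backup inventory against the three 3-2-1 rules above. The inventory, dataset names and media labels are constructed for the example, and I assume the live production copy counts as one of the three copies; a copy only satisfies the “1” if it is offline or immutable, because an online copy that a wiper can reach is no protection.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class BackupCopy:
    dataset: str     # which data this is a copy of
    media: str       # media/service type, e.g. "production-san", "nas", "tape", "cloud-object-lock"
    offline: bool    # physically disconnected or air-gapped
    immutable: bool  # write-once / object-locked, cannot be altered by a compromised account

def check_321(copies, min_copies=3, min_media=2, min_protected=1):
    """Evaluate the copies of ONE dataset. Returns (ok, list_of_findings)."""
    findings = []
    media_types = {c.media for c in copies}
    protected = [c for c in copies if c.offline or c.immutable]
    if len(copies) < min_copies:
        findings.append(f"only {len(copies)} copies (need {min_copies})")
    if len(media_types) < min_media:
        findings.append(f"only {len(media_types)} media type(s) (need {min_media})")
    if len(protected) < min_protected:
        findings.append("no offline or immutable copy: a wiper with network access can reach every copy")
    return (not findings, findings)

def audit(inventory):
    """Group copies by dataset and apply the 3-2-1 check to each. Returns {dataset: (ok, findings)}."""
    by_dataset = {}
    for c in inventory:
        by_dataset.setdefault(c.dataset, []).append(c)
    return {name: check_321(copies) for name, copies in by_dataset.items()}

# Constructed sample inventory (hypothetical datasets and media):
INVENTORY = [
    BackupCopy("patient-records", "production-san", False, False),
    BackupCopy("patient-records", "nas", False, False),
    BackupCopy("patient-records", "tape", True, False),            # the offline "1"
    BackupCopy("finance", "production-san", False, False),
    BackupCopy("finance", "nas", False, False),
    BackupCopy("finance", "nas", False, False),                    # 3 copies, 2 media, nothing offline
    BackupCopy("hr", "production-san", False, False),
    BackupCopy("hr", "cloud-object-lock", False, True),            # immutable, but only 2 copies
]

if __name__ == "__main__":
    for name, (ok, findings) in audit(INVENTORY).items():
        print(f"{name}: {'OK' if ok else 'FAIL'} {findings}")
```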
You may think I’m shouting “the sky is falling”.
But even if I am, it doesn’t mean I’m wrong.