The recent SolarWinds and JetBrains attacks are prime examples of why state-sponsored attacks are so dangerous. The hackers leveraged sophisticated, novel techniques to break into networks and obtain backdoor access to government agencies and enterprises, Yuval Wollman, president of CyberProof and Chief Cyber Officer at UST, told CyberNews.
The scale of cyberattacks in 2020 was unprecedented. Malicious actors exploited COVID-19 to the fullest, and attacks on security bastions such as FireEye and the introduction of backdoors into a product like SolarWinds left many cybersecurity experts uneasy.
More and more advanced tools stolen from nation-states are becoming publicly available. What is more, cybercriminals are now forming gangs and sharing knowledge.
“For example, one group – known as Access Brokers – gains unauthorized access to a network and sells this access to a ransomware expert, who later deploys ransomware on the network, or to an Advanced Persistent Threat (APT) actor, who proceeds with an attack. This has become quite common,” Wollman said.
According to him, the shortage of cyber talent, pressure on cyber budgets, and cloud migration will be the top cybersecurity challenges for 2021.
There have definitely been many cyberattacks, risks, and threats in 2020. Would you say that the scale of attacks was unprecedented?
The number and scale of attacks this year were unprecedented. There were many factors that contributed to this increase, some related to COVID-19. For example, with much of the workforce working from home, remote workers became a natural target for cybercriminals – particularly as remote work exposes more internal communication channels. Moreover, cyber activity capitalized on the fear and anxiety surrounding the disease. Hackers conducted different attacks (phishing attacks and other kinds of attacks) that were based on a COVID-19 theme.
The most notable attack of the year to my mind was the SolarWinds supply chain attack – in which hackers suspected to be working for Russia’s SVR intelligence agency inserted code into network management software made by SolarWinds, a large Texas company that provides technology monitoring services used by government agencies and Fortune 500 companies.
The compromised software was used to obtain unauthorized access to approximately 18,000 networks, including those of the Defense, Commerce, Treasury, State, Homeland Security, and Energy Departments as well as to large enterprises such as Microsoft, Cisco, Nvidia, Belkin, and VMware – and to top cybersecurity firm FireEye, which first reported the breach. In some cases, the hackers managed to take full control of the networks they accessed. The widespread intrusion was so large that the full extent of the damage and its potential long-term impact are still unclear. I’ll just add that a second massive attack in the US was made public on January 6, the JetBrains supply chain attack – but it is still unclear whether that attack was connected to SolarWinds or is a separate, parallel attack. (JetBrains claims it hasn't been able to locate any evidence there's been any compromise of the JetBrains network or TeamCity's code - CyberNews).
Another massive attack this year was the attack on Universal Health Services (UHS) hospitals – in which over 250 hospitals across the United States were debilitated by a cyberattack that forced staff to cancel surgeries and work with pen and paper, as the hospital chain’s computer and phone systems failed. Hackers hijacked the organization’s systems and brought 400 US health system sites down in a massive Ryuk ransomware attack. The attack likely started via a phishing attack. It took several weeks for all of the websites to return to normal operations.
What scares you the most - data breaches, ransomware, state-sponsored attacks, or maybe attacks against cybersecurity bastions, such as FireEye?
The truth is that the recent SolarWinds and JetBrains attacks are a prime example of why state-sponsored attacks are so dangerous. From the very beginning, researchers and security experts surmised that based on its sophistication and complexity, the attack was likely to have been launched by a nation-state sponsored actor.
The strategy used in the SolarWinds hack is exactly what I would expect in a nation-state based attack: a widely used software company was used as the delivery pathway for hackers to insert backdoors into the software of an untold number of technology companies. After obtaining access to the networks, they invested whatever resources were necessary to maintain their presence there. They sought information related to government offices and spent time extracting information.
The hackers leveraged sophisticated, novel techniques to break into a network and obtain backdoor access into government agencies, enterprises – and even laboratories developing nuclear weapons. Introducing a backdoor into a product like SolarWinds is why supply chain hacks can have such wide-scale repercussions.
Name a few cybersecurity challenges that we are going to face this year.
I believe these are likely to be our top challenges this year:
Shortage of cyber talent. There is a growing shortage of skilled and experienced cybersecurity professionals that plagues businesses around the globe. This shortage makes it hard to put together an expert team. Retention is also a serious issue. The problem continues to intensify as the demand for cybersecurity professionals steadily continues to increase internationally.
Pressure on cyber budgets. In the current economic climate, security budgets are tight. But at the same time, our cybersecurity needs are increasing. The number of attacks – and their complexity – has gone up. This creates tremendous pressure and is prompting companies to reassess how they are using their cybersecurity spend, and to search for new ways to optimize their investments.
Cloud migration. One of the many things we saw this year is that the organizations that have been able to pivot and move more aggressively to digital models have been able to thrive in the new normal. Without cloud-based tools and services, many of the millions of people who have been in lockdown could never have continued to do their jobs at home. The result: As pointed out in Forrester Predictions 2021, in 2021 we can expect companies to accelerate spend on the cloud and embrace cloud-first strategies that support greater collaboration across organizations, objectives, and budgets. Forrester predicts the global public cloud infrastructure market will grow by 35% to $120 billion this year.
Many experts keep telling me that hackers are now using tools that previously were only available to very few threat actors because of the advances in technology and the cost of that technology. There’s ransomware-as-a-service now, and so the scale of cybercrime, which is almost untraceable, is growing. What do you think about this? Have cybercriminals reached the realms they weren’t able to conquer before?
Advanced hackers are stealing high-level tools or buying tools that can easily be found in black markets online – and frequently, conducting the transaction using stolen money. FireEye is a perfect example – because once the hackers breached FireEye, they stole all of their red team hacking tools.
In this case, the hackers who stole the tools came from a nation-state, so those tools did not go public. However, many other advanced tools that have been stolen become available publicly. The story surrounding the NSA Vault 7 breach is a parallel case – hacking tools and zero-days developed by cybersecurity experts were stolen; however, these became available to the public and were used by threat actors against several civilian targets for financial purposes.
Another change that led to more extensive cyber criminal activity is the growing cooperation between cyber criminal groups with different capabilities and areas of expertise. For example, one group – known as Access Brokers – gains unauthorized access to a network and sells this access to a ransomware expert, who later deploys ransomware on the network, or to an Advanced Persistent Threat (APT) actor, who proceeds with an attack. This has become quite common.
Ransomware-as-a-service can also be viewed as an extension of this same concept, i.e., where you don’t need to be such an expert in order to conduct a relatively extensive breach. You can rent the ransomware. You just need to have money, a little bit of knowledge, and the right contacts.
Do you think that the current threats will drive up cybersecurity budgets? On the one hand, companies are starting to realize the cyber threats. On the other hand, the economic outlook for the near future is gloomy due to the pandemic, so companies might freeze their further investments into cybersecurity.
It's not a question of the short-term situation but of a long-term curve. Companies are going through cloud migration and digital transformation, and this can lead to increased cyber risk – for example, by expanding the attack surface, making it harder for organizations to track all vulnerabilities and potential threats. In parallel, the number and sophistication of cyberattacks continue to grow – and the result of all of this is that, over time, there must be an increase in the budget in order to fight back and protect organizations against threats.
Today, cyber threats are increasingly viewed as a growing business risk. They are no longer seen through the narrower lens of being “just” a problem of cybersecurity or IT. And while this year has been tough economically and led to budget freezes, we’re looking beyond the current situation – and we are expecting to see recovery over the long term.