The world’s worst and weirdest cyberattacks
Few people know more about digital crime than Rik Ferguson. A member of the Infosecurity Hall of Fame, Ferguson serves as Vice President of Security Research at IT security firm Trend Micro as well as being a special advisor to Europol’s European Cybercrime Centre (EC3).
Ahead of his presentation at the Swiss Re Corporate Solutions’ Corporate Resilience Days in November, I sat down with Rik to talk about the evolution of internet threats.
Rik, could you talk us through some of the more striking cyberattacks that you’ve seen, and the legacy they have left?
The one that all of the people that we speak to will be familiar with is WannaCry. At the time, in 2017, it was the fastest spreading ransomware attack in history, because it took two established criminal attack methodologies and put them together to devastating effect: it took ransomware, and it took the concept of an internet worm.
The attack kind of followed the sun: as people were waking up, the attack was hitting their country. Luckily for the world, it never quite got as global as it could have, because a hacker, Marcus Hutchins, discovered the WannaCry kill switch, which stopped it from encrypting the other systems it would go on to infect.
WannaCry caused USD 4 billion in losses the year it appeared, and even today it is still the most detected ransomware that we find annually. So it's still out there – it’s just not springing to life. It was the fact that they took those disparate things, put them together, and created an example that has since been abused by others.
As always happens in cybercrime, one innovation is co-opted by a bunch of other different groups, and improved upon.
What would you describe as a particularly unusual attack on a company?
There’s a casino in the US that, as part of their facilities, has a very big and impressive fish tank for guests to marvel over and to stare at in wonder while they part with their hard-earned dollars. And because it’s a big installation, it’s relatively automated: it has a bunch of sensors inside to control things like temperature, the salinity of the water and automated feeding.
The casino in question had its fish tank connected to the corporate network so that staff could remotely check on the fish. No one paid any attention to it. As a result, the cybercriminals used the fish tank’s internet-connected thermostat to export more than 10 gigabytes of stolen data from the casino.
The real lesson here for any organisation trying to secure its estate is that one of the most important things you can do is to have a constantly monitored and verified asset list.
You need to know what you have, where it is and what it’s doing when connected to the internet or the corporate network, and you need to have an effective baseline to know what the expected behaviour of all those assets should be. Otherwise, you have no visibility whatsoever when something out of the ordinary occurs in your ecosystem from any one of those assets.
And what has been the most alarming attack of recent years that corporate risk managers should be aware of?
The attack on the Ukrainian power grid in 2015 and 2016. It was really the first wide-scale and very successful and damaging attack on critical national infrastructure. It unfolded in a very deliberate and patient way. It was so meticulously planned and executed – concerning, in terms of the targets that were in the sights of the attackers.
It is maybe doubly concerning because the attack could very easily be viewed as a proof of concept: the attackers wrote custom firmware – that’s the software that runs on the piece of hardware – for these serial-to-ethernet converters, which basically broke them. It meant that when the attackers flipped the digital switches to turn off the power supply, the operators couldn't digitally flip them back, because the attackers had effectively burned out that physical connection. 230,000 people were left without power.
Critical national infrastructure in any country has a few problems: a lot of it is technology which has a 30-year life cycle, which is very different to IT-type technology, with maybe a five-year lifecycle.
Historically, there haven’t been many security solutions that have been designed for those kinds of environments: even if you want to secure them, it’s actually really difficult to do so. So, there are lots of concerns in that area – both for the people affected and for the companies operating in the country.
How has the nature of attacks changed since you started working in cybersecurity, and what’s driving that shift?
I have been working in technology since the mid-nineties, so I am (un)fortunate enough really to have witnessed the birth of professional and organized cybercrime. In the 20th century, malware was really about mischief and experimentation. The people behind malware like Code Red, Nimda, Melissa, ILOVEYOU, MS Blaster et al. weren't thinking at all about how they could monetise those attacks; they did it for kicks.
Well, certainly as regards ransomware, cybercrime always used to be a consumer-facing threat. It would encrypt a home user's PC. It would encrypt all of their documents and photos and music and all the other important stuff and ask for a relatively low ransom, maybe 50 or 60 dollars. It became less and less effective. For the attackers, it was a big investment of time and resources to get people infected for a relatively low return per attack.
I think 2017 was probably the year when the focus really began to change and attackers became much more targeted, much stealthier, and much better researched.
If you can go for a big corporate and encrypt the systems that help that business run, every moment that the business is not running is costing a given amount of money. So as long as your ransom demand is lower than what your activity is already costing the company, the chances they will pay are quite high.