The IT security situation has become even more acute as a result of the Ukraine war, ransomware, espionage and sabotage. At the same time, companies are facing new cyber risks anyway due to their advancing digitalization and in times of increased remote working. We spoke with Matthias Nehls, our founder and managing partner, about the greatest current IT threats and strategic countermeasures:
Matthias Nehls, the risk of cyberattacks has never been as high as it is today: What are the greatest dangers in 2023 and what has changed compared to the previous year?
The current security situation for companies is extremely tense, as confirmed by the BSI situation report: Cyber attacks pose a substantial threat to companies in every industry and of every size. According to a Bitkom study, nine out of ten companies were victims of data theft, espionage or sabotage in 2021. The main threat continues to be ransomware, which hacker groups use to encrypt corporate networks. We observe that the cases have become much larger in 2022. Previously, the groups behind ransomware primarily demanded ransom to expand their own criminal infrastructure. Now, the focus is on demonstrating power.
The cyberattack on a listed automotive supplier last summer, for example, shows just how high the potential for damage is. Sensitive company data, including patents, supervisory board minutes and customer data, was captured; the data transfer of around 40 TB remained undetected for four weeks. Some of the stolen information is being offered for sale on the darknet for $50 million – the same price as the ransom demanded. In view of the enormous sum, it must have been clear to the attackers from the very beginning that the attacked company would hardly agree to the demand. The aim was therefore to generate a showcase victim with media impact and to highlight their own power influence. This development is fueled by the tense geopolitical situation.
BKA President Holger Münch also warns of more cybercrime as a result of the war in Ukraine. What new phenomena are you observing in this context?
We are seeing an increase in ransomware attacks in the wake of hybrid warfare that extends into the digital space, blurring the lines between extortion gangs and state-controlled groups. “Zeit online” recently published an elaborately researched article on this. It reveals that ransomware backers hide behind cover names and are covered by Russian intelligence services – presumably because they are involved in state cybercrime and spy missions.
In addition, on both the Russian and Western sides, we are seeing an increase in state-related loose connections of individuals who are cyber-hacktivists carrying out politically motivated attacks. For example, distributed denial of service (DDoS) attacks on state institutions are being planned via Telegram groups, causing IT infrastructures to collapse and companies’ operations to grind to a halt through greatly increased traffic. Information about criminal successes, as well as false reports, appears in these chat groups every minute. Even professional hacker attacks on selected companies are planned there.
With the ongoing conflict also comes a greater potential for European or international hackers to do their mischief under the guise of Russian IP addresses. Western law enforcement agencies quickly reach their limits here: They will not receive any background information from a Russian Internet provider to clarify an IT security incident – even if no local hacker gang is involved. This makes investigation more difficult: Cybercriminals from all over the world can hide on one political side or the other.
What is your cyber risk forecast for 2023 – will the trend continue or will the IT security situation improve again?
The number of attacks will increase due to technological progress. While a few years ago it was hardly possible for hackers to scan a large number of IP addresses in the blink of an eye and use these results for cybercrime purposes, automated tools are now available for this purpose. This opens up new possibilities for scaling the volume and intensity of attacks.
In addition, the role of organized crime in the attacks is increasing: Hacker groups, such as the one researched in the Zeit article and most recently known as Conti, generate millions, if not billions, in revenue. They have management structures, operate internationally and use extremely perfidious methods. Support centers of ransomware-as-a-service providers are also frighteningly well positioned and offer better service than many legal companies.
Last but not least, the East-West conflict is motivating young people with an affinity for the Internet to express their political opinions with casual means, i.e. “hacker kits” from the dark web or the Internet. This also increases the number of attacks carried out with simple tools.
Why do cybercriminals continue to rely on ransomware in particular?
Attacks with ransomware are a lucrative source of income for hackers that can be generated without much effort: out of concern for their business and reputation, companies are repeatedly willing to pay large sums of money for the release of their encrypted systems and data.
In addition, the Ransomware-as-a-Service business model ensures lower barriers to entry into the hacker milieu through automation and professionalization. Criminals no longer have to program the malware themselves and keep it up to date. They receive a comprehensive service package via monthly subscriptions. If a virus currently in use is detected by virus scanners, users receive instructions on the necessary upgrade. Payment flows are also automated – there are now even organized gangs that take care of laundering payments from extortion cases. All in all, junior hackers need far less know-how today than in the past: ransomware is making it easier and easier to set up a criminal business on the Net.
The media are increasingly reporting cyberattacks on CRITIS companies – what are the reasons for this?
Attacks on critical infrastructures (CRITIS), especially energy suppliers, are indeed on the rise. A change in values can be seen from this: In the past, cyberattacks on hospitals, gas and electricity providers were considered taboo according to hacker ethics. It did happen that, for example, a university hospital – according to the attackers behind it – was “accidentally” encrypted as well, since it belonged to the network of the targeted university. In such cases, the attackers provided a decryption key to restore the systems.
The geopolitical conflict has changed this abruptly: CRITIS companies are particularly popular targets for attack because massive effects can be provoked here. Operators must adapt existing protection mechanisms to this, which is also stipulated by the IT Security Act 2.0. However, since the regulatory requirements are complex and vary, for example, according to the size of the company, there is a lot to consider. If consulting expertise is purchased for this purpose, those responsible should focus their attention on specialist knowledge. Up to now, security has often been co-supplied by classic IT service providers, which is negligent in view of increasing risks and the fact that cyber security is a complex discipline in its own right.
What should companies generally consider to meet IT security requirements and reduce cyber risks in 2023?
Many companies have adapted to the uncertain situation and created extensive cyberattack detection capabilities. This is certainly a step in the right direction. However, the classification of IT security incidents and the correct response to them require experience and expertise.
Currently, “false positive” attack reports are piling up in companies because the new tools simply mean that more cyberattacks are being seen. This also has to do with the fact that PCs are increasingly being hacked automatically. An unprotected computer falls into hostile hands after just two minutes via automatisms that continuously scan the Internet. However, attacks associated with this tend to be part of the background noise on the Internet and are less critical than attacks by professional hackers. The latter hardly appear in the statistics of companies: they penetrate systems quickly and specifically in order to steal data, and use legitimate employee login data, for example obtained through phishing mails, to do so. Since access and data theft go unnoticed, these attackers usually cause the greatest damage.
In order to interpret cyberattacks correctly and respond appropriately, it is advisable to work with an IT security partner such as DGC. Our Cyber Defense Operation Center (CDOC) and the IT security tool cyberscan.io® enable effective attack monitoring and defense. In addition, we support the establishment of appropriate IT security standards with penetration tests and preventive security awareness training.
What specific actions are important for increasing cyber resilience?
Companies should always keep their IT infrastructure up to date with the latest technology, be informed about new attack paths and threat scenarios, and rely on an established cyber security service provider to support internal security officers with additional expertise.
For example, all legacy devices in the system environment, from machine and heating controls to fire alarm systems, should be checked for security gaps. It is also advisable to use the latest technology standards for virus scanners.
With regard to ransomware, a backup concept is essential: system copies should be stored physically separately, for example on external hard drives in lockers. This way, companies do not have to pay high ransom sums in the event of data encryption, but can restore their data themselves. However, the risk of public exposure and publication of sensitive data on the darknet remains.
In view of the imponderables, those persons in charge are well advised to establish all-round IT protection: All measures from A for awareness to Z for zero trust access should come together in a well thought-out overall concept. Such an IT security concept is as individual as a company and its risks: The goal should be to deal with threats appropriately in order to be able to act and be well protected at all times. In order to provide companies with specific and comprehensive support, DGC has developed a modular partnership model: Solutions and services can be combined into a customized cyber security package according to need and requirement – the result is 360-degree security.
What is the risk of inadequate protection?
Dealing strategically with risks is a matter of the utmost urgency for management and the future success of the company. If a company falls victim to a cyberattack, the decision-makers can be held responsible with their private assets if they are not adequately protected. Insolvency after a cyberattack is no longer a rarity – high financial burdens for system recovery, delivery bottlenecks and compensation claims from customers as well as the enormous loss of image drive companies to ruin.
The good news is that with appropriate measures and prevention, attacks can be averted or at least the damage limited.
Thank you very much for the interview.