The UK National Cyber Security Centre is warning of the high risk to UK businesses from cyber attacks, which have increased since the invasion of Ukraine.
All local businesses that use the internet are at risk, so I recently spent a couple of hours at Riela Cyber to understand how dangerous this risk is.
Riela Cyber is a security operations centre in Ballasalla, and I’m standing in front of a large screen showing a map of the world.
There are constantly moving and shifting lines connecting countries and continents.
It looks like the sort of schematic airlines use to display their routes, but the truth is far more sinister. What these lines indicate are live cyber attacks from hackers based in one country against computer systems in another.
There is a running total of the number of attacks that have taken place today. It has reached nearly eight million and it’s not yet lunchtime. On some days, according to Riela Cyber’s Dr Joseph Ikhalia, it can get up to 60 million.
If you think your organisation is safe from hackers it may be time to think again.
Joseph is the risk and threat management lead. He is responsible for cyber risk management, assessing clients’ digital vulnerabilities and hunting down threats to their organisations.
He says: ‘The first key objective of the security operations centre (SOC) is to gather intelligence.
‘It’s important to have this ability because one of our key principles here is that you cannot protect what you cannot see.’
Joseph indicates another large screen: ‘This is an open source threat map which displays threat intelligence. It allows us to track web attackers, denial of service attackers and intruders, as well as scanners.
‘The web attackers are those who look for vulnerabilities on your website. They can inject code remotely from their laptop, from anywhere – they could even be on the beach and have developed a bot to automate the website attack.’
Denial of service is another big threat to organisations. The goal of these attacks is quite simply to take down your business.
The war between Russia and Ukraine is being fought not just on the ground but digitally, through denial of service attacks between the two countries that have taken down government websites and financial payment systems.
Cyber crime is big business globally and the threats can be driven by any number of incentives, from almost anywhere in the world, though Joseph says some locations are more conducive to hackers.
He says: ‘Some of the Russian hackers are very brazen, they don’t even mask their identity.
‘They leave a digital footprint because there is protection from the state [in Russia] and you can’t subpoena them. There’s no agreement with any nation to get a criminal through Interpol and bring them to justice.’
Cyprus, Malta and Turkey are also popular locations for hackers to base themselves because these countries are also less well regulated.
Sometimes attacks are carried out to gain a commercial advantage.
Joseph says: ‘Seven years ago a British national was hired for $10,000 to take down the major telecoms infrastructure in Liberia, and it was a competitor in Liberia who paid him. He didn’t do it from Britain, he travelled to Cyprus. Within a month Liberia had no internet and the other company stepped in.
‘So your cyber threat actor could be anyone: it could be a competitor, it could even be a disgruntled employee.’
How would an attack typically unfold?
Joseph explains: ‘One of the first things a hacker will do is find problems on your network using a scanner. It’s not really an attack, it’s the reconnaissance phase, to gather information.’
Assuming they find a vulnerability, they would then use it to penetrate the outer perimeter defence and start looking for ways of accessing valuable data, be it emails, banking information or even GDPR-sensitive personal data. While an oversimplification, this is generally done using malware, in the form of viruses, spyware, trojans or worms.
No network is infallible, which is why monitoring all systems is crucial to successfully mitigating potential threats.
‘Security triaging’ is the process security operations centres use to classify and prioritise threats according to the level of danger they pose.
As an example, in a typical attack where multiple intrusion attempts happen concurrently, a SOC would prioritise a Cobalt Strike intrusion over crypto mining or brute force attempts, based on the risk and potential impact to the business.
Riela Cyber staff pride themselves on being proactive in security. They go looking for threats. Their enterprise-class vulnerability software can scan client networks from both inside and outside. As well as flagging vulnerabilities at the time of the scan, the results are stored for 12 months so that trends can be spotted as a pattern builds up.
Joseph recalls: ‘Two years ago, in 2020, we identified and stopped a persistent threat to one of our high-worth clients and through our investigation we were able to identify the perpetrator as a well-known Russian hacker, Alexander Volosovik. He is protected by the Russian state, so other than thwart his efforts, there was nothing we could do to bring him to justice. He tried unsuccessfully for four months to gain access to our customer using thousands of different locations.’
We always think of our island location as being safe from traditional crime but it’s worth remembering that hackers don’t think in geographical terms – ‘for them it’s just one short hop, just one IP address away,’ says Joseph.
For local companies the most debilitating threat to their business is a ransomware attack, and these have become more prevalent since Covid. Working from home, in effect extending the workplace, has made it easier for criminals to find vulnerabilities. Ransomware attacks encrypt company data, which can then only be recovered by paying a ransom to the hackers or by restoring from backups, which most hackers delete before encrypting.
Christian Goelz, a director of Riela Cyber, says: ‘The ransom is not even the most expensive bit.
‘If you get your data back when you’ve paid a ransom, which we advise against, you still need to rebuild your entire data structure. The decryption doesn’t restore your data to its original format, it just allows you to access it. The worst case we worked on recently saw a company lose five months of accounting data: imagine having to call your customer to ask them how much they owe you?
‘We have had customers with no email for weeks as well as no access to any of their files or contracts. It can be extremely expensive to recover your operations.
‘Then, once you have recovered you then need to consider whether any GDPR data has been stolen and take appropriate actions to notify authorities and consumers who are affected. If you hadn’t taken any cyber measures your GDPR fine may be higher than the ransom.
‘An issue we find is that a lot of Isle of Man companies are unprepared and quite unaware of the risks so there’s little budget for cyber security.
‘Even insurance companies are starting to get more restrictive on their cyber policies as a result of the high risk posed to all businesses.
‘Businesses should deal with the threat upfront, and it can be done in a structured way with the right controls in place. However, most don’t understand the risk and don’t think they can be a target.’
And, according to Christian, it’s not the e-gaming or digital businesses that get hacked, as you might expect, as these are more prepared for cyber threats.
‘It’s more often traditional businesses who aren’t aware of the risks: manufacturing, hospitality, corporate services or the legal sector who overlook how much of their organisation is dependent on digital technology.
‘Your manufacturing equipment doesn’t work without a computer anymore and, when the database is compromised, the machine doesn’t turn on,’ says Christian.
And he adds: ‘A lot of companies in the island just see cyber as part of IT but actually a cyber security specialist will look at it from a different angle.
‘We always say that IT makes your infrastructure work, makes your computer turn on and your email work, whereas cyber makes sure it’s secure.
‘So it’s a full-time job keeping it going and it’s a full-time job making it secure.’