Russia and Ukraine war: the US offers up to 10 million dollars for the identification of any Russian cyberattack against critical infrastructure

More than half of cybercrime groups are state-backed (49%) or terrorists (5%) who use the internet as a next-generation weapon. Their objectives are sensitive data, mainly defense data, or breaking into entities that are fundamental to daily life, such as critical infrastructure (health, financial, or supply networks). Just over a quarter (26%) are activists who aim to influence political and social processes, while 20% scour the web for money, according to the report (The Cyberthreat Handbook) from the security companies Thales and Verint. The first, and largest, group is the one that most concerns Western countries in the face of the war in Ukraine. The United States offers up to 10 million dollars (€8.95 million) for “information on Russian state-sponsored cyber operations targeting critical infrastructure.” It seeks “the identification or location of any person who acts under the direction or control of a foreign government and participates in malicious cyber activities,” according to the Cybersecurity and Infrastructure Security Agency (CISA). Network invasions follow a precise, military-like, nine-step strategy.

US National Security Adviser Anne Neuberger has warned that “for the past decade, Russia has used cyberspace as an important part of its military activity beyond its borders.” Faced with this threat, cybersecurity services try to “shore up defenses” and work with “partners and allies to disrupt malicious cyber activity.”

Keren Elazari, a computer hacker who ended up as a researcher at Tel Aviv University (Israel), says that cyberattacks target critical infrastructure not only to breach a country’s defenses but also to “undermine confidence in our system of life.” Elazari, an expert in detecting security flaws in computer systems, warns that large entities are not the most vulnerable, as evidenced by the hundreds of annual attacks on local entities and the security breaches in transport systems and companies.

It also carries an economic cost. A report by Juniper Research estimates that attacks on the Internet will cost up to five billion euros in two years.

According to the Thales and Verint report, the most virulent and best-trained groups do not even need to develop their own malicious programs (malware); they use those created and shared by others, such as those designed by groups of Chinese origin, or those purchased on the dark web, hidden sites that can only be accessed using a specialized browser.

The strategy of a cyberattack consists of nine actions, according to CISA, and the main security companies agree. They are similar to those of physical incursions in an armed conflict, but in this case the battlefield is computerized.

Reconnaissance. It consists of techniques to actively or passively collect information, from login credentials to information about the identity of the victim, which can be an individual or an organization.

Initial access. This is the use of various entry vectors, especially any weaknesses in the access server. According to CISA, these vulnerabilities are used to obtain credentials for domains and accounts in the cloud [remote servers connected to the internet]. Another way to obtain these credentials is phishing: scam emails containing links that allow malicious programs to run on a local or remote system. The company Antispam Lab warned this Friday of the massive sending of fake email messages to clients of a financial institution with a significant presence in the US, the United Kingdom, the European Union and South Korea, with the aim of stealing personal information and online credentials.

Persistence. If the entry succeeds, the next strategy is persistence: techniques to maintain network access despite reboots, credential changes, and other interruptions aimed at cutting off the fraudulent access. During this time, attackers study the data and all the systems, in phases known as “understanding the environment” and “collection.”

Defense evasion. Once inside, the attacker risks being detected by the security services, so they develop techniques to avoid it. To do this, they hide or encrypt their executable commands and files. They also resort to uninstalling or disabling security programs. “Sometimes, some attacks are a distraction so that the security services do not focus on the real thing,” Elazari points out.

Escalation of privileges. If the attacker manages to get in, remain and bypass the security systems, the next objective is to obtain higher-level permissions by exploiting system weaknesses, misconfigurations, and vulnerabilities. With these new privileges, they can access or copy the databases to steal information, device keys, user accounts, and access rights.

Discovery. Spoofing keys that grant broad access to systems allows attackers to map the internal network, copy files and directories, and pinpoint the specific locations of the information they need for the ultimate goal: disabling the entire architecture. They can also identify associated domains (such as those of trusted providers) to expand their attack, in what is known as “lateral movement.”

Collection. All of the above steps lead the attacker to collect not only the information itself but also its sources. In this sense, the attacker can take advantage of repositories to extract valuable data. CISA highlights SharePoint as one of the targets: an enterprise collaboration platform made up of products and program components that include collaboration functions, search and process-management modules, and document-management platforms.

Command and control. With all the information accumulated and the highest credentials to act on the system, the attack moves on to the command and control phase, in which normal traffic is imitated to communicate between the systems the attacker already controls and exploits to obtain and transfer data. In this phase, to cover up the malicious traffic, multiple proxies are used: servers, programs or devices that act as intermediaries in the resource requests made by a user.

Impact. This is the moment when the completion of all the previous phases allows the attacker to interrupt or compromise the targeted systems through the destruction, disabling, theft, manipulation or falsification of data and systems.