2nd edition of National Cybersecurity Strategy Guide Launched

Agency News, Cyber Security CII sector, Industry News

The Guide to Developing a National Cybersecurity Strategy is one of the most comprehensive overviews of what constitute successful cybersecurity strategies. It is the result of a unique, collaborative, and equitable multi-stakeholder effort.

Over the last two decades, people worldwide have benefitted from the growth and adoption of information and communication technologies (ICTs) and associated socio-economic and political opportunities. Digital transformation can be a powerful enabler of inclusive and sustainable development, but only if the underlying infrastructure and services that depend on it are safe, secure, and resilient. To reap the benefits and manage the challenges of digitalization, countries need to frame the proliferation of ICT-enabled infrastructures and services within a comprehensive national cybersecurity strategy.

To help governments in this endeavour, a consortium of partner organisations jointly developed and published the first Guide to Developing a National Cybersecurity Strategy (NCS) in 2018. Since then, the number of national cybersecurity strategies or frameworks worldwide has increased significantly. In 2018, only 76 countries had adopted a strategy while today more than 127 countries have such strategies in place, and many have used the Guide as a reference and blueprint.1

However, the fast-changing nature of cyberspace, the increased dependency on ICT, and the proliferation of digital risks all call for continuous improvements to national cybersecurity strategies. Most countries have both accelerated their digital transformation and become increasingly concerned about the immediate and future threats to their critical services, infrastructures, sectors, institutions, and businesses, as well as to international peace and security, that could result from the misuse of digital technologies and inadequate resilience.

This second edition of the Guide could not come at a more critical time. The updated content reflects the complex and evolving nature of cyberspace, as well as the main trends that can impact cybersecurity and should, therefore, be included into national strategic planning. The objective of the Guide is to instigate strategic thinking and continue supporting national leaders and policy-makers in the ongoing development, establishment, and implementation of such national cybersecurity strategies and policies. We are confident that this new Guide will serve as a useful tool for all stakeholders with cybersecurity responsibilities.

The purpose of the report is to guide national leaders and policy-makers in the development of a National Cybersecurity Strategy, and in thinking strategically about cybersecurity, cyber-preparedness and resilience.

This Guide aims to provide a useful, flexible and user-friendly framework to set the context of a country’s socio-economic vision and current security posture and to assist policy-makers in the development of a Strategy that takes into consideration a country’s specific situation, cultural and societal values, and that encourages the pursuit of secure, resilient, ICT-enhanced and connected societies.

The Guide is a unique resource, as it provides a framework that has been agreed on by organisations with demonstrated and diverse experience in this topic area and builds on their prior work in this space. As such, it offers the most comprehensive overview to date of what constitutes successful national cybersecurity strategies.

Leave a comment , ,

Security Industry raises threat level to Omega Status (Plan for the worst)

Industry News

The Private Security Industry is the largest force in the world, bigger than any police, military unit or navy that is active 24/7. The security industry has been in a constant state of monitoring the threat and on August the 1st 2021 certain things rolled out that confirmed information which set the time clock for using specific second stage research that ended on the 12th of November.

On the 20th of November 2021, the recent biological threat security investigation now dictates that the Omega Status must be enforced based on the monitoring of the viral pattern formation taking into consideration, the human disorder besides other crime related to the threat. Within two days of the status being called for, a variant was identified by South Africa and within hours some countries banned flight travel to and from South Africa. This is even before the world -health organization named the variant which is now named Omicron.

It is the security industry that is implementing the health protocols on the ground but do more. They take the temperatures of people, manage the movement of people and that the populous satanize. They do more because there is crime related to the threat. The practitioners on the ground not only have to find new crime, evolving copycat crime, increased habitual crime, besides handling violent and aggressive behaviour. Furthermore, the practitioners have to protect their companies and sites.

Juan Kirsten Director Genera of ISIO | International Security Industry Organization says,‘’ the Alpha is the leader of the pack, and the Omega is the last born. We have experienced this Alpha beast that is changing at a moments notice in its way of movement and devouring everything in its path. The world is now at a time where the fundamental information gives conclusion to now plan for the worst because we have no idea of when and how the last born will behave’’

Security Success depends on the level of situational awareness of the people on the ground and their reaction speed (Kirsten, J 2018). Authentic situational awareness dictates that the security industry or any practitioner can never afford to be in a state of denial or bias towards any threat. When the industry calls for Omega Threat Status, the members know this is the highest form of threat alert and must be taken seriously!

This knowledge affirms the fact sufficiently to activate the planning and implementation of protocols to limit the level of damage of the Omega Impact (the worst situation)

Taking into consideration two objectives namely,
• the profit protection of security industry practitioners as well as their clients
• limiting the level of collateral damage of the active mutating bio-threat and its tailing threats.

Professional practitioners in this field are realistic and relevant! They consciously accept without bias the fact that the threat in theatre is here to stay and that they need to live with it but - the threat can easily turn nasty based on sound logical thought because of the pattern formation. They know that they must be in Omega Status.

Tony Botes the Administrator of Security Association of South Africa says, ‘’Security practitioners besides all stake holders must realize the importance the security sector as it is now officially on the ground and front line for Chemical, Biological, Radiological or Nuclear Warfare (CBRN). All must know the security protocols and crime related to the threat as to avoid collateral of not only the pandemic but also by citizens for example, anarchy which will cause even more ciaos’’

Professionals know what objectives and goals to focus on and where to obtain reliable information and protocols that they need to be fully versed on. Simply put - It is their obligation to be relevant!

Chairman Kunwar Vikram Singh of India’s Central Association of Private Security Industry (CAPSI) states that ‘’the security and safety professionals are still undermining the bio security threats and not responding the way they should have. They are responsible for millions of people. Political leadership and bureaucrats must realize the gravity of the new security challenges and act fast. Protocols already available by the security industry must be followed by law to save your world’’

View (https://www.human-investigation-management.com/cbts-certified-for-biological-threat-security/ )the knowledge and skills to set protocols to plan for the worst and actions to take for profit protection for the Omega Impact.

Presented by the following representing 9.15 Million Security Practitioners
Juan Kirsten Director General ISIO | International Security Industry Organization,
Kunwar Vikram Singh Chairman CAPSI | Central Association of Private Security Industry
Tony Botes Administrator of SASA | South African Security Association

 

Leave a comment

CISA Should Assess the Effectiveness of its Actions to Support the Communications Sector

Agency News, Industry News, Telecomms sector

The Communications Sector is an integral component of the U.S. economy and faces serious physical, cyber-related, and human threats that could affect the operations of local, regional, and national level networks, according to the Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and sector stakeholders.

The communications sector—comprising mostly private broadcast, cable, satellite, wireless, and wired systems and networks—is vital to national security.

The Cybersecurity and Infrastructure Security Agency supports the security and resilience of this sector, primarily through incident management and information-sharing activities. For instance, the agency coordinates federal activities during severe weather events, and manages cybersecurity programs.

However, the agency has not assessed the effectiveness of its programs and services to support this sector. We recommended that it do so.

In addition, CISA determined that the Communications Sector depends on other critical infrastructure sectors—in particular, the Energy, Information Technology, and Transportation Systems Sectors—and that damage, disruption, or destruction to any one of these sectors could severely impact the operations of the Communications Sector.

CISA primarily supports the Communications Sector through incident management and information-sharing activities, such as coordinating federal activities to support the sector during severe weather events and managing cybersecurity programs, but has not assessed the effectiveness of these actions. For example, CISA has not determined which types of infrastructure owners and operators (e.g., large or small telecommunications service providers) may benefit most from CISA's cybersecurity programs and services or may be underrepresented participants in its information-sharing activities and services. By assessing the effectiveness of its programs and services, CISA would be better positioned to identify its highest priorities.

CISA has also not updated the 2015 Communications Sector-Specific Plan, even though DHS guidance recommends that such plans be updated every 4 years. As a result, the current 2015 plan lacks information on new and emerging threats to the Communications Sector, such as security threats to the communications technology supply chain, and disruptions to position, navigation, and timing services. Developing and issuing an updated plan would enable CISA to set goals, objectives, and priorities that address threats and risks to the sector, and help meet its sector risk management agency responsibilities.

GAO is making three recommendations to CISA, including that CISA assess the effectiveness of its support to the Communications Sector, and revise its Communications Sector-Specific Plan. The Department of Homeland Security concurred with the recommendations. The Department of Commerce and the Federal Communications Commission did not provide comments on the draft report.

The Director of CISA should assess the effectiveness of CISA's programs and services to support the Communications Sector, including developing and implementing metrics and analyzing feedback received from owners and operators, to determine the usefulness and relevance of its activities to support sector security and resilience. (Recommendation 1)

The Director of CISA should complete a capability assessment for Emergency Support Function #2, such as establishing requirements, maintaining a list of current capabilities, and conducting a capability gap analysis to identify if and where other resources may be needed. (Recommendation 2)

The Director of CISA, in coordination with public and private Communications Sector stakeholders, should produce a revised Communications Sector-Specific Plan, to include goals, objectives, and priorities that address new and emerging threats and risks to the Communications Sector and that are in alignment with sector risk management agency responsibilities. (Recommendation 3)

Leave a comment , , ,

Risk Management: Helping the EU Railways Catch the Cybersecurity Train

Agency News, Cyber Security CII sector, Industry News

European railway undertakings (RUs) and infrastructure managers (IMs) need to address cyber risks in a systematic way as part of their risk management processes. This need has become even more urgent since the Network and Information Security (NIS) Directive came into force in 2016.

Objectives of the Railway Cybersecurity report

The purpose of the report is to provide European RUs and IMs with applicable methods and practical examples on how to assess and mitigate cyber risks.

The good practices presented are based on feedback from railway stakeholders. They include tools, such as assets and services list, cyber threat scenarios and applicable cybersecurity measures, based on the standards and good practices used in the sector. These resources can be used as a basis for cyber risk management for railway companies. They are therefore intended to be a reference point and to promote collaboration between railway stakeholders across the EU while raising awareness on relevant threats.

The main takeaways

  • Existing risk management approaches vary for railway IT and OT systems

For the risk management of railway Information Technology (IT) systems, the most cited approaches were the requirements of NIS Directive at a national level, the ISO 2700x family of standards, and the NIST cybersecurity framework.

For Operational Technology (OT) systems, the frameworks cited were ISA/IEC 62443, CLC/TS 50701, and the recommendations of the Shift2Rail project X2Rail-3, or the ones from the CYRail Project.

Those standards or approaches are often used in a complementary way to adequately address both IT and OT systems. While IT systems are normally evaluated with broader and more generic methods (such as ISO 2700x or NIS Directive), OT systems need specific methods and frameworks that have been designed for industrial train systems.

There is no unified approach available to railway cyber risk management yet. Stakeholders who participated in this study indicated that they use a combination of the abovementioned international and European approaches to tackle risk management, which they then complement with national frameworks and methodologies.

  • Asset taxonomies

For RUs and IMs to manage cyber risks, identifying what needs protection is essential. In this report, a comprehensive list is broken down to 5 areas; the services that stakeholders provide, the devices (technological systems) that support these services, the physical equipment used to provide these services, the people that maintain or use them, and the data used.

  • Threats taxonomies and risk scenarios

RUs and IMs need to identify which cyber threats are applicable to their assets and services. The report reviews available threat taxonomies, and provides a list of threats that can be used as the basis.

Examples of cyber risk scenarios are also analysed, which can assist railway stakeholders when performing a risk analysis. They show how asset and threat taxonomies can be used together and are based on the known incidents of the sector and the feedback received during the workshops.

  • Applying cybersecurity measures

Each scenario is associated with a list of relevant security measures. The report includes cybersecurity measures derived from the NIS Directive, current standards (ISO/IEC 27002, IEC 62443) and good practises (NIST’s cybersecurity framework).

Leave a comment , , , ,

Joint global ransomware operation sees arrests and criminal network dismantled

Agency News, Cyber Security CII sector, Industry News

A four-year operation across five continents has disrupted a ransomware cybercrime gang and seen the arrest of seven suspects believed to be behind global malware crime operations.

Codenamed ‘Quicksand’ (GoldDust) and carried out by 19 law enforcement agencies in 17 countries, the transcontinental operation saw officers collect and examine intelligence to establish a global threat picture about attacks by ransomware families - particularly GandCrab and Revil-Sodinokibi - and the suspects behind them.

The organized crime group that used these malwares is known for breaking into business and private networks using a range of infiltration techniques, and then deploying ransomware against their victims. The ransomware then encrypts files which are then used to blackmail companies and people into paying huge ransoms.

The suspects arrested during Operation Quicksand are suspected of perpetrating tens of thousands of ransomware infections and demanding more than EUR 200 million in ransom
Tangible results: multiple arrests worldwide

Intelligence exchanged during the operation enabled:

- Korean law enforcement to arrest three suspects in February, April and October;
- Kuwaiti authorities to arrest a man thought to have carried out ransomware attacks using the GandGrab ransomware;
- Romanian authorities to arrest two individuals suspected of ransomware cyber-attacks and believed to be responsible for 5,000 infections as well as half a million euros profit in ransom payments;
- The arrest of a man believed to be responsible for the Kaseya ransomware attack, thought to have been carried out last July by the REvil gang with more than 1,500 people and 1,000 businesses affected worldwide.

“Ransomware has become too large of a threat for any entity or sector to address alone; the magnitude of this challenge urgently demands united global action which INTERPOL can uniquely facilitate as a neutral and trusted global partner,” said INTERPOL Secretary General Jürgen Stock.

“Policing needs to harness the insights of the cyber security industry to identify and disrupt cyber criminals as part of a true coalition, working together to reduce the global impact of ransomware cybercrime,” added the Secretary General.

A powerful global coalition

A joint INTERPOL-Europol operation, Quicksand was coordinated from INTERPOL’s Cyber Fusion Centre in Singapore where stakeholders shared live intelligence in an interactive and secure environment via INTERPOL’s global network and capabilities.

Through INTERPOL’s Gateway project, INTERPOL’s private partners Trend Micro, CDI, Kaspersky Lab and Palo Alto Networks also contributed to investigations by sharing information and technical expertise.
Gateway boosts law enforcement and private industry partnerships to generate threat data from multiple sources and enable police authorities to prevent attacks.

Bitdefender supported operations by releasing tailor-made decryption tools to unlock ransomware and enable victims to recover files. These innovative tools enabled more than 1,400 companies to decrypt their networks, saving them almost EUR 475 million in potential losses.

Leave a comment , , , ,

IOCTA 2021 unveils the most recent cyber threat (r)evolutions

Agency News, Cyber Security CII sector, Industry News

The accelerated digitalisation related to the COVID-19 pandemic has significantly influenced the development of a number of cyber threats, according to the new edition of Europol’s Internet Organised Crime Threat Assessment. Criminals have been quick to abuse the current circumstances to increase profits, spreading their tentacles to various areas and exposing vulnerabilities, connected to systems, hospitals or individuals. While ransomware groups have taken advantage of widespread teleworking, scammers have abused COVID-19 fears and the fruitless search for cures online to defraud victims or gain access to their bank accounts. The increase of online shopping in general has attracted more fraudsters. With children spending a lot more time online, especially during lockdowns, grooming and dissemination of self-produced explicit material have increased significantly. Grey infrastructure, including services offering end-to-end encryption, VPNs and cryptocurrencies continue to be abused for the facilitation and proliferation of a large range of criminal activities. This has resulted in significant challenges for the investigation of criminal activities and the protection of victims of crime.

In addition to expanding the efforts to tackle these threats from a law enforcement perspective, it is crucial to add another level of protection in terms of cybersecurity. The implementation of measures such as multi-factor authentication and vulnerability management are of utmost importance to decrease the possible exposure to cyber threats. Awareness raising and prevention are key components in reducing the effectiveness of cyberattacks and other cyber enabled criminal activities.

The key threats:

- Ransomware affiliate programs enable a larger group of criminals to attack big corporations and public institutions by threatening them with multi-layered extortion methods such as DDoS attacks.
- Mobile malware evolves with criminals trying to circumvent additional security measures such as two-factor authentication.
- Online shopping has led to a steep increase in online fraud.
- Explicit self-generated material is an increasing concern and is also distributed for profit.
- Criminals continue to abuse legitimate services such as VPNs, encrypted communication services and cryptocurrencies.

The new edition of Europol’s Internet Organised Crime Threat Assessment, launched today, looks into the (r)evolutionary development of these trends, catalysed by the expanded digitalisation of recent years. The report was presented during the Europol-INTERPOL Cybercrime Conference. The conference gathered about 100 experts together to share their insights into the latest cybercrime trends and threats and to discuss how innovation is essential in countering cybercrime acceleration.

Leave a comment , , ,

Joint Research Centre launches a revolutionary tool for monitoring ongoing floods worldwide as part of the Copernicus Emergency Management Service

Agency News, Industry News, Water sector

The European Commission’s Joint Research Centre (JRC) unveiled the beta version of the Global Flood Monitoring (GFM) tool, unique for its capacity to process all data received by the Copernicus Sentinel-1 satellites.

Making use of the synthetic aperture radar of Sentinel-1 that enables image acquisitions regardless of weather or daylight conditions, this tool will improve both the emergency response and the prevention for future floods worldwide.

It produces flood monitoring maps within less than 8 hours after the satellite has acquired the image at a spatial resolution of 20m at global level.

For Europe, the tool can provide updated flood monitoring maps every 1-3 days whereas for areas outside Europe updating of the flood maps may take between 6-12 days depending on the Sentinel-1 schedule.

The tool is currently accessible through the map viewer of the Global Flood Awareness System (GloFAS) of the Copernicus Emergency Management Service (CEMS) and will be, at a later stage, also available through the map viewer of the European Flood Awareness System (EFAS).

The monitoring of the ongoing floods using satellite data from GFM, complements the flood forecasts of EFAS and GloFAS that are calculated using weather predictions and a hydrological model.

The combination of both tools within one interface enables its users to better support the preparedness of an upcoming flood (forecasts) as well as the response to an ongoing flood event (monitoring). This constant, global, high-resolution monitoring represents a significant progress in the EU’s disaster awareness and prevention.

The results produced by GFM can be used for planning and coordinating emergency response to an ongoing flood or for supporting the international help in affected areas. In addition, the archive of the GFM, which contains flood monitoring maps derived from the processing of all Sentinel-1 data starting 1.

January 2015, enables decision makers to improve prevention plans to avoid or to reduce the impact of future floods and scientists to use the dataset of GFM to validate or calibrate models for improving predictions of impacts of floods under climate change.

The GFM is the result of years of scientific development of the JRC and partners (Earth Observation Data Center, Technical University of Vienna, Luxembourg Institute of Science and Technology, Deutsches Zentrum fuer Luft und Raumfahrt, Geoville, CIMA Research Foundation). This latest addition to the CEMS portfolio of products is launched during the CEMS Days, an event bringing together users of the CEMS tools to discuss the service and its evolution.

During the CEMS days, the JRC also presented the Global Human Settlement Layer (GHSL), which produces global spatial information about the human presence on the planet over time. GHSL has now been added to the CEMS suite of tools, as a new ‘exposure mapping’ component. Detailed information on exposure is fundamental to adequately managing crisis and disaster risk.

The GHSL provides highly accurate information derived from satellite and census data. It can help in answering questions like: how many people are living in the flooded areas? Or: how many settlements and people will be affected by a cyclone?

This information will be used in the on-demand mapping and early warning and monitoring components of CEMS. The information is also useful for a wide range of domains, from monitoring urbanisation to the progress towards the Sustainable Development Goals.

Leave a comment , ,

CISA Releases Directive on Reducing the Significant Risk of Known Exploited Vulnerabilities

Agency News, Cyber Security CII sector, Industry News

The Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities, to drive urgent and prioritized remediation of vulnerabilities that are being actively exploited by adversaries. The Directive establishes a CISA-managed catalog of known exploited vulnerabilities and requires federal civilian agencies to remediate such vulnerabilities within specific timeframes.

CISA issued BOD 22-01 to drive federal agencies to mitigate actively exploited vulnerabilities on their networks, sending a clear message to all organizations across the country to focus patching on the subset of vulnerabilities that are causing harm now, and enable CISA to drive continuous prioritization of vulnerabilities based on our understanding of adversary activity. The Directive applies to all software and hardware found on federal information systems, including those managed on agency premises or hosted by third parties on an agency’s behalf. With this Directive, CISA is imposing the first government-wide requirements to remediate vulnerabilities affecting both internet-facing and non-internet facing assets.

“Every day, our adversaries are using known vulnerabilities to target federal agencies. As the operational lead for federal cybersecurity, we are using our directive authority to drive cybersecurity efforts toward mitigation of those specific vulnerabilities that we know to be actively used by malicious cyber actors,” said CISA Director Jen Easterly. “The Directive lays out clear requirements for federal civilian agencies to take immediate action to improve their vulnerability management practices and dramatically reduce their exposure to cyber attacks. While this Directive applies to federal civilian agencies, we know that organizations across the country, including critical infrastructure entities, are targeted using these same vulnerabilities. It is therefore critical that every organization adopt this Directive and prioritize mitigation of vulnerabilities listed in CISA’s public catalog.”

With over 18,000 vulnerabilities identified in 2020 alone, organizations in the public and private sector find it challenging to prioritize limited resources toward remediating the vulnerabilities that are most likely to result in a damaging intrusion. This Directive addresses this challenge by driving mitigations of those vulnerabilities that are being actively exploited to compromise federal agencies and American businesses, building upon existing methods widely used to prioritize vulnerabilities by many organizations today.

This Directive applies to federal civilian agencies however, CISA strongly recommends that private businesses and state, local, tribal and territorial (SLTT) governments prioritize mitigation of vulnerabilities listed in CISA’s public catalog and sign up to receive notifications when new vulnerabilities are added.

Leave a comment , , ,

Joint global ransomware operation sees arrests and criminal network dismantled

Agency News, Cyber Security CII sector, Industry News

A four-year operation across five continents has disrupted a ransomware cybercrime gang and seen the arrest of seven suspects believed to be behind global malware crime operations.

Codenamed ‘Quicksand’ (GoldDust) and carried out by 19 law enforcement agencies in 17 countries, the transcontinental operation saw officers collect and examine intelligence to establish a global threat picture about attacks by ransomware families - particularly GandCrab and Revil-Sodinokibi - and the suspects behind them.

The organized crime group that used these malwares is known for breaking into business and private networks using a range of infiltration techniques, and then deploying ransomware against their victims. The ransomware then encrypts files which are then used to blackmail companies and people into paying huge ransoms.

The suspects arrested during Operation Quicksand are suspected of perpetrating tens of thousands of ransomware infections and demanding more than EUR 200 million in ransom

Intelligence exchanged during the operation enabled

- Korean law enforcement to arrest three suspects in February, April and October;
- Kuwaiti authorities to arrest a man thought to have carried out ransomware attacks using the GandGrab ransomware;
- Romanian authorities to arrest two individuals suspected of ransomware cyber-attacks and believed to be responsible for 5,000 infections as well as half a million euros profit in ransom payments;
- The arrest of a man believed to be responsible for the Kaseya ransomware attack, thought to have been carried out last July by the REvil gang with more than 1,500 people and 1,000 businesses affected worldwide.

“Ransomware has become too large of a threat for any entity or sector to address alone; the magnitude of this challenge urgently demands united global action which INTERPOL can uniquely facilitate as a neutral and trusted global partner,” said INTERPOL Secretary General Jürgen Stock.

“Policing needs to harness the insights of the cyber security industry to identify and disrupt cyber criminals as part of a true coalition, working together to reduce the global impact of ransomware cybercrime,” added the Secretary General.

A joint INTERPOL-Europol operation, Quicksand was coordinated from INTERPOL’s Cyber Fusion Centre in Singapore where stakeholders shared live intelligence in an interactive and secure environment via INTERPOL’s global network and capabilities.

Through INTERPOL’s Gateway project, INTERPOL’s private partners Trend Micro, CDI, Kaspersky Lab and Palo Alto Networks also contributed to investigations by sharing information and technical expertise.
Gateway boosts law enforcement and private industry partnerships to generate threat data from multiple sources and enable police authorities to prevent attacks.

Bitdefender supported operations by releasing tailor-made decryption tools to unlock ransomware and enable victims to recover files. These innovative tools enabled more than 1,400 companies to decrypt their networks, saving them almost EUR 475 million in potential losses.

KPN, McAfee, S2W helped investigations by providing cyber and malware technical expertise to INTERPOL and its member countries.

Operation Quicksand continues to supply evidence that is feeding into further cybercrime investigations and enabling the international police community to disrupt numerous channels used by cybercriminals to launder cryptocurrency and commit ransomware crime.

With the combined global financial impact in ransom payments from ransomware families believed to be within the billions of dollars and thousands of victims worldwide, INTERPOL’s private partners and member countries work together to provide support to victims hit by the ransomware.

Research from Chainalysis found that criminals made USD 350 million in 2020 from ransomware payments, representing an increase of 311 per cent in one year. Over the same period, the average ransom payment increased by 171 per cent, according to Palo Alto Networks.

Leave a comment , , ,

12 targeted for involvement in ransomware attacks against critical infrastructure

Agency News, Cyber Security CII sector, Industry News

A total of 12 individuals wreaking havoc across the world with ransomware attacks against critical infrastructure have been targeted as the result of a law enforcement and judicial operation involving eight countries.

These attacks are believed to have affected over 1 800 victims in 71 countries. These cyber actors are known for specifically targeting large corporations, effectively bringing their business to a standstill.

The actions took place in the early hours of 26 October in Ukraine and Switzerland. Most of these suspects are considered high-value targets because they are being investigated in multiple high-profile cases in different jurisdictions.

As the result of the action day, over USD 52 000 in cash was seized, alongside 5 luxury vehicles. A number of electronic devices are currently being forensically examined to secure evidence and identify new investigative leads.

The targeted suspects all had different roles in these professional, highly organised criminal organisations. Some of these criminals were dealing with the penetration effort, using multiple mechanisms to compromise IT networks, including brute force attacks, SQL injections, stolen credentials and phishing emails with malicious attachments.

Once on the network, some of these cyber actors would focus on moving laterally, deploying malware such as Trickbot, or post-exploitation frameworks such as Cobalt Strike or PowerShell Empire, to stay undetected and gain further access.

The criminals would then lay undetected in the compromised systems, sometimes for months, probing for more weaknesses in the IT networks before moving on to monetising the infection by deploying a ransomware. These cyber actors are known to have deployed LockerGoga, MegaCortex and Dharma ransomware, among others.

The effects of the ransomware attacks were devastating as the criminals had had the time to explore the IT networks undetected. A ransom note was then presented to the victim, which demanded the victim pay the attackers in Bitcoin in exchange for decryption keys.

A number of the individuals interrogated are suspected of being in charge of laundering the ransom payments: they would funnel the Bitcoin ransom payments through mixing services, before cashing out the ill-gotten gains.
International cooperation

International cooperation coordinated by Europol and Eurojust was central in identifying these threat actors as the victims were located in different geographical locations around the world.

Initiated by the French authorities, a joint investigation team (JIT) was set up in September 2019 between Norway, France, the United Kingdom and Ukraine with financial support of Eurojust and assistance of both Agencies. The partners in the JIT have since been working closely together, in parallel with the independent investigations of the Dutch and U.S. authorities, to uncover the actual magnitude and complexity of the criminal activities of these cyber actors to establish a joint strategy.

Eurojust established a coordination centre to facilitate cross-border judicial cooperation during the action day. In preparation of this, seven coordination meetings were held.

Europol’s European Cybercrime Centre (EC3) hosted operational meetings, provided digital forensic, cryptocurrency and malware support and facilitated the information exchange in the framework of the Joint Cybercrime Action Taskforce (J-CAT) hosted at Europol’s headquarters in The Hague.

Leave a comment , , ,
1 26 27 28 29 30 60