The Canadian Communications Security Establishment said that if had conducted “foreign cyber operations” to “impose a cost” against hackers, in its first admission of offensive action against ransomware operators. The CSE was acting according to a mandate introduced by the government in 2019 that allowed it to conduct operations against overseas activists, provided that Canadian citizens or residents were not targeted.
In a statement to Canadian TV company Global News, CSE spokesman Evan Koronewski said “Although we cannot comment on our use of foreign cyber operations, or provide operational statistics, we can confirm we have the tools we need to impose a cost on the people behind these kinds of incidents.” He added, without providing any further details: “We can also confirm we are using these tools for such purposes.”
The willingness of national security agencies to take public action against foreign operatives comes in the wake of attacks on critical national infrastructure like the Colonial Pipeline. In an interview with the New York Times, the director of the National Security Agency (NSA), General Paul Nakasone, said that the agency was aggressively targeting criminals, as well as state-sponsored hackers — although the lines can be blurred.
Attacks are certainly rampant. According to a just-published survey from CrowdStrike, two-thirds of over 2,000 respondents had suffered a ransomware attack in the past year. And they’re hitting companies in the pockets, the average cost of every attack is nearly $2 million, with US companies particularly heavily hit, with an average ransomware payment of $2.35 million; European businesses are typically forking out $1.34 million.
The CrowdStrike research found that businesses are getting hit twice over. Cyber criminals are not only demanding a ransom to decrypt the data but they are also threatening to leak or sell confidential corporate data unless an additional fee is paid – about $800,000 on average.
What makes matters worse is that companies are increasingly finding it taking longer to identify attacks. Respondents said it would take 146 hours to detect a cybersecurity incident, a sharp increase from the 117 hours it took in 2020. And, as a sign of how the Covid pandemic is affecting security, 69% of respondents said that their company had been hit because of the number of employees working remotely.
As a sign of how ransomware is affecting everyday life. Last weekend, UK supermarket chain Spar had to close several of its stores when its IT services provider James Hall & Co was hit by a ransomware attack.
British cyber agencies have warned of the dangers of such attacks. In October, GCHQ said that ransomware attacks in the UK had doubled in the past year, while the head of the National Cyber Security Centre warned that Russia was behind most of the threats. But not everyone is gung-ho about offensive action.
“Ransomware is proliferating – the reason it is proliferating is because it works; it just pays.”
That was Sir Jeremy Fleming, Director of GCHQ, speaking at the Cipher Brief Annual Threat Conference in October 2021. As he put it: “In the shorter term we’ve got to sort out ransomware and that is no mean feat in itself. We have to be clear on the red lines and behaviours that we want to see, we’ve got to go after those links between criminal actors and state actors and impose costs where we see that.”
He was speaking days after a multi-country operation against the ransomware group REvil. A leadership figure known as “0_neday,” said REvil’s Tor-based portal had been hacked by an unnamed party: “The server was compromised, and they were looking for me,” 0_neday wrote on a cybercrime forum in early October, as first spotted by security firm Recorded Future. “Good luck, everyone; I’m off.” (That campaign was followed by arrests and indictments led by the US Department of Justice announced on Monday November 8, 2021).
As Fleming emphasised, however: “Sorting that out isn’t anymore the preserve of spy agencies or niche security organisations it’s a genuine public, private and international partnership and getting that right is probably the single most important thing we could do” — with the GCHQ director striking a counterbalancing cautionary note to the more gung-ho of his colleagues in national security, saying “with due respect to all of my military colleagues on both sides of the pond there is real danger of over-militarising the cyber domain…”