It has been discovered that the cyber hacking group Turla is targeting the UK with updated variants of Neuron and Nautilus, a type of malware designed to embed itself into compromised networks and stealthily conduct espionage. The UK’s National Cyber Security Centre (NCSC) has issued a warning that Turla is deploying a new version of Neuron which has been modified to evade discovery. IT security experts commented below.
Israel Barak, CIO at Cybereason:
“Critical infrastructure is the soft underbelly of any developed society, and the UK has indeed been lucky to escape the wave of attacks in countries around the world.
An attack on energy, transport, finance or health infrastructure will have a serious economic impact on a nation and can easily threaten human lives. Energy infrastructure in particular is especially vulnerable, with malware such as Trisis, BlackEnergy and Stuxnet causing emergency shutdowns.
It’s also been made abundantly clear that our electoral systems are extremely vulnerable to interference from cyber threat actors, whether they are nation states, opposing political parties, or an individual citizen from inside the country.
It doesn’t take much to create a high-impact cyber operation that is capable of crippling national infrastructure. The right individual with a computer can create the next generation of Advanced Persistent Threat, while advanced malware strains are increasingly available as a commodity on the dark web. The next big attack may not come from a rival or rogue nation state, but from a terrorist organisation or even a single individual.
However, the UK, as with most nations, has invested heavily in protecting classified networks and weapon systems, but security for critical infrastructure is usually handled by private organisations. We need to see stronger government regulation and guidance to ensure that high priority targets such as transport and energy are well protected.
Organizations and government agencies should have the ability today to detect threats to their personal information and critical infrastructure inside their network in real time, so they can respond quickly before there is an escalation and possible data exfiltration. Without that expectation, expect to be breached. Advanced detection and response technologies will give organisations the ability to meet the attacker head on before any actual damage is done.”
Bill Evans, Senior Director at One Identity:
“Recently the head of the UK’s NCSC warned that a cyber attack on the UK is a matter of when, not if. Ciaran Martin went on to claim that the UK had not yet been the target of a C1 attack, which is defined as an attack that might cripple infrastructure.
The UK should count itself lucky.
Several countries in Europe and the US have already faced such attacks.
Martin goes on to admit that some attacks will get in – the goal is to limit the damage. While that’s true, it’s wise to consider both sides of that action – prevention and remediation.
On the prevention side, there are a number of activities that businesses and agencies must take to secure their applications and data. Those include: end user education to limit the success of phishing attacks, multi-factor authentication, true governance of access and privileged account management to protect the most powerful administrative accounts.
On the remediation side, having a plan is paramount. Being able to understand when you are being attacked swiftly is a top concern. Once you know you are being attacked, how you can quarantine the threat while at the same time continuing to provide services, especially in the area of governmental infrastructure, is the top concern.
Based on my experience and a distillation of the interview with Martin, it seems the UK is in good hands. Martin doesn’t have delusions that threats won’t target the UK nor that they can be completely defeated. This is the right approach.”
Joseph Carson, Chief Security Scientist at Thycotic:
“Cyberattacks have already been happening; the biggest issue is determining who and if a nation state was behind the cyberattacks. Attribution is one of the most difficult tasks in cybercrime, and when cyberattacks cross borders without full cooperation of the foreign government or nation state it is difficult to affirm who was sitting at the keyboard and who was instructing them to carry out the instructions. Yes, sometimes attribution back to a single computer is enough to put pressure on an individual; however, is it enough to claim it was directed by a nation state?
So, when Gen Sir Nick Carter calls for more defence spending, Cybersecurity has been lacking for many years and the importance to step up Cyber Readiness and Response is crucial in the stability of both the UK democracy and economy.
With so many cyberattacks increasing at an astonishing rate and many of them crossing nation state borders via cyberspace in a hyper connected world – what type of cyber-attack should be considered an act of war? And when should governments hold other nation states responsible for the actions of their citizens? Cybersecurity is no longer just a technology challenge, it is a challenge for everybody who uses and interacts with technology daily. The protection and security of both your work and personal life are no longer separated and they have been intertwined with evolving trends of social networks, the internet of things and unlimited connectivity. Because of this it means that cybersecurity is no longer just the responsibility of the company IT department or the government but it is now the responsibility of every employee/citizen not just to protect your work assets, your personal data as well and ultimately our way of life.
Information cyberwars have now become a major disruption to our way of life, filling our daily news and feeds with fake information to influence our actions and change the outcome of important and vital decisions. Rather than focusing on important citizens’ needs like tax, health and education, many governments are now embroiled in trust and transparency challenges caused by the continuous disruption from cyber-attacks.
In Europe, recently the European Union member states have drafted a political document which states that any serious cyber-attacks from a foreign nation state can be constituted as an act of war. Should other nation states follow the same stance to protect their citizens in cyberspace? We have seen real-world damage caused by such attacks, for example the attack on the Ukrainian Energy sector that shut down the power to 86,000 homes, or hospital devices hit with Ransomware causing state of emergencies being declared since the hospitals were unable to continue critical services. Democracy itself has been targeted with many countries’ election process being at the end of information wars.
One thing that is clear is that cyberattacks are crossing country borders and disrupting our way of life. What is difficult and challenging with many cyberattacks is attribution is almost impossible without nation state cooperation and transparency. We hear about cyber-criminal groups that are behind many of the major cyber incidents in recent years whether it was a major data breach, ransomware or government agencies classified data being targeted. Several companies and governments have linked these cybercriminal groups to nation states though without revealing concrete evidence and those nation states denying any involvement. Without clear cooperation and transparency this will continue to grow as a major problem with a possibility of a full cyberwar as retaliation.
To prevent such a major catastrophe from occurring, governments and nation states need to work together with full cooperation and transparency to ensure that cyber attribution is possible and hold each other responsible for the actions of criminal organisations carrying out cyber-attacks from within their borders. It is important that governments do not provide a safe haven for cybercriminals to carry out such attacks especially when they are doing it for both financial, political gains and extreme aggression.
Trust has become an issue in cyberspace and information wars are in full effect with clear intention of political and social disruption that should be considered an intent of war using extreme aggression. It is time for governments to act, protect democracy and our way of life.”
James Lyne, Head of Research and Development at SANS Institute:
“Whitehall continues to warn that a major cyber-attack in the UK is a matter of if and not when. Last night, not only did the Head of NCSC Ciaran Martin reaffirm this, but General Sir Nick Carter, Chief of the General Staff did too. Category one, or C1, cyberattacks from external forces are now anticipated, rather than theorised. Ciaran Martin stated that when attacks get through, what organisations need to do is “cauterise the damage”. This needs to go beyond technology, which can be bought, updated, and deployed as a shield against attack. Instead, it needs to extend to people – the real weapon in the ongoing cyber fight. There’s a reason why phishing is such a lucrative tool in the cybercriminal’s armoury. It targets the weakest link in the chain – humans.
“To edge the fight in our favour, organisations need to be looking at the correct training of every employee to better respond to and stamp out the impacts of attack on an organisation. This means cybersecurity will no longer be the realm of IT departments – all employees, including the C-Suite, through to HR and the wider workforce will be required to know how to prevent hackers from penetrating the corporate network. Investing in people takes time, but it’s time well-spent.
“Starting to make everyone across the organisation aware of cyber threats is paramount to help begin the process of creating a far safer United Kingdom to live and do business in. While education will never be the absolute cure, it will stem the tide of breaches and cyber incidents that have plagued our digital age. We need to start taking cyber security more seriously, and ensure we’re equipping our current and future workforces – tapping into talent old and young, regardless of gender – to help present a united front online. Cybercriminals will not and do not make exceptions for those they target, and organisations of every level shouldn’t do the same with those they train.”
Kevin Bocek, Chief Cyber-Security Strategist at Venafi:
“Martin is absolutely right – it’s only a matter of time until the UK suffers a crippling attack. Adversaries have already tried to manipulate elections and target critical infrastructure in Europe and the US. Escalation of hostilities – whether criminal or by nations – is one of the most basic rules of human history. Much of the reason the UK is so vulnerable is that many organisations – both in the public and private sectors – are simply bad at doing the basics right. With security teams being pulled from pillar to post by constant attacks, they don’t have the time to take care of a number of key precautions. It’s precisely these oversights which can let attackers in!
“For example the defences most organisations have in place are useless against a whole new set of attacks involving machines and their use of encryption. Last year around 40% of attacks came through encrypted traffic, a figure that would be unthinkable if organisations had a proper grip of what machines encrypting communications should be trusted or not.
“It’s these failures to sort out cyber-security basics which make Martin’s prediction of a C1 level attack within the next 2 years all the more likely to come true. What’s more, given that many of these issues can be automated, fixing the problem doesn’t even involve taking analysts away from tackling live threats. Martin’s warning should be a reminder for all organisations, particularly those responsible for our critical infrastructure, to get a handle on these processes immediately – otherwise they are simply laying out the red carpet for those who want to do us harm.”
Andy Miles, CEO at ThinkMarble:
“The comments from Ciaran Martin come as no real surprise to those already on the front line and tackling the challenges of protecting organisations from increasingly stealth-like hackers. As recently as yesterday we’ve seen new customers become victims of cyber-attack, the root cause being human failing and attackers using known vulnerabilities to gain access to organisations through the use of phishing e-mails.
Our penetration testers were on site performing an internal test yesterday for a small company of 50 users, which demonstrates that this affects businesses of all sizes and not just larger entities, and within two hours of the test they had gained access to the finance team and were able to watch the banking transactions. There needs to be a greater level of awareness within organisations as to how to protect their networks and stay on top of basic cyber hygiene best practices, as advocated by the NCSC, such as patching, so they don’t become the pivot point for the larger Category One type cyber attacks that Ciaran refers to. We’ve already seen some evidence of other governments taking action in locking down potentially critical routes into sensitive networks, for example, another client who has a presence in China appears to have had external communication with their server blocked – quite possibly as part of the recent clamp down by the Chinese Government on the use of VPN access.
With the GDPR and e-privacy regulations coming into effect in the next 86 working days, the perfect storm is brewing for all sizes of companies.”
Jamie Stone, Vice President of EMEA at Anomali:
“While it is clear that the UK must protect itself against category one (C1) attacks that may cripple critical infrastructure, we must remain vigilant and continue to defend against perceptively smaller attacks (C2) as well. With GDPR coming into effect in May this year, UK organisations will come under increasing scrutiny over their data security and could be crushed by the heavy fines following even a low category strike.
Organisations can implement a number of processes to protect themselves, including swiftly sharing intelligence and operationally collaborating on observed and perceived threats with peers and government alike. This could mean the difference between someone else getting breached and being able to stop it quickly. But first, public and private sector organisations must come together alongside the government to achieve a greater understanding of the cyber security environment. Industry collaboration is crucial to better identify, protect, detect and respond to cyber-attacks.”
Chris Day, Chief Cybersecurity Officer at Cyxtera:
“Mr. Martin’s assertion that a major cyber-attack on the UK is a matter of “when, not if,” is spot on. Everyone in the public and private sectors should adopt that mindset because adversaries don’t discriminate. We’re seeing increasingly bold steps by nation state actors to disrupt everything from the electric grid to elections. Category one (C1) attacks on critical infrastructure have already occurred in places like the Ukraine, and the US has fallen victim to tampering in its democratic processes.
“Governments must shore up security programs to cover both defensive and offensive strategies. Most have done a reasonably good job on the defensive side yet many rely too heavily on outdated security tools. New technologies, like those employing a software defined perimeter (SDP), protect today’s complex, distributed IT environments in ways that traditional methods simply cannot. SDP establishes a secure, one-to-one connection between the user and network only after authenticating what they are entitled to see. Everything else on the network is hidden, which dramatically reduces the attack surface by preventing lateral movement by illegitimate users. From an offensive perspective, there is much work to be done. Most organisations don’t have the internal resources to simulate and assess how far an attacker can go by exploiting even a single vulnerability. My advice is to engage with an offensive-oriented cybersecurity firm that specialises in offensive-based services. Only then can you get a complete picture of risk and work to prevent something as catastrophic as a C1 attack.”
Javvad Malik, Security Advocate at AlienVault:
“While it’s definitely likely that hostile agents would seek to launch an attack on national infrastructure, it’s worth bearing in mind that due to the ever-increasing connected nature of critical national infrastructure, incidents of similar impact can occur through negligence or error. An incorrect patch, poorly designed security controls, lack of assurance, lack of monitoring or environmental awareness are all factors that could contribute to a similar scenario. Just like how we saw in Hawaii, where a poorly designed interface led to a false missile alert being sent out that caused mass panic.”
Chris Doman, Security Researcher at AlienVault:
“Turla are perhaps the most sophisticated group of attackers operating out of Russia – and some of their earliest attacks date back some 25 years.
There is always a difficult decision to be made when making information public – and personally I think it’s a good thing the NCSC is sharing information more publicly. Turla may now continue to evolve their toolset to evade the additional detections, but that will cost them time. Turla seem to have been experimenting with expanding their toolset recently – of which Nautilus and Neuron are part of the result.”
Paul Cant, VP EMEA at BMC Software:
“The last twelve months have certainly been memorable for the cybersecurity industry, with cyber-attacks taking hold on a previously unseen global scale.
International outbreaks like the WannaCry attack that convulsed the National Health Service in the UK and critical national infrastructure overseas last May, and the international spread of the NotPetya ransomware for example, wreaked havoc with digital defences around the world.
When also taking into account the fact that two of the four largest breaches in history took place in the last 16 months (Equifax and FriendFinder), as well as the magnitude of the Yahoo! user accounts breach from three years ago finally having been disclosed, it wouldn’t be unreasonable to expect this trend to continue throughout national infrastructure, businesses and government organisations.
The inordinate quantity of bytes of data continues to grow at an exponential rate – and now amounts to quintillions – meaning that more and more sensitive material is being exposed to breaches by the minute. Notably, the rise of multi-cloud and IoT devices also presents a larger attack surface for hackers to target and lay bare.
Proactivity is the cyber industry’s best friend. Implementing the necessary security measures to ensure sensitive data is protected will be the lever that protects reputations and prevents companies from becoming tomorrow’s next big headline.”
Itsik Mantin, Director of Security Research at Imperva:
“I definitely agree with this analysis. The NSA leak from last year not only released cyber nukes to the wild, exposing the world to cyber-crime attacks of power and volume that were limited in the past to nation-state, but also was a reminder that there is no such thing as unbreakable security. If the attackers won’t find their way in through the fortified perimeter, they will find their way in through social engineering or recruiting an insider. Security officers need not only to invest in building walls to prevent penetration and tools to detect attacks, but also to assume that breaches will happen (if they haven’t happened already), and to focus on post-infection detection and incident response procedures.”
Andy Norton, Director of Threat Intelligence at Lastline:
“It is a numbers game. The UK reported 590 significant cyberattacks last year, of which 30 were rated a C2 event, one level below a C1. If the distribution of national infrastructure events is similar in severity to data breaches, in that 1 in every 32 intrusion incidents go on to be classified as an actual data breach, then a C1 event could happen any time.”