The new age threat actors also steal company information for greater leverage and then threaten to leak them if they don’t pay
Millions of people across India have been working from home ever since the covid-19 outbreak, using Wi-Fi networks and devices that may not be fully secure. This has widened the attack surface, resulting in an increase in cases of cyberattacks.
After the cyberattack on Cognizant, several organisations, including Indiabulls Group and National Highways Authority of India (NHAI), have been targeted by ransomware attacks.
Though NHAI maintains no data was lost from the email servers that were targeted, Maze ransomware operators, behind the attack, have released files worth 2GB on Dark Web claiming that it is only 5% of what they have stolen.
Welcome to the new breed of cybercriminals. Unlike traditional ransomware attackers who would infiltrate into company systems, block critical services and then wait for payment, the new age threat actors also steal company information for greater leverage and then threaten to leak them if they don’t pay.
“Data breach is a big deal which brings with it regulatory oversight as well as hefty potential costs if any customer information is found to be part of the stolen data,” said Sunil Sharma, managing director sales, India & SAARC, Sophos.
The recent advances in cybersecurity have forced cybercriminals to innovate and switch to new techniques and evolve along with the security industry. “Cyber security products have improved greatly in last few years. And so have cybercriminals. Improvements in cyber security products meant that regular attack techniques don’t work anymore; that necessitated them to innovate and come up with mechanisms to evade protection layers,” said Himanshu Dubey, director, Quick Heal Security Labs.
Dubey explains, established threat actors now offer malware-as-a-service and ransomware-as-a-service which can be bought by cybercriminals. They also sell new exploits / vulnerabilities, which are not publicly known along with other sensitive information related to target organization. This fuels cybercrime economy, which in turn results in even more products and services being made available.
Further, phishing scams are becoming more sophisticated. For instance, in many of the recent phishing campaigns, attackers used fake domain names and logos of legitimate organisations such as World Health Organisation and CDC (Centre for Disease Control) to trick users into clicking on a malicious links or attachments. In June CERT-In had also issued an advisory warning public of phishing attacks impersonating government agencies and department.
Some of these campaigns are targeting large organisations by sending emails to their senior executives. The emails would look genuine, have business and financial information in context with recent developments and sent in the name of company CEO or someone higher in the company hierarchy. Cybersecurity firm Agari recently detected one such campaign, named Cosmic Lynx, with alleged Russian link, and which has been used to target senior executives in 46 countries.
Many of the attackers are now working with state backed threat actors who have the resources to carry out large scale attacks. According to cyber intelligence form Cyfirma, which detected the conspiracy by Chinese hacker to target Indian government, media houses and private companies, some of threat actors involved had links to China backed hacker groups Gothic Panda and Stone Panda.
Faced with this new breed of smarter cybercriminals, organisations with minimal spending on cybesecurity are far more exposed. But no company is completely secure. “Realistically, nobody can claim to be 100% safe from cyberattacks. As history has shown, cyber criminals have been able to find ways to attack even the well protected. It’s imperative for organizations to be prepared for potential breaches and have an action plan to deal with them,” said Dubey.
Experts believe strong cybersecurity policy and adoption of a multi-layered approach covering endpoints, network, data and mobility is required. Organisations should spend on security solutions that can detect known and previously unseen malware. Regular audit of security infrastructure and training employees in basic nuances of cybersecurity hygiene can help improve security posture of an organisation.
According to a June report by EY, only 56% Indian organisations train employees as per the international standards of data privacy, only 32% had incident response plan in case of a data breach and only 47% regularly conduct data security audits of their supply chain partners.