Date added: 2022-05-16
Critical infrastructure and cyber security. Interview with prof. dr hab. Jan Kreft
The progressive digitisation of critical infrastructure, which includes, inter alia, seaports and terminals, facilitates many operations but also requires greater attention to be paid to security. The maritime industry is becoming a target of hackers more and more often, as demonstrated by the series of attacks on related companies over the past several months. Whether we should be worried about that fact, what the management of critical infrastructure should do about it, and who the hackers are and how they operate is explained by prof. dr hab. Jan Kreft from the Gdańsk University of Technology, who is an expert on the impact of algorithms on human life.
In recent months, we have witnessed a considerable number of attacks on maritime companies. We might not even be aware of many of them. Is the industrial sector an attractive target for hackers at the moment?
Definitely. In the maritime industry, the line between what is IT and what is not directly related to IT is more and more blurred. In fact, such a line does not exist anymore. A crane, for example, must also be controlled externally, digitally, therefore: computer systems permeate every aspect of business life.
What do such attacks look like?
The methods of attacks do not change, but the interesting fact is that they get combined. One of the most recent attacks in the maritime industry, on Maersk and on several port terminals, was surprising, as ransomware and a DDoS attack were combined on a great scale for the first time. It's a difficult task. It requires more than just a small group of attackers. A lot of computers need to be used. This was the first case I am aware of where "bugs" were introduced into systems and then the victim was threatened that if the entity refused to comply with the demands, it would be completely blocked. That's something new.
Who is responsible for the attacks? Does anyone admit to them?
Such groups can be identified, and some groups actually admit to attacks. Moreover, they sometimes manage their own websites. Over the last few weeks, however, we have been dealing with something unique in this world. To the best of my knowledge, this is the first time in history that something like this has happened, and it is indirectly linked to the events in Ukraine. I mean the so-called Conti group. This group was formed two years ago. It was not difficult to collect information about them, as it turned out that they were the subject of quite detailed research and analysis, although not in Poland. Conti was the very top group among those responsible for cyber attacks. They attacked companies with revenue of more than USD 100 million. On February 27, however, they experienced the worst catastrophe of all groups of that type I am aware of. The day before, they declared that they were on Russia's side in the war against Ukraine. But the group was international, and one of its members admitted to having supported the other side - Ukraine. That person created Conti Leaks on Twitter - something like WikiLeaks - and shared 170,000 documents from the internal chats of the group.
For the first time ever, people who work in cyber security have full insight into the history of the formation, development and organisational culture of a hacker group - usually there was no such information.
What is there in those documents?
A year ago, Conti admitted to attacks on the Irish healthcare system; the group was famous for leaving traces. They blocked the whole system. It was very expensive to rebuild it. The targets of the group were mainly the financial, environmental, law and charity sectors, and they became well known for large-scale attacks on hospitals.
Conti was known for being very efficient and ethically insensitive. They were experts at ransomware attacks, and it is estimated that the group made USD 180 million over 18 months - that shows the scale of the business. It is an international group, but Russian-speaking. Thanks to the fact that - as I mentioned - one of its members stepped out of line, we get to know them "from the inside".
It turned out, for example, that the person shared the last two basic source codes used for cyber attacks. And here's an interesting fact: the latest code is weaker than the previous one - Poles have analysed it, and it turned out that the code looks as if it was written by someone hired to do so, by someone not very smart. At the same time, it is worth noting that if someone with malicious intentions accessed that code, that person could develop it further.
Back to the group - the average scam of Conti was approximately USD 800,000. The basic message that was displayed to the victims did not look very professional. It included information that the victim had been blocked, there were demands and a deadline for meeting them - usually three days. There were also unusual elements, such as Chinese characters and, for no apparent reason, a re-encoding button. In a word, it looked amateurish, although, again, there should be no hasty interpretations.
The group consisted of 62 permanent members plus approximately 30 ad hoc ones - approximately a hundred people in total. Some of them were not aware that they were working for the "dark side of power". They simply performed services for which they were paid from USD 1,400 to USD 2,000, so relatively little. In turn, those who negotiated the extortion had a share of the high-level profits.
The organisational structure of the group was also interesting. The disclosed chats showed an interesting hierarchy - middle management, programmers, or "worker bees", who wrote malicious code, an IT team, who maintained the servers, and also its own HR department, for example. Therefore, it seems that the members of the group were "employed" under the usual terms and conditions. The group looked for open offers, also on the darknet. In April 2021, there was a full-time journalist "employed" in the group who was paid a 5% share for making the victims pay the ransom. The members of the group were paid normal salaries - on the 1st and 15th of each month. In the chats, some of them complained that they were not able to leave Russia because they had been recruited from there, often from St Petersburg. They wanted to establish a branch in Moscow. They wrote other things too: someone complained that they had run out of money, someone was happy to have bought a new Apple laptop, an iPhone... Conti also had a list of targets and a price list. They complained if someone was lazy, and there were also awards, e.g. "the employee of the month".
If someone had financial problems, they received assistance. Someone's mother got cancer; there are traces of correspondence with support, so there was some kind of "social fund".
Their channel of communication was Rocket Chat, a version of Slack. At the same time, conversations within one "cell" were usually conducted by four people, which means that the members of the group did not know each other. A newly hired person was included in one group, so that person only knew three people, etc.