Telcos in the firing line as ransomware attacks hit new highs
23 July 2020 | Melanie Mingas
Telecom Argentina has become the latest to experience a ransomware attack, with perpetrators demanding the equivalent of US$7.5 million in the cryptocurrency Monero.
The development followed a string of high-profile attacks since Covid-19 lockdowns started earlier this year, specifically targeting critical organisations and infrastructure. The attacks were allegedly launched by ransomware groups and, in some cases, even nation states.
In line with these developments, analysis released today by SonicWall concluded that “ransomware is increasing ever faster”.
SonicWall said that in July 2019 the annual growth rate for attacks stood at 15% while today is stands at 20% globally, with 121.4 million attacks year to date. The problem is magnified in the US, where attacks are up 109%.
Further, intrusion attempts have reached 2.3 trillion incidents, up 19% year on year, while malware has declined 24%, from 4.8 billion to 3.2 billion cases. However, a new Excel malware variant has appeared, and the number of malicious Office files has “exploded” according to the research, climbing to 70,184 and marking a 176% increase.
SonicWall assessed threat intelligence data gathered from 1.1 million sensors in more than 200 countries and territories. It found that 7% of phishing attacks capitalised on the Covid-19 pandemic, while there was a 50% rise in IoT malware attacks, totalling 20.2 million incidents.
In the case of Telecom Argentina, news of its hack broke after an employee spoke to the El Periodista newspaper, confirming that the company had, at that point, endured a 72-hour attack on internal systems.
Details that have emerged since named REvil – also known as Sodinokibi – as the ransomware group involved. Some of REvil’s most high-profile recent attacks include Travelex in January and US law firm Grubman Shire Meiselas & Sacks in May.
In the case of the law firm, dozens of celebrity clients were affected as REvil stole more than 750Gb of contracts, NDAs, contact details, music rights and personal correspondence.
REvil sells the stolen data on its site and, reportedly, added an auction bidding mechanism to enhance the buyer experience in June.
The attack on Telecom Argentina started on 18 July and affected more than 18,000 internal systems, targeting Siebel, the customer management platform where client data is stored. Office365, OneDrive, the corporate VPN, Citrix, Genesys, the customer and field service virtual machines were also affected, however, user telephone and internet services were not.
Telecom Argentina was given until 21 July to pay the ransom and have its systems released. The company has not made an official statement but its memo to staff has been circulated online. At the time of writing, Telecom Argentina’s official website was still down.
The 2020 hackathon
While Covid-19 upped the game for hackers and ransomware groups, recent weeks have seen a sharp increase in high-profile attacks.
Twitter suffered a massive attack on 15 July with celebrity, politician and high-value brand accounts hi-jacked to promote a cryptocurrency scam.
Within days the UK, US and Canada confirmed they had all been targeted by different states for their Covid-19 research.
When the UK’s Oxford University was targeted for its Covid-19 research last week, the UK’s National Cyber Security Centre warned that a group known as APT29 (AKA Cozy Bear or The Dukes) was behind the attack and was also, more generally, targeting drugs and medical research companies.
The NCSC said it was “95% certain” that APT29 is linked to the Kremlin’s intelligence services.
The UK has since reported attempted “malicious” attacks from China and Wired this week reported that criminals working for the Chinese government attacked private companies, research institutions, and governments across the world in March and April.
The UK Parliament’s Intelligence and Security Committee said this week that Russia was “a highly capable cyber actor with a proven capability to carry out operations which can deliver a range of impacts across any sector”.
Ron Davidson, VP of R&D and CTO for Skybox Security, said: “The global Covid-19 pandemic has completely reshaped the way that organisations and their employees work.
“With the majority of the workforce now working remotely, the network perimeter has significantly widened – securing this perimeter now needs to be a top strategic priority. Organisations need to be able to identify the flaws that sit within both personal and professional devices. They also need to be able to model their expanded network so that they can understand all potential attack vectors. If they do not have these capabilities, then they will not be able to manage the mass of 20,000 new vulnerabilities, leaving them vulnerable to attack; something that they cannot afford at a time of global financial uncertainty.”
As such, Skybox has predicted that 2020 will break a new vulnerability record.
It counted a 72% increase in ransomware in H1 while mobile vulnerabilities increased 50%. It said attacks on critical infrastructure, including healthcare companies and research labs, have added to the chaos.
Sivan Nir, the firm’s threat intelligence team leader, said: “We observed 77 ransomware campaigns during the first few months of the pandemic – including several on mission-critical research labs and healthcare companies.
“The focus and the capability of attackers is clear: they have the means to impart serious financial and reputational harm on organisations. The need for focused remediation strategies that are informed by full network visibility and contextual, data-rich intelligence has never been more pressing,” Nir added.
13h | Natalie Bannerman
13h | Alan Burkitt-Gray
13h | Saf Malik
14h | Alan Burkitt-Gray