
While ransomware attacks are multiplying rapidly for private corporations, don’t expect our cybersecurity agencies to do much other than warn about them. In fact, they remain a core part of the problem of what will become a key element of 21st century life — the vulnerability of even the largest corporations to being locked out of their own data and systems.
By one count, ransomware attacks have increased 62% globally since 2019, and more than 150% in North America. That skewing reflects the fact that several major ransomware groups operate with relative impunity from Russia, on the proviso that they never attack Russian institutions.
This week a major US fuel pipeline was shut down by Russian ransomware group DarkSide, leading to Colonial Pipeline paying around US$5 million to the hackers.
Coincidentally, this week also marked four years since the attack that brought the ransomware threat to public prominence — the global WannaCry attack in May 2017 that disrupted government bodies like the National Health Service in the UK, major corporations like FedEx, universities, and individuals.
The WannaCry tool — which originated in North Korea — used an exploit called EternalBlue developed by the US National Security Agency to exploit a flaw in Microsoft’s software. The NSA didn’t bother telling Microsoft about the flaw, preferring instead to use it in its own spying operations. Problem was, hackers stole EternalBlue from the NSA. Microsoft took the unusual step of publicly criticising the NSA for its stockpiling practices.
There is evidence that the NSA is now more ready to alert software companies to major vulnerabilities. But variants of WannaCry continue to be used around the world, and one estimate suggests a quarter of systems running the relevant software remain unpatched and thus vulnerable.
So when cybersecurity agencies like the Australian Cyber Security Centre (ACSC) warn about the threat from ransomware, they’re engaging in a profound hypocrisy. The ACSC is run by the Australian Signals Directorate (ASD), which stockpiles vulnerabilities — in collaboration with its Five Eyes partner, the NSA — in order to undertake espionage, frequently commercial espionage, to help companies in Five Eyes countries.
That’s because the ASD is fundamentally conflicted. Its motto is “Reveal Their Secrets. Protect Our Own.” But WannaCry showed it’s impossible to do both. The very tools with which you Reveal Their Secrets leave you unable to Protect Your Own. And the task of protecting Australian companies, universities, government departments and individuals will always be a lower priority than the ASD’s desire to get access to the Indonesian president’s phone, provide trade intel to the Americans in their negotiations with non-Five Eyes countries, or look after the interests of Australian resources companies.
And for that matter, the ASD can’t even get its bureaucratic colleagues within the federal government to achieve the most basic of its cybersecurity requirements.
So governments have stood by and done little except lecture business about being more secure as ransomware has proliferated, and the ransoms paid have escalated into the millions. That growth has demonstrated the strong business model behind what is now a ransomware industry, complete with leasing agreements between hackers and professional-looking media releases from the perpetrators. Meanwhile, governments continue to tell business they shouldn’t pay ransoms to ransomware outfits — just this week, the UK’s bumbling Home Secretary Priti Patel warned companies they shouldn’t be paying ransoms, while offering no alternatives for corporations that can’t get their data back.
Until our governments decide spying on others isn’t worth the disruption of ransomware attacks and the cost of millions flowing to Russian hackers, the ransomware industry will continue to grow at a rate of knots. There’s too much money to be made.
It’s worse than that. Our government legislated to force software companies to allow backdoors in their code. https://www.homeaffairs.gov.au/about-us/our-portfolios/national-security/lawful-access-telecommunications/data-encryption
Thanks, Mike. It gets a lot worse than that. It has been strongly speculated that in some instances of penetration of computer systems in other parts of the world, the backdoors exploited were deliberately created to allow selected intelligence agencies such entry.
Of course, we have honest governments which would never allow that to happen.
It was revealed via the Vault 7 document drop from a certain US agency to Wikileaks in 2017 that the agency was able to leave fingerprints to their hacking that incriminated innocent parties and nations.
Always Russia when most attacks (over 50%) have US IP addresses.
Are you serious, Bernie, or, as usual, playing to a balcony barely more informed than yourself?
This stuff is global; investigate Cameroon (one African state) when you have an hour.
You didn’t bother to investigate the operating systems that are vulnerable; NO Bernie, they are NOT all the same. Then consider the security legislation of Oz from 2017 and compare that to the defence statement of NZ of 2018.
Start there Bernie.
You’re not playing a too open game with your fellow-readers, Erasmus.
What in cyberspace are you getting at?
Pray, please tell us a little.
I posted quite a screed some years ago in regard to the government’s perception of airport and cyber security; both equally confused as was Cky’s assessment.
Security on aeroplanes is one thing, but consider trains and shopping centres, which move rather more volumes of people.
When WiFi appeared, members of a Linux group would write notes to major corporations with ample evidence of the C: drives on (obviously) Microsoft servers and personal workstations conveying obvious security issues. The general reaction was one of umbrage and very seldom of thanks!
Keane did a much better job of summarising the budget than this issue. Take a look at the doco mentioned. As a side point, UNIX was developed half a century ago from a project funded by the DoD that would enable computers (mainframes) to be both secure and reliable. There are numerous versions of UNIX, of which Linux seems to be the best known. Apple has adopted and modified BSD (a UNIX variant) and renamed it as MacOS. Then, coming up the distant rear, we have Windowz.
I’m happy to assist with any specific question.
(love the down-votes of fact!)
It’s even worse than just (or even) operating system differences. Widespread use of various “security” services and software in the corporate sector effectively punch holes in whatever built-in defenses the OSes have, adding vulnerabilities and enormously expanding the attack surface. Overriding system key stores to subvert the security of standard network protocols, in the name of “deep packet inspection” is ubiquitous these days. Hackers were roaming the systems “protected” by SolarWinds for over six months, and not a single one of the “behaviour monitoring” packet analysis or malware detection systems twigged.
Long ago I decided that the CIOs of the world get their entire security perspective from in-flight magazines and golfing conversations.
There is a lot of high end cronyism. Given budgets, large projects are initiated that don’t (surprisingly) enhance anything or do so only cosmetically. Woodside and BHP are examples but only examples.
‘ipchains’ (which secures the internet – on a good day) is FREE. However, one error in the rule-set can be perilous. There is no free lunch.
Then there is IT ideology which, perhaps unwittingly, Bernie’s article reflects.
Colonial actually shut the pipeline down themselves. Guess why? Because the hack made it impossible for them to identify who was getting the oil and gas. Profits come first.
I read this morning that the pipeline was not shut down by hackers, but by the company itself.
Apparently, the hackers didn’t disable any machinery or similar; instead they locked up the computers that monitored fuel distribution for billing purposes.
So, rather than have anyone be undercharged for the fuel they received, the company simply shut the whole thing down.
… or at least, that’s what I read this morning.
That would make more sense – the hackers just wanted money, quietly, not even a large amount by corporate standards.
A fraction of what the company would have lost through inaccurate billing – HAD THEY A CONSCIENCE AND NOT CHOSEN TO DISRUPT MILLIONS OF PEOPLE.
Once you pay the ransom, you’ll never be rid of ransomeers.
You’re correct.
Given the Federal, State and various Local Governments policies towards IT in general I am surprised that our various Departments haven’t been breached themselves (that we know of). The waste, lack of coordination and lack of an overall IT Strategy is palpable.
The hypocrisy of the US, UK in being leaders in cyber crime, while attempting to make everyone believe they are a “force for good” continues to amaze me.
We may not have seen anything, yet… but in most respects it is quite simple: an IT strategy that includes security, data back-up systems (inc. non-digital), recovery and restart, that has been regularly audited and/or tested.
The latter itself is an issue if shutting a system down briefly means forgoing any income in the short term… hence unpreparedness for black swan events… aka Covid.
That is quite simplistic but at a high level is correct. Alignment of IT in Government is usually on a Ministerial basis with little to no Shared Services across Departments, overarching Architecture, Security or DR policies etc etc. A comprehensive E2E IT Strategy across Government would address that, reduce costs and risks across the board.
Appropriate Mirroring and Failover design would eliminate the forgoing of income during any testing and actual events. The Ministerial alignment creates Silos of inefficiency and risk.
As the ultimate non-tekky, that makes sense to me simply in overall terms.