
Cyber Warfare / Cyber Crime


NurembergVillan


With news still emerging of a "ransomware" attack on the systems of the NHS, and something similar happening to Telefonica and other Spanish companies today, it seems that cyber-related issues are becoming a growing problem.

Whilst the above cases could have occurred accidentally rather than being targeted, if you look at the suggestions around Russian interference in the US election, the ability of some companies to make realistic social media "bots" who will push particular rhetoric (it's been claimed this may have influenced the results of the EU referendum and the US vote) and WikiLeaks - is cyber warfare now becoming a major player in global politics / life in general?  Or is it just the latest media focus?


42 minutes ago, NurembergVillan said:

is cyber warfare now becoming a major player in global politics

Yes. The espionage side of it for want of a better term is massive. If anything the media focus on it is less than it warrants. It's not so much the stuff that makes headlines - Russian interference in the U.S. election that is the big deal - propaganda and such has always been a thing, but it used to be the case that if you wanted to (say) get the plans for the next model of a Car Company, or you wanted to find out about a missile system then you had to use humans - bribery, agents, physical theft of plans and so on.

Now it can be done remotely with computer hacking. It's an absolutely humungous issue.

And this NHS ransomware thing - a large part of an essential infrastructure has been stopped from working by, again a group with a computer. There's no guns, bombs, hold-ups and negotiating while surrounded by the law.

And what's also underplayed is that Western Governments know that China, Russia, N. Korea etc. are permanently "at it". And vice versa. If it was planes and tanks then the world would be on the brink of complete destruction, but computers....it's all underplayed.

  • Like 3

1 hour ago, NurembergVillan said:

With news still emerging of a "ransomware" attack on the systems of the NHS, and something similar happening to Telefonica and other Spanish companies today, it seems that cyber-related issues are becoming a growing problem.

Whilst the above cases could have occurred accidentally rather than being targeted, if you look at the suggestions around Russian interference in the US election, the ability of some companies to make realistic social media "bots" who will push particular rhetoric (it's been claimed this may have influenced the results of the EU referendum and the US vote) and WikiLeaks - is cyber warfare now becoming a major player in global politics / life in general?  Or is it just the latest media focus?

Hi. NHS worker here (but not at a site affected by what has been reported), no I think it needs bringing more public so companies and institutions look more into stepping up their counter-measures. We're so crippled, financially, like all of our public sector counterparts that despite several close calls recently, not enough in my opinion is done. 

This last week alone, the staff in the department I work in, each of them have been receiving suspicious emails this week that appear entirely legitimate from known people to us that simply haven't sent the emails, some with attachments. Not just confined to our department but widespread. We have approximately 8000 staff and we haven't even had a global email raising awareness of this unprecedented wave of weird stuff. Sites we have to access, web based, encrypted by the way, we sometimes click on and it takes us to random sites even though these are saved links in our computers. 

Ok some of it may just be someone's idea of a joke or something more sinister but these are systems that we rely on. These "hackers" then have put patient safety at risk. People attending clinics, without their results available, people due scans and the radiographer not even knowing what is required of them for that scan, someone brought into A and E unconscious without their allergy history being made available. That's just pure terrorism. 

Imagine someone attending today for an appointment to do with an oncological diagnosis, having to wait for a rescheduled appointment, it's unacceptable. The waiting lists, that are carefully managed and backed up like you wouldn't believe (with failing target turnarounds already the case) and having to get these people somehow rebooked and with inconvenience to them and any others on altered lists, it's quite shocking.

Not new news but when this happens to the health sector, it's kind of disgusting as it absolutely affects patient care so many ways over. I say, we don't have the money for continually trying to future proof against these attacks but such people are one step ahead anyway that even with stepped up measures there'll always be another way in. 

I mentioned the dodgy emails and the somehow altered web history / bookmark links we use and that's probably small-fry, but these little ways in, I don't think the NHS does enough to attempt to safeguard more to stop staff innocently opening themselves and their Trust up to an attack. Terrible what's happened but the media focus will force Trusts to do more. We are so archaic at times, that I'm surprised this hasn't happened sooner but on a micro scale this raises awareness and hopefully causes our IT infrastructure teams to get their heads together.

 

  • Like 4

24 minutes ago, blandy said:

Yes. The espionage side of it for want of a better term is massive. If anything the media focus on it is less than it warrants. It's not so much the stuff that makes headlines - Russian interference in the U.S. election that is the big deal - propaganda and such has always been a thing, but it used to be the case that if you wanted to (say) get the plans for the next model of a Car Company, or you wanted to find out about a missile system then you had to use humans - bribery, agents, physical theft of plans and so on.

It is still mainly people (social engineering). Data exfiltration usually starts by getting someone to click a link they shouldn't. Why try to crack a firewall when you can get someone that opens Excel* files in emails to bypass it for you?

And those same people click links which crypto their hard disks. The bad guys do it because most people don't keep backups and so pay the ransom. Some of the schemes mean you can get out of paying if you cause some number of others to be infected - so you send a link to someone who knows you and then deny all knowledge. It's hard to fault the business model :(

Currently tens of thousands of new virus signatures are detected per day. Traditional AV can't cope with the cryptor services and SSP. Cybercrime QA is better than that of many legitimate businesses. It's another reason why I recommend ChromeBooks for most home users.

 

* other piss poor executable file formats are available.

  • Like 2

3 hours ago, Davkaus said:

In fact, that's basically confirmed:

It's a cryptolocker variant, asking for $300 to decrypt the files on each PC. That's not a targeted attack on an organisation, it's the same shit users get on their home PC every day.

The question is how this has got on to multiple machines across several trusts. I'd guess a dodgy link going out through official mailing lists?

Some Prof bloke quoted on The Grauniad:

Quote

From what we can see, it is a piece of ransomware called wanna decryptor. It goes by other names but it emerged in February 2017. Since then, it has been modified and there is evidence that it is spreading using a flaw in the Microsoft network protocol called SMB, which was exposed in the recent dump of exploits that were allegedly from US intelligence agencies.

It is not just the NHS affected: reports suggest it is a global problem. The virulence is likely to be because some organisations have either not applied the patch released by Microsoft, or they are using outdated operating systems (such as XP) that are no longer supported by Microsoft and hence no patch exists.

My concern is that this isn’t the last of this type of attack. Since the dump of the exploits earlier this year, it was obvious that someone was going to enhance their ransomware (or some other form of malware) using the SMB flaw to allow the malware to spread across large networks once a foothold had been established. The disappointing aspect of this is that the patch has been around since March but many organisations have clearly not applied the patch or, worse, they are on something such as XP which is no longer supported and hence cannot be patched.

Wanna Decryptor is actually just a reincarnation of wcry (I first saw it in Feb 2017) but it has been enhanced using the SMB/eternalblue exploit to spread more easily. The concern is that even once this attack dies down it won’t be the only ransomware that has been enhanced in this way. The result is inevitable.

This is not about having some fancy technology in place to protect yourself. It is about the basics: use supported software and keep it updated.

 


3 hours ago, limpid said:

It is still mainly people (social engineering). Data exfiltration usually starts by getting someone to click a link they shouldn't. Why try to crack a firewall when you can get someone that opens Excel* files in emails to bypass it for you?

And those same people click links which crypto their hard disks. The bad guys do it because most people don't keep backups and so pay the ransom. Some of the schemes mean you can get out of paying if you cause some number of others to be infected - so you send a link to someone who knows you and then deny all knowledge. It's hard to fault the business model :(

Currently tens of thousands of new virus signatures are detected per day. Traditional AV can't cope with the cryptor services and SSP. Cybercrime QA is better than that of many legitimate businesses. It's another reason why I recommend ChromeBooks for most home users.

 

* other piss poor executable file formats are available.

Limpid what you say there, about getting people to click on to something to bypass firewall etc is entirely true. All these NHS trusts on the BBC news article there, employ thousands of people. Probably about 1.2-1.3 million people are directly employed by the NHS in U.K.  

An organisation of that size, even when broken down to compartmentalised trusts of a few thousand employees a pop, it only takes a few of those people there to click on an attachment regardless of how suspicious or savvy they are about what they're receiving, and these bad people have a way in. 

Target the many, and a few will fall foul. It's all very sinister and unfortunate for everyone concerned. 

I'm not IT savvy I have to admit but it's actually quite scary. We live in a time where IT runs our lives, runs systems we are reliant upon for policing, for healthcare for business, for our own living. Yet we are vulnerable with that reliance.

Our trust right now is moving from, please excuse my lack of knowledge, but Outlook housed on local server I think it would be called, instead to the nationwide, entirely web based NHS Net as it's called. We will be at massive risk in the future. If hackers have done this, as they have it'll only get worse and people even in the minority of a majority will always open attachments or follow bad links, quite innocently as their appearance seems genuine.

Not asking for you to comment the above I guess is just a commentary. But these are scary times in that regard. If people can effectively sabotage health care systems across so many NHS trusts then they're capable of much worse. 

Maybe some of this is even "state sponsored" I couldn't say, or just individuals / groups looking to make some money. However, the holding to ransom of the NHS ones strikes me as odd as the hackers would take the time and effort to do what they did but no NHS employee would pay individually to have their workstation restored, yet they've done it to their pc anyway. That is suspicious too, almost like a "look what we can do" aspect to it , as anything we do at work is always backed up , it's the "I can't access stuff today because my of is over ridden " that effectively is the disruption to some extent and surely the hackers know that. 

Anyway this post is long but this whole thing is not the first cyber attack and won't be the last but the fact they chose the NHS and the time it took to do so , that as a motive is a two fingers up and a show of prowess but as a public institution a lot of the gateway info is out there, accessible to all so maybe I'm underestimating how much "work" and time it took for them to do so. 

The public sector needs to learn from this and do more, but what that more is, I'm not sure will ever be enough. 

Dare I say it, it's actually impressive, the scale of their ability, despite the absolute intrusion and unacceptable outcome that becomes of their actions.

There's a lesson though for us all, to backup what we have to an offline source. If someone can do that simultaneously across an organisation as big as the umbrella NHS with its constituent trusts within (running different operating systems and software) then these "terrorists" will have no problem with our own data / kit. Anyway. Sorry long read. I wasn't affected by the issues but it's an eye opener of what's possible and regrettably of what is to come. No tinfoil hat here.


37 minutes ago, Demitri_C said:

The most incredible thing for me is that some nhs trusts still use XP. and this to protect patients details. Jesus 

Damned straight my friend. Even I, as an IT laggard know XP is old hat and poses many risks relating to modern day, cutting edge realism of what problems exist for "business continuity" of using such an outdated system. Public sector cash is tight - non existent but something so profound as patient systems and patient data there is no excuse, in this digital age of not moving with the times (as much as possible) point being I agree entirely with you there fella. Our trust moved from it about three years ago at massive infrastructure expense but there definitely still are ones that use it outside of our region. Such is the autonomy and free choice of the constituent trusts within the main parent NHS of what to use, I think a lot of meetings may happen over the next few weeks as to moving with the times, belatedly. Needs to happen.

In line with Nuremberg's original post though, hopefully the media reports highlight how vulnerable they are, and others even with more modern setups, to take stock and accept this as an ongoing reality and not a one off. 

  • Like 1

Noting everything said in posts above about the crime aspect, it's worth remembering cyber was classified some time ago as a new domain of warfare alongside air/land/sea/space.

A weapon made of 1's and 0's has already caused real damage in the physical world by breaking 1000's of Iranian nuclear centrifuges, so it goes far beyond messing with data. 

Only a relatively small handful of people really understand the offensive cyber capabilities available to major states, more worrying is the inevitable proliferation of that capability down to non-state actors.

  • Like 2

11 hours ago, Midfielder said:

Our trust right now is moving from, please excuse my lack of knowledge, but Outlook housed on local server I think it would be called, instead to the nationwide, entirely web based NHS Net as it's called. We will be at massive risk in the future. If hackers have done this, as they have it'll only get worse and people even in the minority of a majority will always open attachments or follow bad links, quite innocently as their appearance seems genuine.

I'm not familiar with this, but it is almost certainly a good thing. It means a smaller attack surface which is correspondingly easier to defend. If the data that needs to be secured is kept in the central service and not on thousands of ancient PCs then it will be much more secure. Even though a compromise would be much more significant, it makes it much less likely to occur. There's a whole science to risk analysis which I don't pretend to know about.

It's much more concerning that if this attack had been targeted, then the bad actors could have made copies of all this data, not encrypted the contents and no-one would know.

6 hours ago, Awol said:

Only a relatively small handful of people really understand the offensive cyber capabilities available to major states, more worrying is the inevitable proliferation of that capability down to non-state actors.

Yep. In the cyber security community it is widely accepted that if a state actor is targeting you there is no practicable mitigation. They have too many different attack methods (physical, financial, cyber) available to them and as a functioning business your attack surface is huge.

It is possible to protect against most smaller actors though. The weak link is almost always human and companies are REALLY bad at training their staff. There are companies (including mine sadly) where people email attachments to each other, despite secure collaborative and sharing facilities being available.

  • Like 4

The government is quietly blaming the NHS this morning. 

You couldn't make it up.

And anyone trying to suggest that perhaps the cost to an underfunded NHS being too much is perhaps a problem for government to deal with is accused of making it political.

Ha.

  • Like 1

32 minutes ago, NurembergVillan said:

de4.jpg

Not entirely true. Some trusts choose not to use some of their budgets for upgrading their IT systems. I work for one of the biggest trusts in the country and they truly wasted a lot of money on rubbish before upgrading to Windows 7 end of last year. The money was there they just chose to use it on other things. The government are to blame for a lot of things but not this.

Link to comment
Share on other sites

So from what I can gather, the attack that hit the NHS was an NSA written piece that they'd not managed to completely keep in house. They'd warned Microsoft who had issued a patch (using information supplied by the NSA) but because Microsoft doesn't support XP anymore and the NHS can't afford to upgrade, the NHS hadn't picked up on it because it wasn't an automatic update. A strange mix of state action, corporate reaction and political incompetence - it's a wonderful world. 

There was a documentary on the BBC iplayer not too long ago about the Iranian nuclear centrifuge thing that AWOL mentioned earlier - and the things they were talking about in that were terrifying.

Right now, there's a man in Maryland with a bobble head Stormtrooper on his desk who could turn off your electricity, turn off your water supply, stop you withdrawing cash, prevent planes taking off, trains running, black out your phone and your internet connection, stop your car starting and stop your streetlights working - all at the push of a button. We're talking about the ability to "switch off" a nation in an hour - it'd be carnage, riots, looting, lawlessness, chaos. All of this is possible today and the possibilities are frightening.

 

  • Like 2

1 hour ago, Chindie said:

The government is quietly blaming the NHS this morning. 

You couldn't make it up.

And anyone trying to suggest that perhaps the cost to an underfunded NHS being too much is perhaps a problem for government to deal with is accused of making it political.

Ha.

They're having a Cobra meeting this afternoon - what's the likelihood they'll announce some intention to (ineffectively) legislate in response? :(

Link to comment
Share on other sites

Hang on. Aren't NHS using private contractors to provide IT support and systems? I presume they pay through the nose for this so why hasn't someone pulled their finger out and at least upgraded to Windows 7? Also why on earth isn't there a failsafe server where you can fall back to Linux or Apple based frameworks in case of an attack? It's not like it takes a whole lot of time to set these things up, and even if XP is vulnerable there is plenty of software that can plug these gaps.
