On 11 May this year, several Italian Web sites, including the Italian Senate, the Ministry of Defence, and the National Institute of Health, were taken offline and were unreachable for several hours. This was the first day of a long lasting cyber-attack which targeted Web sites in Italy, and several other countries.
Before Italy was in Killnet’s cross hairs, over the past few months, the group targeted government and private companies in other regions, including the US, Estonia, Latvia, Germany, Poland, Czech Republic, and Ukraine.
Pro-Russian hacker groups Killnet and Legion claimed responsibility for the attacks, which used the Mirai malware to carry out the DDoS or distributed denial-of-service attacks, on their telegram channel dubbed Legion – Cyber special forces of RF.
In addition, Killnet announced a slew of attacks on Italian targets, publishing a list of their Web resources on the same channel – a list made up of the Web sites of state entities, energy authorities, as well as entities in the telecommunications, transport and media sectors.
The call to action invited the members of the collective to carry out a 48 hour-long, sustained DDoS attack on the target Web sites, in retaliation against countries that oppose Russia.
Subsequently, an alert has been issued by Italy’s Computer Security Incident Response Team (CSIRT) warning organisations in the public and private sector of a heightened risk of cyber-attacks from pro-Russian hackers.
The attacks were reported by Italy’s postal police who are charged with fighting cyber-crime on 20 May, who said they were responding by blocking and analysing the floods of foreign IP addresses that were part of the DDoS attacks. They then reported the attacks to the Consiglio Superiore della Magistratura, the customs authority, and the ministers of foreign affairs, education, and cultural assets – all of whom were listed in Killnet’s posts.
This scenario news should raise concerns over cyber security in Italy, given the global threat scenario and the roll-on affect the Russian-Ukrainian conflict is having on the rest of the world. The parties involved are publicly fighting this war in the air and sea, on land, and in cyber space, making this the first truly hybrid war.
Since the invasion, began both parties have carried out attacks against the others’ IT and OT infrastructures, breaching systems and deploying disk wipers, ransomware and other malware, with the intent of causing destruction and damage. The actors behind the attacks have proven to be state sponsored or hacktivists acting out of ideology, which redefines the threat scenario.
The scenario that is unfolding today is we are seeing of barely known, obscured and even hidden threat actors acting in the dark and surfacing only when it is too late to act against them. However, using intelligence services to study these actors is the only way to better understand, and possibly stop them.
The accepted maxim today, is that it is not a case of “if” but “when”, when it comes to cyber-attacks, and companies need to be prepared, and the best way to do this is to set up an incident response plan. This is a set of tools and procedures that the security team can use to identify, eliminate, and recover from a cyber security threat or incident. It is designed to help the team respond rapidly and in unison against any type of threat. Having this plan in place help a company bounce back and recover more quickly, lessening the potential fallout of a cyber event.
Similarly, despite the wide range of security tools and solutions that are available, effective cyber security goes way beyond buying a product off a self. It needs to be developed proactively, through a combination of policies, culture and solutions. It should be viewed as an ongoing process with ongoing checks and an aim of continuous improvement. Conducting regular security assessments and penetration testing of your organisation and its assets help to gain awareness of your own vulnerabilities and how they could be exploited. Understanding where your weaknesses lie in time gives you the chance to plug any holes and reduce the attack surface.
Ultimately, even if your organisations has never been notified that it is on a list like Killnet’s one, it doesn’t mean that it isn’t a potential target, just that you’re not aware of what might be happening outside your office perimeter. Moreover, from a cyber security perspective, attackers are only one-click away from your most critical resources.
All organisations need to be aware should any group of hackers have them in their cross hairs, such as we saw in the case of Killnet. They should have as much information as possible about the threat, including how the group operates, why they are a target, and the magnitude of a successful attack, and they should have this before an attack takes place. Only ongoing intelligence on cyber threats can help a business to properly prepare for incidents, to help avoid them, and confidently mitigate them should they happen.
Take Killnet, for example. They are notorious for DDoS attacks, but do they use other techniques? Are they associated with other types of attack, such as ransomware or similar? In this instance they appear to act for Russia to help it with its attack against Ukraine, but do they have other motivations?
Being able to answer these questions in advance, can mean the difference between a temporary service disruption that could last minutes or hours, and a major business disruption that could destroy critical systems and see valuable data stolen.
In addition, digitalisation has multiplied the number of ways documents and data can be shared and even stolen, and on the other hand, it has enabled us to track down data in the network. The internet can be likened to a giant repository of information that can come in handy for many purposes, including cyber-attacks.
All organisations should be aware of any of their data that is available on the Web, particularly if they have had data exposed on the dark net. In the best case scenario, that data is as a result of an undetected breach that could result in fines and a blot on their reputation. In the worst case, that data could be exploited to attack their infrastructure and put business continuity and survivability at risk.
Stolen credentials can be extremely dangerous, and are used by attackers to deploy ransomware in minutes or even just to exfiltrate data, causing severe damage to the company. Without proper surveillance, this beach could even go unnoticed, and the victim would have no idea of what has happened until they have to deal with the consequences.
This is just the tip of the iceberg in terms of the valuable information that Intelligence solutions can offer businesses each day, to proactively shrink their attack surface and enhance their response.
Being prepared is the best defence when it comes to cyber security, since incidents are an inevitability. No one is immune and there is a good chances that it has already happened and you just don’t know it. It is just a matter of when, how, and how extensive the damage will be.
Proactive defence is the cornerstones of cyber security and helps build a security posture that could ensure business continuity should the worst scenario materialise.