The invasion of Ukraine by Russia on February 20th 2022, has brought into stark focus the hostility of the Russian government to international legal norms. Cyber-attacks on western business have exponentially increased in scale and sophistication in recent years and a majority are thought to have emanated from Russia. It has been widely observed that the Kremlin identified a chink in the armour of western legal systems by successfully interfering with two democratic processes in 2016 (the election of Donald Trump and the UK Brexit Referendum) recognising that social media communications could be used to manipulate elections from abroad. It appears that a similar chink in the legal armour of the west has been identified by increasingly high-tech cash rich Russian cyber gangs, if not actively supported then, at the least, encouraged by the Kremlin. The unprecedented onslaught of sanctions against Russia will only serve to further heighten the cyber risk faced by western businesses and providers of critical infrastructure.
CYBER ATTACKS – KEY CONCEPTS
| Botnet | A Botnet is a network of private computers infected with malicious software and controlled as a group without the owners’ knowledge |
|---|---|
| Denial of Service (DoS) | A Denial-of-Service (DoS) attack is an attack meant to shut down a machine or network, making it inaccessible to its intended users |
| Phishing | Phishing is where an attacker sends a fraudulent message designed to trick a person into revealing sensitive information to the attacker |
| Malware | Malware is a catch-all term for any type of malicious software designed to harm or exploit any programmable device, service or network |
| Man in the Middle Attack | A Man in the Middle Attack (MITM) is where the attacker positions himself in the conversation between a user and an application to eavesdrop or impersonate one of the parties. The goal is to steal personal information such as login credentials or credit card numbers. |
| RaaS (Ransomware as a service) | Ransomware as a Service (RaaS) is a criminal variation of the software as a service model based on a joint venture between ransomware operators and attackers in which the attackers pay to launch ransomware attacks developed by operators. |
| Ransomware | This is where malicious software is used to block access to a computer system until a sum of money (a ransom) is paid. |
| Wiper Attacks | A Wiper Attack involves removing data from the victim. Wiper attacks are destructive in nature and often do not involve a ransom. |
These cyber-attacks have exposed significant weaknesses in western legal systems and have in two ways turned the principle of deterrence on its head. Firstly, the increasing steady stream of legal ransom payments to Russian cyber gangs often covered by cyber insurance policies of western business does not deter cyber-attacks, Instead they pour fuel on the fire of cross border cyber-crime by encouraging and empowering these gangs that have grown into increasingly powerful organised crime enterprises. Secondly, Russian cyber gangs and entities closely associated with the Russian, Belarussian and North Korean governments are able to easily attack western business digitally while simultaneously remaining anonymous and, by being located beyond the reach of the law, are in effect able to operate within our borders with impunity. There is little prospect of Russian, Belarussian and North Korean prosecuting authorities co-operating with western prosecuting authorities while extradition proceedings are simply out of the question.
As shown on the timeline below the scale of cyber-attacks has dramatically increased. In 2021 the USA saw a 1,885% increase in the number of ransomware attacks sustained: the healthcare industry alone faced a 755% increase. The size of ransoms demanded and paid has also significantly increased. The harm sustained is vast. The Notpetcha Attack caused no less than £10 billion of damages and in May of last year the largest ever ransom of $50 million was paid by ACER to REvil. Cyber attackers, in particular those engaging in ransomware, are becoming increasingly sophisticated in their approach. Cyber hackers targeting western entities are tactically now engaging in triple extortion as leverage in ransomware negotiations. Triple extortion is effectively a combination of ‘single extortion’ (data encryption) and ‘double extortion’ (data encryption and threat to release sensitive or personal data that has been exfiltrated). Now hackers are compromising the systems of the targeted organisation’s customers, users or other third parties while also sending ransom demands based on information obtained from the primary attack.
TIMELINE – ESCALATING CYBER ATTACKS
| Date | Attack, Incident or Event | ||
|---|---|---|---|
| Nov 2014 | A ransomware attack was carried out on SONY by cyber gang “Guardians of the Peace”. Confidential information was leaked, and a demand was issued to SONY to | ||
| May 2017 | A Wiper Attack named the “Wanacry Attack” was unleashed in May 2017. | ||
| 27th June 2017 | The infamous Notpetcha Attack Wiper Attack was launched by Russian hackers who had infiltrated Ukrainian software. Many thousands of international companies lost all their data. As a Wiper Attack there was no prospect of retrieving data through payment of a ransom. Damages were calculated at $10 billion. Perpetrator: Russian Hacking Group “Darkside” | ||
| May 2019 | The American city of Baltimore was attacked. All servers were taken offline. A $76,000 ransom was demanded. | ||
| Jan 2020 | During the San Miguel Attack a ransom of $250,00 was demanded. | ||
| May 2021 | US Company ACER was attacked following exploited vulnerability in Microsoft Exchange Servers. A $50 million ransom was paid – the largest ever. Perpetrator: Russian Cyber Group REvil | ||
| 15th May 2021 | A ransomware attack was carried out on the Irish healthcare system. The Irish government denied that any ransom was paid. Perpetrator: Russian cyber gang Conti | ||
| June 7th 2021 | The Colonial Pipeline in the USA suffered a ransomware attack and closure of pipeline. A ransom of $4.4 million was paid to the attackers to restore service. | ||
| November 2021 | US treasury announced that the Russian Cybergang REvil had to date received $200 million in ransom payments | ||
| 10th Jan 2022 | The Sonic Wall Cyber Threat Report stated that governments worldwide saw a 1,885% increase in ransomware attacks during 2021 and the healthcare industry faced a 755% increase. | ||
| 14th January 2022 | 70 Ukrainian government websites were closed down and replaced with a statement “be afraid and wait for the worst” Perpetrator: Suspected Russian state sponsored hackers | ||
| 9th February 2022 | European and US regulators warned banks to prepare for onslaught of Russian cyber attacks | ||
| 15th February 2022 | Large denial of service attacks brought down websites of Ukraine’s defence ministry and Ukraine’s two largest banks Perpetrator: Suspected Russian state sponsored hackers | ||
| 24th February 2022 | Anonymous is a decentralised international “hacktivist collective”. On 27th February 2022 Anonymous declared cyberwar on the Russian government in response to the Russian invasion of Ukraine | ||
| 27th February 2022 | A satellite necessary for functioning of Ukraine’s defence forces was disabled following attack on ground infrastructure owned by US company VIASAT. | ||
| March 2022 | Significant increase in the number of attacks on Ukrainian citizens. On one day 9th March 4.6 million separate cyber-attacks on Ukrainian citizens were recorded. | ||
Ransomware as a service (RaaS) has also developed and proliferated in recent months. This is a criminal variation on the software as a service (SaaS) model. Ransomware as a Service (RaaS) combines ransomware operators and affiliates acting as co-conspirators in which the affiliates pay to launch ransomware attacks developed by operators. Cyber gangs who use these platforms are starting to treat victims of attacks as if they are service providers referring them to their help desk to receive encryption keys following payment of ransoms. It is widely anticipated that cyber gangs will soon be further empowered through the use of quantum computing which will enable them to crack much of the current encryption technology.
The use of cyberattacks (and particularly ransomware attacks) has created a core expertise that has during the invasion of Ukraine been utilised as part of Russia’s hybrid warfare. The clear similarity in approach between ransomware attacks on western businesses and those used against Ukraine in tandem with military invasion clearly indicate a close nexus of knowledge and skills between cybercriminals and the Kremlin.
The UK legal framework relating to cybersecurity contains a number of acts of Parliament that are so out of date that it would seem they were drafted for a different world: the Communications Act of 2003 is primarily tailored for TV and radio and PECR Directive of 2003 largely governs electronic marketing activities. The Computer Misuse Act, which is still used as a basis for prosecution in the UK, has a date of enactment – 1990! – that is in itself quite astounding in the extraordinary fast moving technology sector. While the GDPR of 2018 is more up to date, wide-ranging and comprehensive, the purpose of this legal framework is to protect personal data of EU data subjects rather than to deter and protect against ransomware attacks.
The American legal system’s approach to cybersecurity is similarly out of date. In the USA, as with the UK and Europe, the payment of ransoms is not prohibited (unless made to a known terrorist organisation) and taking out insurance policies that cover the cost of paying ransoms is also lawful. Companies in the USA, as in the UK, are not obliged to report a ransomware attack or payment of a ransom even if that ransom is worth many millions of dollars. In the USA there are even tax incentives in favour of paying ransoms which may be categorised as “ordinary and necessary expenses” on profit and loss statements.
In totality the international legal framework relating to cybersecurity and, in particular, ransomware attacks is woefully out of date, unfit for purpose and creates a perverse framework of incentives. One of the most important issues that requires legal clarity relates to the payment of multimillion pound ransoms to cyber gangs. In November 2021 the US treasury announced that the Russian Cybergang REvil had to date received no less than $200 million in ransom payments.
The sudden prohibition of ransom payments by western governments, while welcomed by many, would be likely to inevitably lead to short term injustices. If a hospital were attacked and unable to pay a ransom, lives could be lost. Businesses may go insolvent in similar circumstances. However, the ongoing flow of millions of dollars in ransom payments, as a principal cause of the current crisis, must be addressed by lawmakers. Preliminary steps can be taken that fall short of a sudden outright ban. These include (a) mandatory reporting of ransomware attacks and reporting of payments of ransoms as there is currently a lack of systematic data, (b) improved regulation of crypto currencies so that ransom payments can be tracked and recovered, (c) desperate people facing attack should not be left to deal with these crises alone and the state should intervene and provide emergency support. In the UK the NIS Regulations can and should be strengthened to create a set of agreed qualifications and certifications for those working in cyber security and the list of companies within the scope of the existing regulations should be widened.
The Prohibition Acts of the 1920s in USA which banned the sale of alcohol created a huge incentive for gangsters such as Al Capone to amass fortunes through the illegal sale of alcohol. These criminal activities became a platform for narcotics importation and distribution. It was this flawed legislation that created a breeding ground for the Sicilian Mafia to empower itself through illicit means in the 20th century. A century later and we have a new flawed legislative framework that has created a breeding ground for a new form of mafia style organisations which are further given the backing of national governments hostile to international legal norms (i.e., Russia, Belarus and North Korea). A century ago, the world witnessed the rise of the Costa Nostra. Now the rule of law is being strategically undermined by the new mafia style organisations of REvil (59 known high-profile attacks), Darkside (161 known ransomware attacks) and Conti (480 known high profile ransomware attacks). The latter organisation of February 25th issued the following chilling statement of intent:
“If anybody will decide to organize a cyberattack or any war activities against Russia, we are going to use all our possible resources to strike back at the critical infrastructures of the enemy”.
Ben Kaplinsky worked as a trial advocate in the higher courts before re-specialising as an in-house technology lawyer. He is principal technology counsel for FTSE 100 company Kingfisher PLC.
