A year in cybersecurity, as in politics, is a long time. Part of the UK National Cyber Security Centre’s (NCSC) role is to identify shifts in the cyber threat environment so organisations can prepare accordingly. At the recent RESET conference on cybersecurity hosted by BAE System, NCSC head of cyber assessment Eleanor Fairford spoke about the role of assessment and how the attribution and nature of attacks have changed over the past year.
“Assessment sits at the heart insofar as we take on board all of the information sources and various information that is available from all bits of the NCSC and more broadly,” she explained.
“So we’re looking across all the different sources across the cybersecurity sector in general, and then attempting to draw what is generally a very strategic broad overview of the cyber threats, usually designed to inform policy decisions and senior decision-makers and ministers at a senior government level about the cyber threat.”
The NCSC collects intelligence from open-source reporting, plus broader information from industry, international partners and other major sources to develop what it understands to be the latest highlights and trends in cyber threats.
“It’s a wee bit broad, strategic and high level; the idea is that what we produce is readable by a non-technical person,” said Fairford. “This is kind of the stuff that we put forward to ministers who, believe me, are genuinely a non-technical audience.”
The evolution of cyberattacks
NCSC began tracking public cyberattack attributions in 2017, which Fairford said pushed cybersecurity and the cyber threat from hostile states up the political and public agenda.
“What we did not see in 2018 were these big standout attacks we saw from 2017, like WannaCry and NotPetya, these massive global campaigns, in these cases by self-propagating worms,” she said. “Nonetheless, there were ransomware and data-wiping attacks that we saw in the UK and globally.”
Fairford noted that whereas previously the NCSC would look at the impact of attacks directly targeting the UK, many recent ones were the result of unintended consequences.
“They’re about adversaries attacking each other elsewhere and us being a kind of knock-on effect or a collateral target,” she said. “We had the widely reported Iranian attack using Shamoon malware against a Saudi petrochemical company, which happened to have headquarters in Glasgow so the UK business suffered the data-wiping attack. That was not part of the initial MO.”
Data breaches became higher profile in 2018, thanks in part to GDPR regulation, and more frequent, which Fairford said is to be expected in an increasingly connected world. There was also increased consciousness of data use and abuse, not least following the Cambridge Analytica scandal which used data from Facebook to support political campaigning.
“We saw a lot of data breaches reported in the context of GDPR; they had to be reported by ICO [the Information Commissioner’s Office], so it raised the profile,” said Fairford. “And we also saw the scope for abuse and misuse of data in general. Cambridge Analytica obviously involved the use of Facebook data, and we saw that Facebook also had data-sharing agreements with Russian and Chinese companies, as well as elsewhere. It was not just Cambridge Analytica; it was other states’ interests as well.”
Cyberattacks are becoming more sophisticated
Another significant theme NCSC noted over the past year was evolving techniques in financial attacks.
“We’ve seen North Korean banking attacks, particularly against Bangladesh Bank for $82m,” Fairford said. “Last year we saw the globally coordinated ATM cash-out phenomenon with the cash being taken from ATMs, where $2m was taken out in a really short period of time. These are really sophisticated, clever attacks that are well-coordinated on a global level and take it to a whole new level.”
One extraordinary global risk that surfaced in the past year or so has been the Chinese Government supplying IT hardware gifts with backdoors – embedded systems or hidden devices that secure remote access to passwords and data.
Fairford explained: “The African Union headquarters in Ethiopia received an IT gift from the Chinese Government. They found the servers were mysteriously exfiltrating data to Beijing overnight and they realised that that was a backdoor built-in. Subsequent research discovered that there are many, many more instances of IT being gifted from China to other states, particularly in Africa, which are undoubtedly being exploited to their maximum capacity as well.”
Cybercrime meets state sponsors
Finally, Fairford flagged up that the crossover of cybercrime with state-sponsored activity is another key issue that the NCSC is coming across.
“A lot of this North Korean activity we refer to as cybercrime because it’s against a bank, but it’s sponsored by states as well,” she said. “We see cybercriminals who move in and out of state-sponsored circles. They become part of the state apparatus and they might function there and move back in again; sometimes they are directly employed, and sometimes they’re not.”
The NCSC sees cybercriminal groups who fully understand what the state intelligence requirements are and will obtain relevant data; although not state-sponsored, it is very much carried out with the state’s requirements in mind, which Fairford said leads to a unique employment opportunity.
“We see states spotting really good cybercriminals and employing them because they’re great,” said Fairford. “There are loads of examples of where states and criminals are increasingly overlapping and organised crime groups become similar to advanced persistent threats [typically state actors].”