A new form of hybrid warfare in this hot summer is gaining momentum, that of cyberattacks. In Italy, after the serious accident that hit the Lazio Region a few weeks ago, it is whispered among professionals that the list of companies targeted by ransomware and other forms of cyber extortion is increasing in our country.
We ask Pierguido Iezzi, CEO of Swascan (Tinexta Group), an innovative Italian cyber security company engaged in researching the systemic vulnerabilities of large and medium-sized companies, if this is true: “I have the impression – says Iezzi – that a war between gangs is underway seeking to increase profits and occupy market share. And this is what is causing an increase in attacks. In fact, in the last few months, Swascan has received more and more requests from its customers for assistance with ransomware attacks. This phenomenon is due to the proliferation of the Ransomware as a Service mode, which applies a pyramid and franchising marketing concept to the criminal hacking market. By distributing knowledge and technology and multiplying the actors, barriers to entry decrease, criminals increase, the market and the earnings of all participants in this illegal economy. Therefore, unfortunately, the companies attacked and the victims are also growing exponentially “.
The recent report by Varonis, an American cyber security software company listed on the Nasdaq in NY, seems to confirm what Iezzi says. In fact, it helps to give a dimension to the phenomenon, highlighting that ransomware attacks increased by 600% after Covid 19 and due to smart working. In 2021 to date there has been a ransomware attack every 11 seconds in the world. We have gone from 7.5 billion dollars in damages in 2019, to a projection of over 20 billion estimated for the current year. The average cost of recovery from an attack is $ 1.85 million. We are therefore talking about an enormous impact on the real economy, especially if we consider that companies that suffer this type of accident are forced to stop their activities for an average of 15 days, with a loss of 8500 hours of work.
The Italian Swascan underlines this worrying trend as only in the period between 2 July and 2 August, it detected, through the Malware Threat Intelligence service, over 90 thousand types of malware, 2194 of new conception or never seen before. This is a rather illustrative barometer of how cybercrime is becoming a major threat when it comes to digital security.
It is a phenomenon destined to grow over the years
. If yes, why
And what are the characteristics of this market ? Raoul Chiesa
answers us, dean of Italian ethical hackers (when he was known as Nobody), and co-founder of Swascan, says: “I observe with growing concern what is happening. Analyzing the historical periods, cyber crime has rarely been as aggressive as in recent months. What I see and what we are analyzing in detail with our SOC is a competition, a real competition between different cyber crime gangs to be the number one.
A few years ago I had already mentioned the behavioral aspects and the radical changes in the business model of cyber crime: unfortunately we got there, and success. More and more “as a service”, more and more through the concept of “criminal partnership”. ” Talking about the accident that hit Accenture in these hours, Chiesa continues: “But what scares me most is the somewhat brazen offer of the LockBit 2.0 gang aimed at recruiting” insider “employees of companies, who would then receive a conspicuous part of the gain. We are talking about millions of euros, not about bruscolini ”.
Looking at the numbers and listening to the opinions of the experts, it seems to be facing a phenomenon that is wider than a simple criminal market. It is an emergency that involves the human factor, but also the dynamics of a real criminal ecosystem determined by the fact that the victims pay the ransoms, if not a real phenomenon of terrorism as stated by the president of the Lazio Region Nicola Gypsies. To the fundamental question whether it is simple operations of criminal economy or new forms of espionage and attack, economic and political, we are answered by an intelligence community manager: “Both, a mix that combines profit … with ‘pleasure’, and however a new form of asymmetrical warfare. In this moment, very valuable information can be found in companies and consulting firms “.
Iezzi returns to what Graham Green defined the human factor: “The human factor is a fundamental element for the correct management of the corporate cyber security framework. “Social engineering” has always attacked this potentially weak element through deception, inducing the error that is the most frequent cause of computer incidents. It is no coincidence that in the ransomware attack that involved the Lazio Region, the entry point was the credentials of an employee stolen through a botnet. Here is that the case of the Accenture data breach, unleashed by the Lockbit gang, the architect of the attack, brings to the fore, in a sensational way, the insider as an element of threat of the digital perimeter, motivated both by gain and by mistrust towards the company and perhaps in the future for political reasons. The gang claims to have gained access to Accenture’s network through this very dynamic. ” It will be interesting to understand the actual damage Accenture suffered, the nature of the ransom, if any, and what documents were exfiltrated.
The company explained to Formiche.net: “While carrying out our security protocols, we identified irregular activity in one of our environments. The incident was promptly contained and the affected servers immediately isolated and fully restored our affected systems from the backup. There has been no impact on Accenture’s operations and our customers’ systems. ”
Instead we ask Professor Marco Lombardi, Full Professor and Director of the Department of Sociology of the Catholic University, Director of ITSTIME, whether attacking health facilities, blocking their functionality, can be considered a terrorist act: “Even a cyber attack and a terrorist attack according to a definition of terrorism that it is based on the evaluation of the effects and not of the motivations. First of all, the cyber, that is the digital world, is the new ecosystem in which the coexistence of real and virtual constitutes the specificity. Too many experts are anchored to the virtual – real dichotomy, which is now superseded by the synthesis of the “digital”, that new world meant by digital natives, in which there is no longer an alternation between virtual and real, merged in a space-time continuum that provides both identity, both relationship and operation.
It therefore arises spontaneously to ask Lombardi whether traditional Islamic terrorist organizations (Al Qaeda, Isis, Hamas) will be able to turn to these forms of attacks to finance themselves or to hit their enemies: “The presupposition – according to Lombardi – is that of terrorism as opportunist organization: unlike a formal organization, terrorism is not linked to a source of financing but uses what is functional to the objective, in this case to finance itself. Any religious and ideological impediments are also overcome through simple tricks: for example, if it is not advisable to trade in drugs, security is sold to those who trade in drugs.
In this sense, the cyber is now the most attentive environment (ecosystem) both in terms of communication and in strategic terms and in economic terms and, therefore, it is an ecosystem on which to intervene to take advantage of it. Therefore, either terrorism can continue its path of specialization to directly manage the opportunities with its own specialized groups or it can work in franchising (as already done in other areas) to share economic successes, perhaps indirect because results consequent to effectiveness. of the threat, with those who have the skills to quickly and effectively operate in cyberwarfare. Both situations must therefore be monitored: on the one hand, an increase in the recruitment of experts in cyberwarfare is expected to pursue an autonomous way of fighting, on the other, a partnership path with already operational specialized groups. The two paths are not exclusive: we are at the beginning of a new conflictual scenario in which the various actors are mutually taking measures ”.
When asked if ransoms should be paid, which seem to be a factor in the growth of the phenomenon, Lombardi replies: “There is no doubt: a ransom is always paid when the citizen of a country is threatened. This is also true in cyberwarfare, depending on the value of the threatened subject which, if he is not a citizen in his physical form, is information that defines a citizen or an institution in his digital identity. Any justification of principle with respect to the renunciation of the “payment of the protection money” and an ideological prudery that has nothing to do with the conflictual relationship with the enemy. Of course, the payment of the ransom never exhausts the relationship: strategically, the quick payment of a ransom must always correspond to the activation of an operation whose objective is the undoubted biological elimination of criminals. I see no alternative or better ways to this type of answer: simple, quick, effective “.
In closing, the geopolitical implications of a real asymmetric war in the digital world of this emergency are not overlooked: “It is evident – says Giuliano Tavaroli, expert in innovation and digital risks and partner of Intelligence Week – that these gangs operate through safe havens in Russia , China, North Korea, Iran, countries active in the arena of digital warfare and difficult to reach under international law. The dynamics of these groups seem to follow that of the nineteenth-century pirates, private contractors ante litteram, who acted on behalf of the empires, through racing licenses, which authorized them to attack enemy commercial transports by plundering them.
The recent story of REvil seems to confirm this hypothesis, that is a prolific criminal group among the most active in attacking targets in the United States, among the latest the American IT company Cattleya, which disappears from the network after the phone call between Biden and Putin, in during which US President Biden asked for a commitment from his Russian counterpart to limit attacks on the United States. Professor Lombardi raises an interesting topic, that of the right not only to defend oneself but to be able to reply to the attackers by hitting them in turn. A US senator had put forward a legislative proposal to that effect ”.
Certainly in the coming months not only the various democracies will run for cover with investments and inforcements in this direction, as in the case of Italy, but it will be interesting what kind of reaction and response to this asymmetric war NATO can devise. The solutions on the horizon for Italy have been widely talked about (and acted upon) in recent days: the national security perimeter, the new cyber security agency (ACN) and the over 200 billion of the PNRR dedicated to promoting the digitization of Village. Tools that represent an opportunity not to be missed and a great challenge for the relaunch of Italy.
“In a particular context like this – says Iezzi – we need to invest in prevention which costs less than managing an accident and restoring it, also in terms of reputation, which we have seen on average cost around 2 million dollars per accident. Prevention means implementing predictive security measures and placing the accent on the theme of Threat Intelligence, in order to know one’s exposure to cyber risk, the potential damage and how to efficiently allocate resources. Cyber crime – concludes Pierguido Iezzi – is a war of knowledge that is won with information “.
