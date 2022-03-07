Reference image. Photo: K_E_N

Cybercriminals and government-sponsored hacker groups have made critical infrastructure one of their preferred targets. Hacking the technological infrastructure that controls essential services offers strategic advantages to the parties in a political, territorial or armed conflict, or it can mean copious sums of bitcoin in the digital wallets of those who make a living from this kind of extortion (it can even be a combination of the two).

Ransomware is software that encrypts or locks the data on a computer system in order to demand a ransom for its recovery. But the extortion does not end there: in the course of taking control of someone else's systems, attackers can usually also extract large amounts of information (databases, financial or confidential records, intellectual property) that is later used to demand more money in exchange for not publishing the leaked material. Sometimes they simply sell the information on the black market.

From the current war between Russia and Ukraine and the tensions in the Middle East to smaller-scale criminal actions in Latin America, ransomware aimed at the critical infrastructure of a State can have the impact of a missile in a scenario of geopolitical conflict.

The dangerous mix of economic, political and military incentives for attacking internet-connected infrastructure and critical activities is a threat to people's lives, health, stability and security, and it must be taken seriously in order to mitigate the damage already done and the damage that will inevitably follow.

Hospitals, water treatment plants, oil pipelines, airlines, logistics companies, transport systems, providers of technology services and products, and state entities, to name a few, have been victims of cyberattacks that not only involve the theft of important information but also, more and more frequently, end with blocked or sabotaged systems, preventing them from providing their services and seriously disrupting the normal functioning of society.

Leaks of personal data that are later used in other crimes or contexts, and that can even cause harm leading to people's deaths, are another frequent consequence of these attacks.

Ransomware: a tactical ally for war and politics?

Governments have been known to use the same techniques as criminals to attack enemy countries and sabotage their critical activities in a conflict. In fact, it is often difficult to tell whether a ransomware attack is purely economically motivated or hides a political motive in the background.

The line separating military cyber commands, intelligence agencies, ransomware groups and hacktivist groups operating in the global geopolitical arena is becoming ever more blurred, and it is often difficult to attribute an attack to a country or group because, unlike remote missile strikes, in cyberspace it is possible to avoid leaving such clear traces, and it is easier to wash one's hands of an attack by blaming other actors.

Attacks on critical infrastructure are not the only action in cyber warfare, but they are perhaps among the most effective. When they hit hard, they affect the lives of the civilian population and could be considered acts of war.

Cyberwar: Russia and Ukraine

During the Russian invasion of Ukraine, in addition to the usual denial-of-service attacks on Ukrainian government websites, the company ESET detected malware, which it named HermeticWiper, on hundreds of computers. Its function is not to spy on or encrypt information but to destroy it outright, disabling the affected systems. Reports show that Ukrainian government and financial entities were affected. In January, Ukraine had already been hit by similar data-wiping malware.

For its part, the Ukrainian government has asked local hackers, through underground hacking forums, to join the country's cyber defense. International hacktivist groups such as Anonymous and the Belarusian Cyber-Partisans have answered the call and declared the critical infrastructure of Russia, and of its allies, the target of their attacks, having already hit the Russian news channel RT and the Belarusian rail system.

In this conflict, attacks on critical activities are not new. In 2017, a piece of ransomware called NotPetya spread especially in Ukraine, because it was distributed through the update mechanism of an accounting software package (M.E.Doc) popular in that country. Unlike the more recent wipers, it displayed a ransom demand, although in practice it was a wiper too: the encryption it performed could not be reversed even if the ransom was paid. Given the popularity of the accounting software and the fact that the malware propagated as a worm (spreading automatically from device to device), Ukrainian industry and government were heavily affected. Because it looked like an economically motivated attack, it was difficult to attribute, but given the circumstances it would not be surprising if it were an act of Russian sabotage; indeed, several Western governments later publicly attributed it to the Russian military.

In 2015, during a Russian military offensive, the Ukrainian power grid was attacked by the Sandworm group, which is linked to the Russian military intelligence agency GRU, leaving more than 200,000 people without power for hours. And we could go on for hours listing incidents related to this hybrid war being waged on the ground and in cyberspace.

For its part, US intelligence presented President Biden with a menu of cyberattack options that could be strategic in this war, including cutting communications, stopping and derailing trains, or cutting off power supplies. If the United States were to execute any of these attacks "officially", it would be a turning point and we would be witnessing the first open cyber war. Time will tell.

The new cyber conflict units in the world

Although Russia comes up whenever cyber warfare is discussed, it is obviously not the only important actor. There is an asymmetry in the information we consume in this part of the world that somewhat blinds us to the perspective of "non-Western" countries in general. If disinformation in the digital age has a nest, it is in cyber war operations.

Rarely is a cyberattack attributed directly to a government; instead, a group or APT (Advanced Persistent Threat) is identified that may be "allegedly" linked to a State or a state entity... or not.

For example, in October last year the Iranian fuel distribution system was attacked, allegedly by Israeli hackers, blocking gasoline pumps with a message that included the president's phone number and causing chaos due to fuel shortages. At the same time, several digital road billboards displayed the message "Khamenei, where is my gasoline?", an allusion to Iran's Supreme Leader, Ayatollah Ali Khamenei.

In 2010, Iran was the victim of one of the most sophisticated cyberattacks in history, when it was discovered that the Stuxnet worm had managed to destroy around a thousand uranium enrichment centrifuges at the Natanz plant. The worm, which infected more than 60,000 computers worldwide, only triggered its sabotage payload when it found the specific industrial control equipment used at the Iranian plant.

Similarly, Iran was accused of cyberattacks against Turkey's critical infrastructure in 2015, when it allegedly left 44 Turkish provinces without electricity for twelve hours, and in 2017 of a twelve-hour attack on the British parliament's email accounts, among others.

The clear political-military motivation of these attacks suggests that they are the result of geopolitical conflicts. However, attribution of these incidents is usually assigned to an APT or a group of hackers belonging to a known or suspected cyber unit of a State.

What happens in Latin America?

Unlike economically motivated ransomware, international APTs do not seem to have Latin America in their sights, for now. In fact, there are no known Latin American APTs linked to intelligence services or States, and the few groups that do exist apparently devote themselves only to fraud.

On the hacktivism side in the region, although there have been denial-of-service incidents and publications of confidential or private information during times of social tension, there are no recorded attacks on critical infrastructure for political purposes.

*K+LAB, Karisma Foundation.