Heiko Löhr, Chief Cybercrime Director at the BKA, and Marc Wilczek, Managing Director at the IT security service provider Link11, analyzed the current threat situation in a digital panel discussion and identified the challenges in dealing with this extreme situation. Also taking part was Kai Widua, Chief Information Security Officer of Beiersdorf AG, representing a leading company that has proactively confronted the danger posed by so-called “Distributed Denial of Service” (DDoS for short) attacks.
The discussion was moderated by Thomas Kuhn, Tech Reporter for Innovation & Digitales at WirtschaftsWoche. You can find the recording of the webcast here, or the key points in the following summary.
DDoS extortion on the rise
Fancy Bear, Lazarus Group, Armada Collective – ransom DDoS extortionists are striking more and more often. The number of companies affected by these extortion-driven overload attacks has risen sharply in recent months. A form of attack that has existed for over 20 years is more present than ever. There are several reasons for this: companies feel the consequences of a successful attack immediately and come under pressure to act quickly as a result of IT outages. In addition, almost any company can be targeted, since companies expose more and more digital attack surface. The chance of being overlooked by DDoS criminals is minimal, reports Marc Wilczek from Link11 from day-to-day protection practice. The prospect of quickly earning cryptocurrency through ransom demands is too tempting. To make matters worse, cybercrime has become an industry of its own and is becoming ever more professional.
Blackmail campaigns are spreading around the world
Attacks carried out in the name of certain perpetrators such as the aforementioned Fancy Bear or Armada Collective often take place in waves and pick up on social, economic and political developments, according to Heiko Löhr from the BKA. The best example of this is the attacks on institutions and companies that play a role in coping with the coronavirus pandemic or benefit from it: these came from the healthcare, food, education, hosting and logistics sectors, among others. In this specific case, the extortion campaigns started in the USA and spread to Great Britain and Central Europe. Initially, the attacks were often widely scattered, without any check of the attacked companies' financial means. Over time, the attacks became just as targeted as the ransom demands.
Triple extortion and DDoS as a door opener – ever new attack scenarios
The perpetrators are just as flexible in the use and combination of attack techniques. A new phenomenon that the BKA has observed more frequently in recent months is so-called “triple extortion”. This is a threefold blackmail in which IT systems are paralyzed, infiltrated and encrypted (ransomware). It is initiated by low-volume DDoS attacks to reinforce the extortion. Once malicious code has been smuggled in, the next demand follows, this time for decrypting the data again. In addition, threats are made to publish the exfiltrated data.
In addition to extortion, attackers are increasingly using DDoS attacks to disguise follow-on attacks, reports Wilczek. The perpetrators often use web servers to gain access to corporate IT. To do this, they plant malicious code that is activated when the server is rebooted, e.g. after a DDoS attack, then enters the company network and is executed. The practice that has long been common in IT security of first shutting down the systems during an attack and restarting them afterwards is deliberately exploited by the attackers.
Prevention instead of reaction to cyber attacks
Given so much cybercriminal energy, corporate IT departments face major challenges. Kai Widua, CISO of Beiersdorf AG, knows this first-hand. DDoS extortionists also targeted the consumer goods company. Unsuccessfully! After earlier attacks such as NotPetya, the company reorganized its IT security and has since been working according to the assume-breach approach. Those who prepare for possible cyber attacks are not susceptible to blackmail. In practice, this means rehearsing response and recovery processes and enabling short decision-making paths. In addition, hosting providers / carriers and protection providers are involved preventively, as in the area of DDoS protection, and close contact is maintained with authorities such as the LKA in Hamburg.
In the experience of Heiko Löhr, good networking with the investigative authorities, as at Beiersdorf, is no longer an isolated case. Companies are increasingly approaching the police in order to involve them in their prevention and crisis management. The Central Contact Points for Cybercrime (ZAC), set up specifically for this purpose at the state level and at the BKA, should ideally be contacted proactively, before a cyber attack occurs.