The Times Magazine - UK (2021-02-27)


It wasn’t just the US that Beijing’s hackers targeted but institutions in Vietnam, Mongolia, Taiwan and the Philippines, in attempts to get a hold on its own pandemic.

The World Health Organisation reported a 500 per cent increase in cyberattacks by April. The attacks came from all over the globe, including China but also Iran, where hackers were caught trying to break into the personal accounts of WHO staffers.

In North Korea, the country’s most well-known hacking unit was caught primarily targeting cryptocurrency exchanges to generate badly needed cash, and aimed its attacks at six countries – the UK, Singapore, the US, Japan, South Korea, India – that had announced financial support for businesses reeling from coronavirus restrictions.

But the virus also saw the emergence of state hackers that rarely make headlines. In Pakistan, a group of state-sponsored hackers used the pandemic to break into India’s defence agencies and embassies. In India, a patchwork of state-backed hackers were caught using Covid-themed phishing emails to target Chinese organisations in Wuhan. That attack, and a perilous military standoff between the Indian army and Chinese soldiers on their border, triggered a swarm of unprecedented hacking attempts by Chinese hackers on India’s IT and banking infrastructure. Over a period of just five days, Indian police said that Chinese operatives attempted more than 40,300 cyberattacks.

In Syria, hackers affiliated with the Syrian Electronic Army used Covid-19 themed emails and texts to entice victims in the Middle East to download mobile spyware. And in Nigeria, scammers used the pandemic to target unemployment insurance programmes in a massive fraud scheme that made off with as much as $100 million from six US states.

But the damage from those attacks pales in comparison to the incalculable damage from Russian hacks, only recently discovered in the United States and France, on software supply chains.

The US is now unwinding a breach of some of its most critical government agencies, only detected after FireEye, a cybersecurity company, discovered that it was hacked last December. Only in dissecting its own attack did FireEye learn that the hackers – suspected members of Russia’s intelligence – came in through SolarWinds, a huge American software company, and had made their way into 18,000 SolarWinds clients, including the NHS and more than 400 of America’s largest corporations and electricity companies. But it appears the primary target of that attack was nine US government agencies, American officials announced ten days ago, and that technology companies such as SolarWinds and Microsoft and security companies like FireEye and Malwarebytes were also targeted as conduits for further attacks. The goal, it appears, was espionage, in an attack that compromised America’s Department of Energy, including its nuclear labs, the Treasury, Commerce, State and Justice departments, as well as parts of the Pentagon and the Department of Homeland Security, the very agency charged with keeping Americans safe.

This month, we learnt the US was not alone. Russian hackers targeted the French software firm Centreon, also in a supply chain attack, to compromise its clients including Airbus, Air France, Thales, ArcelorMittal, the world’s leading steel and mining conglomerate, Orange, the telecom giant, and Électricité de France, the world’s biggest maker of nuclear energy. That attack is believed to have started as far back as 2017 and is eerily similar to the attack on SolarWinds, but different in one disturbing way.

Russia’s SVR intelligence agency is the leading suspect in the attack on SolarWinds. That group, which was previously responsible for an attack on the White House and the US State Department, is known as a quiet prowler, and its attacks are designed primarily for espionage.

The same is not true for the Russian actor behind the attack on Centreon. That incursion, officials say, was the work of a disparate group of Russian hackers known as Sandworm, which operates on behalf of Russia’s military intelligence unit, the GRU. Sandworm is known for its destructive attacks, particularly in Ukraine, where it cut off power to Ukrainians in the dead of winter, first in 2015 and again a year later in Kiev. Then in 2017 came the NotPetya attack that decimated data at Ukraine’s government agencies and railways, and made it impossible for Ukrainians to take cash out of ATMs and pay for petrol at the pump. That attack also boomeranged out of Ukraine, hitting any business that had so much as a single employee in the country. It wiped data at the pharmaceutical companies Merck and Pfizer, FedEx, the shipping giant, Maersk, the world’s largest shipping company, and, most chilling of all, took out the radiation monitors at the old Chernobyl nuclear site.

Officials believe and hope the attacks related to SolarWinds and Centreon were designed for espionage, not destruction, but they are not ruling it out. The same accesses Russia already has could, with a few clicks, be used to wipe or manipulate data, or turn off the lights. Its hackers can and have used those same access points for devastation.

It could be months, years even, before officials and private investigators can confidently say they have identified every last victim, discovered every last Russian back door. In the meantime they have to assume every network, every communication channel they use is untrustworthy.

Working our way back from the brink will entail difficult choices. It will be costly. In the US, President Biden recently squeezed $10 billion in new cybersecurity funding into his proposed Covid-19 recovery bill. In the UK last year, the government allotted dedicated funding to boost cybersecurity training and resources to sectors under particular duress, such as healthcare.

But those funds will only work if they are deployed efficiently, if governments can recruit individuals with the skills necessary to take stock of our digital inventory, our software supply chains, our electrical grids, our hospitals; if businesses adopt security by design instead of rolling out vulnerable software and malicious updates to cars, aeroplanes, nuclear reactors, the grid; if individuals recognise their own role in our collective cyber predicament and deploy better password management, switch on multifactor authentication, run their software updates, and stop clicking on links and attachments that give hackers entry to everything they touch with a mouse; if our schools and companies adopt a culture of security awareness and training; and if we trade some of the conveniences we now take for granted for better security.

As I write these final words, I am still sheltering. The cyberattacks have become so prolific that, from my quarantined perch, I have lost track. I am watching the world ask the same questions – Why weren’t we better prepared? Why didn’t we have enough testing? Better warning systems? A recovery plan? Why did we leave ourselves so vulnerable? – knowing full well that these same questions apply to cyber too.

I am crossing my fingers that the next big cyberattack waits until this pandemic has passed, and when it does hit we will be better prepared. But finger crossing has never taken us very far. It is time to act.

Nicole Perlroth covers cybersecurity and digital espionage for The New York Times. Her latest book, This Is How They Tell Me The World Ends (Bloomsbury, £14.99), is out now.
