Revenge and inflation are key drivers behind an 800 percent increase in cyberattacks seen by a managed services provider since the days before the onset of Russia’s invasion of Ukraine last month, according to the company’s top executive.
The attacks are coming not only from groups inside of Russia but also from within the region as well from Russia allies like North Korea and Iran, historically sources of global cyber-threats, Emil Sayegh, president and CEO of Ntirety, an MSP that focuses on security, told The Register.
The US-headquartered biz, which was formed in 2019 after the merger of web hosting companies Hostway and Hosting.com, serves about 2,400 companies around the world, most of them small businesses and midsize enterprises and most in North America. Sayegh said Ntirety has seen the spike in cyberattacks throughout its customer base.
Sayegh attributes the sharp rise to pro-Russian cybercriminal groups linked to nation states lashing out at countries – first Ukraine and then Western countries – angry at the sanctions being leveled against Russia. At the same time, the sharp inflation that is spreading around the world is also hitting hackers, who need to make money to keep up with rising costs.
“It’s retaliation,” he said. “We know that [ransomware groups] Conti and REvil are associated with [Russian] intelligence agencies, so it is retaliation for Western countries backing Ukraine. However, the second piece this is … that even cybercriminals suffer from inflation pressures, so they have to make money. At the end of the day, this is their job. Just like you and I show up every day and do our jobs, this is their job and that’s essentially what’s going on there.”
The sanctions are putting more pressure not only on them, but threat actors throughout the region.
“That’s not now restricted just to Russia, where there’s impact of the sanctions, but they’re also impacting other countries that source their food from the Ukraine and Russia and source materials from Ukraine and Russia,” Sayegh said. “There’s incredible hyper-inflation, so we’re starting to see threats coming from there as a money-making scheme and as an extension of REvil- and Conti-type activities in those countries.”
The CEO has seen the evolution of cybercrime over more than a decade, in both the hosting space – he also was CEO of Codero Hosting – as well as the cloud, with both Hewlett Packard Enterprise and before that, with Rackspace, where he led the cloud business and began to understand the depths of the dark web at a time when the threat primarily came from hacker in their basements.
“They were not organized criminals and you would see them and there was maybe a network of individuals, but it was more into illicit, nefarious activities, some things like child porn or potentially online gambling,” he said. “I’ve been talking about this for 15 years, literally since 2006. … Most people that in my social circles and even my professional circles don’t understand how dark that that layer of hackers is and what they do.”
Now most threats are coming from highly sophisticated criminal groups, some associated with nation-states and their intelligence agencies. With Russia’s attack raging in Ukraine, many group are taking sides. That trend spilled out into the open when an anonymous source – thought by some to be a Ukrainian member of Conti angered over the group’s support of Russia – leaked a trove of information about the group that included everything from messages and chats to organizational data, all of which have been pored over and analyzed by threat intelligence groups.
Groups choosing sides also has fueled the revenge angle of some of the recent attacks that mostly have been aimed at Ukraine but have started spill over to other countries, Sayegh said. The threat actors are using a broad array of attack avenues, including phishing, man-in-the-middle and distributed denial-of-service (DDoS) and at times are using them in combinations.
The big money-making scheme is ransomware and some groups are putting a nasty twist on it. Typically, if a business pays a ransom, they are able to get their data returned unencrypted. For the bad actors, making good on their promises so means that their chances of getting paid for other attacks grow – they gain a reputation for making the ransom worth the cost – and they also can return to these victims with future attacks, given that they’ve paid before.
However, what Sayegh is seeing is that in some cases, the attackers are erasing all the data before returning the empty files. Most of these incidents have occurred against financial institutions in Ukraine, but they probably won’t stay there.
“Right now, there’s a revenge thing,” he said. “There’s a ‘we’re going to stick it to them’ thing. That is what we all need to be worried about, because it’s like vandals. If they want to steal, that’s fine, but why do you want to cut up my wedding pictures and my kids’ baptism pictures? That’s what’s going on right now. There’s a revenge that’s personal. These people actually feel cornered.”
It’s also why it’s important for companies around the world to have a disaster recovery plan in place, the CEO said. The threat to them is that they could lose the money paying the ransom because their data is never recovered.
The threat actors also are coming after companies of all sizes and not only larger ones that have the means to pay high ransom demands or the critical infrastructure organizations that represent a way to attack the United States and other countries. SMBs represent easy prey for cybercriminals in need of fast money.
“It’s SaaS [software-as-a-service] companies that sell software to the healthcare industry, it is consumer goods like silverware and cookware,” he said. “You wouldn’t think that these types of companies are a target, but they are the soft underbelly of our economy. They’re going after them for whatever they can get – a half a million, a million, even a few thousand dollars. Then they go to the next one because they’re easy targets.”
There is some good news, Sayegh said, pointing to the extradition this week of a member of the Conti group from Poland to the United States. Like the leak of the Conti information, that could help investigators learn more about how the organization is built and operates. That said, he expects Conti and other groups adapt and change.
In addition, attacks are going to get more pointed and more expensive, putting pressure on companies to understand where they’re vulnerable, to protect their infrastructures and create a disaster recovery plan.
People also have to understand that what they’re seeing in the Russian invasion of Ukraine is what they’ll see in all conflicts going forward.
“This is a hybrid global war,” Sayegh said. “You have multiple countries that are being involved on the cyber-front. Perhaps not on the kinetic physical fronts, but they’re involved in the cyber war. … It’s just a very complicated geopolitical landscape from a from a kinetic standpoint [and] from a physical standpoint. But the global cyber war is already raging.” ®