On July 30, the European Council announced that for the first time it was imposing sanctions in response to cyberattacks. The punitive measures include forbidding entrance to EU territory and freezing of financial assets. In addition, EU citizens and organizations are forbidden from making funds available to those listed by the Council.
Those sanctioned include individuals and organizations from China, Russia, and North Korea. They include four Russian and two Chinese citizens, the Tianjin Huaying Haitai Science and Technology Development Company, Chosun Expo from North Korea, and the Russian Main Center for Special Technologies, a unit belonging to GRU, its foreign intelligence agency. So, what cyberattacks are they responsible for?
The EU has accused them of carrying out, or intending to carry out, malicious campaigns that have caused severe damage to the interests and organizations of member states. These include:
- An attempted cyberattack on the Organization for the Prohibition of Chemical weapons (OPCW). The Netherlands detected and prevented a cyberattack using a malicious spoof Wi-Fi network (i.e. a replica of the genuine Wi-Fi network to trick users into connecting) from outside OPWC offices. Russian intelligence agents were arrested.
- This, the largest ransomware cyberattack in the world, brought many EU organizations to a standstill, including major institutions with cybersecurity systems in place.
- One of the most infamous Living-Off-The-Land attacks and particularly dangerous as it can affect industrial control systems (ICS) and consequently jeopardize critical infrastructure. Although it bears similarity to a common ransomware attack, such as WannaCry, it actually damages systems directly, as illustrated by the incident at Boryspil airport.
- Operation Cloud Hopper: This was a targeted attack campaign against cloud service providers (CSPs) carried out by the Chinese group APT-10. Cyberattackers used phishing techniques to implant malware that collected credentials from IT staff with permissions and access to services.
If there is one feature that characterizes all the cyberattacks for which the EU has imposed sanctions, it is their level of sophistication. And, behind these attacks, apparently, there are groups linked to nation states, so in effect we are talking about the tactics of cyberwarfare.
The EU sees its decision to impose sanctions as a considered response in proportion to the damage caused. Yet, in order to make that decision, EU authorities have had to identify and investigate the threats to conclude that the alleged perpetrators -individuals and organizations- were indeed responsible. This requires that the time involved in detecting and remediating the incidents is as short as possible, in order that the best possible decision can be made. However, this is a constant problem for organizations, as the time period involved tends to be excessively long.
In order to meet this challenge, Cytomic Orion accelerates response times and the search for advanced threats (including Living-Off-The-Land and fileless malware) based on behavioral analytics in the cloud. Tools such as the threat hunting library and Jupyter notebooks enable an effective search for threats and a much faster investigation on endpoints.
This means it can support countries and organizations in their switch to a more proactive security approach and reduce their investigation and response effort, to ensure they will be more prepared in the face of future advanced cyberattacks attributed to other global powers.