New ransomware and cyberattacks are among the top worries for executives globally, according to research firm Gartner. “Implementing good security does cost, but in today’s landscape, you have to have it,” Norwegian publisher Amedia’s director of security, Stein Damman, told a webinar organized by the International News Media Association (INMA).
Damman had just been appointed head of security when his company was attacked by cyber crooks. His experience from being attacked: “It takes time for it to sink in. The consequences are unclear, and you’re not sure if it is ongoing. You’re completely in the dark.”
Cybersecurity experts from European media companies participated in the webinar organized by INMA and shared their experiences of cyberattacks on media.
INMA reports there were 18 major cyber-attacks on media companies in 2021 alone.
INMA moderator Mark Challinor stressed that cyberattacks can be conducted for a variety of reasons, including being a way to extort money in exchange for missing data. That was the case with Norway’s Amedia, which received notification on December 28, 2021, that its network had been breached and all its data was encrypted.
The attackers in Amedia’s case used a RaaS model (Ransomware-as-a-service), which allows cyber attackers to purchase a package of customised tools to carry out their mission. It operates on the dark Web and bears a striking similarity to less nefarious online transactions:
“It leaves a customised letter and if the victim follows the instructions, they’ll be directed to that same customer care centre to get in touch with the attacker,” Damman told the INMA webinar. “If they agree to pay, they’re given a key to get their data back.”
Typically, Damman said, those payments are split 80/20 between the attacker and the provider, respectively.
The EU Agency for Cybersecurity (ENISA) says that hackers-for-hire are a rising trend among threat actors, together with state-sponsored actors, cybercrime actors and hacktivists.
The rise of hacker-for-hire services refers to actors within the “Access-as-a-Service” (AaaS) market, which is mostly comprised of firms that offer offensive cyber capabilities. Their clients are usually governments but also corporations and individuals, according to ENISA.
“These hacker-for-hire threat actors complicate the threat landscape. Their targeting cannot be predicted as it depends on the tasks their clients order; there is no focus on specific sectors and thus any sector has the potential to be targeted. These threat actors act as proxies and it is very difficult for defenders to identify their sponsors as well as their objectives,” ENISA says in a report.
According to ENISA, supply-chain attacks rank highly among prime threats because of their significant potential to induce catastrophic cascading effects. The risk is such that the agency recently published a dedicated threat landscape report for this specific category of threat.
Amedia already had a policy in place and did not pay, because “paying criminals is supporting extortion.”
Amedia had a backup system that allowed it to recover the data, and the company was able to continue publishing digital editions. Only the print edition was affected, and Amedia coordinated with another publishing company to print its newspapers until it resumed operations.
Damman said that one of the key elements of surviving a cyber attack is communication: with the police, with employees, with customers, and with the public. Since there was a chance that customer information was compromised, the GDPR required Amedia to send letters to each employee and customer informing them of the situation.
Damman’s advice: create a contingency plan and be prepared to reach out for help.
Jose Galvao, IT director for Portugal’s Impresa, said his company also was victimised by cyber attackers. But in this case, the attackers were well-known. On January 2, 2022, Impresa and a number of other companies were attacked by Lapsus$ Group, which is notorious for attacking larger companies.
“Lapsus$ Group attacks big companies, and their modus operandi is really well known,” Galvao explained. “They try to explore known vulnerabilities. And sometimes they explore new techniques, including recruiting people inside companies to help them.”
Impresa detected the attack because the Web site was defaced. What was unusual in its case is that the company didn’t lose any relevant data, nobody asked for ransom, and there has been no evidence of data exfiltration.
“We really don’t know their motivation,” Galvao said. “They made a massive destruction of our infrastructure and we were not prepared for that.”
Companies should identify tech vulnerabilities to prevent attacks and should be prepared to react, respond, and recover data if it happens, Galvao said: “People ask us to be agile; it’s important to be agile and implement quickly, but we should be aware that we should not do shortcuts. We should always be aware and consider the risks in our implementation.”
Andreas Schneider, group chief information security officer at TX Group, which includes Switzerland-based Tamedia, wrapped up the webinar. Its free media platform 20minuten.ch has suffered a malware attack. All visitors to the site were infected with malware.
“It takes years to build up a real good security stack,” Schneider said. “But there are elements you can use to improve security.”
TX Group uses resilience elements to keep its companies healthy.
Some of the measures TX Group took included:
- Moving from Microsoft to Google’s G Suite.
- Moving to the cloud.
- Creating a security strategy.
- Implementing Endpoint Detection and Response (EDR) security.
- Implementing BeyondCorp.