Cyber Attacks

As companies, operations, daily life and society itself have been digitized, crime has followed. There are many reasons for this, including the reduced risk of prosecution: the criminal can literally be on the other side of the globe and be very difficult to trace, let alone prosecute. Automation is another: a digital crime can be scripted and repeated, which makes the operation far more efficient.
At its core, digital crime is about theft, fraud, or extortion. Today this primarily manifests itself as ransomware, DDoS attacks, and Business Email Compromise. We do not know what it will look like tomorrow, but we can be fairly certain that it will continue to serve these same purposes, even if the technology and methods differ from today's. For example, there are indications that some ransomware attacks no longer encrypt the information at all: the attacker first takes a copy, then deletes the original, and then offers to sell the victim a "backup".
Almost all of these crimes are preceded by an intrusion into the IT environment: before the criminals can carry out the crime itself, they must first break in. The intrusion is of course a crime in its own right, but for most groups it is only a step along the way. There are, however, criminals who have made intrusion their business. They break in, secure persistent access with backdoors and other techniques, and then sell that access, often at auction, to other criminals who use it to carry out their own operations. Such groups are commonly called initial access brokers.
Today, we can only speculate about the methods criminals will use in the future, but we can be sure that they will be about theft, fraud, or extortion.
So what are the typical methods used today?
Extortion:
Ransomware
This is undoubtedly the most talked-about form of cybercrime today. The criminal makes the company's information inaccessible by encrypting it and then offers to sell the victim the decryption key needed to make it accessible again. To make sure that all information is affected, the criminal usually first obtains the highest possible privileges in the IT environment. The backups are then destroyed, deleted, or encrypted. Only when the criminal is confident that the victim cannot restore its information without buying the key is the encryption of the environment and all its information carried out.
Since the pandemic years it has become common for the criminal to steal information from the company before the encryption is carried out, in order to apply additional pressure with the threat of publishing everything that was stolen. The criminal argues that publication would damage the company's brand and also create problems with legal frameworks and regulatory authorities. It is common for the criminal to refer to the EU data protection regulation (GDPR) and its fines for, for example, negligence in protecting personal data, which can reach 4% of global annual turnover (or EUR 20 million, whichever is higher). The pitch is that instead of risking that fine, the victim can pay the criminal a significantly lower amount and no one will know what happened. The pitch is misleading: under GDPR the theft is itself a personal data breach that must be reported to the supervisory authority regardless of whether a ransom is paid, and paying buys only the criminal's word that the data will not be used again.
Ransomware has developed to the point that many criminal groups offer it as a service (Ransomware-as-a-Service). It is used like any other cloud service, but for a thoroughly illegal, immoral, and unethical purpose. Either the affiliate pays for the service with cryptocurrency or a credit card, or hands over a percentage of the ransoms collected for the decryption keys.
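The step where backups and recovery points are destroyed is the most detectable part of the sequence above, because it runs well-known commands before any file is encrypted. The following is an added example, not code from the original page: a small detector that scans process-creation log lines for those commands. The log format, hostnames and log lines are constructed for the example; the command-line signatures (`vssadmin delete shadows`, `wmic shadowcopy delete`, `wbadmin delete catalog`, `bcdedit ... recoveryenabled No`) are the real Windows commands that ransomware operators use to inhibit recovery.

```python
"""Added example: spot the backup-destruction step that precedes ransomware encryption.

Scans constructed process-creation log lines for the commands ransomware
operators typically run to remove Volume Shadow Copies and Windows backup
catalogues before encrypting (MITRE ATT&CK T1490, Inhibit System Recovery).
"""
import re

# Command-line signatures for recovery-inhibition techniques. Listing a shadow
# copy ("vssadmin list shadows") is benign and must not match.
BACKUP_DESTRUCTION_PATTERNS = [
    ("vssadmin delete shadows", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("wmic shadowcopy delete", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("wbadmin delete catalog", re.compile(r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I)),
    ("bcdedit disable recovery", re.compile(
        r"\bbcdedit(\.exe)?\s+.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
]

# Assumed log format (constructed for this example, not a real product's schema):
#   <iso-timestamp> host=<name> user=<domain\user> cmd="<command line>"
LOG_RE = re.compile(r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd="(?P<cmd>.*)"$')


def parse_line(line):
    """Return a dict of fields, or None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(cmd):
    """Return the matched technique name, or None if the command is not a known precursor."""
    for name, pattern in BACKUP_DESTRUCTION_PATTERNS:
        if pattern.search(cmd):
            return name
    return None


def detect(lines):
    """Return one alert per matching line.

    Severity is raised to "high" once a single host has shown two or more
    distinct recovery-inhibition techniques: one command may be an admin
    cleaning up disk space, several in a row is the ransomware playbook.
    """
    alerts = []
    techniques_per_host = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        technique = classify(rec["cmd"])
        if technique is None:
            continue
        seen = techniques_per_host.setdefault(rec["host"], set())
        seen.add(technique)
        alerts.append({
            "ts": rec["ts"], "host": rec["host"], "user": rec["user"],
            "technique": technique,
            "severity": "high" if len(seen) >= 2 else "medium",
        })
    return alerts


# Constructed sample log: FS01 runs the full pre-encryption sequence, the other
# hosts run benign commands that merely look similar.
SAMPLE_LOG = [
    r'2024-05-01T02:13:44Z host=FS01 user=CORP\svc_backup cmd="vssadmin.exe delete shadows /all /quiet"',
    r'2024-05-01T02:13:47Z host=WS07 user=CORP\alice cmd="vssadmin list shadows"',
    r'2024-05-01T02:13:51Z host=FS01 user=CORP\svc_backup cmd="wbadmin delete catalog -quiet"',
    r'2024-05-01T02:13:55Z host=DC01 user=CORP\bob cmd="wmic process list brief"',
    r'2024-05-01T02:14:02Z host=FS01 user=CORP\svc_backup cmd="bcdedit /set {default} recoveryenabled No"',
    r'this line is not in the expected format',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample, FS01 produces three alerts, the first at medium and the rest at high severity, while the benign `vssadmin list shadows` on WS07 is ignored. In practice the useful response is not the alert itself but what it triggers: isolating the host before the encryption step starts, since the detection fires on the precursor rather than on the damage.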
DDoS
Distributed Denial of Service (DDoS) attacks are used to make Internet-facing systems unavailable: websites, e-commerce sites, integration platforms, the back ends of mobile apps, and the like. Simply put, the systems are overloaded with enormous amounts of traffic, or with malformed or deliberately expensive requests that exhaust the application's resources. It is a bit like shouting into a megaphone while someone is trying to hold a conversation: the recipient cannot make out a single sentence. In the extortion variant, the attack continues until the criminal is paid to stop overloading the victim's systems.
This type of attack, just like ransomware, is today well developed and offered as a service by criminals. All that is needed is cryptocurrency or a credit card, and anyone can buy an attack against any target at relatively low cost. Depending on how much you pay you get different capacity, the ability to attack several victims at once, and supporting services such as technical support.
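The overload described above shows up in the web server's own access log long before the monitoring dashboard turns red. The following is an added example, not code from the original page: a sliding-window detector over Common Log Format lines that flags both a single abusive source and, separately, a total request rate that no single source explains, which is what "distributed" means in practice. The log lines, IP addresses and thresholds are constructed for the example; a real deployment derives the thresholds from its own traffic baseline.

```python
"""Added example: detect a request flood in web-server access logs with a sliding window.

The thresholds below are assumptions for the constructed sample; a real
deployment sets them from the site's own traffic baseline.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format prefix: client ident user [timestamp] "request" status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "req": m["req"], "status": int(m["status"])}


def detect_floods(lines, window=timedelta(seconds=10), per_ip_limit=50, global_limit=200):
    """Return the first moment each source exceeded per_ip_limit requests within
    `window`, and the first moment total traffic exceeded global_limit.

    The per-source limit catches a single noisy client; the global limit is
    what catches a distributed attack, where no single source looks abusive.
    """
    records = [r for r in map(parse_line, lines) if r is not None]
    records.sort(key=lambda r: r["ts"])      # logs merged from several servers may interleave
    per_ip_window = defaultdict(deque)
    global_window = deque()
    flagged_ips = {}
    global_flagged_at = None
    for r in records:
        cutoff = r["ts"] - window
        for dq in (per_ip_window[r["ip"]], global_window):
            dq.append(r["ts"])
            while dq[0] < cutoff:                # drop timestamps that fell out of the window
                dq.popleft()
        if r["ip"] not in flagged_ips and len(per_ip_window[r["ip"]]) > per_ip_limit:
            flagged_ips[r["ip"]] = r["ts"]
        if global_flagged_at is None and len(global_window) > global_limit:
            global_flagged_at = r["ts"]
    return {"per_ip": flagged_ips, "global_flood_at": global_flagged_at}


def _clf_line(ip, ts, request):
    """Format one constructed access-log line."""
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "{request} HTTP/1.1" 200 512'


def build_sample_log():
    """Constructed sample: four normal clients, then one source sending 60 requests per second."""
    base = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(40):          # seconds 0..39: one request per second, round-robin over four clients
        lines.append(_clf_line(f"203.0.113.{i % 4 + 1}", base + timedelta(seconds=i), "GET /index.html"))
    for i in range(300):         # seconds 45..49: 300 requests from a single source
        lines.append(_clf_line("198.51.100.7", base + timedelta(seconds=45 + i // 60),
                               "GET /search?q=" + "a" * 40))
    return lines


if __name__ == "__main__":
    print(detect_floods(build_sample_log()))
```

On the sample the flooding source is flagged within its first second, and the global threshold trips three seconds later once the ten-second window holds more than 200 requests. Note that a volumetric attack that saturates the uplink never reaches the web server, so a log-based check like this only covers application-layer floods; the network-layer case needs the upstream provider's telemetry.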
Fraud:
Business Email Compromise
Business Email Compromise (BEC) is an attack where the criminal takes control of an email account in an organization. By volume it is one of the most common forms of attack today, and by reported losses one of the most costly. The goal varies, but it is usually about stealing information from the company or redirecting financial transactions. It is typical of this attack that the criminal does nothing detectable until it is too late, which means the break-in can go on for a very long time before any harm actually occurs.
Theft:
Cryptocurrency mining (cryptojacking)
Mining cryptocurrency has long been a side business for many criminals: they use the victim's IT environment to mine while otherwise attacking the company. There are, however, several cases where mining is the primary goal of the attack.
This often affects small and medium-sized companies that have outsourced their IT operations to an IT provider.
The IT provider's administrative accounts are taken over by criminals, who then use them to attack the provider's customers' IT environments. Powerful instances are started in cloud services to mine cryptocurrency. This is usually discovered at the end of the month when the invoice from the cloud provider arrives, often for millions of kronor.
So what is stolen in this context is computing power, which the criminals use to mine cryptocurrency.
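Waiting for the invoice is the worst possible detection. The launches that cause it are visible in the cloud account's audit trail the moment they happen, and they have a recognisable shape: large GPU or compute-optimised instances, often in a region the company has never used, started by an administrative identity, with a projected cost far beyond the normal monthly spend. The following is an added example, not code from the original page, that flags such launches. The event schema is loosely modelled on cloud audit logs but is constructed here, as are the instance prices, the instance families, the budget and the events themselves.

```python
"""Added example: flag cloud instance launches that look like cryptomining.

Works on constructed launch events shaped loosely like a cloud audit trail;
prices, instance families and the budget are assumptions for the example.
"""
from collections import defaultdict

HOURLY_PRICE_USD = {          # constructed list prices; real prices vary by provider and region
    "t3.medium": 0.04, "m5.xlarge": 0.19, "g4dn.12xlarge": 3.91, "p3.8xlarge": 12.24,
}
# GPU / compute-optimised families, the kind a miner wants (assumed list for the example)
COMPUTE_HEAVY_FAMILIES = {"p3", "p4", "g4dn", "g5", "c5", "c6i"}
HOURS_PER_MONTH = 24 * 30


def projected_monthly_cost(event):
    """Cost if the launched instances keep running for a month, in USD."""
    return HOURLY_PRICE_USD.get(event["instanceType"], 0.0) * event["count"] * HOURS_PER_MONTH


def flag_launches(events, known_regions, monthly_budget_usd):
    """Return one finding per RunInstances event that matches any mining indicator.

    Projected spend is accumulated per principal, so a compromised admin who
    launches many modest batches is caught as soon as the total crosses budget.
    """
    findings = []
    spend_by_principal = defaultdict(float)
    for ev in events:
        if ev["eventName"] != "RunInstances":
            continue
        family = ev["instanceType"].split(".")[0]
        spend_by_principal[ev["principal"]] += projected_monthly_cost(ev)
        reasons = []
        if family in COMPUTE_HEAVY_FAMILIES:
            reasons.append("compute-heavy instance family")
        if ev["region"] not in known_regions:
            reasons.append("region never used before")
        if spend_by_principal[ev["principal"]] > monthly_budget_usd:
            reasons.append("projected monthly spend exceeds budget")
        if reasons:
            findings.append({
                "time": ev["time"], "principal": ev["principal"], "region": ev["region"],
                "instanceType": ev["instanceType"], "count": ev["count"],
                "projected_monthly_usd": round(spend_by_principal[ev["principal"]], 2),
                "reasons": reasons,
            })
    return findings


# Constructed sample: ops-admin does routine work, msp-admin (the provider's
# account, now in criminal hands) starts GPU fleets at night.
SAMPLE_EVENTS = [
    {"time": "2024-05-03T09:12:00Z", "eventName": "RunInstances", "principal": "ops-admin",
     "region": "eu-north-1", "instanceType": "t3.medium", "count": 2},
    {"time": "2024-05-03T23:41:00Z", "eventName": "RunInstances", "principal": "msp-admin",
     "region": "sa-east-1", "instanceType": "p3.8xlarge", "count": 20},
    {"time": "2024-05-03T23:44:00Z", "eventName": "StopInstances", "principal": "msp-admin",
     "region": "eu-north-1", "instanceType": "t3.medium", "count": 1},
    {"time": "2024-05-04T00:05:00Z", "eventName": "RunInstances", "principal": "msp-admin",
     "region": "us-west-2", "instanceType": "g4dn.12xlarge", "count": 10},
    {"time": "2024-05-04T08:30:00Z", "eventName": "RunInstances", "principal": "ops-admin",
     "region": "eu-north-1", "instanceType": "m5.xlarge", "count": 1},
]
KNOWN_REGIONS = {"eu-north-1", "us-west-2"}

if __name__ == "__main__":
    for finding in flag_launches(SAMPLE_EVENTS, KNOWN_REGIONS, monthly_budget_usd=5000):
        print(finding)
```

On the sample, both of msp-admin's GPU launches are flagged (the first on all three indicators, the second on family and spend) while ops-admin's routine launches pass. The check that matters most for the scenario in the text is the budget one, because it is independent of which instance families the criminals happen to choose; the other two indicators mainly shorten the time to triage.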
Data theft
Data is often stolen in connection with extortion attacks such as ransomware, to be used as leverage against the victim, so data theft is common as a component of other attacks. When data is stolen purely for its own sake, as in corporate espionage, it is rarely discovered or noticed, which means we do not really know how common this type of attack is. The reason it is rarely discovered is that organizations generally lack security controls that detect pure data theft, and in these attacks the criminals go to great lengths to avoid detection.
Other types of attacks:
Supply Chain Attacks
Supply chain attacks are a type of cyberattack where attackers target an organization’s suppliers or partners to gain access to their systems and data. Instead of directly attacking the main target, the attackers exploit vulnerabilities in less protected suppliers who have access to the actual target’s IT environment.
A well-known example is the SolarWinds attack, where the attackers compromised the vendor's build process and inserted a backdoor into legitimately signed updates of the Orion network monitoring platform. The trojanized update was distributed to thousands of SolarWinds customers, and the attackers then selected a subset of them, including companies and government agencies, for further intrusion. By compromising a supplier, attackers can spread malware or gain unauthorized access to sensitive information from many organizations at once.
Supply chain attacks are often used for various types of crimes. A common purpose is to steal sensitive information, such as trade secrets, personal data, or financial data, which can then be used for identity theft or financial fraud. The attackers can also install malware, such as ransomware, to lock the company’s systems and demand a ransom to restore access. In some cases, these attacks are used to sabotage the target company’s operations, which can lead to significant financial losses and damage the company’s reputation.
Phishing
Phishing is a form of fraud where scammers try to trick people into revealing sensitive information such as passwords, credit card numbers, or other personal data and information. This is usually done by sending fake messages that appear to come from trusted sources, such as banks, authorities, or well-known companies.
Phishing attacks can occur in various ways. A common approach is to send an email that appears to come from your bank and urges you to click on a link to update your account details. The link often leads to a fake website that looks like the bank’s real site but is created to steal your information. Another common fake site that the link can lead to is a copy of the organization’s own website or Office 365 login page.
Phishing is used for several different types of crimes. One of the most common is identity theft, where the scammer uses the stolen information to open new accounts, take out loans, or make purchases in the victim’s name. It can also be used to install malware on the victim’s computer, which can give the scammer access to even more information or the ability to remotely control the computer. In some cases, phishing is used to carry out financial fraud, where the scammer transfers money from the victim’s account to their own.
Previously, these fake messages were relatively easy to identify as they often contained small errors such as incorrect logos, wrong fonts, or odd language. But now with AI-generated text, it has become much more difficult to distinguish them from authentic messages. Additionally, it is much easier and more effective for the scammer to map out their victims by using AI to gather information about the victim and thus create an even more targeted message that feels genuine.
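Because the text of a phishing message can no longer be trusted to give itself away, the most reliable remaining signal is the hostname behind the link, which the attacker cannot make identical to the real one. The following is an added example, not code from the original page, that classifies a link's host against a list of domains the organization wants to protect. It catches the three common fakes: a protected name buried inside a longer hostname, confusable spellings (including internationalized punycode names), and one- or two-character typos. The protected domains, test hostnames and the confusable table are constructed for the example; Unicode's real confusables table is far larger.

```python
"""Added example: classify a link's host against the domains an organisation protects."""
import unicodedata

# Characters attackers substitute for Latin letters (a small constructed subset).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0456": "i", "\u04cf": "l", "0": "o", "1": "l", "3": "e", "5": "s",
}
MULTI_CHAR_CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d")]


def normalize(host):
    """Lower-case, decode punycode, fold confusable characters to their Latin look-alike."""
    host = host.strip().rstrip(".").lower()
    if any(label.startswith("xn--") for label in host.split(".")):
        try:
            host = host.encode("ascii").decode("idna")
        except (UnicodeError, ValueError):
            pass                                   # malformed punycode: keep the raw label
    host = unicodedata.normalize("NFKC", host)
    host = "".join(CONFUSABLES.get(ch, ch) for ch in host)
    for seq, repl in MULTI_CHAR_CONFUSABLES:
        host = host.replace(seq, repl)
    return host


def levenshtein(a, b):
    """Edit distance between two strings (standard dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(host, protected, max_edits=2):
    """Return (verdict, matched protected domain or None).

    Checks run from strongest to weakest evidence: exact/subdomain match,
    protected name embedded as a leading label, confusable spelling, then typo
    distance. The typo check is the noisiest and is kept last for that reason.
    """
    raw = host.strip().rstrip(".").lower()
    for prot in protected:
        if raw == prot or raw.endswith("." + prot):
            return ("trusted", prot)
    for prot in protected:
        if ("." + prot + ".") in ("." + raw + "."):   # e.g. bank.example.verify-account.net
            return ("embedded", prot)
    norm = normalize(raw)
    for prot in protected:
        if norm == normalize(prot):
            return ("homoglyph", prot)
    for prot in protected:
        if levenshtein(norm, normalize(prot)) <= max_edits:
            return ("typosquat", prot)
    return ("unrelated", None)


PROTECTED = ["bank.example", "microsoft.com", "apple.com"]      # constructed allow-list
# Constructed: the punycode form of "аpple.com" where the first letter is Cyrillic а (U+0430).
PUNYCODE_APPLE = "\u0430pple.com".encode("idna").decode("ascii")

if __name__ == "__main__":
    for h in ["login.bank.example", "bank.example.verify-account.net", PUNYCODE_APPLE,
              "rnicrosoft.com", "bannk.example", "weather.example.org"]:
        print(h, classify_domain(h, PROTECTED))
```

The edit-distance check is deliberately last and capped at two edits: on short protected names it produces false positives (many legitimate five-letter domains are within two edits of each other), so in practice it is a triage hint rather than a block decision, while the embedded and homoglyph verdicts are safe to act on directly.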
Business Email Compromise (BEC)
Business Email Compromise (BEC) is a type of cybercrime where the scammer first compromises one or more of a company's email accounts and then uses them to trick someone into sending money or revealing confidential company information. The attackers typically pose as a trusted person, such as a manager or a business partner, and send a credible email requesting a payment or sensitive information.
BEC attacks can occur in several different ways. A common approach is to send fake invoices that appear to come from trusted suppliers. These invoices can be very well-made and difficult to distinguish from genuine documents. Another method is for the attacker to pose as a high-ranking executive, such as a CEO or CFO, and request that an employee make a quick and confidential payment. The time pressure and confidentiality make it difficult for the recipient to check the request thoroughly.
BEC is used for several different types of crimes. One of the most common is financial fraud, where the scammer manages to get the company to transfer large sums of money to their account. It can also be used to steal sensitive information, such as trade secrets or personal data, which can then be used for identity theft or other fraud. In some cases, the BEC attack can lead to malware being installed on the company’s systems, giving the attacker further access to the company’s network and data.