Hacker attacks: germany’s “extremely vulnerable” it infrastructure

Hacker attacks : Germany’s ‘extremely vulnerable’ IT infrastructure

Catastrophic, it sounds dramatic. It sounds like floods and forest fires, reactor accidents, plane crashes and terrorist attacks. In the Anhalt-Bitterfeld district, the term has stood for another scenario since the summer of 2021: a hacker attack. In the first week of July, practically nothing worked in the administration of the district: no e-mails, no vehicle registrations, no payment of social security benefits. To better respond and request help from other agencies, the district administrator called 9. July finally triggered the first cyber disaster in Germany’s history. If experts are to be believed, it won’t be the last one.

At least 100 German offices, government departments, state-owned clinics, city administrations and courts have fallen victim to hacker attacks in the past six years, according to recent research by Bayerischer Rundfunk and "ZEIT ONLINE". Most recently, the Wolfenbuttel hospital was hit in mid-July. The attackers almost always use so-called ransomware: malware that is infiltrated via security holes or an infected file and encrypts computers and data – until the victims are willing to pay the ransom demanded.

This article is included in Spektrum Kompakt, Cryptography – Communicating securely

Things don’t look any better in business and research. A recent study by the IT industry association Bitkom concludes that 86 percent of the companies surveyed suffered damage from cyber attacks last year. This year, the MADSACK publishing group and the automotive supplier EDAG were among those hit; at the beginning of the year, the attack on the SolarWinds company spread around the world; and last summer, several German supercomputers, universities and research institutes were targeted at once. In its latest annual report, the German Federal Office for Information Security (BSI) assesses the IT security situation in Germany as "still very tense".

Professional cyberattacks hit vulnerable infrastructure

"The examples of the last few weeks and months show that we are extremely vulnerable," says Michael Wiesner, IT security expert and one of the spokespersons for the independent Critical Infrastructure Working Group (AG KRITIS). Small and medium-sized companies, organizations and municipalities in particular are often inadequately positioned when it comes to defending against cyberattacks, he said.

The reasons are manifold. One explanation is that the type and nature of the attacks are changing. For a long time, victims mainly caught malware because employees accessed contaminated websites and files. Viruses, Trojans and computer worms were spread as widely as possible by attackers using botnets (see glossary) to cause as much uncoordinated damage as possible. "These kinds of vulnerabilities are now reasonably well under control," says Thorsten Holz, a professor at the Chair of System Security at Ruhr University in Bochum, Germany. "Attackers have become more professional, there are fewer lone wolves and instead more organized groups offering hacking as a service," Holz says.

This leads to the fact that the targets are selected more and more precisely. Particularly in the case of ransomware attacks, the attackers want to find victims who are as financially strong as possible; they therefore usually target companies or the operators of critical infrastructure. In the attack on the U.S. Colonial Pipeline in May, about 3.6 million euros were captured with it. "Instead of immediately starting to encrypt everything, the malicious code often first reports to the attacker that it has infiltrated a system," says Michael Wiesner. "Then the hackers look to see who they’re actually dealing with and what’s there for the taking, sometimes even checking company financial statements first."

To infiltrate malicious code, criminals are increasingly exploiting so-called supply chain attacks. This is what happened in the case of SolarWinds, for example, or the hack of the US service provider Kaseya: In both cases, the hackers first infiltrated the manufacturers of special software that the victim companies use. On the back of these systems, they then penetrated the IT of the customers. The perfidious: companies must trust the software they use from service providers on principle. "The affected software typically has high privileges in a network, so it can spread quickly and is therefore an attractive entry point for attackers," says Thorsten Holz.

An important weak point is still the human being

How can you protect yourself against increasingly complex attack scenarios?? As the industry association Bitkom writes in its latest study, IT security starts with the "human factor," the supposed weakest link in the security chain. In fact, so-called spoofing and phishing attacks continue to be a major gateway. In doing so, the attackers pretend to be someone else, for example in fake e-mails. These contain infected attachments or links to replicated websites. Anyone who clicks on the attachment without thinking or reveals critical login data on the fake page may make it easy for attackers to take over not just individual computers, but entire systems.

To counteract this, one thing helps first: create awareness. "Regular employee training, the use of strong passwords, two-factor authentication, firewalls and antivirus software are all important steps to make life more difficult for attackers," says Richard Werner, spokesman for security company Trend Micro. Two-factor authentication, for example, requires that in addition to a user name and password, the user also enters a code that is sent to the user’s cell phone via text message. This avoids the attacker being able to use stolen login data directly – he would additionally have to get control of his victim’s phone.

The use of VPN connections, which allow employees to log into the corporate network via a secure connection from their home offices, for example, also contributes to rudimentary protection, as does making regular backups and using encrypted communication channels. But that alone is far from enough, says Werner: "I can’t defend against all attacks. Sooner or later, something will get through."

IT expert Michael Wiesner takes a similar view: "I always have to assume that there’s a security hole somewhere that I’m not yet aware of."Strong passwords and regular backups are important in principle, but their use alone says nothing about how effective they really are. "If I, as an attacker, take over a system that is not properly secured, it is usually easy to read the passwords. Whether it has 15 characters or only seven, I don’t care at that point," says Wiesner. Similarly, when it comes to backups, he says, you always have to check that they really are isolated from the rest of the network and that the recovery works at all. Simply pulling data onto an external hard drive now and then, which is then later connected to infected computers and is subsequently compromised itself, does little good.

What’s missing: a plan for what to do when it happens

Talking to experts, German companies and government agencies lack, above all, the right planning that kicks in as soon as a cyberattack occurs or is discovered. "Above a certain size, every company needs a management system for information security. In other words, processes in which you regularly analyze What threat do I have? What risks does this pose for me as a company?? And what can I do about it??", says Wiesner. Too often, victims would not optimize their systems until an attack has taken place. In this case, a lot of money is spent on selective improvements that are already outdated by the next attack.

"You should continuously monitor what’s going on in your network, where the data is flowing to. That way, I can see if an attack is taking place and how best to respond," says Trend Micro’s Richard Werner. "Detection& Response", i.e. "detection and response", is the name of this procedure. And it is precisely in this area that there is often still a lack of response. "In the best case scenario, I have a checklist as a company that I work through," says Werner, "it says what tools are available for defense, what contacts I have and how I can best reach them."For small companies, such as tax offices, it can help to have an external IT service provider perform a thorough analysis of the threat situation. For large companies with several hundred or even thousands of employees, on the other hand, it is essential that specialists are directly on site who can react immediately at any time.

Michael Wiesner recommends always expecting attacks and optimizing systems for this scenario: For example, he says, it is important to ensure that hardware and software are always up to date, also with regard to the supply chain attacks mentioned above. Especially in public institutions and companies that do not have their own IT department, the systems are often outdated and therefore insecure. Authorizations also need to be checked again and again: Which employees have access to which parts of the system? Too often, even former employees can still access company computers, says Wiesner. All of these are attack vectors that can be avoided by introducing clear processes.

Glossary: Popular cyberattacks

These are security vulnerabilities for which there is no countermeasure at the time of the attack. Developers have no time ("zero days") to protect users. Hackers usually keep zero-day vulnerabilities secret for a long time or sell them for a lot of money, for example to state actors. They are considered one of the most powerful weapons in cyber warfare.

Advanced Persistent Threats
APTs are targeted cyberattacks on selected institutions and facilities, in which an attacker gains permanent access to a network and subsequently expands it to other systems. Such attacks, such as the one on the German Bundestag, are often very specialized and therefore difficult to detect.

A backdoor is a program, usually installed by viruses, worms or a Trojan, that gives third parties unauthorized access to a computer. Security holes and vulnerabilities are often exploited to introduce backdoors.

A botnet is a network of numerous computers, all of which are infected by a remotely controllable malware program (bot). The botnet operator controls the computer network from a central location and uses the combined power to spread further malware or launch DDoS attacks (see there).

Denial-of-service attacks target the availability of services. The goal is to paralyze websites, individual systems or entire networks through countless simultaneous requests.

An exploit is the ability to exploit vulnerabilities that have arisen during the development of hardware and software. Security holes and malfunctions of programs or devices are used to gain access. A special form is the Drive-by exploitAutomated exploitation of browser or operating system vulnerabilities to install malware, for example when simply viewing a website.

Another term for malware or malicious code; the made-up word is derived from "malicious software" and refers to software, such as Trojans and viruses, developed with the aim of executing unwanted and usually harmful functions. Malware is usually designed for a specific operating system, such as Windows or Android.

Composition of "password" and "fishing": the attackers try to obtain an Internet user’s personal data, for example login data or credit card information, via fake websites, e-mails or Whatsapp messages. These are then used to penetrate other systems, or resold.

Malicious programs that make it impossible for the victim to access their own data or systems by encrypting the contents. Only upon payment of a ransom, usually in the form of cryptocurrencies, do the blackmailers lift the lock again – if you’re lucky.

Supply chain attack
Here, backdoors (see there) and malware (see there) are not infiltrated directly into a system, but via third-party software. Vulnerabilities are specifically sought in software developers and service providers in order to access customers’ systems via their products.

Critical infrastructure (critis) companies, such as hospitals or energy suppliers, have these processes more clearly defined than private sector companies. For example, the companies concerned must deploy "state-of-the-art IT security" and review it regularly; they must have direct contacts for the BSI, report security incidents and meet industry-specific minimum standards. However, looking at the attacks on clinics and administrations, that doesn’t seem to be enough. And besides, Wiesner says, in many industries, the critis includes only those operations that, if disrupted, would affect the supply of more than 500,000 people. In other words, only a comparatively small proportion of all companies and institutions in Germany are even subject to the statutory requirements.

Improved hardware and a patchwork against hacker attacks

In order to improve IT security in Germany, it is not only necessary to train staff and companies better. Science can also contribute to this. Thorsten Holz and his colleagues at Ruhr University, for example, are researching algorithms that cannot be decrypted even by future quantum computers. Another team is looking at hardware security: how to better protect microchips themselves? Can security mechanisms such as encryption be integrated directly into the hardware and thus fend off attacks such as Meltdown and Spectre?? Others are looking for tools that programmers can use to detect any software vulnerabilities before attackers do. And last but not least, it’s always about the users themselves: IT security must be made more accessible to everyone, for example by making it more attractive or easier to access.

"As far as security research itself is concerned, the conditions in Germany are super, especially in comparison with other European countries. A lot has happened here in the past ten years in particular, even if the operational implementation is still lacking at times," says Holz. "Operational implementation," which ultimately also affects politics and law enforcement. For example, the German government is not only working on a new cybersecurity strategy, but has likewise established a complex network of competence centers and authorities together with other European countries over the past decade to help prevent and prosecute hacker attacks, even across countries.

That this already succeeds well enough may be doubted in view of the latest news. "This patchwork is rather a hindrance," says Michael Wiesner of AG KRITIS. "There is a lack of a central coordinating body; attempts, such as with the National Cyber Defense Center, have been a flop so far."In the event of a large-scale attack, it is still difficult to coordinate the various responsibilities of federal and state criminal investigation departments, the Central Office for Information Technology in the Security Sector (ZITiS) and the Federal Office for Information Security (BSI). And as far as support for victims is concerned, the BSI in particular must invest much more in advice and education so that companies are more secure in the future, the expert demands.

Richard Werner of Trend Micro, however, can also report positive experiences: "A lot is happening in Germany and Europe, and the police, as long as they are organized internationally, are not as blunt as we have often felt in recent years," he says, referring to the case of the dangerous malware Emotet, whose infrastructure was dismantled at the beginning of this year, partly as a result of investigations by the Federal Criminal Police Office.

Still, the situation remains tense. Unless something fundamentally changes, Michael Wiesner believes it’s only a matter of time before it really hits the German infrastructure: "I always say in my lectures that what you see in James Bond like this is not fiction, but unfortunately reality. In security audits of critical infrastructure, we see time and again that it takes relatively little effort to break in and manipulate live systems there."And Thorsten Holz also believes that companies, ministries and critical infrastructure in particular will remain popular targets for hackers: "It is rather unrealistic that we will not see any successful attacks in the next few years."And that the term "cyber disaster" retains its alien sound, probably also unfortunately.

Like this post? Please share to your friends:
Leave a Reply

;-) :| :x :twisted: :smile: :shock: :sad: :roll: :razz: :oops: :o :mrgreen: :lol: :idea: :grin: :evil: :cry: :cool: :arrow: :???: :?: :!: