INTERPOL Report Shows “Alarming” Rate of Cyberattacks During COVID-19

On August 4, the International Criminal Police Organization (INTERPOL) announced the results of its report on the impact of the COVID-19 pandemic on cybercrime.  The report found that cybercriminals – in the words of INTERPOL Secretary General Jürgen Stock – “are developing and boosting their attacks at an alarming pace, exploiting the fear and uncertainty caused by the unstable social and economic situation created by COVID-19.”

Key findings in the INTERPOL report included the following:

  • Volume of COVID-19 Cybercrime Activity: One of INTERPOL’s private-sector partners found that in just one four-month period, from January to April 2020, it detected approximately 907,000 spam messages, 737 incidents related to malware, and 48,000 malicious URLs, all related to COVID-19.
  • Online Scams and Phishing: The report showed that threat actors had revised their usual online scams and phishing schemes. Approximately two-thirds of INTERPOL-member countries that responded to INTERPOL’s global cybercrime survey “reported a significant use of COVID-19 themes for phishing and online fraud since the outbreak.”  Cybercriminals have been able to influence victims into providing their personal data and downloading malicious content “[b]y deploying COVID-19 themed phishing emails, often impersonating government and health authorities.”
  • Disruptive Malware (Ransomware and Distributed Denial of Service Attacks): The report commented that cybercriminals “are increasingly using disruptive malware against critical infrastructure and healthcare institutions, due to the potential for high impact and financial benefit.”  It observed that in the first two weeks of April 2020, there was “a spike in ransomware attacks by multiple threat groups which had been relatively dormant for the past few months.”  It also found a noteworthy refinement in ransomware attacks: that “the majority of attackers estimated quite accurately the maximum amount of ransom they could demand from targeted organizations.”
  • Data Harvesting Malware: The report saw an increased deployment “of data harvesting malware such as Remote Access Trojan, info stealers, spyware and banking Trojans by cybercriminals,” using COVID-19 related information to infiltrate systems.
  • Malicious Domains: The report also identified “a significant increase of cybercriminals registering domain names containing keywords, such as ‘coronavirus’ or ‘COVID’” to take advantage “of the increased demand for medical supplies and information on COVID-19.”  An INTERPOL private-sector partner received reports indicating that from February to March 2020, there had been a 569 per cent growth in malicious registrations, including malware and phishing, and a 788 per cent growth in high-risk registrations.
  • Misinformation: The report stated that an “increasing amount of misinformation and fake news is spreading rapidly among the public. Unverified information, inadequately understood threats, and conspiracy theories have contributed to anxiety in communities and in some cases facilitated the execution of cyberattacks.”  The INTERPOL global survey revealed that nearly 30 per cent of responding countries “confirmed the circulation of false information related to COVID-19. Within a one-month period, one country reported 290 postings with the majority containing concealed malware.”  The report also mentioned “reports of misinformation being linked to the illegal trade of fraudulent medical commodities” and “scams via mobile text-messages containing ‘too good to be true’ offers such as free food, special benefits, or large discounts in supermarkets.”

The report also identified four future areas of concern:

  • Further Cybercrime Increase: A further increase in cybercrime “is highly likely in the near future,” as cybercriminals seek to exploit vulnerabilities “related to working from home and the potential for increased financial benefit.”
  • Use of COVID-19 Themes: Threat actors “are likely to continue proliferating coronavirus-themed online scams and phishing campaigns to leverage public concern about the pandemic.”
  • Business Email Compromise (BEC) Schemes: BEC schemes “will also likely surge due to the economic downturn and shift in the business landscape, generating new opportunities for criminal activities.”
  • Availability of COVID Vaccine: “When a COVID-19 vaccination is available, it is highly probable that there will be another spike in phishing related to these medical products as well as network intrusion and cyberattacks to steal data.”

Note:  Although there has been extensive reporting with regard to the exploitation of COVID-19 for various types of cyberattacks, the report provides significant data to document how great the explosion of such cyberattacks has been during 2020.  Information-security and corporate-compliance officers in public- and private-sector entities should provide excerpts of the report’s key findings to senior executives in their organizations, and incorporate selected information into in-house information-security trainings and briefings.

Basel Institute on Governance Releases 2020 AML Index

On July 23, the Basel Institute on Governance released its 2020 AML Index.  The Index, which the Institute has published since 2012, assesses the risk of money laundering and terrorist financing (ML/TF) around the world.  It provides risk scores based on data from 16 publicly available sources, such as the Financial Action Task Force (FATF), Transparency International, the World Bank, and the World Economic Forum.

The 2020 Index’s general conclusions included the following:

  • Changes: The Index’s global average risk score “remains unacceptably high at 5.22 out of 10, where 10 equals maximum risk.” Only six countries improved their scores by more than a single point, while 35 countries’ scores decreased.
  • Quality of AML Supervision: Of the 100 countries that have been assessed so far with the new FATF assessment methodology, one-third scored a “zero for the effectiveness of their supervisory bodies and measures designed to safeguard financial systems from abuse.”
  • Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) Systems: Since the FATF moved to its fourth-round methodology, which the Institute noted “assess[es] not just the technical compliance of a country’s AML/CFT systems but their effectiveness in practice,” “most countries that undergo a fourth-round FATF evaluation rate poorly for effectiveness.”

The 2020 Index also includes a new indicator for human trafficking, the U.S. State Department’s Trafficking in Persons (TIP) Report.  The Institute stated that this change “reflects the huge and growing proceeds generated by this transnational crime and laundered through international financial systems.”

The Public Edition of the 2020 Index includes scores and rankings for 141 countries, with the proviso that the FATF has not yet assessed many of those countries with its fourth-round methodology, which limits the comparability of those scores and rankings.  (In the Index, the higher the score for a particular country, the greater the ML/TF risk, which translates to a higher ranking for that country.)

The following are some of the noteworthy data on specific countries (figures in parentheses are shown as rank/score, or as score alone where the rank precedes the parentheses):

  • Highest and Lowest Rankings: The five highest-ranked (i.e., riskiest) countries were (1) Afghanistan (8.16), (2) Haiti (8.15), (3) Myanmar (7.86), (4) Laos (7.82), and (5) Mozambique (7.81). The five lowest-ranked countries were (141) Estonia (2.36), (140) Andorra (2.83), (139) Finland (2.97), (138) Bulgaria (3.12), and (137) the Cook Islands (3.13).
  • Africa: In addition to Mozambique, other higher-ranked African countries included Sierra Leone (7/7.51), Senegal (8/7.3), Kenya (9/7.18), Angola (13/7.02), Nigeria (14/6.88), and Benin (15/6.85). South Africa ranked 87 (4.83), Ghana 85 (4.89), and Egypt 82 (4.96).
  • Asia: In addition to Afghanistan, Myanmar, and Laos, other higher-ranked Asian countries included Yemen (10/7.12), Cambodia (11/7.1), Vietnam (12/7.02), China (18/6.76), and Kyrgyzstan (27/6.32).
  • Australia: Australia ranked 124 (3.84).
  • Europe: The five highest-ranked European countries were Turkey (41/5.76), Bosnia-Herzegovina (47/5.63), Russia (52/5.51), Malta (53/5.48), and Serbia (54/5.47).  The United Kingdom ranked 116 (4.02).
  • North America: The United States ranked 100 (4.57), Canada 94 (4.68), and Mexico 68 (5.2).
  • South America: The five highest-ranked South American countries were Nicaragua (16/6.78), Venezuela (20/6.56), Paraguay (24/6.45), Bolivia (31/6.12), and Panama (36/5.96).
  • Caribbean: After Haiti, the next highest-ranked Caribbean countries were the Cayman Islands (6/7.64), the Bahamas (25/6.43), Jamaica (34/5.99), and Barbados (40/5.87).

Note: In its release concerning the AML Index, the Institute commented that the Index “will disappoint anyone wishing for tangible progress in combating money laundering and terrorist financing (ML/TF) around the world.”  Seasoned AML/CTF observers, on the other hand, should simply make use of the Index and bear its data in mind as various authorities, such as the European Union, strive to strengthen the structure and implementation of regional and national AML/CTF frameworks.

IBM Report Finds Nation-State Cyberattacks Costliest Type of Data Breach

On July 29, IBM announced the release of IBM Security’s Cost of a Data Breach Report 2020.  The Report, which the Ponemon Institute conducted, was based on in-depth interviews with more than 3,200 security professionals in organizations that suffered a data breach during the past year.

Principal findings of the Report included the following:

  • Nation-State Attacks: Data breaches believed to originate from nation-state attacks were the costliest type of data breach (relative to other categories of threat actors), averaging $4.43 million per breach in data-breach costs. Only 13 percent of malicious breaches were believed to have been carried out by nation-state actors, compared to 53 percent by financially motivated cybercriminals, 13 percent by hacktivists, and 21 percent unknown.
  • Root Causes of Malicious Breaches: In incidents where attackers accessed corporate networks by using stolen or compromised credentials, businesses saw nearly $1 million greater data-breach costs, averaging $4.77 million per breach. The second costliest root cause of malicious breaches was exploitation of third-party vulnerabilities, averaging $4.5 million.
  • Data Breach Lifecycles: The average time to identify and contain a data breach, according to the Report, “varied widely depending on industry, geography and security maturity.” Companies with data breaches had an average “lifecycle” of 280 days (i.e., 207 days to identify a breach and 73 days to contain it).   Healthcare sector companies had an average lifecycle of 329 days, while financial-sector firms had a much shorter average lifecycle of 233 days.  The Report noted that companies that had fully deployed security automation had an average lifecycle of 234 days, compared to companies that did not deploy security automation (averaging 308 days).
  • Data Breach Costs: The average total cost of a data breach was $3.86 million, a slight decline from $3.92 million in the 2019 Cost of a Data Breach Report.
  • Cost Factors: Of 25 cost factors that the report addressed, security system complexity was the most expensive, as it increased the average total cost of a breach by $292,000 (resulting in an adjusted average total cost of $4.15 million). Undergoing an extensive cloud migration at the time of the breach increased the average cost of a breach by more than $267,000 (resulting in an adjusted average cost of $4.13 million).
  • Costs of Mega Breaches: Data breaches involving compromise of more than 50 million records had average costs of $392 million (a very slight increase from $388 million in the 2019 Report). Data breaches involving compromise of 40 to 50 million records had average costs of $364 million (also a slight increase from $345 million in the 2019 report).
  • Smart Tech Benefits: Companies surveyed that “fully deployed security automation technologies (which leverage AI, analytics and automated orchestration to identify and respond to security events) experienced less than half the data breach costs” of those companies that did not deploy those tools ($2.45 million vs. $6.03 million, on average).
  • Incident Response Preparedness: Companies that had an incident response (IR) team and tested an IR plan using tabletop exercises or simulations had an average data-breach total cost of $3.29 million, while companies that had neither an IR team nor IR testing had an average total cost of $5.29 million.

Note:  By now, the cost of data breaches and the length of data-breach lifecycles should not be a surprise in any corporate sector.  Information-security and compliance teams, however, should take note of the disproportionate effects of nation-state attacks, and ensure that their cybersecurity risk assessment processes are monitoring open-source reporting on such attacks.  They should also incorporate a number of the Report’s principal findings – especially those pertaining to security automation tech and IR preparedness – into briefing materials for senior executives and training for corporate employees.

In Japan’s First Plea Bargain Case, Tokyo High Court Imposes $23,300 Fine on Former Mitsubishi Executive for Bribery

On July 21, the High Court in Tokyo imposed a ¥2.5 million (US $23,309) fine on Satoshi Uchida, a former executive of the Japanese power-plant construction company Mitsubishi Hitachi Power Systems Ltd. (MHPS), for his role in bribing a senior Thai official in a power plant project in Thailand.  In this case – the first in Japan involving a corporate plea bargain, with MHPS – the Tokyo District Court in September 2019 had sentenced Uchida to 18 months in prison, suspended for three years, for conspiring with two subordinates in charge of logistics to bribe the Thai official, who was in the Thai Ministry of Transport.

According to the Japan Times, in February 2015 the two subordinates paid 11 million baht ($347,000) to the Thai official, “who informed them the company had failed to meet necessary conditions for unloading cargo.”  The High Court evidently concluded that Uchida, who had approved the bribery, “was in a position to stop the two from bribing [the] official . . . but failed to do so.”

In Uchida’s case, the High Court found that the testimony of the subordinates, who had already been convicted of bribing the Thai official, was not credible.  In the Court’s words, Uchida “was consistently hesitant and urging them to come up with alternatives. The district court ruling . . . leaves reasonable doubt.”  Accordingly, it nullified the suspended sentence and imposed the fine.

Note: This ruling by the Tokyo High Court is significant for three reasons.  First, it involves the first appellate ruling in this first plea-bargain case under the revised Japanese Criminal Procedure Code.

Second, it establishes a precedent for imposing actual financial sanctions on Japanese executives convicted of foreign bribery.  Even if the amount of the fine is a vanishingly small fraction of the 30 billion baht contract that MHPS was awarded in 2013, that precedent should send a message to corporate executives that approving foreign bribery can have real consequences.  It also should send a message to other Japanese courts that future sentencings in such cases must do more than virtually absolve convicted defendants.

Finally, it should provide some added incentive for the Japanese Public Prosecution Office, which reportedly has been cautious about using its plea-bargaining authority, to pursue foreign-bribery cases.  Last year, the Organization for Economic Cooperation and Development’s Working Group on Bribery admonished Japan about stepping up enforcement of its foreign-bribery laws.  Pursuing more criminal-plea resolutions with leading companies could help in demonstrating Japan’s commitment to do so.

FireEye Report: Russian-Linked Influence Campaign Leveraging Compromised Websites, Including Legitimate News Websites, to Publish Fabricated Anti-NATO Content

On July 29, U.S. cybersecurity firm FireEye issued a report by Mandiant Threat Intelligence that identifies a particular influence campaign, aligned with Russian security interests, that consists of several information operations that have leveraged website compromises and fabricated content and “have primarily targeted audiences in Lithuania, Latvia, and Poland with narratives critical of the North Atlantic Treaty Organization’s (NATO) presence in Eastern Europe.”

FireEye labeled this campaign, which has been operating since at least March 2017, as “Ghostwriter” because of “its use of inauthentic personas posing as locals, journalists, and analysts within the target countries to post articles and op-eds referencing the fabrications as source material to a core set of third-party websites that publish user-generated content.”

In particular, the report notes that “[m]ultiple Ghostwriter operations appear to have leveraged compromised websites, predominantly those of news outlets, to post fabricated news articles or documentation.”  Although there were some cases in which only the purported victim entity (e.g., a government agency) publicly claimed to have been compromised, in many cases FireEye “also located archived copies of Ghostwriter articles posted to the suspected compromised sites.”

Public reporting suggested “that in at least some of these cases, the fabricated articles were published using the sites’ content management systems (CMS) after obtaining user credentials.”  In addition, “it appears that rather than creating new CMS entries, the actors may have replaced existing legitimate articles on the sites with the fabrications.”

For example, in September 2019, a local Lithuanian news site “was reportedly compromised, and a false article published claiming that German soldiers had desecrated a Jewish Cemetery in Kaunas.”  FireEye “independently observed an archived version of that article having been posted to the site.”
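As an added illustration, not taken from the FireEye report or from this newsletter, the following is a content-integrity check a news site could run over a CMS export to surface the kind of silent article replacement described above. The article record layout, the revision-count heuristic (a changed body with no new editorial revision indicates an edit outside the workflow) and the sample articles are constructed assumptions.

```python
import difflib
from dataclasses import dataclass


@dataclass(frozen=True)
class Article:
    """One published article as exported from the CMS (constructed record layout)."""
    slug: str
    body: str
    revisions: int  # revisions recorded by the CMS editorial workflow (assumed field)


def word_similarity(a: str, b: str) -> float:
    """Share of matching word tokens, 0..1; near 0 means the text was replaced wholesale."""
    return difflib.SequenceMatcher(None, a.split(), b.split()).ratio()


def audit_articles(baseline: dict, current: dict, replace_threshold: float = 0.5) -> list:
    """Compare a baseline snapshot of published articles with the current CMS export.

    Flags a body that changed with no new workflow revision (an edit that bypassed the
    editorial process), a body rewritten beyond replace_threshold even with a revision,
    a deleted article, and an article absent from the baseline (to be matched against
    the editorial calendar).
    """
    findings = []
    for slug, base in baseline.items():
        cur = current.get(slug)
        if cur is None:
            findings.append({"slug": slug, "finding": "deleted", "similarity": 0.0})
            continue
        if cur.body == base.body:
            continue  # unchanged since the snapshot
        sim = word_similarity(base.body, cur.body)
        if cur.revisions == base.revisions:
            findings.append({"slug": slug, "finding": "modified_without_revision", "similarity": sim})
        elif sim < replace_threshold:
            findings.append({"slug": slug, "finding": "content_replaced", "similarity": sim})
    for slug in current.keys() - baseline.keys():
        findings.append({"slug": slug, "finding": "not_in_baseline", "similarity": 0.0})
    return findings


# Constructed sample data: yesterday's snapshot versus today's export.
BASELINE = {
    "council-budget": Article("council-budget", "The city council approved the road repair budget on Monday after a long debate.", 1),
    "weather-warning": Article("weather-warning", "Weather service warns of heavy rain on Tuesday and Wednesday.", 1),
    "harbour-opening": Article("harbour-opening", "The renovated harbour terminal opens to passengers next week.", 2),
    "school-results": Article("school-results", "Exam results for the district will be released on Friday.", 1),
}
CURRENT = {
    "council-budget": Article("council-budget", "Soldiers from a visiting battalion were blamed for damage at a memorial site, an unnamed source claims.", 1),
    "weather-warning": Article("weather-warning", "Weather service warns of heavy rain on Tuesday, Wednesday and Thursday.", 2),
    "harbour-opening": Article("harbour-opening", "An unverified letter alleges misconduct by allied troops stationed near the port.", 3),
    "election-op-ed": Article("election-op-ed", "Opinion: why the alliance is failing the region.", 1),
}


def run_demo() -> list:
    """Return the findings for the constructed sample; a legitimate edit with a new revision is not flagged."""
    return audit_articles(BASELINE, CURRENT)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['slug']:16} {f['finding']:26} similarity={f['similarity']:.2f}")
```

The flagged articles are then compared against archived copies and the CMS access log for the accounts that touched them, which is the same evidence FireEye used to confirm compromised sites.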

Such falsified content, in turn, has been referenced as source material in articles and op-eds written by “inauthentic personas” – at least 14, by FireEye’s count – who pose “as locals, journalists, and analysts within those countries.” These articles and op-eds, which are “primarily written in English, have been consistently published to a core set of third-party websites that appear to accept user-submitted content, . . . as well as to suspected Ghostwriter-affiliated blogs.”

The report concluded that Ghostwriter “leverages traditional cyber threat activity and information operations tactics to promote narratives intended to chip away at NATO’s cohesion and undermine local support for the organization in Lithuania, Latvia, and Poland.”  While these operations so far have been targeting audiences in only those three countries, FireEye cautioned

that the same tactics employed in the Ghostwriter campaign can be readily repurposed and used against other target geographies. Given the established history of cyber threat and information operations tactics regularly migrating from targeting Eastern Europe to targeting Western Europe and the U.S., this campaign may warrant special attention, especially as elections near.

Note: This report should be of substantial concern to information-security teams in legitimate news organizations, not only in Eastern Europe but in Western Europe and North America.  Chief Information Security Officers in such news organizations should promptly bring the report to the attention of senior leadership, and increase their teams’ cyber surveillance for indications that this or other Russian-affiliated campaigns are seeking to compromise their sites and post fabricated news content.