Recently, the Pool Re chief executive Tom Clementi made public comments on the risks the reinsurance market faces when dealing with ever-increasing cyber-attacks on UK businesses[1]. Pool Re was set up by the UK insurance industry in 1993 in response to the IRA terror attacks against the City. Its purpose is to support businesses in the event of major terror attacks. However, the determination of whether an event qualifies as such, which must be made by the Government, is becoming more difficult to make in cyberspace.
The wars in Ukraine and Israel, coupled with increasing friction between the West and Iran and China, have drawn into the public eye the nature of clandestine offensive cyber operations and how they affect the public. The “Grey Zone”[2] often referred to by ministers relates to a form of hybrid warfare whereby digital actors are recruited or enabled to conduct attacks against critical companies and infrastructure in “unfriendly”[3] countries. Whilst not within a strict foreign intelligence command structure per se, the actors undertake acts mutually beneficial to themselves (financially, through ransomware) and to the state permitting the behaviour from its jurisdiction. This presents an issue in the designation of an attack by the victim country, which is often unable to connect the two through clear and obvious evidence. As such, a natural reluctance to officially recognise that it has been targeted by a nation state leaves the downstream victims facing limited options for compensation.
A good example of these types of grey zone cyber actors is APT31[4]. APT31 is understood to be a Chinese state-sponsored (MSS) criminal hacking group. The UK and US alleged that APT31 is responsible for multiple cyber-attacks against government officials, activists, dissidents, journalists, defence contractors and a US smartphone maker. In March 2024, both the UK and the US designated APT31 and associated parties. However, APT31 is now understood to have been active since 2010. The period between the group being set up and its designation as a malign state tool is well over a decade, meaning that victims of the attacks faced a significant delay in the official recognition of a state-sponsored cyber-attack.
Malign cyber actors span a broad range of sophistication. APT44 is described as a “highly adaptive” and well-funded cyber sabotage unit, sponsored by Russian Military Intelligence (aka the GRU)[5]. At the other end of the spectrum, “script kiddies” are not considered organised cyber criminals but lone-wolf actors that exploit simple (but damaging) vulnerabilities in systems and weak device configuration. “Matrix” is a recent example of a Russian script kiddie that had significant success in building a botnet weapon consisting of network routers, digital video recorders and telecom equipment. In harnessing these, Matrix was able to execute significant Distributed Denial of Service (“DDoS”) attacks[6]. Whilst Matrix is not currently believed to act for a malign foreign state, the skillset is exactly that which foreign intelligence services are now turning to contract hire as part of Grey Zone operations[7].
The question is then what companies can do to regain control after an attack and take the initiative on the speedy and conclusive designation of cyber actors, so that they can better access their insurance facilities or those offered by their respective industries, such as Pool Re.
Businesses and their insurers are now seeking to close the vulnerability gap. Understanding your weaknesses is paramount to targeting and hardening your systems. Broadly speaking, if a threat actor sees that you are better defended than the (insert sector) company on the next Google page, they are less likely to focus on you. Undertaking tasks such as attack surface surveys will allow companies to close long-forgotten access points in their infrastructure.
That vulnerability gap then extends to knowing who you are dealing with. Many insurers will make provision for ransom payments; however, this becomes impossible if the APT has been designated within a sanctions programme, as has the Russian cybercrime entity ZSERVERS[8]. Businesses should understand from their insurers the policy restrictions and how the underwriters are adapting policies to these nuances, in order to ensure the cover remains reliable.
Finally, and as has been preached for some time, companies must safeguard against phishing and spear-phishing attacks by educating staff.
Quintel Intelligence is recognised in Chambers & Partners for Cybersecurity Risk within the Crisis & Risk Management rankings.
For more information on our Crisis and Risk Services, contact us at info@quintelintelligence.com.
References:
- https://www.ft.com/content/31f8bcbf-16e5-46e7-9d01-2548ed130519
- https://www.baesystems.com/en/digital/feature/competition-and-conflict-in-the-grey-zone
- http://publication.pravo.gov.ru/document/0001202409200036?index=1 (Russian State link)
- https://www.reuters.com/technology/cybersecurity/apt31-chinese-hacking-group-behind-global-cyberespionage-campaign-2024-03-26/
- https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf
- https://www.govinfosecurity.com/script-kiddie-matrix-builds-massive-botnet-a-26926
- https://www.lawfaremedia.org/article/russia’s-gru-thugs-double-down-on-recruiting-cybercrooks
- https://www.gov.uk/government/news/new-uk-sanctions-target-russian-cybercrime-network