Organisations vital to the security and day-to-day running of the UK attract a certain type of cyber attack.

These organisations are subject, like any other, to the general background noise of constant criminal activity in cyberspace; i.e. largely automated and indiscriminate attacks. But because of their critical nature they also attract political activists (hacktivists) and state-backed hackers, intent on destabilising countries and trading blocs.

Cyber threats vary in their manner and impact, and a concerted campaign will blend different attack types at different stages. Attacks on critical national infrastructure (CNI) organisations primarily seek one or more of the following:

1. User accounts for email and other systems
2. Access to confidential data – personal information, operating procedures and plans
3. Control over operational systems to disrupt services, campaigns or defences

For example, a campaign will often start with spear-phishing to gain access to a specific person’s PC. This is then used to send clone emails to others in the organisation, eventually achieving high-level access to systems. Then data is stolen via exfiltration, or systems are deliberately controlled or crashed, depending on the hackers’ goals.

What are all the different attack types and how do they damage CNI organisations?

Types of cyber threat

Phishing and its various off-shoots

Phishing is the number one way for cyber criminals to get a foothold in your network.

Many of these emails use a scatter-gun approach, sending the same generic email to a large number of email addresses. These will superficially resemble emails from delivery companies, online shopping platforms, banks or other widely-known organisations. They are usually deployed by criminals rather than hacktivists.

• Spear phishing is targeted and more sophisticated, using company logos and graphics in emails that target a particular organisation, team or even an individual, perhaps a technical supervisor with privileged system access.
• Whaling is a subset of spear phishing where the targets are high level. Targets can include directors and C-suite members, particularly the non-technical ones who may not be as cautious as a CISO or CIO.
• Clone phishing is a variant in which a copy of a previously seen message is created and sent from an email address that resembles a company address as closely as possible. Often this is a second stage – the email will be sent from an already compromised but low-level system, to try and gain access to higher level systems.

Malware

Often the intent of a phishing email is to draw people into downloading and installing malware. This generic term covers a multitude of malicious programs, but the ones most likely to be used by hackers and hacktivists against crucial public, infrastructure and defence organisations are:

• Trojans – masquerade as legitimate programs but, once installed, can be used to run a variety of other malicious programs, mostly aimed at finding confidential information
• Spyware – looks for potentially useful information to send back to hackers
• Keylogger / Keystroke logger –type of spyware that records keystrokes to collect usernames and passwords

Other types of malware, including ransomware and cryptocurrency mining software, are usually launched indiscriminately. CNI organisations are as likely to be hit by them as any other organisation (and should protect against them), but they will rarely be used as part of a targeted campaign.

Data exfiltration

This term refers to a technique for taking data out of an organisation once unauthorised access is achieved. The internet and internal networks rely on the Domain Name System (DNS) to direct packets of data to the correct servers (it translates between readable domain names and number-based IP addresses).

With the right malware in place, criminals can hide stolen data within DNS packets. As they are so crucial to basic network operations, DNS packets need to pass through defensive firewalls. This makes it hard to spot and prevent this type of information extraction, unless you can stop it at the DNS level.

This technique is very useful for cyber espionage, extracting details about systems, personnel and plans (such as documents that give criminals or terrorists access to government or defence tools).

Cyber espionage and the WannaCry ransomware outbreak

Perhaps the best example of ransomware in recent years is WannaCry, which crippled many organisations worldwide (most notably in the UK, the NHS) in May 2017. Although it was criminal extortion in nature and indiscriminate in its targeting, the genesis of the tool had its roots in cyber espionage.

WannaCry was a very sophisticated threat that combined several different techniques to create a very virulent and effective tool. One of the key elements was a software tool known as EternalBlue which exploited a vulnerability in Microsoft Windows (since patched).

Ironically, EternalBlue was allegedly developed by cyber security workers at the USA’s National Security Agency. It was subsequently stolen and leaked to the dark web (the internet’s underworld) by a criminal hacking group and integrated into WannaCry. Whether or not DNS exfiltration was used to steal the exploit isn’t known, but the audacious theft indicates the strength and depth of the actors targeting defence agencies and other national infrastructure operators.

Distributed Denial of Service (DDoS) attacks

DDoS attacks are a different type of threat to those discussed so far, as no infiltration of the targets’ networks, PCs or servers is involved. As DNS is crucial to effective network operation, criminals have developed ways to cripple networks by overloading DNS servers with thousands of spurious requests. The servers do their best to respond, but eventually slow to a crawl or crash, rendering the target’s network unusable.

Often a DDoS attack is launched by a botnet, a group of compromised PCs in the control of a hacker. This makes it harder to shut down – if it were only a few computers, their addresses could be blocked and the attack halted.

On 16 October 2016, a botnet-based DDoS attack on a company integral to internet operations in the USA effectively stopped the internet across North America and Europe, causing widespread disruption. The perpetrators of the attack were never definitively identified.

Note that while under a DDoS attack, it’s imperative to keep looking for other active cyber threats. Often the attack is be a smoke screen hiding other tactics – perhaps an attempt to crack essential command systems. Don’t be caught out.

Find out more

Our white paper on security for governmental, defence and CNI organisations covers this ground in more detail. It includes how Nominet’s tools and services use the DNS as a protective shield and can help organisations with secure digital transformation and regulatory compliance.