How hackers exploit our stupidity

The infection that crippled National Health Service (NHS) trusts in Britain, as well as computer networks in dozens of other countries, gained access because of stupidity: Perhaps a single person clicking on a fake link. But it spread because of laziness, penny-pinching and bureaucracy. The NHS hadn’t been willing (or perhaps able) to spend money on updating its systems: The hack relied on a known vulnerability, but IT managers failed to install a patch released two months ago to prevent precisely such an attack. Even if they had, 90 per cent of trusts still use Windows XP, an operating system declared obsolete back in April 2014, and thus lacking any such patches. To the public, it may seem reprehensible that the NHS was targeted by this “ransomware”, which holds files hostage until payment is made.

But for the criminals, endangering lives was a feature, not a bug. As they’d learnt with attacks elsewhere, people are more willing to pay up when it’s a matter of life and death. In explaining how all this happened, the best place to start is with the career of a man called Evgeniy Mikhailovich Bogachev. Bogachev was a bank robber — a very good one. He and his gang would hijack corporate computers, then empty the associated bank accounts. To cover their tracks, they would then launch a massive attack on the bank’s systems — in effect a digital smoke bomb. Then, Bogachev had a brainwave. To mount that attack, he needed to infect and hijack tens of thousands of computers. Why not make money from them as well?

He started using CryptoLocker, a form of ransomware, demanding $300 (Dh1,103) or $500 to unencrypt the files on the infected machines. Not only did this provide an extra revenue stream, but issuing 2,000 ransom notes for $500 was less likely to draw attention than a $1 million heist. Bogachev didn’t just come up with the business model for this latest heist. His story tells us why such attacks are so hard to stop.

First, it’s alluringly easy to make money from cybercrime. Bogachev himself got started by selling his bank-robbing software to all comers. Similar programmes are available for pennies on the internet. Second, such crooks can be incredibly hard to track down. Bogachev’s activities first came to the authorities’ attention in 2009. But it took five years, and a concerted international manhunt, to publicly unmask him. Finally, it illustrates how the involvement of governments has hugely complicated the situation. Bogachev’s gang was eventually dismantled, but the man himself is still at large. Because, being a patriotic Russian, he was also moonlighting for Russian President Vladimir Putin’s security services — which has protected him ever since.

This isn’t the only example of Russian complicity with cybercrime. The software that infected the NHS used two separate exploits developed by America’s National Security Agency. These were stolen and dumped online by a group called The Shadow Brokers — who are widely suspected to be connected to Russia’s espionage services. (Ironically, Russia has been by far the largest victim of this new attack, with even its Interior Ministry falling victim.)

Cybercrime, in other words, is such a problem because it is so many problems wrapped into one. You have to deal with human stupidity. You have to deal with a thriving international network of anonymous criminals. You have to deal with rogue governments, and, indeed, friendly ones who let their cyberweapons fall into the wrong hands. And you have to deal with hideously outdated systems: In the United States and United Kingdom, much of the code and many of the devices running cash machines, air traffic control and even nuclear weapons development date back to the 1970s.

Above all, you have to deal with the fact that the internet and other networks were designed to be open, for computers to talk to each other. And today, it’s not only computers that are online, and potentially vulnerable — it’s fridges, TVs, even light bulbs.

Back in February, Britain opened a new National Cyber Security Centre. Although part of GCHQ (Government Communications Headquarters), it works in the sun, not the shadows — and its job is to strengthen the UK’s infrastructure against precisely these kind of attacks. In truth, it is a Sisyphean task. Yes, we can — and should — invest far more in cybersecurity, on a national and corporate level, but we can never build perfect defences. All we can hope is that ours are strong enough that attackers seek easier gains elsewhere. And, of course, that people finally learn not to click on the wrong email.

— The Telegraph Group Limited, London, 2017

Robert Colvile is editor of CapX.