“Operation Endgame” was a global operation against cybercrime. Arrest warrants were issued and arrests made. Thorsten Rosendahl, one of the leading experts in cybersecurity, believes that the criminals are carrying on.

This is original content from the Capital brand. This article will be available for ten days on stern.de. After that, you will find it exclusively on capital.de. Capital, like Stern, belongs to RTL Germany.
CAPITAL: The Federal Criminal Police Office (BKA) and the Hessian Attorney General’s Office say they have shut down several criminal botnets in “Operation Endgame”. This is the “biggest blow to date” against global cybercrime. How do you classify this operation?
THORSTEN ROSENDAHL: First of all, it is good and right that such actions are taking place. More than 100 servers have been confiscated or shut down, and there was a major international vote on this issue. Coordinating this is difficult. But even though this action was large and extensive, we cannot speak of a complete takedown.
What the BKA does, however…
A server takedown is explicitly mentioned. But when I hear the word takedown, I assume it’s an absolute end. And unfortunately that’s not the case. History teaches us that these groups come back.

Does this mean that such an action is essentially useless?
No, not at all. The groups behind the cyber attacks are certainly weakened. But there have only been four arrests, not 500. That means that the people with the know-how and technical insight are still out there somewhere. That’s why we assume that they will come back, perhaps even with the same software.
What type of cybercrime did the authorities tackle in this way? How can it be described?
For that, you need to briefly understand how such a cyber attack works. There are many, many steps, one after the other, before the actual damage occurs. Quite early on come the so-called droppers, which are used to infiltrate a system and allow access. These are usually not harmful in themselves, but they allow ransomware to be downloaded, information to be intercepted and much more. And it is precisely these droppers that action has now been taken against.
The many steps you are talking about also show that cyber attacks are now carried out in a division of labor, with many specialists for each stage. How can we actually counteract this?
That’s right. There are many specialized groups that cooperate with each other. Some take care of the initial access, others take care of the ransomware, and still others provide the account data. These groups offer their services like in the classic IT world. It’s like buying new software and features in Office 365. That’s exactly how the actors on the dark side of the force do it. But that also shows how difficult it is to break something like that. Three or four arrests can certainly do them some damage. But then there are still 200 more out there who want to make money. And they are geographically distributed in a variety of locations.
During the pandemic, there was talk of an increase in the number of ransomware attacks in which victims were blackmailed with locked data. How has the situation evolved since then?
The trend is still that attacks are increasing, and not just those involving ransomware. What has changed, however, is that state actors are significantly increasing their armament. We are seeing more and more attacks from China, Iran and North Korea.
Also on companies?
Yes, even on companies. It’s less about financial transactions than about the theft of intellectual property. About blueprints or design plans for components. A few years ago, cyber criminals could still be separated from state actors. Now we see that these boundaries are blurring. This also means that the quality of the attacks is increasing.
What about the other side? Have companies developed greater capabilities to defend themselves?
It can be said that the large corporations in the Fortune 500, DAX or MDAX sectors are now very well positioned. They have their own security operations centers. Especially in the areas of finance and the pharmaceutical industry, i.e. everywhere where there is a historical understanding of security and plant protection. But it is difficult for small and medium-sized companies, especially in Germany. There are companies where the IT department consists of a student who comes part-time and is not a security specialist.
Why is that?
There is a general shortage of staff, salaries are increasing, and security specialists are not exactly cheap.
Are there any sectors that are particularly badly affected?
We see in our statistics at Cisco Talos that four groups are regularly at the top of the list when it comes to successful attacks: the manufacturing sector, educational institutions such as universities, the healthcare sector and public administration.
For them, does it come down mainly to a lack of money?
First of all, there is a lack of a basic understanding of security. But if you look at smaller German car suppliers, for example, you will see that they often have to calculate very closely. It’s a matter of a fraction of a cent for each component that is produced. It’s difficult for them to spend extra on security; they can’t tighten this screw that much. And so they become an easy target.
Source: Stern