Juha Saarinen: Cyber threat numbers don't tell the whole story

2097 incidents were reported to CERT NZ in the October to December quarter. Photo / 123RF

OPINION:

The numbers from the government's Computer Emergency Response Team New Zealand for the October to December quarter last year are out of their inexplicable embargo, and there's a surprise in them.

CERT NZ's stats from last year point to a decrease in incidents reported to them compared to the third quarter of 2020.

Between July and September 2020, 2610 incidents were reported to CERT NZ, which dealt with the vast majority of them, referring 14 per cent to seven other government agencies like the NZ Police and the Department of Internal Affairs.

The end of the year quarter however saw only 2097 CERT NZ reports, and with the fourth-lowest direct financial losses since the first quarter of 2018.

Provided the numbers are correct, then that's good news. It's not a reason for New Zealand to drop its guard and relax.

If anything, last year hackers ratcheted up the severity of digital threats by several notches, and are now being more discriminating about who they attack.

This becomes clear when you read the analysis by Google's elite Project Zero security researchers, who in 2020 found an unknown threat actor conducting targeted attacks on Microsoft Windows, Google Android and Apple iOS devices.

Said attacker used what Project Zero called expert and novel techniques, and that is high praise indeed, coming from some of the best security researchers in the world.

One striking feature of the campaign that Project Zero analysed is that the attacker burnt through no fewer than 11 zero-day vulnerabilities.

A "zero-day" is geek speak for a vulnerability that hasn't been seen or reported before, and is completely new. The zero refers to the amount of time defenders have to react and fix things before the attacks start.

It's not necessary in most cases to use zero-days for attacks as organisations have been slack at patching and setting up systems correctly.

Instead, zero-days are fairly rare, and for those select occasions when the value of the targets makes it worthwhile to use them. Once a zero-day is used, security researchers who notice the attacks and analyse them can figure out what weaknesses they are exploiting, and develop mitigations and software patches.

That makes a valuable attack method for which there wasn't a defence null and void, yet here's someone or some group that happily used up 11 of them in just a few months.

It means that there's a threat actor somewhere who most likely knows more zero-days that can be used at any time. No wonder then that the security research industry collectively did a sharp intake of breath when that realisation sank in.

Other signs that the threat landscape is getting worse are the recent ransomware attacks on large Taiwanese computer maker Acer and Asian retail chain Dairy Farm.

The ransomware criminals are asking US$50 million ($69.6m) and US$30m from the two organisations respectively, which is a massive hike compared to extortion demands seen in the past.

That's bold, but a new twist to the ransomware saga is how companies with "cyber insurance" to protect them against the consequences of attacks (well, to a degree at least) have moved up the target list to the top spot.

It's similar to people putting surveillance cameras and video doorbells on their houses, and which don't deter burglars but tell them that there's valuable stuff inside.

Ransomware raiders have figured out that if they hack insurance companies, they'll get lists of valuable targets to attack who are likely to pay up because… their insurance will cover it.

They also know that some organisations have taken out insurance instead of doing the hard yakka of being constantly vigilant against security threats and are easy pickings.

One positive development is that government security agencies have become more responsive, using newly-assigned powers to force private and public organisations to actually fix their vulnerable systems.

This in the United States especially, where the Cybersecurity and Infrastructure Agency (CISA) literally ordered organisations to unplug and patch vulnerable on-premise Microsoft Exchange Server installations, which are heavily under attack after an exploit chain leaked.

The campaign to patch the Exchange boxes is working, and the number of vulnerable servers is reducing by the day. Not fast enough, and those who are slow to patch will regret it as hackers rush to exploit remaining vulnerable systems.

That's the kind of active, fast response capability New Zealand could do with, as any drop in cyber incident numbers is most probably the lull before the storm.