The ransomware attack that started it all

By Amit Roy Choudhury

A North Korean hacker group’s attack on Sony Pictures in 2014 was the precursor to today’s global ransomware menace, according to the US intelligence community’s ransomware expert, Laura Galante.

The expansion of the digital attack surface due to the digitalisation of banking, healthcare, and industrial systems, among others, has increased ransomware attacks and the threat is often compounded by poor security practices. Image: Canva.

The benefit of hindsight often provides a clear perspective of the importance of an incident. 


The cyberattack on Sony Pictures happened in 2014 and was orchestrated by a North Korean hacker group in retaliation for Sony’s release of the comedy movie The Interview earlier that year. 


The movie was a satire about a CIA plot to kill the North Korean leader, Kim Jong-un, using two journalists who secured an interview with him. 


The attack affected almost all of Sony’s networks and erased data on nearly half of the 6,800 personal computers and more than half of the 1,555 servers comprising the studio’s global network. The malware also fried the infected systems, and they could not even initiate their start-up sequences. 


One of the US intelligence community’s top ransomware experts, Laura Galante, said the attack demonstrated, for the first time, how stolen data and information could be used as an extortion tactic to embarrass an organisation. 


The Sony attack foreshadowed the kind of disruptive effect ransomware attacks would have, said Laura Galante.

Speaking to GovInsider on the sidelines of the recent GovWare 2024 cybersecurity conference, Galante said the attack also showed that cyberattacks could have a severe disruptive impact – going beyond IT system issues by crippling an organisation’s physical operations and damaging its reputation. 


The incident provided important lessons to both hackers and the global intelligence community that monitors their activities. 


“This [the attack] foreshadowed the kind of disruptive effects that ransomware attacks would have on critical sectors like healthcare, education, and infrastructure in the years to come,” said Galante, who is the Cyber Executive and Director of the Cyber Threat Intelligence Integration Center (CTIIC) for the Office of the Director for National Intelligence in the US.  


From January through June 2024, global ransomware attacks totalled 2,321, a slight increase from the number recorded during the first six months of 2023 and about half the total number tracked for the entire year, said Galante, citing CTIIC’s data.


While commercial sector entities remained the top targets, attacks on the healthcare and emergency services sector rose during the first six months of the year, compared with the same period last year, she added.  


“Ransomware has evolved from a nuisance to a serious security threat, as criminals have found ways to monetise the extortion of networks and data,” Galante said. 

Poor security and expanded attack surface 


She emphasised that many ransomware attacks exploit known vulnerabilities and poor security practices, such as the use of default passwords, highlighting the need for better cyber hygiene. 


A classic example of this was the ransomware attack on Indonesia’s Temporary National Data Centre (PDN)-2, in June, which paralysed many government services in the country and was later traced to password negligence.  




Another key driver for the increase in ransomware attacks has been the expansion of the digital attack surface over the past decade, she noted.  


“The shift to online banking, the digitisation of intellectual property and research data, and the move to digital telecommunications and energy systems have expanded the digital attack surface. 


“The connectivity of industrial control systems and operational technology (OT) in critical infrastructure sectors, like water and energy, to the internet has also increased the potential attack surface,” she added. 


The digitalisation of healthcare data and processes, as well as of transportation systems, has also increased the attack surface, Galante said. 


“The interconnected nature of this digital attack surface means cyber threats can cross borders and impact entities globally, making them more challenging to address.” 


A related angle was that nation-states, which have historically conducted espionage operations in the physical world, have moved to the digital domain, “targeting intellectual property and other sensitive information”, she said. 


“They have been leveraging cyberspace for a range of purposes, including espionage, disruption, geopolitical influence, extortion, and targeting critical infrastructure,” she noted. 

Use of AI and ML by attackers 


Galante observed that bad actors are increasingly using artificial intelligence (AI) and machine learning (ML) to automate certain types of cyberattacks, such as spear-phishing campaigns.  


“This allows attackers to scale their efforts and potentially increase the effectiveness of their malicious activities,” she noted. 


Galante stressed the importance of the cybersecurity community coming together to establish best practices for the secure implementation and use of AI/ML in cybersecurity applications. 


Existing risk management frameworks, such as those used by the government, should be updated to incorporate the use of AI and ML, she said. 


There is a need for a proactive, intelligence-driven approach to cybersecurity, where comprehensive threat intelligence is used to drive decision-making and provide early warning to both governments and organisations, Galante said. 

International standards crucial 


The development of international standards and frameworks would be crucial in enhancing global cybersecurity resilience and promoting common security practices, she added. 




Galante highlighted the value of public-private partnerships in bringing together various stakeholders, including industry, academia, and government, to collectively address complex cyber threats. 


“There is a need for joint problem-solving efforts between the public and private sectors to effectively mitigate cyber risks,” Galante said. 


Public-private collaboration will be essential in leveraging diverse expertise, coordinating responses, and sharing intelligence to enhance global cybersecurity resilience, she said. 

Singapore playing leadership role  


Galante noted that Singapore benefits from a very close business culture and a public-private sector that is “literally all together in the city here”. 


“This close collaboration and integration of the public and private sectors in Singapore's cybersecurity efforts is a strength.” 


Galante emphasised Singapore's leadership in OT security, particularly in the industrial control systems and critical infrastructure sectors. 


“The US can look to Singapore's OT security strategy and practices as a model for lessons on how to better secure this aspect of critical infrastructure,” Galante said. 


She noted that the future of cybersecurity is expected to involve an increasingly complex threat landscape, requiring a proactive, intelligence-driven approach and the development of international standards.