Tracking the threat actors: NCSC's Eleanor Fairford on the evolving threats to the UK's critical infrastructure

'We're seeing ransomware increasingly deployed against utility providers, law enforcement and emergency response units'

For a few days 18 months ago, the UK and many other countries appeared to be in danger of grinding to a halt. This was during the early stages of the WannaCry crisis which forced a number of NHS trusts to close facilities and crippled large infrastructure, transport and shipping companies like Maersk. Had WannaCry continued on its trail of destruction, we would have soon been in a "category one" (C1) situation, according to NCSC head of cyber assessment Eleanor Fairford, speaking at Computing's Cybersecurity Live event last week.

A C1 event is defined by NCSC as "a cyberattack which causes sustained disruption of UK essential services or affects UK national security, leading to severe economic or social consequences or to loss of life," which could mean an A&E department being severely disrupted or, as a worst-case scenario, a hybrid assault combining a cyber incident with multiple terrorist attacks or similar, Fairford explained.

Fortunately, the destructive WannaCry and NotPetya attacks of 2017 did not attain C1 status and so far have not been repeated, but that certainly doesn't mean that we can rest easy. In fact, the number of ransomware attacks has doubled since 2017.

However, unlike the uncontrolled scatterguns of WannaCry, which NCSC attributes to North Korea's Lazarus Group, and NotPetya, for which Russia is the prime suspect, more recent attacks have been much more targeted, using strains like Ryuk, SamSam and RobbinHood whose infections can be harder to prevent as they propagate via multiple vectors but which don't tend to spread uncontrollably. The motive is generally financial (or disguised as such), and to maximise returns perpetrators calibrate the level of the ransom demand to the perceived ability of the victim to pay. They spend time beforehand researching and identifying targets least likely to have adequate defences and most likely to pay up, such as providers of vital services for whom any downtime is unacceptable. The tools may be more precise, but the targets are still big.

"We're seeing ransomware increasingly deployed against critical infrastructure entities like utility providers, law enforcement and emergency response units, as well as private citizens, educational institutions and other targets," said Fairford.

The ideal target is an organisation providing important services whose extensive supply chains and complex internal structures make it vulnerable. In the US, victims this year have included healthcare providers and local authorities. In August, organisations connected to local government in the US state of Texas were hit by ransomware. This attack on the authorities' managed service providers using Sodinokibi ransomware took out online payment systems and email among other services in 22 municipalities; in November, Louisiana was hit by Ryuk.

In a globalised economy, the impact of cyberattacks is not confined by national boundaries. When the Brussels-based scientific materials supplier Eurofins was hit by ransomware in June, it turned out that this company was responsible for 60 per cent of forensics supplies to the UK police forces.

"An attack not targeting specifically the UK, but on a company that happened to support services in the UK, had potentially a major impact on court cases and police cases going through the system," said Fairford. "So for us, this was a really important shift, where the sorts of targets may not necessarily represent a direct attack on a UK interest, but where the UK nonetheless can be massively impacted."

Another shift, as cybersecurity has become a geopolitical rather than merely a technical concern, is a blurring of the line between organised crime and state actors, with each borrowing the methods, and quite possibly the personnel, of the other. This, together with the ready availability of exploits online, makes attribution of attacks, one of NCSC's functions, more difficult. Currently, attribution requires an average of three weeks of evidence gathering.

NCSC mainly tracks the high-level threat actors based in Russia, China, Iran and North Korea.

Publishing attribution for serious attacks is a fairly recent strategy adopted by the UK, in concert mainly with the US. Previously, this sort of information would have been restricted to diplomatic channels, but state-sponsored threat actors like China's APT10, Russia's Cozy Bear and Iran's APT39 are now publicly named and, if not shamed, at least identified when the weight of evidence permits.

"This has really been designed to shift the public debate. It is about not just tolerating or sleepwalking into increasingly bad behaviour by states," Fairford said.

While it's debatable whether public naming lessens the incidence or severity of such attacks, attribution at least forces state actors to factor potentially adverse publicity into their thinking. It also reduces the silo effect that can sometimes impede defensive response, said Fairford.

"It enables my technical colleagues on the other side of NCSC to put out material that enables network defenders to bolster their defences alongside the political activities we're doing. You can do the two together in a way that we may not have been able to do if we hadn't gone public."