Ransomware, supply chains emerge as attack vectors in UK’s cyber threat landscape, says annual review

The U.K.’s National Cyber Security Centre (NCSC), a part of GCHQ, released its fifth annual review that analyzes how cyber threats faced by the U.K. and its allies continued to grow and evolve this year. These dangers included indiscriminate phishing scams against mass victims, ransomware attacks against public and private organizations, and targeted hostile acts against critical national infrastructure and government.

“While the threats came from a range of actors using an array of methods, they had one thing in common; they led to real-world impact. Life savings were stolen, critical and sensitive data was compromised, healthcare and public services were disrupted, and food and energy supplies were affected,” according to the report titled ‘NCSC Annual Review 2021.’

The NCSC has partnered with law enforcement agencies to monitor, counter and mitigate the threat, whether committed by sophisticated state actors, organized criminal groups, or low-level offenders. The review looked into some of the key developments and highlights in the period between Sept. 1, 2020, and Aug. 31, 2021.

“We will work with the FCDO to put cyber power at the heart of the UK’s foreign policy agenda, strengthening our collective security, ensuring our international commercial competitive advantage and shaping the debate on the future of cyberspace and the internet,” Lindy Cameron, NCSC’s CEO, wrote in the annual review. “We will need to reinforce our core alliances and lead a compelling campaign aimed at middle-ground countries to build stronger coalitions for deterrence and counter the spread of digital authoritarianism.”

“This will involve better connecting our overseas influence to our domestic strengths, leveraging our operational and strategic communications expertise, thought leadership, trading relationships and industrial partnerships as a force for good,” Cameron added.

The Covid-19 pandemic continued to shape the cybersecurity landscape, as cybercriminals continued to exploit the pandemic as an opportunity, while hostile states shifted their cyber operations to steal vaccine and medical research and to undermine other nations already hampered by the crisis, the NCSC observed. “The pandemic has also brought about an acceleration in digitisation, with businesses and local government increasingly moving services online and essential services relying ever more on cloud IT provision. This has broadened the surface area for attacks and has often made cyber security more challenging for organisations,” it added.

The compromise of the software company SolarWinds and the exploitation of Microsoft Exchange servers highlighted the threat from supply chain attacks, according to the annual review. These attacks were two of the most serious cyber intrusions ever observed by the NCSC. They saw actors target less-secure elements, such as managed service providers or commercial software platforms, in the supply chain of economic, government, and national security institutions.

In March this year, Microsoft announced that four zero-day vulnerabilities in Microsoft Exchange servers were being actively exploited with at least 30,000 organizations reportedly compromised in the U.S. alone, affecting many more worldwide, the report said. In July, the NCSC assessed this attack was highly likely to have been initiated and exploited by a Chinese state-backed threat actor, with the objective of enabling large-scale espionage, including the acquisition of personal data and intellectual property. The SolarWinds attack enabled the onward compromise of multiple U.S. government departments, and the British cloud and email security firm Mimecast, among other victims.

Ransomware became the most significant cyber threat facing the U.K. this year, according to the NCSC. Because of the likely impact of a successful attack on essential services or critical national infrastructure, it was assessed as potentially as harmful as state-sponsored espionage. Ransomware gained increased public attention following attacks on Colonial Pipeline in the U.S., which supplied fuel to the East Coast, and another against the Health Service Executive in Ireland.

The NCSC annual review said that in the U.K., there was an increase in the scale and severity of ransomware attacks. Hackney Borough Council suffered significant disruption to services, leading to IT systems being down for months and property purchases within the borough delayed. Attacks this year were across the economy, targeting businesses, charities, the legal profession and public services in the education, local government and health sectors. Among other ransomware incidents investigated was a major attack on the American software firm Kaseya.

In July, the NCSC helped to identify and support British victims after the Florida-based company was infiltrated by a hacking group, which seized troves of data and demanded $70 million in cryptocurrency for its return, the report said.

Last month, the Australian government announced its ‘Ransomware Action Plan’ that introduces criminal offences, tougher penalties, and a mandatory reporting regime, as the administration takes action to protect individuals, businesses, and critical infrastructure from ransomware attacks.

According to the review, the NCSC continued its work with global partners to detect and disrupt shared threats, the most consistent of these emanating from Russia and China. In addition to the direct cybersecurity threats posed by the Russian state, it became clear that many of the organized crime gangs launching ransomware attacks against western targets were based in Russia.

China remained a highly sophisticated actor in cyberspace with increasing ambition to project its influence beyond its borders and a proven interest in the U.K.’s commercial secrets, the NCSC said. The manner in which China evolves in the next decade will probably be the single biggest driver of the U.K.’s future cybersecurity. While less sophisticated than Russia and China, Iran and North Korea continued to use digital intrusions to achieve their objectives, including through theft and sabotage, it added.

There is a heightened concern globally about cybersecurity threats to IT and OT infrastructure, including in the U.S. Ahead of the Thanksgiving holiday, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) issued on Monday a reminder to critical infrastructure partners “that malicious cyber actors aren’t making the same holiday plans as you.”

Citing recent history, the advisory said that “this could be a time when these persistent cyber actors halfway across the world are looking for ways—big and small—to disrupt the critical networks and systems belonging to organizations, businesses, and critical infrastructure.”

“While we are not currently aware of a specific threat, we know that threat actors don’t take holidays,” Jen Easterly, CISA director, said in a media statement. “We will continue to provide timely and actionable information to help our industry and government partners stay secure and resilient during the holiday season. We urge all organizations to remain vigilant and report any cyber incidents to CISA or FBI.”

FBI Cyber Assistant Director Bryan Vorndran said that “we will continue to provide cyber threat information and share best safeguard practices. We urge network defenders to prepare and remain alert over the upcoming holiday weekend and report any suspicious activity to www.ic3.gov.”