Hacking, espionage, infiltration... How some states are taking advantage of the pandemic to carry out global cyberattacks

From energy to public administration to hospitals, many sectors of activity were hit by computer attacks in 2021, most often to extort a ransom. But other cyberattacks take place in the shadows, because they aim to harvest strategic information rather than money. And they do not answer to criminal groups, but to states.

Many countries continue to use cyberspace as a hunting ground for espionage or sabotage operations. Although these operations have not seen the same explosion as ransomware attacks, their operators too have taken advantage of the Covid-19 pandemic to carry out some of the worst computer attacks in history. And France has not been spared.

Hard-to-attribute attacks

In December, the French National Information Systems Security Agency (Anssi) revealed that French entities had been targeted by two hacking campaigns in 2021. The names of the groups held responsible, Nobelium and APT 31, are not very evocative. But among professionals there is little doubt about their sponsors: they are said to be Russia and China respectively.

"Ransomware has a 'wow' side because the effects are visible and immediate," summarizes David Grout, technical director in Europe for the cybersecurity company Mandiant, interviewed by franceinfo.

These covert actions, often carried out by groups working for states, have a name: "advanced persistent threats" (APT). Most are associated with the "Big Four" of "hacker" states: Russia, China, Iran and North Korea.

It is difficult to attribute an attack to a group, let alone to a state. Characteristic signs must recur across several offensives: the same modus operandi, the same signature, the same objective... And even when a group is identified, "states blur the trail: the attacker can be integrated directly into the intelligence services, act as a service provider, be supported or simply tolerated", explains Julien Nocetti, associate researcher at the French Institute of International Relations.

A context conducive to hacking

The onset of the health crisis had a rather unexpected effect on these attacks. "We found that when strict lockdowns were put in place, a number of groups stopped their activity completely", notes David Grout, who believes the hackers simply found themselves confined far from their equipment.

But they quickly resumed service, taking advantage of the weaknesses revealed by the generalization of remote work. "Remote work has exposed directly to the internet devices that were previously protected by their company's or their administration's network", remarks Laurent Celerier, vice-president of Orange Cyberdefense. Multiplying the access points (VPNs, tools that can be used remotely such as Office 365, etc.) means multiplying the potential entry points for hackers.

They rushed to exploit flaws discovered by others, such as Log4Shell, one of the most serious vulnerabilities in history, made public in December and affecting millions of devices. But you don't need to be very sophisticated to hack a company: APTs often use phishing, which consists of sending an employee an email containing a booby-trapped link in order to steal their login credentials.

For these state-linked hackers, activity also depends on geopolitical tensions. According to a report from Microsoft's cybersecurity branch, Russia has stepped up computer attacks against Ukraine since June 2020, attacks that accompany a significant military escalation. The cyber war between Israel and Iran has also reportedly intensified in recent months, with attacks on LGBT dating sites, hospitals and even Tehran's gasoline distribution system.

New targets for hackers

These hackers also took advantage of the pandemic to keep updating their strategies. Rather than forcing locks one by one, APTs are increasingly attacking the "locksmith", the service provider who holds the keys to the systems of thousands of customers. By compromising the IT services company SolarWinds in early 2020, the Russian group Nobelium was able to infiltrate nearly 18,000 entities, including several US federal agencies. Another massive hack, that of Microsoft Exchange by a group connected to China in January 2021, relied on the same principle.

These APTs have become more complex and their identification more difficult. Some, for example, use open source tools freely available on the internet, which reduces the chances of leaving a clear signature.

The attacks are also hitting new targets, including NGOs. "The motivation is often financial," qualifies Stéphane Duguin, director of the CyberPeace Institute. "But they obviously make very interesting targets for states, because of the information they hold, the lists of beneficiaries they support..."

France knows it is threatened

France has not been spared by these computer attacks. According to the cybersecurity companies interviewed by franceinfo, its main attackers are said to be Moscow and Beijing. "Russia is very active on geopolitical issues, collecting information that will be used in international negotiations, particularly on NATO or Eastern Europe", sums up David Grout. China, meanwhile, is said to be more interested in economic information to gain market share, for example in the pharmaceutical or energy industries.

Unlike the United States, France does not publicly name those responsible after an attack. "It considers that this would prevent dialogue, so it goes through more discreet diplomatic channels," explains Alix Desforges, researcher at the Geode center. But in recent years it has allowed itself to accuse groups whose links with states are known, such as APT 31 or Nobelium.

According to the specialists interviewed by franceinfo, France has become fairly well aware of the danger. Potential targets have adapted to the threat, according to Timothée Crespe, Tech & Cyber Manager at insurance broker Aon France: "Companies have not all progressed at the same speed, but today almost all of them are protected in both remote and on-site work."

"Zero risk does not exist, but France is rather ahead", to the point of inspiring European regulations, says Laurent Celerier. The country knows it is threatened: the geopolitical context makes it a prime target. "There is the presidential election, the French presidency of the European Union, we will soon be organizing the Rugby World Cup and the Olympic Games... Some might have an interest in targeting the State, or the industries that revolve around these events", predicts David Grout.