State-sponsored cyber attacks
In March the UK Government, backed by the National Cyber Security Centre (NCSC), formally accused the Chinese state of supporting cyber campaigns against MPs and the Electoral Commission. The state-affiliated group Advanced Persistent Threat 31 (APT31) is believed to have been behind successful attempts to compromise the email accounts of several UK parliamentarians in 2021, and to have illegally obtained Electoral Register data relating to around 40 million voters at a similar time.
This marks another escalation in diplomatic tension between Western countries and China. Last month’s round-up raised concerns about attempts to attack critical infrastructure in the UK and US. The New Zealand government has also raised similar concerns, while the Google parent Alphabet’s cyber unit published a report highlighting likely attempts to infiltrate German political parties by Russian state-backed hackers.
Public servants and bodies remain at high risk from such attacks, particularly with elections due in so many countries. Disruption on a national scale is not confined to state actors, though: a major ransomware attack in late February on Change Healthcare, a subsidiary of the US health insurer UnitedHealth Group, was claimed by the ALPHV/BlackCat criminal group rather than a state-backed actor, and has led to weeks of disruption at hospitals, community health centres and pharmacies.
More details have also been surfacing about the compromise of Microsoft corporate email accounts that began late last year. The initial access was surprisingly unsophisticated: a ‘password spray attack’, in which attackers try a small set of common or previously leaked passwords against a large number of accounts, keeping the attempts per account low enough to stay under lockout thresholds and alerting rules. The spray succeeded against a legacy, non-production test tenant account that did not have multi-factor authentication enabled, and the attackers used that foothold to reach parts of Microsoft’s internal environment.
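The detection signal for a spray is the reverse of a classic brute-force attempt: many distinct accounts, very few failures each, from one source in a short window. The following added example (written for this round-up, not code from Microsoft or any vendor) runs that logic over a constructed set of sign-in log lines; the log format, IP addresses, usernames and thresholds are all assumptions chosen for illustration.

```python
"""Password-spray vs brute-force detection over constructed sign-in logs."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample, not real logs: "timestamp user source_ip result".
# 203.0.113.5 sprays one guess at seven accounts and lands on svc-test;
# 198.51.100.7 hammers a single account; 192.0.2.9 is a user who mistyped once.
SAMPLE_LOG = """\
2024-03-01T08:00:01Z alice 203.0.113.5 FAIL
2024-03-01T08:00:04Z bob 203.0.113.5 FAIL
2024-03-01T08:00:07Z carol 203.0.113.5 FAIL
2024-03-01T08:00:10Z dave 203.0.113.5 FAIL
2024-03-01T08:00:13Z erin 203.0.113.5 FAIL
2024-03-01T08:00:16Z frank 203.0.113.5 FAIL
2024-03-01T08:00:19Z grace 203.0.113.5 FAIL
2024-03-01T08:00:22Z svc-test 203.0.113.5 SUCCESS
2024-03-01T08:30:00Z heidi 198.51.100.7 FAIL
2024-03-01T08:30:02Z heidi 198.51.100.7 FAIL
2024-03-01T08:30:04Z heidi 198.51.100.7 FAIL
2024-03-01T08:30:06Z heidi 198.51.100.7 FAIL
2024-03-01T08:30:08Z heidi 198.51.100.7 FAIL
2024-03-01T08:30:10Z heidi 198.51.100.7 FAIL
2024-03-01T09:00:00Z ivan 192.0.2.9 FAIL
2024-03-01T09:00:30Z ivan 192.0.2.9 SUCCESS
"""


def parse_log(text):
    """Turn the assumed whitespace-separated format into (ts, user, ip, result)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result))
    return events


def _window_stats(fails, window):
    """Slide a time window over one source's failures (sorted by time) and
    return the largest distinct-user count and largest single-user count seen."""
    best_distinct = best_per_user = 0
    start = 0
    for end in range(len(fails)):
        while fails[end][0] - fails[start][0] > window:
            start += 1
        counts = Counter(user for _, user in fails[start:end + 1])
        best_distinct = max(best_distinct, len(counts))
        best_per_user = max(best_per_user, max(counts.values()))
    return best_distinct, best_per_user


def detect(events, window=timedelta(minutes=15), spray_users=5,
           spray_max_per_user=2, brute_attempts=5):
    """Classify each source IP as password_spray, brute_force, or benign.
    A spray is many users with at most a couple of failures each; a brute
    force is one user with many failures. Successful logins from the same
    source are reported so a spray that 'hit' is visible."""
    fails_by_ip = defaultdict(list)
    success_by_ip = defaultdict(set)
    for ts, user, ip, result in events:
        if result == "FAIL":
            fails_by_ip[ip].append((ts, user))
        elif result == "SUCCESS":
            success_by_ip[ip].add(user)

    findings = []
    for ip, fails in sorted(fails_by_ip.items()):
        fails.sort()
        distinct, per_user = _window_stats(fails, window)
        if distinct >= spray_users and per_user <= spray_max_per_user:
            pattern = "password_spray"
        elif per_user >= brute_attempts:
            pattern = "brute_force"
        else:
            continue  # below both thresholds: ordinary user error
        findings.append({
            "source_ip": ip,
            "pattern": pattern,
            "distinct_users": distinct,
            "max_attempts_per_user": per_user,
            "successful_logins": sorted(success_by_ip[ip]),
        })
    return findings


if __name__ == "__main__":
    for finding in detect(parse_log(SAMPLE_LOG)):
        print(finding)
```

Note that a per-account lockout rule would never fire on the 203.0.113.5 traffic: each account saw one failure. Only aggregating by source over a window, and then looking for any success from the same source, surfaces the spray and the account it compromised. In production the source key is usually an IP range or ASN rather than a single address, since sprays are routinely spread across residential proxies.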
It is a timely reminder of the importance of thorough audits of account directories: reviewing dormant, test and privileged accounts, enforcing multi-factor authentication everywhere (legacy and test accounts included), and using tools to identify compromised passwords. For example, the Have I Been Pwned ‘Pwned Passwords’ service offers a downloadable list of hashes of compromised passwords that can be loaded into enterprise systems for password validation checks, and an online API that checks a password without ever sending it, or its full hash, off the machine.
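The online check works by k-anonymity: the client SHA-1 hashes the password, sends only the first five hex characters of the hash to `https://api.pwnedpasswords.com/range/<prefix>`, and receives every known suffix sharing that prefix with a breach count, so the match is made locally. The following added example (written for this round-up, not Have I Been Pwned’s own client) implements that exchange and an equivalent check against a locally downloaded list. The `fetch` parameter is injectable so the block runs offline: the live `fetch_range` uses the real endpoint and its documented `Add-Padding` header, while `offline_fetch` returns a constructed reply whose breach counts are illustrative, not live data. The assumed local-file format (one `SHA1HASH:COUNT` per line) is an assumption about the downloaded list.

```python
"""Compromised-password check against HIBP Pwned Passwords (k-anonymity API
or a local hash list). Added example; not the HIBP project's own code."""
import hashlib
import urllib.request

API_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password):
    """HIBP keys its list on upper-case hex SHA-1 of the UTF-8 password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(hex_hash):
    """Five-character prefix goes to the API; the 35-character suffix stays local."""
    return hex_hash[:5], hex_hash[5:]


def parse_range_response(text):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}. Entries with count 0
    are padding (returned when Add-Padding is set) and are dropped."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def fetch_range(prefix):
    """Live lookup over the network. Add-Padding hides the true reply size
    from anyone watching traffic volume."""
    req = urllib.request.Request(
        API_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "pwned-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password, fetch=fetch_range):
    """Return how many times the password appeared in known breaches (0 if none).
    Only the hash prefix is passed to `fetch`; the suffix never leaves this function."""
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range_response(fetch(prefix)).get(suffix, 0)


def breach_count_local(password, lines):
    """Same check against lines from a downloaded list ('SHA1HASH:COUNT' per
    line, an assumed format). Suitable for a bulk directory audit with no
    network calls at all."""
    target = sha1_hex(password)
    for line in lines:
        full_hash, _, count = line.strip().partition(":")
        if full_hash.upper() == target:
            return int(count)
    return 0


# Constructed sample standing in for the API reply for prefix 5BAA6, which is
# the prefix of SHA-1("password"). The counts are made up for illustration.
_PASSWORD_SUFFIX = split_hash(sha1_hex("password"))[1]
SAMPLE_RANGE_RESPONSE = "\r\n".join([
    "003D68EB55068C33ACE09247EE4C639306B:3",
    _PASSWORD_SUFFIX + ":3730471",
    "0123456789ABCDEF0123456789ABCDEF012:0",  # padding entry, must be ignored
])

# Constructed stand-in for a few lines of a downloaded list.
SAMPLE_LOCAL_LINES = [
    sha1_hex("password") + ":3730471",
    sha1_hex("letmein") + ":451156",
]


def offline_fetch(prefix):
    """Offline substitute for fetch_range: the sample covers only prefix 5BAA6;
    any other prefix gets an empty reply, i.e. no known matches."""
    return SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        print(candidate, "->", breach_count(candidate, fetch=offline_fetch))
```

When wiring this into a password-change flow, reject any candidate with a non-zero count rather than applying a threshold: a password seen even once in a breach corpus is on every spray list worth using. Rate-limit the live lookup and cache prefix responses, since the API returns several hundred suffixes per prefix.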
Account takeover scams
If you’ve been hooked on the BAFTA-nominated BBC series Scam Interceptors, you’ll know that scammers are using increasingly manipulative techniques to draw in their victims. Frequently, their techniques involve pressure tactics, pushing their targets into making quick decisions and keeping them on the phone for long enough that the web of lies – seasoned with a few truths that they have managed to establish from a little online research – starts to seem plausible. Before you know it, they have taken control of your phone or accounts, and are transferring money in front of your eyes.
Many of those featured on the programme believed they were savvy enough not to fall for such scams, until it happened to them.
This was very much the case for small practice owner Alex Falcon Huerta, who fell victim to just such a scam earlier this year to the tune of £53,000. Accountant Falcon Huerta was caught off guard having recently set up a new business bank account. A lack of familiarity with the bank’s fraud processes meant the cyber criminals quickly gained access to her account and made a number of transfers.
It appears that the fraudsters gleaned enough information from social media and other public activity to build a picture of Falcon Huerta’s banking arrangements. It highlights the perils of oversharing online, and is a warning never to accept a caller’s request to screen-share or to install screen-sharing apps. If you think you are being scammed, hang up and call 159, a service that connects you quickly and securely to your bank.
ICO fine guidance
The Information Commissioner’s Office (ICO) has released new guidance on how it determines the level of fines applied to organisations found to have breached data protection law. In particular, it sets out the aggravating and mitigating factors it weighs when setting the amount. Beyond the legal obligations themselves, the guidance covers the level of cooperation with the ICO, adherence to approved codes of conduct and, most crucially, whether the organisation engaged with bodies such as the NCSC and followed the advice or guidance those bodies provided.
In terms of what some of that support and guidance might be, the NCSC has launched a free tool to help small organisations review their email security, new guidance for CEOs on how to respond to a cyber incident, and an exploration of cybersecurity in operational technology environments.
Investment in cybersecurity remains a key challenge for some organisations, in particular demonstrating its value. A recent survey by the Department for Science, Innovation and Technology shows that adherence to cybersecurity standards remains low in medium-sized businesses and charities, despite some improvements. In this context, a recent article exploring the ROI of investing in resilience (of which cybersecurity is a key part) may help frame conversations with key stakeholders.
Want to learn more about cybersecurity?
Attend ICAEW’s Cyber Security immersion event on 6 June 2024. This is a hands-on approach to Cyber Risk management that will be held in person. More details and pricing are available here.
Got an interesting cyber story for us? Email techfac@icaew.com