The stereotypical profile of a hacker in his parents’ basement developing and launching attacks can officially be put to rest. The geopolitical nature of executing attacks against states, or against those supporting a state, has taken a prime position in the arena of ransomware.
Whether they stem from individual vendettas, hacker groups looking to exploit political situations for boasting rights or on a for-hire basis, or even state sponsorship, the results are the same. As geopolitically motivated attacks continue their upward swing, it’s important to note that these attacks can’t be carried out until the criminals already have access to the targeted systems.
Know the Main Players
Although a geopolitical attack can originate from almost anywhere, there are five primary sources from which most Linux-based ransomware attacks originate:
- China. Since the government essentially has complete control, it’s unlikely any attack is carried out without state sponsorship. The goal is to “establish a broad network of compromised infrastructure.”
- Iran. Iran has plenty of motivation and technical know-how to target Western governments or businesses. The cyberespionage group Charming Kitten is the primary actor.
- North Korea. The North Korean army, most notably its Unit 180 division, is allegedly responsible for any attack originating from the despotic country.
- Russia. While a mainstay for many ransomware attack groups, attackers from Russia have two rules: 1) Do not stage an attack from an .ru domain, and 2) Keep ransom payments from being paid into Russian financial institutions.
- United States. The open nature of internet traffic and availability make the U.S. a more likely source of non-state-sponsored attacks than the other four countries.
Ukraine Crisis Sparks New Linux Attacks
The ongoing crisis in Ukraine has encouraged a surge in geopolitically motivated Linux-based attacks. It has been interesting to watch how a potential geopolitical attack can quickly turn into a typical ransomware incursion.
That said, attacks by state actors against opposing states’ departments are growing, even if many smaller attack groups are using political ideology to advance their own financial gains.
The types of attacks, and the reasons for them, since the beginning of the Ukraine crisis typically fit into one of these categories:
- Denial-of-Service (DoS) to prevent access to systems or files until payment is received
- The typical ransomware event (e.g., “pay us to unlock your files”)
- Using political goals as a form of ransom
- Placing internal pressure on governments by attacking citizens
- Bringing down national infrastructure to inhibit national response to events or attack
The intended purpose of these attacks usually dictates the severity and impact of the ransomware event.
No Agnostics in Government
While businesses have the option of being politically agnostic as a safety measure, this strategy doesn’t work well when it comes to state actors. Security can’t be taken as a given, even with the (arguably) more secure Linux-based systems running the show. An attack can prove to be a threat to the well-being of the general population, and may soon be seen as a bargaining chip at the negotiating table.
Nations and corporations are taking notice of how geopolitics is driving an increased number of attacks against devices. Some are taking action to get ahead of this trend, such as the cooperation between the European Union and the United States. It will take this level of cooperation between countries and businesses to put a halt to geopolitical ransomware.