Cybercrime: Critical infrastructure is at risk and needs a combined private- and public-sector response

Supply chain cyberattacks have been rife over the last few months, affecting a large number of governmental agencies, law enforcement, companies and universities in the US and Europe.

A prominent example of such cyberattacks is the exploitation of a zero-day vulnerability in the file sharing software MOVEit, which is widely used by organizations to transfer data.

This cyberattack was led by the Russian-speaking Clop or Cl0p cybercriminal group, known for large scale ransomware-as-a-service campaigns. The hacking group has been operational since February 2019, targeting more than 3,000 United States-based organizations and 8,000 organizations worldwide.

Despite the 2021 Interpol-led arrest of some group members in Ukraine, this cyberattack in late May demonstrates that group-affiliates are still operational and dangerous.

On June 7, the US Cybersecurity and Infrastructure Security Agency (CISA) published a joint cybersecurity advisory with the Federal Bureau of Investigation (FBI), and announced it was providing support to several federal agencies that had been breached.

The Department of Energy and the National Nuclear Security Administration were among the US agencies that have been impacted. Other public sector victims include California’s public pension fund, University of California, Los Angeles, Minnesota’s Department of Education, New York City’s public school system, the UK's communications regulator Ofcom and the Canadian provincial government of Nova Scotia, while affected companies include Siemens Energy, Schneider Electric, Shell, BBC and British Airways.

The hacker group has been “naming and shaming” the victims on their dark web page, publishing instructions on how to enter extortion negotiations and threatening to publish the stolen data if the ransom is not paid.

Over the years, Clop has been demanding ransoms of hundreds of thousands, sometimes millions of dollars. However, the hacker group has allegedly claimed to be solely targeting private businesses and that it will delete any data from governments or law enforcement.

In Europe, air traffic control agency Eurocontrol was attacked by the hacking group Killnet last April. The cybercriminals launched a distributed denial-of-service (DDoS) attack causing interruptions to the website, but luckily the attack had no impact on European aviation.

Killnet is a pro-Moscow hacking group notorious for denial of service attacks. The group also claimed responsibility for the cyberattack on Lithuania’s public services on June 26, in a tit-for-tat response to the government decision to block the transit of certain goods to the Russian enclave of Kaliningrad.

Similarly, in late June, the Luxembourg City Council and the European Investment Bank (EIB) websites were taken down for several hours by a DDoS cyberattack.

Killnet and two other cybercriminal groups had previously warned about upcoming attacks against the European banking system on Telegram channels. However, the only cyber fallout was the temporary disruption of the EIB’s website.

Swiss governmental agencies and cantonal offices were also targeted in a series of attacks in May and June. On June 12, the Swiss federal government website was taken down by a DDoS attack, launched by the hacker group NoName, supposedly in retaliation for the Swiss adoption of EU sanctions against Russia.

Similarly, a week before the parliamentary address of the Ukrainian president Volodymyr Zelenskyy, the Swiss parliament website was hit by a DDoS attack, revendicated by the same NoName hacking group on Telegram channels.

Switzerland’s public sector was also previously compromised via a supply chain attack in mid-May. A Swiss government software provider fell victim of a ransomware attack attributed to the hacker group Play.

The breach affected the country's Federal Office of Police, the Federal Office of Customs and Border Protection, as well as the Swiss Federal Railways and some cantonal authorities. The Swiss National Cybersecurity Centre has confirmed that stolen data includes operational data from various Swiss authorities and organizations.

In response, the Federal Council has formed a crisis team to manage the ransomware investigation and to revise the current contracts with the federal administration's IT service providers, to increase cybersecurity.

This latest incident affecting Switzerland, along with the MOVEit ransomware attack, highlights the cybersecurity risks associated with third parties and the possible implications for the public sector.

Cybercrime is transnational in nature, and cybercriminals' ties to government entities are often nebulous. However, the geopolitical tensions in the wake of Russia’s war against Ukraine have heightened the risks to critical infrastructure and its supply chain.

The European Union (EU) and North Atlantic Treaty Organization (NATO) have stepped up their cooperation with the launch of the EU-NATO Task Force on resilience of critical infrastructure, focusing on energy, transport, digital infrastructure and space.

The new US National Cybersecurity strategy also emphasizes the need to protect critical infrastructure and to disrupt and dismantle threat actors by integrating federal disruption activities and enhancing public-private operational collaboration.

Some examples include the international police operation Cookie Monster in April 2023, which led to the takedown of the largest illicit cybercrime forum known as Genesis Market; the FBI disruption against the Hive ransomware group made public in January 2023, and more recently the Five Eyes take down of the Snake malware and data theft network used in espionage campaigns by Russia’s Federal Security Service in May 2023.

In an increasingly complex and interconnected technological ecosystem, critical infrastructure is exposed to a variety of cyber threats. To mitigate systemic risks and to advance cyber resilience in critical sectors such as aviation, manufacturing, oil and gas and electricity, the Centre for Cybersecurity at the World Economic Forum is mobilizing a multistakeholder community across businesses, governments, civil society and academia.

As a result of this cross-sector industry-focused initiatives the World Economic Forum has established a blueprint for evaluating cyber risk across the oil and gas industry.

Moreover, in 2021, upon request from the European Commission’s Energy Directorate, the cyber resilience in electricity initiative provided 15 recommendations on the EU cybersecurity directives NIS 2.0 (Network and Information Security) and CER (Critical Entities Resilience).

Besides the efforts to strengthen cyber resilience in critical infrastructure, the World Economic Forum is also leading the Partnership against Cybercrime. Since 2020, the initiative is bringing together law enforcement agencies, international organizations, cybersecurity companies, service providers and not-for-profits to disrupt cybercrime.

In the effort to tackle rising cybercrime levels, at the 2023 Annual Meeting at Davos in January, the Centre for Cybersecurity launched the Cybercrime Atlas, supported by Fortinet, Microsoft, PayPal and Santander.

This new initiative will map the threat landscape and create a cybercrime repository based on public data and voluntarily shared information to enable law enforcement agencies to combat cybercrime more effectively.