The State Security Department of the Republic of Lithuania has recently presented an assessment of national security threats to the public. It states that in 2020 there were many instances of cyber-attacks, with websites of institutions being repeatedly hacked, and fraudulent emails with fake information being sent. Experts from Vilnius University (VU) also note that the threat of cyber espionage has increased during the COVID-19 pandemic. State-supported cyber groups have seized the opportunity of the pandemic to carry out cyber-attacks on national authorities, national security authorities, and energy and other strategic companies of other states.
According to Dr Renata Danielienė of VU Kaunas Faculty, one of the aims of such state-supported groups is to obtain as much confidential information as possible from the institutions of another country, business organizations or research bodies carrying out relevant research, developing new or improving existing inventions. Danilienė believes that the activities of such groups pose a serious threat to organizations using online strategic information systems.
“The attacks previously carried out by cyber groups in other countries show that the aim may be not only state or industrial espionage, but also an attempt to undermine any activity, such as the attacks during the US election campaigns. Attempts were made to break into the accounts of high officials, to publish secret information in order to shape the opinion of the population in a certain direction or to take revenge for critical statements against the country from which the attack is likely to have taken place,” Danielienė said.
Assoc. Prof. Dr Linas Bukauskas of VU Faculty of Mathematics and Informatics, also agrees that there has been a trend of information manipulation via social engineering, where the electronic space of non-friendly countries is used to achieve certain goals.
“In such cases, the aim is to lure people into a trap by means of social engineering attack. For example, citizens receive invitations to events or conferences taking place in a non-friendly country, often fully paid. Those who become interested may slowly become involved in activities that could be qualified as anti-state activities – to disclose scientific, state and technological secrets. The person’s vigilance is tested by using information. It must be remembered that ‘there is no such thing as a free lunch’, there is usually a hidden agenda,” Bukauskas warned.
Targets – public authorities and media sites
When evaluating reports of institutions responsible for security of Lithuania and recent cases in the media, VU researchers note that the number of cyber-attacks against Lithuania is increasing. According to experts, several elements related to cyber security can be distinguished: data loss, information manipulation, vulnerability of cyber security and the use of this vulnerability in state or critical infrastructure systems.
Internet sites of public authorities and media are often targeted. Criminals publish fake information in order to compromise organizations themselves and to form a certain opinion of the population. According to the National Cyber Security Centre at the Ministry of Defence of the Republic of Lithuania, in December 2020 alone, 22 public sector internet sites were hacked. Most of the internet sites were those of Lithuanian municipal authorities, where fake information was published.
According to Danielienė, Lithuania is not unique – many countries face similar problems. “The report published by the Estonian Foreign Intelligence Service in 2020 highlights that anyone can be the target of an attack, because hackers are looking for the weakest links, for example, an insufficiently protected device which can be linked by hackers to the cyber-attack infrastructure, thus becoming part of criminal activity,” the VU researcher noted.
Human error is the Achilles heel
When assessing the cybersecurity situation, Bukauskas distinguishes the use of indirect human errors in the public space in 2020. Human errors are left in the development or installation of systems, variables are not processed sufficiently safely or weak login passwords are created. These errors are used to leak data. In addition, people’s shared files or errors in software solutions are used by hackers.
“The most common attempt is to hack in by taking over passwords, exploiting vulnerable systems to run a variety of botnets. At VU Cyber Security Laboratory we use net flow sensors to monitor illegal connections. These sensors indicate the activity of hackers and the passwords used. An automated attack is looking for unsafe systems or unprotected places left by people, checking vigilance. For example, an individual system may be subject to 200 illegal hacking attacks on average in “quieter” weeks, but there can often be thousands and more,” Bukauskas said.
In order to avoid human errors in cyber security, professionals responsible for cyber security must be trained appropriately. At VU Cyber Security Laboratory, researchers are implementing several projects developing methodologies to identify early cyber security risks and also to improve the competences of cyber security specialists.
One-off investment is not sufficient
The population may suffer a variety of consequences due to cyber-attacks: from disconnected energy supplies to stolen personal data and financial losses. Meanwhile, the companies that are hacked may be disconnected from their critical systems, their confidential data and that of their customers and partners may be stolen, and financial losses due to the inability to provide services are incurred. In addition, they may be penalized for the disclosure of confidential data, suffer reputational loss, and loss of customer trust, all which may require considerable efforts to recover.
According to Danielienė, cybercriminals, whether organized groups or individual programmers, are constantly looking for vulnerable places in information systems or infrastructure, but they also use people’s credulity.
“The analysis of the attacks shows key issues such as security gaps in the infrastructure, the lack of knowledge of cyber prevention and cyber security managers and personnel, as well as a lack of leadership competences. There is often no information on the organization’s security policy or it is not complied with and, in the event of a cyber incident, nobody knows how to respond. In addition, organizations still do not pay sufficient attention to regular training and awareness raising in cyber security,” Danielienė added.
In order to reduce the risk of cyber-hacking, Danielienė believes that organizations need to take coherent and integrated measures, implement and maintain a cyber security culture within the organization, and managers and individuals in charge must be constantly attentive to trends in the cyber world and be ready to respond accordingly by taking certain security measures. “In this world of information technologies, it is not enough to invest in infrastructure once. Today organizations must allocate funds regularly to both infrastructure upgrade and cyber risk management,” Danielienė emphasized.
None of the system escapes attacks
According to Bukauskas, all systems, whatever they may be, will one day experience a cyber incident. According to the researcher, taking care of cyber security must be routine work, because the technologies used today do not have known vulnerabilities for now, but will be broken later.
“It is important to periodically monitor cyber security events, update software solutions, and monitor the environment as to who is interested in you as an organization. For example, if you see that you have received 1,000 queries from different IP addresses with a similar request, you should already be concerned about your security and monitor or look for vulnerable points. Cyber security professionals regularly monitor data vulnerability databases, which do not expose vulnerabilities, but only identify product x as vulnerable with indicators of compromise. They participate in threat-sharing networks, which help to obtain early information about the patterns of an ongoing attack or the characteristics of attackers,” Bukauskas noted.
Bukauskas once again reminds us that organizations seeking to avoid cyber security incidents must regularly update their software solutions, change passwords or use two-factor authentication. System administrators should also avoid using popular passwords that are easy to guess.
According to the expert, it is necessary to monitor not only the vulnerability of the systems used by the company, but also the applications and platforms used by employees during their workday, especially if personal devices such (i.e. shadow IT) as mobile phones and tablets are admitted to the network of the organization. Employees must be trained to assess the safety of the software. The applications, mobile apps or web browser extensions used for easy password storage in an organization also need to be monitored, because sometimes there is demand for excessive rights or even full-text passwords are stored in systems outside the EU.
The researcher also draws attention to the safety of mobile applications developed by technology start-ups. Start-ups should pay more attention to the safety of the products they develop and comply with the secure coding standards.
“Start-ups adapt the latest technologies, but very often forget to perform cyber security tests, and don’t always comply with the secure coding standards. The main purpose of such companies is to produce a product as soon as possible, sometimes without paying sufficient attention to the safety of the product. Young people are often involved in the development of such systems and may not always have sufficient experience in terms of security. Learning secure coding and programming techniques is a serious activity that requires specific knowledge based on experience,” Bukauskas concluded.