New CDA Institute blogger Mike Belyea discusses malware vulnerability.
Just before the 2016 New Year, the office of the American enterprise, Children in Film, was buzzing. Employees were putting the final touches on the business’s expense reports before enjoying the upcoming holiday. The company’s files are backed up using a cloud storage system, so as employees save files, they are synced and saved onto machines elsewhere. Hard at work, one employee opens an email with an attachment that appears to be an invoice. She opens the file and goes about her business. Thirty minutes later, no one in the company has access to any files. They had all been encrypted, with a message on how to pay a ransom. Once paid, allegedly, the hacker would return the files.
It happened covertly. When the employee opened the attachment she believed was an invoice, she was actually allowing a form of malware, called ransomware, onto her computer. Moving undetected, the ransomware spread to all her files, encrypting them. That would have been devastating enough. Cloud storage, however, functions by duplicating a computer’s files and copying them onto other machines stored elsewhere. This is what makes cloud storage such a tempting target for attackers. Once the employee’s computer files were compromised, they all synced to the cloud storage. Since the storage makes exact copies, the backup files also contained the malware.
Not only were the files stored on the employee’s computer encrypted, so were her backups. But it gets even worse. All employees in the company backed up their files onto the same cloud storage. Since one of the benefits of cloud storage is that everyone has access to every file, all the employees are attached to the same network. This is a double-edged sword. Once the ransomware reached the files stored on the cloud, it spread through everyone’s files. In 30 minutes, the business lost access to all its data. Luckily, whoever created the malware made certain errors in the code that allowed those within the company to eventually retrieve all the compromised files, though not without a week of lost productivity.
Here we have a pertinent example of an important security concern for both business and government. In 2016, the Canadian government announced its Cloud Adoption Strategy as a backup system for government files. Its aim is to provide services on par with those in the commercial service sector. Canada’s cloud storage is provided by Microsoft Azure. The Communications Security Establishment (CSE) expresses confidence in the government’s strategy. “You can’t be held ransom for data you have stored elsewhere” is the line given in their 2017 journal article, “Be Proactive: Prevent Malicious Attacks on Your Network”. The logic behind this sentence is that if your backup data are stored on a separate machine and are not attached to a network, there is no way to access them. However, whether the backup machines only come online briefly and then turn back off, or are online continuously syncing files, is irrelevant. Once the infected files are synced, the cloud storage becomes compromised. All the files kept on that storage machine, which is usually shared between companies, individuals, or government departments, may become encrypted. This CSE article was published after the large 2017 WannaCry ransomware attack, which infected computers in almost every country, though luckily missing Canada.
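To make the point above concrete, here is an added example (not code from the post, from Children in Film or from CSE): a sync client treats scrambled files as just another change, so a plain mirror sync pushes them over its own copy, while a store that keeps prior versions, and holds a sync in which most files changed at once, still has the pre-incident file. The file names, contents and the scramble routine are all constructed for the example.

```python
# Added illustration (not the original post's code). Paths, contents and the
# "scramble" step are constructed; the scramble stands in for ransomware and
# performs no real encryption.
from copy import deepcopy
import os

WORKSTATION = {                      # constructed sample files: path -> bytes
    "expenses/q4.xlsx": b"Q4 travel 1,240.00\n",
    "expenses/receipts.pdf": b"receipt scan\n",
    "invoice.docx": b"Invoice #0042\n",
}

class MirrorSync:
    """Plain cloud sync: the remote copy always equals the latest local state."""
    def __init__(self):
        self.remote = {}
    def sync(self, local):
        self.remote = deepcopy(local)
        return True
    def versions(self, path):
        return [self.remote[path]] if path in self.remote else []

class VersionedBackup:
    """Appends a new version on change instead of overwriting, and holds a
    sync in which most files changed at once (a mass-change guard)."""
    def __init__(self, max_changed_fraction=0.5):
        self.history, self.limit, self.held = {}, max_changed_fraction, 0
    def sync(self, local):
        changed = sum(1 for p, d in local.items()
                      if p in self.history and self.history[p][-1] != d)
        if self.history and changed / len(local) > self.limit:
            self.held += 1           # looks like mass scrambling: do not apply
            return False
        for path, data in local.items():
            hist = self.history.setdefault(path, [])
            if not hist or hist[-1] != data:
                hist.append(data)
        return True
    def versions(self, path):
        return list(self.history.get(path, []))

def simulate_scramble(local):
    """Stand-in for the ransomware step: every file's bytes become unreadable."""
    for path in list(local):
        local[path] = os.urandom(len(local[path]))

def recoverable(store, path="expenses/q4.xlsx"):
    """sync -> scramble -> sync; does the store still hold the original bytes?"""
    local = deepcopy(WORKSTATION)
    store.sync(local)                # normal end-of-day sync
    simulate_scramble(local)
    store.sync(local)                # the sync client dutifully pushes the damage
    return WORKSTATION[path] in store.versions(path)
```

Run `recoverable(MirrorSync())` and `recoverable(VersionedBackup())` to compare the two outcomes; the guard threshold is a parameter, and with it set to 1.0 the versioned store still recovers because it kept the earlier version.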
According to the Microsoft Security Intelligence Report, v.22, global ransomware attacks have increased by 300 per cent in the past year alone. Cloud storage is not immune. Microsoft has an army of its own to counter the hackers. Canadian computers running Microsoft services have seen their encounter rate with malware drop by roughly half from January 2017 to March 2017. That means in March 2017, 3.2 per cent of computers in Canada using Microsoft real-time security products detected malware. Detecting malware doesn’t always mean the system has been infected. But as we’ve seen in the case above, it only takes one open email attachment to compromise an entire system, including its cloud backups.
The CSE article gives recommendations on how government departments and agencies can avoid a ransomware strike. Even if every safety precaution offered by the CSE were in place before May’s WannaCry attack, they would not have been enough to protect against the virus. Canada was spared by luck alone. If a Canadian government employee opens the wrong attachment, he or she might inadvertently grant the virus access to the organisation’s cloud storage, encrypting all the files. This is what happened to the British National Health Service (NHS), preventing employees from accessing patient files when the NHS was attacked by WannaCry.
We are entering into a new age of friend and foe. We don’t always know who our enemies are. Sometimes, our attackers are infiltrating our systems unwittingly. The employee at Children in Film was an unwilling attack vector. There was no way for her to know that she was letting a worm into her company’s network. It was just a matter of chance that she opened a malicious email, and her counterparts in other companies, or in the government, didn’t. The WannaCry attack in May 2017, which infected almost a quarter million computers around the world, was not targeted at any particular government or organisation. This piece of ransomware was sent out en masse, waiting for someone to open the attachments in which it was hiding. Like drug smugglers who hide their merchandise in passengers’ bags and coat pockets before they step onto a plane, hackers slip ransomware into file attachments and wait for someone to open them.
The world is witness to a new type of virtual crime, where information is the prime target and people’s privacy and integrity are the main casualties. Canada’s susceptibility to this new form of street crime goes much further than the loss of files. Anonymous hackers are possibly the greatest threat to the Canadian government today, because their knowledge and tools match those of the government. A small team of hackers can encrypt government information and compromise critical infrastructure such as dams or electric grids. They can release information on government employees and compromise anybody’s identity and personal security. There is only one way for the government to defend against such attacks. The Canadian government must incorporate private sector cyber security firms into its defence strategy. It needs to share information and allow ethical and responsible hackers to penetrate its systems. Integrity should be prioritised over privacy behind Canada’s most heavily-guarded door. Attacks against people’s integrity are more damaging, especially when their information can easily be altered by malicious actors. For the private sector to help the Canadian government, the government is going to have to be a little more open.
Mike Belyea is a computer programmer with a Master’s Degree in Public Policy and Public Administration.