The world is now facing an unprecedented spate of coordinated cyber attacks

By Martyn Warwick

Oct 28, 2021

© Flickr / cc licence / Visual Content

  • Ransomware incursions at pandemic levels
  • Old-fashioned DDoS attacks still pack a punch
  • “Never-before-seen” malware variants emerging every day
  • “wuxianpinggu507” spies on mobile users from within a carrier’s own network and systems

An “unprecedented” and “co-ordinated” spate of cyber attacks is hitting many UK VoIP services. So says Comms Council UK (until earlier this year known as the Internet Telephony Services Providers Association, ITSPA), the trade organisation representing and supporting telecoms companies that provide services to business and residential customers. Its membership comprises network operators, service providers, resellers, suppliers and consultants.

The organisation says that for the past month its members have been, and still are being, targeted by distributed denial of service (DDoS) attacks in efforts to extort money from them. It says the incursions “appear to be part of a co-ordinated extortion-focused international campaign by professional cyber-criminals" and that “ransom threats have been made to numerous providers and an overall threat has been made to the entire industry. We have never seen anything like it since we were established back in 2004.” With characteristic sangfroid the UK regulator Ofcom merely confirms that it is “aware of the situation”. Meanwhile Comms Council UK is liaising with the government and the National Cyber Security Centre (NCSC) as well as Ofcom.

DDoS attacks are often categorised as unsophisticated “blunt instrument” attacks, but the reality is that, despite considerable technological advances offering greatly improved protection, a successful DDoS incursion can be devastating. Commenting on the notion that brute force attacks are primitive, Brian Higgins, a security specialist at Comparitech, the popular and influential website providing information, tools, reviews and comparisons to help consumers in the UK, North America and many other parts of the world improve their cyber security and privacy online, said, "It’s very naive to dismiss DDoS as an unsophisticated attack vector.

Like most criminal methodologies it has evolved over time into a very useful tool for cybercriminals. It’s often a vehicle for distraction whilst other data breach activity takes place but is equally useful as a ransomware technique. Ransomware relies on the inaccessibility of data and, whilst commonly achieved by network infiltration and encryption, denying access is equally effective albeit for a shorter period of time. The VoIP service providers currently under attack have clearly taken the best approach by informing and liaising with the relevant authorities. Whilst it may take some time to resolve the issue, their customers should be patient and observant, follow any advice provided, and be confident that this approach will make the sector a much less attractive target in the future."

495 million known ransomware attacks perpetrated so far this year

Meanwhile, today sees the publication by SonicWall, the Milpitas, California-headquartered network security, security appliances and Internet security specialist, of its report ‘The Year of Ransomware’, which shows that ransomware attacks increased by 148 per cent over Q3 this year. The year’s 495 million known attacks (and who knows how many millions of others have gone unreported?) make 2021 the worst ever recorded, and there are still a couple of months left for this benighted year to run. SonicWall forecasts that by January 1, 2022 there will have been 714 million ransomware attacks.

SonicWall, the world’s most quoted expert on ransomware, reveals that its customers averaged 1,748 ransom attempts over Q3 alone, the equivalent of 9.7 ransomware attempts per customer for each and every business day. That’s really bad but not quite as potentially awful as the 307,516 “never-before-seen” malware variants that the company’s Real-Time Deep Memory Inspection product discovered in September. Overall, there was a 33 per cent rise in IoT malware attacks around the world, with the most prevalent being in the US and Europe. There was also a 21 per cent increase in the incidence of cryptojacking, with Europe being inundated by a massive 461 per cent growth wave.

Cryptojacking is malicious cryptomining performed when cyber-criminals hack into both business and personal computers, laptops, and mobile devices to install hidden software. When in place, the software uses a computer’s power and resources to mine for cryptocurrencies or steal cryptocurrency wallets owned by unsuspecting victims. The code is easy to deploy, runs in the background, and is very difficult to detect.

Earlier this month, as TelecomTV reported, the Biden administration in the US hosted a global ransomware summit and pledged to use ‘all national tools’ to stop cyberattacks on critical sectors. The trouble is that the response has probably come too late to prevent some shocking and disastrous attacks. The president and CEO of SonicWall, Bill Conner commented, “As we see it, ransomware is on a nearly unimaginable upward trend, which poses a major risk to businesses, service providers, governments and everyday citizens. The real-world damage caused by these attacks is beyond anecdotal at this point. It’s a serious national and global problem that has already taken a toll on businesses and governments everywhere. I’m hopeful that the recent global ransomware summit is the next step toward a greater response at global, national and state levels.” 

If it is, and it should be, it needs to be quick. The ransomware juggernaut is rolling at ever-increasing speed and it’s going to batter through the defences of some big and seriously important businesses, government departments, agencies and organisations and cause catastrophic problems unless action is taken right now. We now know that 2021 is, to date, the worst ever year for ransomware attacks, that such attacks are growing daily and that they are proliferating like the Covid-19 virus.

As Dmitriy Ayrapetov, VP of Platform Architecture at SonicWall says, “The techniques deployed by ransomware actors have evolved well beyond the smash-and-grab attacks from just a few years ago. Today’s cybercriminals demonstrate deliberate reconnaissance, planning and execution to surgically deploy toolchains targeting enterprise and government infrastructure. This results in larger victims and leads to higher ransoms.” He adds, “As long as organisations continue to overlook or fail to implement cybersecurity best practices to reduce their attack surface, ransomware groups will only increase investments in time, resources and money for launching campaigns that result in massive payouts.”

Mysterious hacking group spying on subscribers from within the mobile carriers themselves

To make matters even worse, hackers are breaking into telco computer networks all around the globe to spy on users from within the carriers themselves. According to the cybersecurity company Crowdstrike, they are gaining access to mobile infrastructure to spy on anyone whose device is connecting to those networks. It seems this mysterious coterie has been active since 2016, has developed its own tools to hack into mobile networks and knows much more than it should do about its targets.

Crowdstrike of Sunnyvale, California provides cloud workload and endpoint security, threat intelligence, and cyber attack response services and knows whereof it speaks. It says the information the hackers can steal "aligns with information likely to be of significant interest to signals intelligence organisations", but the highly-sophisticated hackers themselves remain unknown – apparently.

However, a major clue is being followed up. Crowdstrike found data being sent to and from a remote server, and that traffic from the compromised networks was being encrypted with a password readable in the code of the hacking tools themselves. The password? “wuxianpinggu507”, a Chinese phrase which translates to “wireless evaluation 507.” Crowdstrike is quick to point out that simply because a developer knows some Chinese, it doesn’t necessarily follow that the Chinese government is involved. On the other hand, others, less circumspect, say, “If it waddles like a duck, quacks like a duck and tastes good roasted with hoisin sauce, it’s quite likely it is a duck.” These are murky waters and Chinese duckponds can be particularly muddy. We’ll see what’s what in the end though. Probably a duck’s bottom.
