Architects at risk of cyber attacks through email systems
It is not just large corporates and multinationals that fall victim to cyber attack; cyber criminals are just as likely to hold design firms to ransom, says David Fleming, Chief Technology Officer of security services firm Mitigo.
Architectural practices hold confidential and valuable information belonging to their clients and the projects they work on. They also have their reputations to protect. This combination makes them the ideal target for cyber criminals who, once inside a firm’s IT systems, can use a number of tactics to hold a firm to ransom.
The professional services sector has seen a worrying number of cyberattacks in recent years. Big-name architects have been among those who have experienced serious cyberattacks, on several known occasions and, often, on occasions they have chosen not to make public.
In July of last year, Sheppard Robson, the UK's fifth-largest practice, faced a hefty ransom demand and a significant period of downtime after it was forced to disconnect its systems from the internet on noticing 'unusual activity' on its network.
The practice did not pay the ransom demanded, instead notifying the police, and it recovered well. But it learnt the hard lesson that few are invulnerable to a determined cybercriminal. "We take cyber security and the protection of data extremely seriously and have the government-approved security procedures and certification," it commented at the time. "However, although security is in place, professional criminals have still managed to impact our network."
Just two years before, Zaha Hadid Architects experienced a similar ransom attack in which confidential information was stolen.
In the past, some ransomware gangs focused on bigger, national targets. Now some of them have become wary of the attention of law enforcement agencies (who save most of their resources for large infrastructure attacks) and have shifted their focus to small and medium-sized organisations. Such organisations can be particularly vulnerable to attack because they often rely only on their external IT support company and therefore do not have the right protections in place.
Having more staff working remotely since the pandemic can also make systems more vulnerable, and the risk is increased further because a design and construction project so often involves a myriad of people and companies, each of which can provide a weak spot for cyber criminals to attack.
One estimate shows that professional services suffered around 20% of ransomware attacks in 2022, making it the worst-affected sector. Cybercriminals know that firms have a duty to keep their clients' affairs confidential, are working to deadlines, and that prolonged downtime can be disastrous. Consequently, such firms can be more likely to pay ransom demands, which can range from tens of thousands to millions of pounds.
Cybercrime is an evolving threat: the operators and gangs involved, and the types of attack they orchestrate, are becoming ever more sophisticated.
The world of cyberattacks
While cybercrime has far greater geographical reach and speed of execution than traditional crime, its organisational structure has many similarities to that of traditional criminal gangs. It has one major advantage, however: its sophistication makes it extremely difficult for the authorities to trace the perpetrators and originators of a cyberattack.
The ransomware gangs have names, and some analysts even produce league tables with an assessment of market shares. In the second half of 2022, one assessment showed BlackCat in the lead, responsible for around 15% of ransomware attacks globally. Hive had the next largest share at 13.5%, having 'earned' its place by attacking hospitals without hesitation (some groups claim to shy away from certain sectors in order to operate more "ethically"). Other names such as Black Basta, Dark Angels, Phobos and Vice Society are said to hold between 3% and 6% of the market, the last of these being responsible for attacks on UK schools.
One of the most notable developments of the last few years has been the rise of Ransomware as a Service (RaaS), a business model not dissimilar to Software as a Service (SaaS). RaaS changed the face of cybercrime: a cybercriminal no longer needs to be a "techie", as they can simply purchase ready-to-go ransomware.
Ransomware operators develop ransomware which is sold to affiliates via websites on the dark web, marketing and packaging it for sale in a manner similar to businesses that trade legitimately. They engage in marketing campaigns, publish user reviews, provide service guarantees as well as after sales support. Unsatisfied with the service? Suppliers offer your money back. Levels of sophistication range from subscription models to portals allowing tracking of the status of an infection.
This allows individuals in any country to get involved in the criminal activity. Often they operate as lead generators: having gained access to a business, they pass the opportunity on to more sophisticated players to exploit, in return for a cut of the profits.
Double extortion
The consequences of ransomware can be devastating for its victims. Once inside an organisation's IT system it enables data, files and systems to be encrypted, with payment demanded in exchange for the decryption key. Business is brought to an abrupt halt. We find that backups are rarely configured in a way that will survive a ransomware attack: a backup the infected machine can reach and write to is encrypted along with everything else. The overwhelming majority of ransomware attacks now also involve data exfiltration. The criminals first steal your confidential and sensitive data before encrypting it, adding another level of risk. This particular type of attack, sometimes called the double extortion technique, means that not only is a payment demanded to decrypt the data, but public release of the stolen data is also threatened unless a further ransom is paid. Gangs have websites and PR machines that support their threats by highlighting their successful attacks and publishing stolen data.
It is, however, worth bearing in mind the stance of the Information Commissioner's Office (ICO) and the National Cyber Security Centre (NCSC) on this. In a joint letter issued to the legal profession in summer 2022, the two bodies made it clear that paying a ransom will not protect stolen data and will not result in a lower penalty from the ICO should it investigate. Furthermore, remember that you are dealing with criminals: payment offers no guarantee of decryption, of the return of stolen data, or of protection against re-extortion a few weeks down the line.
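The point about backups is worth seeing concretely. The following is an added illustration, not code from the article or from Mitigo: it builds a throwaway project folder in a temporary directory, keeps two backups of it, and then runs a harmless stand-in for the encryption phase (files under the reachable paths are overwritten with random bytes). The "mirror" backup is a synced copy on a share the workstation can write to, so it is destroyed along with the live data. The "snapshot" backup is a write-once, content-addressed store that the workstation has no write access to, standing in for versioned object storage with object lock or a backup appliance that only the backup service can write to. All file names, contents and the store design are constructed for the demo.

```python
"""Toy demonstration that a backup reachable from the infected host does not
survive ransomware, while a write-once (immutable) snapshot does.

Constructed example; not code from the article or from Mitigo. Paths, file
contents and the SnapshotStore design are made up. scramble() is a stand-in
for the encryption phase and only ever touches a temporary directory.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

PROJECT_FILES = {  # constructed sample data standing in for a project folder
    "site-plan.dwg": b"DWG-ish bytes for the site plan",
    "tender/costs.xlsx": b"spreadsheet bytes",
    "notes.txt": b"client contact details, confidential",
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def write_files(root: Path, files: dict) -> None:
    for rel, data in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def mirror_backup(src: Path, dst: Path) -> None:
    """A synced copy on a share the workstation can write to (a mapped drive,
    say). Anything that can modify src can modify dst in the same way."""
    if dst.exists():
        shutil.rmtree(dst)
    shutil.copytree(src, dst)


class SnapshotStore:
    """Write-once, content-addressed store. Blobs are keyed by hash and never
    overwritten; manifests are appended and never replaced. Assumption for the
    demo: the attacker's reach is limited to the paths passed to scramble(),
    so nothing here is writable from the infected host."""

    def __init__(self, root: Path):
        self.root = root
        (root / "blobs").mkdir(parents=True)
        self.manifests: list[dict] = []

    def snapshot(self, src: Path) -> int:
        manifest = {}
        for p in src.rglob("*"):
            if p.is_file():
                data = p.read_bytes()
                digest = sha256(data)
                blob = self.root / "blobs" / digest
                if not blob.exists():  # append-only: an existing blob is never rewritten
                    blob.write_bytes(data)
                manifest[str(p.relative_to(src))] = digest
        self.manifests.append(manifest)
        return len(self.manifests) - 1

    def restore(self, snapshot_id: int, dest: Path) -> dict:
        """Restore a snapshot and verify every file against its recorded hash."""
        verified = {}
        for rel, digest in self.manifests[snapshot_id].items():
            data = (self.root / "blobs" / digest).read_bytes()
            verified[rel] = sha256(data) == digest
            out = dest / rel
            out.parent.mkdir(parents=True, exist_ok=True)
            out.write_bytes(data)
        return verified


def scramble(*roots: Path) -> int:
    """Stand-in for the encryption phase: overwrite every file reachable under
    the given roots with random bytes. Returns the number of files hit."""
    n = 0
    for root in roots:
        for p in root.rglob("*"):
            if p.is_file():
                p.write_bytes(os.urandom(len(p.read_bytes()) + 16))
                n += 1
    return n


def intact(root: Path, expected: dict) -> bool:
    return all((root / rel).read_bytes() == data for rel, data in expected.items())


def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        t = Path(tmp)
        work, mirror, vault, restored = t / "work", t / "mirror", t / "vault", t / "restored"
        write_files(work, PROJECT_FILES)
        mirror_backup(work, mirror)
        store = SnapshotStore(vault)
        snap = store.snapshot(work)

        # The host can reach both the live data and the mirror; the vault is out of reach.
        scramble(work, mirror)

        verified = store.restore(snap, restored)
        return {
            "live_intact": intact(work, PROJECT_FILES),
            "mirror_intact": intact(mirror, PROJECT_FILES),
            "snapshot_verified": all(verified.values()),
            "restored_intact": intact(restored, PROJECT_FILES),
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Running it shows the live folder and the mirror both failing their integrity check while the snapshot restores cleanly. The practical check this suggests is simple: from a normal user workstation, try to modify or delete a file in your backup target. If you can, so can ransomware running as that user.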
An evolving threat requires professional defence
Cyberattacks shut down organisations and are now one of the most serious threats to any business. They should be at the top of your risk register. Attackers and the techniques they use are sophisticated, ever evolving, and defending against them is complex. Small and medium-sized professional services firms are particularly vulnerable. When you have professional criminals attacking your organisation, you need professionals defending you.
The RIBA has partnered with Mitigo to offer technical security services. For more information contact Mitigo on 0161 88 33 507 or email riba@mitigogroup.com.