The scope and severity of the cyber attack are not yet known, but the SEPE assures that the payment of benefits is not compromised

The case coincides with a ‘critical’ security breach in the Microsoft Exchange mail service

What is happening? In reality, this is everyday business in an internet underworld; the difference is that during the year of the pandemic, the cybercrime business has flourished with so many people working remotely: attacks have skyrocketed by 200%.

The dark web is a kind of marketplace where you can choose the type of virus you want. On one side are the developers of these malicious programs, who tailor them to the client’s target in exchange for a commission on what the business brings in. “It is a very organized criminal scheme. They develop new variants to make them increasingly undetectable. Then there is the administrative part in charge of laundering the money that comes in as cryptocurrencies,” explains Josep Albors, ESET Awareness Manager.

“Before the attack, they look for entry points, vulnerabilities to access the internal network of a company or organization. Once inside, specific objectives are sought. They choose their victims very well; they know their weak points and how much money they can pay. It is not like before, when only small companies were attacked. Now there are ransoms where they demand figures in the millions,” continues this expert.

Ryuk, the virus suspected of attacking the SEPE, belongs to the so-called ransomware family (blackmail). It has been one of the prominent members of that family and has managed to spread worldwide. It is no longer the same as in 2018: its design is now more complex and capable of doing many more things, experts explain. In the past, it has already attacked Spanish companies such as Everis and Prosegur.

The old, now updated Ryuk breaks into systems, steals information, and then the threat arrives: either the ransom is paid or the data is lost or made public. “A virus of this kind would explain the collapse of the entire SEPE system this Tuesday,” explains Lorenzo Martínez, director specialized in cybersecurity at Securizame.

The Government insists that no ransom of any kind has been demanded to recover the allegedly stolen data. “It is not the usual thing,” acknowledges Martínez. In other cases, the threat comes through customers and suppliers. “They call them to tell them that they have their data and where they got it from. They extort in a very forceful way,” says Albors. Finding them afterwards is very difficult or almost impossible.

The attack on SEPE: what is known

It is still too early to know the scope of what has happened in the SEPE. “Benefits are not in jeopardy. We are investigating so that we can restore the service in the next few hours,” assured Gerardo Gutierrez, general director of the organization. How dangerous can it be? “Let’s just say it can be quite annoying,” Albors answers. “The symptom of its presence is usually a note on the computer desktop along the lines of: It has been infected by Ryuk,” explains Daniel Creus, Head of Research at Kaspersky. “It is too early to know much more. Now they are doing mitigation tasks.”

Where could it have got in? A few years ago, email was almost the only entry point, but now it can be the operating system, the remote connection, weak passwords for users on the internal network … The questions to be answered are very similar to those after a burglary: What have they taken? What part of the network is affected? How can backup copies be restored? Have they got what they were looking for? How can the virus be removed?

The CSIF civil servants’ union is concerned about this failure. “We have been asking for months for decisive support in technological investment, since computer systems and applications have an average age of about 30 years,” they denounced in a statement.

There is no foolproof way to avoid these unauthorized entries, but there is a way to minimize their impact. “At least two clients call us every week with a data hijacking problem. There is everything: small, medium and large companies,” explains Martínez of Securizame. “No one can assure you that it will not happen again, but what is possible is to recover the data. Guarantee with a backup system that the information is there no matter what. I assume that in the SEPE they will have this.”

“Outside of Spain, this type of ransomware virus has focused on attacking private medical clinics. Especially in the United States they have had a lot of relevance for this,” says Albors. “The problem is that, even if you have a backup copy, if customer information is stolen and leaked, you will be fined over the issue of data protection.”

The “critical” breach in Microsoft Exchange

While the SEPE was still looking into what had happened, the European Banking Authority (EBA) restored its services and communications after having eliminated the threat from the cyber attack it suffered on Monday. In this case, the security breach came from the Microsoft Exchange email server software, not from a virus.

At the beginning of the month, the US company reported four “critical” bugs that left the system vulnerable. This threat is potentially more dangerous than Ryuk if no action is taken, experts acknowledge.

“This can be serious. There have been many similar ones, such as WannaCry, which affected Telefónica in 2017 and spread at the same speed as covid through Microsoft,” argues Martínez. The problem with these flaws is that they allow a cybercriminal to operate remotely on the system and even modify company or agency files. “It is too early to know, but a priori, knowing the techniques and procedures used by Ryuk, this problem should not appear in the case of the SEPE. We have not seen this virus exploiting this type of vulnerability,” clarifies Creus of Kaspersky.

The Microsoft Exchange flaw is harder to detect. It may take months for a company to realize the risk. “As much as the threat tries to go unnoticed, it has to do something to steal information. Security systems are the ones that warn of anomalies,” explains ESET’s Albors. This level of sophistication in a cyberattack is more typical of espionage and intelligence cases. In other words, more James Bond territory.

Now the way to correct the risk is to patch the holes: upgrade the version of Microsoft Exchange. It is like when a car or appliance manufacturer detects a fault in a model and asks customers to take it to an official workshop for repair. The problem is that until the thousands and thousands of companies that use this mail system find out that this security breach exists, they are all potentially vulnerable. In the internet world this is called an APT (Advanced Persistent Threat).

According to Microsoft itself, there is a state-sponsored APT group from China known as Hafnium that is exploiting these vulnerabilities against US organizations to steal information. The Spanish intelligence services themselves have described the level of danger as “critical”.