Early in December 2021, the Catalan government suffered its worst distributed denial of service (DDoS) cyberattack ever. In the space of a few hours, attackers routed 350Gbps of data to the Generalitat's information systems, representing 100 times more traffic than it would typically receive within the same timeframe. The incident was contained within three hours.
A couple of months prior to the DDoS attack on the Generalitat, the Autonomous University of Barcelona (UAB) was forced to revert to pen, paper and chalkboards when it was hit by a ransomware attack. The connection to the network was reset at the end of December, with most email accounts having been recovered – and a double authentication system applied – which allowed virtual classes to resume. While most systems have since been restored, others aren't expected to be fully functional until the end of January.
These incidents are, unfortunately, not outliers. According to the Spanish National Institute of Cybersecurity (INCIBE), Spain has seen more than 150,000 cyberattacks since the beginning of the COVID-19 pandemic. Other high-profile cases include: an attack in April last year on the Spanish government agency that manages unemployment benefits; Catalan hospital Moisés Broggi; Barcelona's public bicycle service, Bicing; as well as a number of companies including beer company Damm. Security firm Checkpoint reveals Spanish companies are now exposed to 961 threats every week, 61% more than in 2020. Clearly, a worrying trend is emerging.
A global nightmare
The latest report from the Cybersecurity Agency of Catalonia, issued in mid-December 2021, points out that "there is an escalation in the magnitude of cyberattacks, the importance of the objectives and the impact they provoke, which constitute a threat to economic and social stability" – not just in Catalonia or Spain, but throughout the world.
The report estimates that cyberattacks against critical infrastructures and supplies (water, electricity, gas) during the second quarter of 2021 increased 300% globally compared to the previous quarter. It also highlights the fragility of the education sector, where cyberattacks have increased by 200%.
This escalation comes as no surprise. A 2017 report from Cybersecurity Ventures predicted that there would be a ransomware attack against businesses every 11 seconds on average by 2021. The pandemic, which has fostered an ecosystem of working from home that is pretty weak by IT security standards, coupled with the fact that exploits are relatively cheap and easy to attain on the dark markets, are to blame.
Experts have warned repeatedly that cybersecurity is a key issue that companies need to make a priority for economic recovery. While companies in Spain are increasingly taking out insurances against cyber threats, payments demanded by ransomware attackers have increased to an average of €182,000, meaning insurers have bumped up their premiums by 25-40%. Small and medium enterprises (SMEs) are paying the price.
Marc Alier, professor and researcher at the Polytechnical University of Catalonia (UPC), tells ZDNet there are many factors that have contributed to the rise in cyberattacks in recent years. For one, web apps, unified systems for authentication, working from home and social engineering have created the perfect recipe for phishing and consequent ransomware attacks, he says.
The malicious program that infected the Autonomous University of Barcelona (UAB) encrypted 650,000 files and folders that contained information relating to the campus going back eight years. In October 2021, Spanish media published that ransomware outfit PYSA was responsible for the attack, which demanded 60 bitcoins from the university – approximately €3 million – in exchange for its data.
Only 8% of companies that pay the ransom get the totality of their files back. Dean of UAB, Javier Lafuente, quickly made it clear that the institution was not going to pay up. This is in keeping with the recommendation of the Spanish National Institute of Cybersecurity (INCIBE), which states: "never pay the ransom, as it encourages cyber criminals to continue operating in this way."
UAB speculated that phishing techniques might have been used to capture credentials from students or staff that were then exploited to gain admin status and deploy ransomware tools. Some of the institution's IT services not only needed to be restored, but entirely reconstructed.
Nico Castellano, cybersecurity teacher and organizer of hacking and IT security conference No cON Name, says the attack on UAB should come as little surprise given its use of out-of-date software that attackers were able to exploit. Social engineering did the rest.
Castellano adds that the problem with this kind of attack is that "cyber criminals stay in your system a while to detect vulnerabilities so that they know exactly what to encrypt and [hold to ransom]. Therefore, it's difficult to know to what extent systems have been compromised."
Marc Alier, from the Polytechnical University of Barcelona, adds that "the perimeter of attack in a university is large" because students, professors and administrative personnel can all be targeted with social engineering. "If mail was hacked, what is the real scope of the UAB attack?"
Cryptocurrency has become intrinsically linked with ransomware attacks because it is considered untraceable, meaning finding out who the bad guys are is tricky. Yet Marc Rocas, former president of the Catalan Blockchain Association, believes blaming cryptocurrency is "unjustified" and only reveals "ignorance in this field."
"It's like wanting to get rid of small banknotes when ransoms were requested in these kinds of notes," he says.
Alier considers that cryptocurrencies and the Blockchain might help people become more cyber-aware. He points out that, 10 years ago, few people knew how Twitter worked. Today, it's commonplace. "Security will work the same way," says Alier.
A little optimism is a good thing – yet organizations and employees working from home should take a diligent approach to protecting themselves. In 2022, ransomware attacks are expected to become even more complex and personalized.
Oriol Torruella, director of the Cybersecurity Agency of Catalonia, says organizations should be prepared and be aware of their level of digitization. "Investment in cybersecurity should be a priority and companies and institutions need a plan to implement not only technological measures but also organizational measures and training," he adds.
There is no shortage of reasons for greater vigilance when it comes to IT security. Yet when you consider that 90% of security breaches are a result of human error – combined with a society made considerably more vulnerable by the COVID-19 pandemic – it is becoming increasingly clear why, as Torruella says, cybersecurity involves us all.