
Hacking Migrations: the Government will not pay the ransom of 4 million dollars and they point to a possible "local connection"

2020-09-09T16:36:21.117Z


Cybercriminals stole intelligence information. The deadline is due tomorrow.


John Brodersen

Pablo Javier Blanco

09/09/2020 - 13:22


Within hours of the end of the deadline set by the cybercriminal organization NetWalker, the Government decided not to pay the ransom of 4 million dollars for the information stolen in the hack of the National Directorate of Migration. The attack occurred on August 27, left the country isolated for more than three hours and forced the closure of the five land border crossings, Ezeiza airport and the Buquebus terminal.

“Paying is out of the question,” Interior Ministry sources confirmed to Clarín.

One investigative hypothesis is gaining ground in the Government: the local connection. Officials point out that the attack may be related to a series of changes carried out by the new administration of the National Directorate.

Why would an international cybercriminal organization choose to attack Argentina's Migrations office? The question may have several answers, all of them plausible given the secrecy in which groups such as "the Netwalker gang" operate. That is the group of cybercriminals that uses this ransomware: malware that hijacks files, encrypts them and demands a payment for them to be unlocked and returned.

One: it could have been part of a mass, untargeted campaign. That would mean the cybersecurity barriers were down, the criminals saw the opportunity and took it. Without any political reading to explain it, they cast the bait, an employee of Migrations opened an executable (.exe) file without suspicion and the virus took over the system. In other words: a case of negligence.


Another: the Argentine leg. This is the hypothesis gaining strength in the Casa Rosada. It has an entirely political reading and holds that the attack responds to a conflict of interest over the personal data handled by Migrations.

This would mean that a person or organization approached Netwalker to hire its services and send a message. “It is the idea of 'business units', in which this kind of deep-internet [deep web] portal is used to attack a targeted place. The demand is posted, then the interested party teams up with outside hackers and the attack is carried out,” official sources summarize. In other words, they went looking for a cybercrime freelancer.

That would explain, as they understand it, why this is the first time a State body has been attacked at this level: although attacks on public institutions are common, it is not normal for a country's operations to be halted by ransomware.

"The attack is striking, which is why we do not rule out any hypothesis," they point out at the Interior Ministry, headed by Eduardo "Wado" de Pedro, on which Migrations depends.

This line of investigation would also explain why the ransomware appears to have been designed to attack the part of the Directorate's network architecture that controls the borders.

In Migrations they point out that after the change of government, when Florencia Carignano took office, an audit was carried out that detected serious security flaws in the system.

They say that active credentials belonging to people who no longer worked in the Directorate were detected, and that thousands of accesses were found in the hands of the security forces (Prefecture, Gendarmerie and the various police forces) without justification.

This analysis showed that, for example, the Metropolitan Police had 19 thousand passwords to access the Migrations database.

"All that was cut off, and it was agreed with the security forces who can enter and under what protocols," they say. "That was limited; it went from 19 thousand accesses to only 100, and the system became transparent," they add.

In parallel, during these hours the lists of emails received by Migrations are being analyzed to see whether any executable files arrived that could determine whether it was a case of negligence. Internal investigations were also initiated.
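As an added illustration, not part of the Clarín article and not a tool used by Migrations, the following Python script performs the kind of check described above over a batch of received messages: it parses each message, looks at every attachment, and flags executable extensions, double extensions such as `recibo.pdf.exe`, and files whose contents start with the Windows `MZ` executable header even when the name suggests a document. The three sample messages and their attachments are constructed in the script.

```python
"""Added example: scan received emails for executable attachments. The messages
below are constructed; none come from Migrations' mail."""
import email
from email import policy
from email.message import EmailMessage
from typing import Dict, List

# Extensions that Windows runs directly or through a script host (assumed list, not from the page).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
                   ".vbs", ".vbe", ".ps1", ".msi", ".dll", ".hta"}


def classify_attachment(filename, data: bytes) -> List[str]:
    """Return the reasons an attachment is suspicious (empty list if none)."""
    name = (filename or "").lower()
    parts = name.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    reasons: List[str] = []
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {ext}")
        if len(parts) > 2:  # e.g. recibo.pdf.exe
            reasons.append("double extension hides the real type")
    if data[:2] == b"MZ":  # DOS/PE header: a Windows executable regardless of its name
        reasons.append("PE (MZ) header")
        if ext not in EXECUTABLE_EXTS:
            reasons.append("content does not match the extension")
    return reasons


def scan_messages(raw_messages: List[str]) -> List[Dict]:
    """Parse RFC 822 text (for example messages split out of an mbox export)
    and report every suspicious attachment with its sender and subject."""
    findings: List[Dict] = []
    for raw in raw_messages:
        msg = email.message_from_string(raw, policy=policy.default)
        for part in msg.iter_attachments():
            data = part.get_payload(decode=True) or b""
            reasons = classify_attachment(part.get_filename(), data)
            if reasons:
                findings.append({
                    "from": str(msg["From"]),
                    "subject": str(msg["Subject"]),
                    "filename": part.get_filename(),
                    "reasons": reasons,
                })
    return findings


def _build(sender: str, subject: str, filename: str, data: bytes) -> str:
    """Build a constructed sample message carrying one attachment."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "mesa@example.invalid"
    m["Subject"] = subject
    m.set_content("See attached.")
    m.add_attachment(data, maintype="application", subtype="octet-stream", filename=filename)
    return m.as_string()


# Constructed sample mail: a real PDF-like file, an executable with a double
# extension, and an executable disguised as a Word document.
SAMPLE_MESSAGES = [
    _build("proveedor@example.invalid", "Factura agosto", "factura.pdf", b"%PDF-1.4 constructed"),
    _build("rrhh@example.invalid", "Recibo", "recibo.pdf.exe", b"MZ\x90\x00 constructed"),
    _build("soporte@example.invalid", "Informe", "informe.docx", b"MZ\x90\x00 constructed"),
]


def run_scan() -> List[Dict]:
    return scan_messages(SAMPLE_MESSAGES)


if __name__ == "__main__":
    for f in run_scan():
        print(f"{f['from']} | {f['subject']} | {f['filename']}: {', '.join(f['reasons'])}")
```

Only the second and third messages are reported: the `.pdf.exe` file is caught by both its extension and its `MZ` header, and the fake `.docx` is caught by its header alone, which is why the content check matters in addition to the filename check. Archives and macro-enabled Office documents are other common carriers and would need their own rules.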

Timeline of an attack

The Government will not pay the ransom for the data. Photo EFE

Far from the political thesis and the lines of judicial investigation, the facts show that:

– On August 27, at 5:45 am, various border points begin to report system problems.

– That same morning, Microsoft, the firm in charge of backing up the database, reports that the backup was disabled, an indicator of a virus attack.

– At 8:00 am, the Director of Systems contacts the authorities and requests permission to deactivate SICAM and the database, in order to preserve them and evaluate the situation. At that point, the possibility of being under attack had not been raised.

– The deactivation of the Comprehensive Immigration Capture System (SICAM) forces the border to close, because court orders and Interpol alerts can no longer be checked. For almost four hours there are no migratory movements.

This is how Ezeiza International Airport looks today. (AA 2000)

– Telecom and Telefónica provide data and notify Migrations that it is an attack, and what type of attack it is.

There were folders referring to Interpol, AFI and embassies. The list of folders released by NetWalker from the National Directorate of Migration. Photo NetWalker Blog

– A provisional system is put together to quickly bring the border crossings open during the pandemic back into operation: the five land crossings, Ezeiza and Buquebus.

– At the same time, experts and companies from the public and private sectors are consulted. A strategy is developed: manually rebuild the machines affected by the ransomware.

– It is decided that the affected machines have to be rebuilt because of the risk of reinfection, a process that is still being carried out to date.

– The complaint is filed with the Special Prosecutor for Cybercrime, headed by Horacio Azzolin. The case is assigned by lot to Judge Sebastián Casanello, who delegates the investigation to prosecutor Guillermo Marijuan.

Extortion via Netwalker ransomware to the National Directorate of Migration.

Photo Bleeping report


– On Thursday, September 3, the director of Migration Systems, who had held the post for two decades, is asked to resign.

– On Friday 4, a company with a deep-web monitoring system notifies Migrations that it has detected a post on the Netwalker site on the deep web demanding payment for the stolen data.

– The first tests carried out for Migrations show that the affected machines suffered encryption of local files and of part of the file server, where some of the files are stored. It was also established that the database was not encrypted and that its files were not modified. "It is a provisional and preliminary report, but because of its size and volume, it seems that it could not affect it," Migrations told Clarín.

That is the chronology the Government is working with today on the events that have taken place since the day Argentina had to unplug itself from the world after the NetWalker attack.

Now, as they have indicated, they are working on a reconfiguration of the DNM's computer security system, with advice from external organizations, both public and private.

Meanwhile, the countdown continues, and the official decision in the face of extortion by the international group of cybercriminals is not to pay any ransom.

Netwalker: once the payment is made, the attackers send files with instructions to recover the information. Photo: McAfee

For that reason, on Wednesday, at the request of Minister De Pedro, all the agencies that appear in the "proof of life" that NetWalker's members uploaded to the network were given a detailed report of all the data that appears in the material that would have been stolen.

What do the folders contain? Information from the years 2015 and 2016 related to criminal intelligence, security matters, ID cards or Interpol alerts. "It is not critical information, or state secrets," they explained to Clarín. There was also information requested by embassies, sensitive but not critical matters, they argue.

An expert's view

NetWalker, the ransomware that attacked the Interior Ministry. Photo: McAfee

Brett Callow is a threat analyst at the cybersecurity company Emsisoft and was one of the first to raise the alarm about the Migrations attack on social networks. In conversation with Clarín, he gave details about what happened:


– Is it common for former or current employees to be involved in this type of attack?

– Recently a group tried to bribe a Tesla employee to gain access to the company's network. Never rule out a local connection in these types of incidents. Some cybercriminal groups have connections with governments and, in some cases, “freelance” for them. That was the case with Evil Corp, which is believed to have planted the ransomware on Garmin.

– So there may be political motivations in the attacks.

– Theoretically, at least, some attacks may be politically motivated. Even state-driven. What better way would a state have to distance itself from an attack than to channel it through a known criminal enterprise? To be clear, anyway: I have no evidence to believe that this attack was politically motivated. It all depends on who did it and how well they hid the clues.

– Migrations says it detected that about 19 thousand people had access to the internal system. Isn't that too many?

– I don't know. The reality is that today's employees need access. The question is how well (or badly) those accesses are managed.

– Is it very common for cybercriminals to target government agencies?

– Very common. 966 public entities were hit by ransomware in the United States in the last year. Attacks on public entities outside the United States are less common, but they do happen.

Emsisoft data gives an overview of the numbers for Argentina. The cybersecurity company, well regarded in the field, registered 6,111 file decryption requests in 2019 and 5,858 so far in 2020. The company estimates that 25% of victims use this service, so those numbers should be multiplied by four. Among those numbers there is no way to distinguish requests from public institutions from those of companies, but they do give an overview of the reach of ransomware in our country.

PJB

Source: clarin
