Of Spyware, Ransomware and Botnets: A Presage of Things to Come

The past few months have been full of news about successful cyberattacks from all areas of the tech world. A ransomware paralyzed Colonial Pipeline and forced it to pay about US$4.4 million to attackers (although that was later recovered by the FBI), and a supply-chain attack against Kaseya affected hundreds of businesses (with the REvil group asking for US$70 million in exchange of the master decrypting tool, and between US$45,000 and US$5 million for individual victims, depending on the company size). Most recently, Saudi Aramco confirmed a significant data leak after a ransomware attack, with cybercriminals demanding US$50 million in ransom.

Another lucrative market that is flourishing is in IoT botnets. Mirai might have been the first large-scale successful IoT botnet-creating malware, but there are plenty of copy-cats out there aggressively trying to wrest control of vulnerable IoT devices from other groups. While the scale of Mirai hasn’t quite been replicated to date, there is a relatively stable contingent of infected devices which are actively being fought over by bot herders.

Finally, there are the recent allegations against NSO regarding their Pegasus spyware and their apparent successful installation on hundreds of mobile devices (both Android and Apple) globally, with many pertaining to heads of state, politicians, CEOs, journalists, and other high-profile persons of interest (to governments namely). The firm sells its software to over 40 different governments for the purposes of law enforcement, but clearly the decision on target installation belongs solely to the client, and not NSO.

While such news is nothing new in the tech world, the amounts demanded by cybercrime organizations, and the apparently successful mass infiltration of devices belonging to people who likely already use cybersecurity extensively, is worrying. It seems that there have been no lessons learned either in the power of organized cybercrime or state-sponsored cyber-espionage in the last decade, despite huge red flag events like Stuxnet, the NSA surveillance disclosures, botnets like Mirai, or the massive data breaches of the late 2010s stolen from companies like Yahoo (3 billion records), River City Media (1.3 billion), and People Data Labs (1.2 billion), among many others.  

Cyberthreats have become the norm and the cybersecurity industry is engaged in a profitable, adversarial game with threat actors. For some companies, like NSO, this means getting into legal grey areas by selling cybercrime-like tools—illegal for individual users and enterprises to use, but less so for nation states (which ‘legitimizes’ their solutions). This status quo is the driver of billion-dollar markets for cybersecurity products. And it is only going to become more lucrative for all stakeholders (criminal and legitimate) going forward. With the expansion of IoT devices, Low Power Wide Area Networks and 5G New Radio (as well as wireless local area networks), and digital transformation strategies pushing for smarter and greater connectivity, the threat landscape is going to expand exponentially.

The sophistication of both cybercriminal and state-sponsored cyber operations in the IoT space will only become more mature, more prevalent, and more profitable as the world continues to connect devices, systems, and people. It took just 30 years since the creation of the World Wide Web for European Presidents to have their phones hacked and multinationals to receive million-dollar cyber ransom demands. For the IoT, ABI Research expects this level of sophistication in the ecosystem to take no more than 10 years. The nature of the data being collected, analyzed, and commoditized is just too lucrative to ignore.

Hope for strengthening the cyber infrastructure against such a gloomy scenario is not lost, whether it is in IT, OT, or IoT. But it does require a significant change in how cybersecurity is deployed, which cybersecurity professionals have been advocating for years. Planning for and designing-in security from the start is key; embedding and integrating it into devices, systems, networks is crucial; monitoring and keeping abreast of cyber threats is just as important. It is a continuous cycle, but one which will get easier when concepts like trusted and confidential computing, cyber-resiliency, zero-trust, and automated security become commonplace for everyone. These concepts will flourish with the right support from standardization, regulation, and information sharing between public and private stakeholders. This is no easy feat, but the alternative scenario is too grim and likely to reign in the true potential of a densely connected and smart cyber world, and all the great innovation that it could bring to mankind.