As hackers come of age, CEOs must up their game to protect against cyberattacks

In December 2020, less than 3 months ago, we learnt that one of the most secure and protected networks worldwide, that of the USA no less, was hacked through an unprecedented and large-scale cyberattack, with 18,000 businesses impacted, including strategic and government entities such as the Departments of Defense, Energy, Labour, and Commerce. Most surprisingly, for a period as long as 9 months, nobody knew what was going on.

Against this sobering backdrop, I recently spoke to CEOs in Mauritius at an event hosted by Rogers Capital Technology, where we discussed how they can protect their businesses in the face of this latest wave of cyberattacks. Indeed, in this day and age, if our CEOs don’t know how to protect themselves against cyber criminals, they will be defenseless if targeted, because they will not know the implications of such an attack, or how long it has been in the making.

If a nation as powerful as the US can be targeted with such ease, what of our national cyber infrastructure here in Mauritius? As I discussed my findings with the CEOs at the event and listened to their experiences in turn, it became increasingly evident that the volume of cyberattacks has risen significantly in the wake of the technological acceleration triggered by COVID-19.

The three things that all CEOs must know about cyberattacks

Accordingly, mining my own experience at Rogers Capital Technology, I have the following three key messages for CEOs in Mauritius:

  1. Cyberattacks have recently taken on a totally new dimension, becoming more and more sophisticated, increasingly fast-spreading and increasingly destructive.
  2. New cybersecurity aspects need to be considered to properly secure businesses today.
  3. Many businesses are lagging behind and there is a need to catch up urgently.

Firstly, cyberattacks are becoming more sophisticated and more destructive, with larger-scale implications. The technology we are using is changing as we evolve towards using more and more connected networks. As we did more business on the internet, new apps started coming on the web, thus bringing more types of cyberattacks in their wake. With smartphones, we added a plethora of mobile apps, and the menace of trojans commenced. But it is with the Internet of Things (IoT) that we have seen the largest scale of cyberattacks. As AI now comes into play, we face the risk of new types of attacks that are much more powerful and unimaginably faster, where our current systems will be helpless in the face of this onslaught. Finally, in the near future, we might witness the advent of Quantum Computing, which will completely transform the landscape for cybersecurity yet again by rendering today’s encryption-dependent cybersecurity obsolete. At the same time, we are seeing a proliferation of state-driven attacks or cyber warfare – wars between states being wrangled in cyberspace.

Secondly, speaking of sophistication, the volume of malware and the number of attacks are increasing significantly. Indeed, the more deeply we are connected, the more we are at risk due to an increased attack surface. With 4 million individuals worldwide on the internet, 6 million who possess smartphones, and 25 million who are connected with the IoT, a figure only set to increase as the ‘Internet of Everything’ marches closer, we are talking about data and capacity, and correspondingly cyberattacks targeting such data, which are far bigger than we could possibly have imagined even a decade ago.

Thirdly, the likelihood and impact of cyberattacks are increasing. The risk map of the World Economic Forum (WEF) for the workplace in 2020 shows that cyberattacks have entered the Top 5 when it comes to the likelihood of risks happening across the globe and have also burst into the Top 5 in terms of their level of impact on businesses. Indeed, a cyberattack now jostles with natural disasters and extreme weather conditions in terms of its likelihood of occurrence and its severe implications for businesses. Where weather disruptions such as cyclones in Mauritius cause national committees to be formed, the high ranking of cybersecurity on the WEF’s risk map means that cybersecurity for many countries has attained the status of a national security priority. However, we are lagging behind in Mauritius, where cyberattacks are still not accorded the importance they deserve.

The Top 5 most notorious cyberattacks globally

#1 Stuxnet: A state-driven attack by the US on Iran’s nuclear programme, it was discovered in 2010 but is believed to have been in the making for years. The question facing US hackers: How can you hijack a nuclear site in a desert where there is no physical connectivity, and attackers can be seen coming for miles ahead? The answer is social engineering. Indeed, people remain the weakest link in any cyberattack. The US hackers targeted the sub-contractors working on the nuclear site, implanting malware which hijacked the system for the nuclear plant and helped destroy the nuclear centrifuge remotely. Imagine, over 1,000 centrifuges were destroyed by this method, in the largest setback to Iran’s nuclear enrichment programme.

#2 Dark Hotel: In what is a cautionary tale for any CEO of a hospitality chain in Mauritius, the Dark Hotel cyberattack saw hackers latch onto the WiFi of several Asian luxury hotels, entering their programmes and accessing all the guest data. On connecting to a hotel network, guests were prompted to install a seemingly legitimate update for a popular piece of software, and their devices were immediately infected with the DarkHotel spyware, which the attackers specifically introduced into the network a few days before their arrival and removed a few days later. The stealthy spyware logged keystrokes and allowed the cybercriminals to conduct targeted phishing attacks.

#3 Mirai: In the best-known case of distributed denial of service, a hacker set up a command-and-control centre whereby, in the space of a few hours, he was able to raise a number of vulnerable devices in an army consisting of IoT accessories such as digital cameras and DVR players. This command-and-control centre told these ‘soldiers’ to target a particular server on the internet, in this case the servers of Dyn, a company that controls much of the internet’s domain name system (DNS) infrastructure. In October 2016, this onslaught of small devices on the internet caused a large part of traffic to go down, including Twitter, the Guardian, Netflix, Reddit, CNN and many others in Europe and the US.

#4 WannaCry: WannaCry was the widest scale cyberattack that the world has ever known. Once this aptly named malware hit, the victim got the message that all their files were encrypted, and they would have to pay a ransom to get them decrypted. It went on to state that the ransom amount would double in 3 days and if the revised amount was not paid in 7 days, the victim would lose their data forever. In 5 days, 250,000 PCs in 100 countries and 1500 cities were affected. Most of the industries in the affected countries – health, transport and utilities – were crippled and this cyberattack spread fast. In 2 and a half hours, half of Ukraine – around 20 million people – was impacted. Indeed, Mauritius also featured in the list of countries attacked by WannaCry, back in 2017, when this malware spread.

#5 NotPetya/ExPetr: This cyberattack shook Ukraine one month after WannaCry in a similar modus operandi – the crucial difference with WannaCry being that this malware was designed to destroy the data without any possibility of getting it back. NotPetya was the costliest cyberattack to date and is suspected to be a state attack wherein one enemy state attacked Ukraine through a popular accounting software which most businesses were using. NotPetya was introduced through the software update, causing immense collateral damage – one key company impacted by this cyberattack was A.P. Moller – Maersk, the largest container shipping company worldwide. Imagine, every 15 minutes, 10,000-20,000 Maersk containers are entering a port somewhere in the world, including Mauritius. Maersk had to install 49,000 servers, 45,000 PCs and 2500 applications – a 6-month exercise otherwise – in a heroic effort that took only 10 days. The whole exercise cost Maersk between USD 250-300 million in what was the costliest cyberattack in the history of the world.

Major data breaches in sectors relevant to Mauritius

While the years leading up to 2017 were marked by malware-driven cyberattacks, the latter half of 2017 and 2018 have seen data breaches enter the popular imagination. Be it hospitality, financial services or global business – all key sectors for the Mauritian economy – we have much to learn from the data breaches suffered by global majors with far larger resources at their disposal.

Indeed, 2018 witnessed the biggest data breach in hospitality, with Marriott finding that the customer data for millions of its guests was compromised. The Marriott data breach began with its acquisition of the Starwood loyalty programme in 2014 and these breaches entered Marriott with its continued use of the Starwood legacy system. As the testimony of the Marriott CEO to the US Senate Panel shows, when a data breach happens, it is the CEO who is taken to task. For CEOs here in Mauritius, the key learning from this data breach is that cybersecurity is not the job of the IT department. It is the responsibility of the CEO. It is the CEO who has to rise to the occasion and explain to regulators and the public what transpired – and to face the consequences such as fines and loss of reputation triggered by clauses in global data protection agreements such as the GDPR.

In the case of the financial services sector, the biggest data breach known to have taken place is the one at Equifax in September 2017. The scale of this breach is unprecedented, affecting 148 million people – half the population of the US – whose accounts were hacked. Equifax is one of the three largest consumer credit reporting agencies in the US; while there have been larger security breaches at other companies in the past, the sensitivity of the personal information held by Equifax and the scale of the problem make this breach unprecedented. In June 2019, Moody’s downgraded the company’s financial rating in part because of the massive amounts it would need to spend on information security in the years to come. In July 2019 the company reached a record-breaking settlement with the US regulator, the Federal Trade Commission, which required Equifax to spend at least US$1.38 billion to resolve consumer claims. For CEOs here in Mauritius, the key lesson is that exposing customers to identity theft in the financial services sector can leave a company vulnerable to much greater public censure, loss of reputation, and regulatory action, since it is a sector that deals with confidential consumer data of far greater sensitivity than other industries.

In the case of the global business sector, Mauritius itself suffered a setback in the form of Mauritius Leaks, which started with a data breach at local law firm, Conyers Dill & Pearman. As many as 200,000 files were accessed by the International Consortium of Investigative Journalists and used as a massive exploitation of confidential information to constitute a case against the global business sector of Mauritius and to allege that the island was being used to avoid taxes in countries in Africa, Asia, the Middle East and the Americas. As we know first-hand from the data breach, such a cyberattack can have disastrous consequences for the entire economy, let alone individual businesses within the global business sector.

Zero Day Vulnerability: A popular means to exploit weaknesses in cyber infrastructure

One of the most common ways in which hackers are breaching cyber infrastructure is through a Zero Day Vulnerability. Indeed, as the whole world is connected to the internet and popular software systems abound, top hackers look for undetected security flaws in such software, or in other words, security flaws that have been known for ‘zero days.’

To elaborate, a Zero Day Vulnerability is said to exist when even the vendor of the software is not aware of the flaw. Imagine that an update of the software takes place and there is a flaw in the update, unbeknownst to the vendor. Hackers identify the flaw and use it as a backdoor to breach the company’s cyber infrastructure. Such a hacker will either exploit the flaw himself or inform others on the Dark Web about it and charge a price for such criminal knowledge, the Dark Web making up the 6% of the internet that has only encrypted websites which cannot be accessed on a regular internet browser.

Indeed, the first generation of hackers has come a long way from the time malware was harmless, 25 years ago, conjuring up images of geeks playing with software, up until the present, when messing about with malware can have disastrous consequences. It is estimated that Zero Day Vulnerability is being used widely in state-driven cyberattacks with Stuxnet having used as many as 20 Zero Day exploits for the US to deliver a major blow to Iran’s nuclear enrichment programme.

Why CEOs in Mauritius need to go the extra mile for cybersecurity

In Mauritius, we risk becoming victims of a false sense of security as we are not aware of cyberattacks primarily because we do not have the right tools to detect even simple forms of cybersecurity breaches such as malware. In the meantime, even as we imagine that we are safe from hackers, an increasing number of organisations in Mauritius are becoming victims of cyberattacks.

The Live Cyber Threat Map operated by Check Point Software Technologies shows that there had been over 9.6 million cyberattacks globally on just a single day of reference. In terms of geographies, attacks targeting Mauritius originated primarily from South Africa and Europe, while in terms of the types of attacks, we witnessed malware, exploits, phishing and botnets playing their part in waging war on cyber infrastructure in the island economy.

Based on the wide prevalence of such cyberattacks, it cannot be stressed enough that we ought to be proactive rather than reactive when it comes to protecting the privacy of our organisations and, by extension, our entire economy. Indeed, it is high time for a radical improvement of infrastructure in Mauritius and this effort can progress in the right direction and at the right pace only if organisations work in partnership with external service providers.

At Rogers Capital Technology, we specialise in cybersecurity advisory services and implementation. Based on our experience with helping clients counter cyberthreats including during famous instances such as the WannaCry malware which affected our economy in 2017, we cannot emphasise enough the significance of sharing intelligence on developing threats in Mauritius. Here, I believe that the creation of a forum where cybersecurity officers can come together to share their experiences and expertise is of paramount importance.

Ultimately, we must step up efforts to protect our businesses and the larger economy from the scourge of cyberattacks and we must begin by talking about breaches when they take place rather than taking pains to hide them. Only if we are aware of cyberattacks can we protect ourselves and those we love from the long-lasting implications of such a dangerous occurrence.

Dev Hurkoo

Managing Director - Technology