Welcome to the DACHsec 2023 Annual Report. For each event in our Cyber Series of cyber security summits, we’ll produce a report similar to this one, where we’ll explore the themes and topics of each region covered by its respective annual in person event.

This report looks in-depth at several key topics and trends relevant to cyber security professionals based in the DACH region (and beyond) in the run up to DACHsec 2023.

The theme for this year’s event will be risk management for the major threats arising from ransomware-as-a-service (RaaS) criminal gangs and from the Russia-Ukraine war. This is particularly pertinent for the DACH region, as over recent years we have seen cyber crime evolve into a full-blown, advanced industry with the capability to cripple vital IT systems. Given the centrality of German and Austrian industry to the world economy, and the importance of Switzerland to the global banking system, such threats must be accounted for. Further to this point, the region has already felt a massive impact from the war in Eastern Europe, which may be a warning sign of things to come.

We hope you find the contents of the report thought-provoking and exciting. Feel free to get in touch with us at info@sequre.digital if you have any questions or would like further elaboration on anything in the report.


Table of Contents:

1. The Impact of Geopolitical Crisis
2.1 How the War has Impacted the Threat Landscape
2.2 How are Cyber Criminal Gangs Affecting the Threat Landscape?
3. Summary

1. The Impact of Geopolitical Crisis

The ongoing Russia-Ukraine war has had significant impacts on cyber security worldwide, not least in the DACH region. One of the most significant is the heightened threat of cyber attacks from state-sponsored actors, such as those aligned with Russia. But attacks can also reach unintended targets as a result of the complexities of the software supply chain. In 2017, the NotPetya attack, originally aimed at organisations in Ukraine, spread far beyond that country through a compromised update of the M.E.Doc accounting software and crippled, among many others, the global logistics company Maersk. Nor does it stop at destructive malware: these attacks take many forms, including phishing emails, ransomware, and distributed denial-of-service (DDoS) attacks.

More broadly, the war has led to increased tension and mistrust between Russia and Western countries, including those in the DACH region. As a result, conflicting reports can create a confusing picture, which is especially dangerous when it comes to cyber attacks. Take the recent destruction of the Nord Stream pipeline. Nord Stream is a system of natural gas pipelines running between Russia and Germany under the Baltic Sea. Three of its four lines were ruptured by explosions in September 2022, rendering the system inoperable. Initial Western intelligence sources suggested that Russia was responsible, although the motive was unclear. More recent intelligence suggests that a pro-Ukrainian group was responsible. While this was a physical attack, the inability of intelligence services to say definitively who caused the bombing should be a warning signal to cyber security leaders in the DACH region. Cyber attacks are notoriously difficult to attribute, as they are often carried out by non-state actors, which does not preclude the possibility of state sanction. The inability to pin down responsibility could embolden state-sanctioned threat actors to take bigger risks and mount more aggressive, targeted attacks. Targets could include critical infrastructure such as power grids and water treatment plants, where a successful attack would have serious consequences.

2.1 How the War has Impacted the Threat Landscape

While Ukraine has obviously borne the brunt of the cyber attacks arising from the war over the past year, the rest of the world has not been immune. Targeting of users in NATO countries is reported to have increased by 300% since 2021. This is part of what may be called a cyber conflict: actions short of war that can still have a major impact on a country’s economy or security. It is this conflict that is raising tensions all over Europe, including the DACH region. The conflict is not limited to cyber attacks. It also includes acts of espionage as well as propaganda, such as web page defacement and the publishing of misinformation on social media. The concern for NATO members such as Germany, therefore, is that this conflict can lead to instability.

Germany in particular was already seeing a number of attacks prior to the war. In 2015, the German Bundestag suffered one of the biggest cyber attacks the country has ever seen: large volumes of sensitive data, including email from Angela Merkel’s parliamentary office, were stolen, MPs’ offices were cut off from the network and the whole network had to be rebuilt. Five years later, Germany formally attributed the attack to Russian military intelligence and issued an arrest warrant for one of the officers involved. Recent attacks appear to spike in response to high-profile actions that Germany takes in relation to the Russia-Ukraine war, such as the wave of DDoS attacks that followed the decision in January this year to send Leopard 2 tanks to Ukraine.

The response to this expanding threat landscape has been marked. The German government has expanded the remit of its Federal Office for Information Security (BSI) to ‘create new instruments with which the security authorities can stop cyber-attacks and resolve them’. This comes as part of a wider shift by Germany away from its previous policy of Ostpolitik, based on trade and energy links with Russia. With the destruction of Nord Stream, Germany has been forced to find new ways of meeting its energy needs, decreasing its dependency on Russia while simultaneously bolstering its support for Ukraine. While this response may be justified, it is certain to invite a greater number of cyber attacks.

There is undoubtedly a sense of resilience among organisations in the DACH region that are becoming aware of the threat posed to them. Companies that previously had no cyber strategy to speak of are now pursuing ways to bolster their security. It remains to be seen whether this resilience will be enough in the face of the threat, but the coming year will surely give us greater insight.

2.2 How are Cyber Criminal Gangs Affecting the Threat Landscape?

Related to, but not always synonymous with, the war in Ukraine is the proliferation of cyber crime groups in Eastern Europe. The war has caused many criminal gangs to choose a side in the conflict, and some to split over it: the Conti group’s internal chats and source code were leaked in early 2022 shortly after it publicly declared support for Russia, and the group subsequently fragmented into several successor operations. The result is a greater number of criminal groups, and the origin of the perpetrators of cyber attacks is becoming less clear.

Gangs dealing in ransomware have been growing in sophistication. Not only are they continually refining their intrusion techniques, they typically use a hybrid encryption scheme in which each file is encrypted with a fast symmetric cipher and the per-victim key is in turn protected with a public key held only by the attacker, so that recovery without the attacker’s cooperation is computationally infeasible. They also apply obfuscation and anti-analysis techniques to make their tooling harder to detect and reverse engineer.

In recent years, there has been a noticeable shift towards ransomware gangs targeting critical infrastructure, such as energy grids, healthcare systems, and transportation networks. These targets are chosen because the disruption caused by ransomware on such systems can have severe consequences, which increases the likelihood of victims paying the ransom. It is expected that attacks of this nature will only increase as the ‘cyber conflict’ intensifies. The threat to human life from these attacks is very real, which is why governments across Europe are treating them as a top priority for national security.

Further, many ransomware gangs have adopted a “double extortion” strategy. In addition to encrypting victims’ data, they exfiltrate sensitive information before encrypting it. This allows them to threaten victims with the publication or sale of their data if the ransom is not paid, increasing the pressure on organisations to comply. Behind this, ransomware gangs have become more organised, often operating as a network of individuals with specialised roles in what is known as the ransomware-as-a-service (RaaS) model: initial access brokers sell footholds into victim networks, affiliates carry out the intrusion and deploy the malware, and the core operators maintain the ransomware, run the leak site and handle negotiation and payment. This specialisation allows them to streamline their operations and increase their efficiency. Initial access is most often gained through phishing, stolen or weak remote-access credentials and unpatched but publicly known vulnerabilities; the better-resourced groups have also exploited zero-day vulnerabilities unknown to the software vendor, against which no patch yet exists.
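Because exfiltration precedes encryption in a double-extortion attack, the most useful detection window is the outbound transfer itself. The following is an added example, not code from the report or from any of the groups it describes: it takes a few constructed outbound-connection log lines in an assumed "timestamp host dest_ip bytes_out" format, builds a per-host baseline of external destinations and peak daily volume from the earlier lines, and flags any host whose traffic to a single external destination in the last 24 hours is both large in absolute terms and far above its own baseline. The thresholds (10x baseline, 100 MB minimum) and the host and IP values are illustrative assumptions.

```python
"""Flag possible data exfiltration (the first stage of double extortion).

Added example: the log format, hosts, addresses and thresholds are assumptions,
not taken from the report.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address

# Constructed sample log, one outbound transfer per line:
#   <ISO timestamp> <host> <dest_ip> <bytes_out>
# ws-finance-07 normally sends a few hundred KB a day to two external hosts,
# then at 02:00 on 3 March pushes ~7.7 GB to an address it has never used.
SAMPLE_LOG = """\
2023-03-01T09:00:00 ws-finance-07 142.250.74.46 120000
2023-03-01T09:30:00 ws-finance-07 104.18.32.7 80000
2023-03-01T10:00:00 ws-finance-07 142.250.74.46 150000
2023-03-02T09:10:00 ws-finance-07 142.250.74.46 110000
2023-03-02T11:00:00 ws-finance-07 10.0.5.20 900000000
2023-03-03T02:05:00 ws-finance-07 185.220.101.4 3500000000
2023-03-03T02:20:00 ws-finance-07 185.220.101.4 4200000000
2023-03-01T09:00:00 ws-sales-12 142.250.74.46 90000
2023-03-03T09:00:00 ws-sales-12 142.250.74.46 95000
"""


@dataclass(frozen=True)
class Transfer:
    ts: datetime
    host: str
    dest: str
    nbytes: int


def parse_log(text: str) -> list[Transfer]:
    """Parse the assumed log format; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            records.append(Transfer(datetime.fromisoformat(parts[0]),
                                    parts[1], parts[2], int(parts[3])))
        except ValueError:
            continue
    return records


def is_external(ip: str) -> bool:
    """Only traffic leaving the organisation can be exfiltration."""
    addr = ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local)


def build_baseline(records, before):
    """Per host: peak daily external bytes and the set of destinations seen
    strictly before `before`."""
    daily = defaultdict(int)       # (host, date) -> external bytes that day
    known = defaultdict(set)       # host -> external destinations seen
    for r in records:
        if r.ts >= before or not is_external(r.dest):
            continue
        daily[(r.host, r.ts.date())] += r.nbytes
        known[r.host].add(r.dest)
    peak = defaultdict(int)
    for (host, _), b in daily.items():
        peak[host] = max(peak[host], b)
    return peak, known


def detect_exfiltration(records, now, window=timedelta(hours=24),
                        ratio=10.0, min_bytes=100_000_000):
    """Return one finding per (host, destination) whose volume in the window
    exceeds both an absolute floor and `ratio` times the host's baseline peak.
    The floor stops brand-new hosts (baseline 0) from alerting on noise."""
    start = now - window
    peak, known = build_baseline(records, start)
    per_dest = defaultdict(int)
    for r in records:
        if start <= r.ts <= now and is_external(r.dest):
            per_dest[(r.host, r.dest)] += r.nbytes
    findings = []
    for (host, dest), b in sorted(per_dest.items()):
        if b < min_bytes or b < ratio * peak[host]:
            continue
        findings.append({"host": host, "dest": dest, "bytes": b,
                         "baseline_peak_daily": peak[host],
                         "new_destination": dest not in known[host]})
    return findings


def run_sample():
    """Evaluate the constructed log as of midday on 3 March 2023."""
    return detect_exfiltration(parse_log(SAMPLE_LOG), datetime(2023, 3, 3, 12))


if __name__ == "__main__":
    for f in run_sample():
        print(f)
```

In real deployments the baseline would come from days or weeks of proxy or NetFlow data rather than two days of constructed lines, and a finding with `new_destination` set and an off-hours timestamp is exactly the pattern worth paging on, since the encryption stage usually follows within hours.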

These gangs often use dark web platforms for communication, recruitment, and monetisation. Such platforms provide a degree of anonymity and make it more difficult for law enforcement agencies to track their activities. When criminal actors are caught, it is usually the result of a highly sophisticated and well-executed operation by multinational law enforcement agencies, as was the case in March 2023 when suspected core members of the Russia-linked DoppelPaymer group were targeted in coordinated raids in Germany and Ukraine.

Because of the growing sophistication of ransomware gangs, as well as the generally expanding threat landscape, the onus has been placed on CISOs and other security professionals to grapple with these threats and prepare their systems for possible attack. Increasingly, as the likelihood of attack grows, more professionals are seeking ways to limit the damage an attack can cause: reducing their exposure, segmenting networks, keeping tested offline backups and prioritising the protection of their most critical data and systems.

3. Summary

In the preceding sections, we have looked at the biggest factors in the expansion of the threat landscape in the DACH region. The war in Ukraine has given rise to a ‘cyber conflict’ that affects a much wider geographic region. The destruction of the Nord Stream pipeline, although not a cyber attack, was the most obvious example of how the impact of the war is spreading westwards. Those responsible for organisational cyber security will have to deal with these threats as they proliferate across the DACH region.

We have also seen an increasing lack of clarity around such attacks and who perpetrates them. Cyber security, then, can find itself front and centre of an information war, which will only complicate matters, particularly for those working in government who need to devise a response to oncoming threats. This is compounded by the expansion and increasing sophistication of ransomware groups, particularly in Eastern Europe. Staying ahead of these threat actors will require ever more hard work and determination.

There is room for hope, however. The changes to the threat landscape and the entry into a new stage of the cyber conflict have produced a more resilient attitude in the DACH countries, at both government and private sector level. The region certainly has the tools to defend itself. The question is whether they will be used effectively.

You can hear more about the threat landscape and our collective response to it at this year’s DACHsec Summit, taking place 16-17 May 2023 in Frankfurt. We will delve into the themes of this report in the form of presentations, panels, case studies and roundtable conversations. Find out more here. We hope to see you there!