A Q&A with Michael McLaughlin of Baker Donelson
When we consider the war in Ukraine, the increasing sophistication of technology, and a myriad of geopolitical tensions, companies and organizations can expect that cyber attacks by international threat actors and state-sponsored criminal groups will be a considerable threat for the foreseeable future.
With global cyber attacks up 7 percent in the first quarter of 2023 alone, this international cybersecurity epidemic is not likely to go away anytime soon.
We spoke with Michael McLaughlin, an associate in Baker Donelson’s Washington, D.C. office and a member of the Government Relations and Public Policy Group.
Michael is also the author of Battlefield Cyber: How China and Russia are Undermining Our Democracy and National Security, about why companies need to be paying closer attention to these threats, and the groups behind them. The book will be released on August 15, 2023.
Baker Donelson is also a NetDiligence-authorized Breach Coach® firm.
What global cyber threats should companies be concerned about right now?
We tend to look at threats as an industry kind of indiscriminately because primarily if you’re a company and you get hit with ransomware, you don’t care if it’s the Russian government or if it’s China or if it’s just a random criminal actor that’s operating from Belarus. The company and the customer just want to get back to business as usual for the least amount of cost—and so we tend to not look frequently at who the actors are. Unfortunately, that’s going to have to change here very soon. I’ve already seen it start to change in the legal landscape.
Has anything in particular prompted a closer examination of global threat actors?
There are two key factors here: insurance and sanctions. Since the start of the war in Ukraine, the US government and international coalitions have imposed sanctions against Russia, Russian entities, and some Russian cyber actors. We all cheer this, but there are second- and third-order effects that I don’t think the government fully realized when issuing these sanctions.
The ransomware space is a great example of this. The US government—OFAC, in particular—sanctioned the threat actors Trickbot and Conti. Well, at the outset of the war in Ukraine, a Ukrainian-based actor who is part of Conti leaked a lot of their information and Conti has since broken into a bunch of different groups, including Royal and Karakurt. Royal is the ransomware group that hit the city of Houston, and Karakurt is a group that’s best known for extortion.
The insurance carriers are now looking and seeing the reports indicating that Karakurt or Royal are offshoots of Conti, which is a sanctioned entity. They, in turn, say that they can’t legally make that payment. Now the company that is hit with an attack is stuck making the payment themselves and potentially violating sanctions.
Does the victimized company have any recourse?
They would have to hire a third-party threat intelligence company that is going to give them evidence or show evidence to the insurance carrier. The evidence would be based on factors such as the indicators of compromise, artifacts on the network, and the threat actor’s tactics, techniques and procedures. The threat intelligence company will then make a report saying, based on all of these factors, the threat actor is not affiliated with the sanctioned entity.
Then the customer is left praying that the insurance company is going to cover their claim for that payment. And that’s just on the ransomware side of it.
What is the other side of it?
Insurance carriers are more and more looking at their policies and saying that if the attack is part of an ongoing conflict that spills out, then that technically makes it an act of war, which trips wartime or acts of terrorism exclusions. Then they don’t have to pay out on that. Lloyd’s of London last year said flat out that if it is an act of a nation-state, that is going to be an exclusion in your cyber policy. So if Russia conducts a cyber attack that impacts your business, they wouldn’t be covering that.
Now all insurance carriers that fall under Lloyd’s of London have this specific exclusion in their policies. So more and more, it matters who is attacking and where they’re coming from, and the geopolitics behind the actor. So far, network owners aren’t necessarily paying attention to it, but as attorneys, cybersecurity vendors, insurance carriers, and brokers and agents, we’re forcing ourselves to become more aware of that context.
Has there been an increase in the ransom amounts threat actors are demanding?
In the ransomware space, I would say that we are seeing the same ask—typically in the six and seven figures for the initial ask or the initial demand on ransomware. That hasn’t really changed, and it’s going to depend on who the victim organization is. If ransomware actors are targeting a large K to 12 school district and they get a lot of PII, they know that they can extort more money from the victim than if it’s a mom-and-pop widget manufacturer. That’s where you’ll start to see potentially eight-figure demands. But by and large, we haven’t seen a significant change in what the threat actors are demanding as a result of the ransomware activity.
How about the frequency of ransomware events?
We’ve begun to see an uptick that I anticipate will continue pretty significantly as a result of the war in Ukraine. When the war started in early 2022 and through the summer of 2022, we saw ransomware drop off a bit. Part of this was that you’ve had a lot of patriotic hackers on the part of Russia or on the part of Ukraine targeting one another. They went from being ransomware actors to being hacktivists and operating in what they perceive to be their national interest.
Now that the war has raged on and sanctions are beginning to take hold in Russia, that’s changed. Russia has one of the largest IT industries in the world and some of the most sophisticated actors are some of the most sophisticated IT professionals. If companies in Russia are shutting down or if they’re significantly dialing back the type of services they’re getting from these IT professionals, then they have to turn somewhere for a revenue stream.
If that revenue doesn’t exist in Russia but the Russian government is giving you tacit approval and carte blanche to go target other countries and will not prosecute you or extradite you anywhere, then you basically have free rein to commit crime. I think we’re going to start to see an increase in a lot of these actors that were previously just IT workers that need a source of income and now the available source of income is cybercrime.
Have the tactics or threat vectors changed at all?
We’ve seen an evolution. It’s not so much that it’s more sophisticated malware, but you have actors who are more comfortable using traditional tools in malicious or nefarious ways. An example of that is PowerShell, which is a capability in a Microsoft application that allows you to run commands and code basically just from a desktop. It’s a really useful tool for IT professionals to be able to get into and kind of manipulate the network, manipulate the computer or the specific endpoint that they’re on in a very efficient way.
If you have a malicious instance of PowerShell or you’re able to gain system administrator level credentials, PowerShell is an incredibly powerful tool for accessing different parts of the network. There are also TeamViewer, AnyDesk, the remote desktop protocol, and others. All allow you to access the network and once you are in and you have the right credentials, you’re able to “live off the land” and use the capabilities and tools that are already available on the network in a malicious way.
What that does is basically take the teeth out of CrowdStrike or any of the other hundreds of cybersecurity vendors, because those services are looking for anomalies. They’re looking for signatures. They’re looking for specific malicious tools or malware. If everything you’re doing looks like what an IT administrator would be doing up until you exfiltrate terabytes of data, you’re not going to identify that a threat actor is there, let alone that the threat actor could be in your network for months and nobody would ever know.
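The point Michael makes above is that signature-based tooling has little to match on when an intruder uses PowerShell the way an administrator would. The usual defensive answer is behavioural triage of PowerShell script-block logging: decode encoded commands, look for hidden windows and archive staging, and compare the account and the hour against a baseline. The script below is an added example, not code from the interview, Baker Donelson or NetDiligence. The log lines, the `host=`/`user=`/`script=` field layout, the `ADMIN_ACCOUNTS` baseline and the 06:00 to 20:00 business-hours window are all constructed assumptions for illustration, not a real Windows event format or a real environment.

```python
"""Heuristic triage of PowerShell script-block log entries.

Added example (not from the interview). The log layout, accounts, hosts
and business-hours window are constructed assumptions for illustration.
"""
import base64
import re
from dataclasses import dataclass, field

# Plain-text form of the encoded command in the constructed sample below.
# Encoding it at runtime keeps the sample consistent with what PowerShell's
# -EncodedCommand expects: base64 of the UTF-16LE script text.
_STAGING_CMD = (
    "Compress-Archive -Path C:\\Users\\rlopez\\Documents\\* "
    "-DestinationPath C:\\Windows\\Temp\\a.zip"
)
_ENCODED = base64.b64encode(_STAGING_CMD.encode("utf-16-le")).decode("ascii")

# Constructed sample: a routine admin session (jsmith, business hours) and a
# session that looks like an admin but runs at 02:00 from a non-admin account,
# with a hidden window and an encoded command staging an archive in Temp.
SAMPLE_LOG = f"""\
2023-06-12T09:14:03Z host=FS01 user=CORP\\jsmith script=Get-Service -Name Spooler | Restart-Service
2023-06-12T09:20:41Z host=FS01 user=CORP\\jsmith script=Get-ChildItem \\\\FS01\\finance -Recurse | Measure-Object
2023-06-12T02:07:55Z host=WS-117 user=CORP\\rlopez script=powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand {_ENCODED}
2023-06-12T02:09:12Z host=WS-117 user=CORP\\rlopez script=Get-ChildItem C:\\Windows\\Temp\\a.zip | Select-Object Length
"""

# Assumption: accounts expected to run interactive PowerShell. In practice this
# comes from an inventory or a learned baseline rather than a literal set.
ADMIN_ACCOUNTS = {"CORP\\jsmith"}
BUSINESS_HOURS = range(6, 20)  # assumption: 06:00-20:00 UTC

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) script=(?P<script>.*)$")
ENC_RE = re.compile(r"-(?:EncodedCommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
HIDDEN_RE = re.compile(r"-(?:WindowStyle|w)\s+hidden", re.IGNORECASE)
STAGING_RE = re.compile(r"Compress-Archive.*-DestinationPath\s+\S*\\Temp\\", re.IGNORECASE)

# Weights are illustrative; tune them against your own false-positive rate.
WEIGHTS = {
    "encoded-command": 2,
    "hidden-window": 2,
    "archive-staging-in-temp": 2,
    "off-hours": 1,
    "non-admin-account": 1,
}


@dataclass
class Event:
    ts: str
    host: str
    user: str
    script: str
    findings: list = field(default_factory=list)


def parse_line(line):
    """Parse one constructed log line; return None for lines that do not fit."""
    m = LINE_RE.match(line)
    return Event(**m.groupdict()) if m else None


def decode_encoded_command(script):
    """Return the decoded -EncodedCommand payload, or None if there is none."""
    m = ENC_RE.search(script)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable>"


def analyze_event(ev):
    """Attach behavioural findings to an event; inspects decoded content too."""
    text = ev.script
    decoded = decode_encoded_command(text)
    if decoded is not None:
        ev.findings.append("encoded-command")
        text = text + "\n" + decoded  # run the remaining checks on the decoded script as well
    if HIDDEN_RE.search(text):
        ev.findings.append("hidden-window")
    if STAGING_RE.search(text):
        ev.findings.append("archive-staging-in-temp")
    if int(ev.ts[11:13]) not in BUSINESS_HOURS:
        ev.findings.append("off-hours")
    if ev.user not in ADMIN_ACCOUNTS:
        ev.findings.append("non-admin-account")
    return ev


def score(ev):
    return sum(WEIGHTS[f] for f in ev.findings)


def triage(log_text):
    """Parse and analyze every line; unparsable lines are skipped."""
    events = (parse_line(line) for line in log_text.splitlines())
    return [analyze_event(ev) for ev in events if ev]


def flagged(log_text, threshold=3):
    """Events whose combined weight reaches the alerting threshold."""
    return [ev for ev in triage(log_text) if score(ev) >= threshold]


if __name__ == "__main__":
    for ev in triage(SAMPLE_LOG):
        print(f"{ev.ts} {ev.host} {ev.user} score={score(ev)} {ev.findings}")
```

None of the individual checks is a malware signature: a hidden window, an encoded command and an archive written to Temp are each things an administrator might legitimately do. The value comes from combining them with context (which account, which hour) so that the one session that does not fit the baseline scores well above the threshold while the routine session scores zero.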
We continue our conversation with Michael McLaughlin in Part 2 when we look at the specific cyber threats coming out of China.