
Increased Home Office Use Facilitates Blackmailing Corporations on Dark Web

RIO DE JANEIRO, BRAZIL – A new outbreak has added to the perfect storm caused by the Covid-19 pandemic in everyday business: the escalation of cyber attacks. Several companies have already fallen victim to a scam in which cybercriminals break into systems, hijack data and leave the internal network encrypted.

Then they ask for a ransom to unlock the data and prevent the stolen information from being sold to the competition or becoming public on the deep web, the internet layer that is not accessed by search engines like Google.

Cybersecurity experts warn that as a result of the pandemic, companies are even more vulnerable because of remote systems access through the home office.

A survey by Kaspersky, the Russian cybersecurity company operating in Brazil, shows that attacks directed at tools that allow this remote access increased 333 percent between February and April in this country alone. It is impossible to know how many of these attacks have evolved into the crime of extortion.

In any event, these attacks occur all over the world, with a wide variety of targets: from an influential celebrity attorney in the United States to health, agribusiness and energy companies, including Brazilian firms such as Companhia Paulista de Força e Luz (CPFL), Cosan, Aliansce Sonae, and Arteris, in addition to the Portuguese EDP, which operates in the electrical power sector in Brazil.

EL PAÍS tracked the deep web pages that are used by six international hacker groups, but studies conducted by specialized websites show that at least 11 gangs are active in this type of cybercrime, called double extortion. The hackers monitored by the report attacked at least 100 companies, of which at least 22, which did not want to pay the ransom, are having their data auctioned in real time. According to ads, for an initial bid of US$600,000 (about R$3.2 million) one can take part in the auction of pop star Mariah Carey’s data. They form part of a package from Grubman Shire Meiselas & Sacks, a major entertainment law firm based in New York that has other star clients such as Madonna, Lady Gaga and Elton John.

The cybercrime business has been growing in recent months and Brazil is among the targets. Kaspersky showed that in April this year alone, Brazil was the target of over 60 percent of attacks identified by the company in Latin America. The second most affected country in the region was Colombia, with 11.9 million attacks, followed by Mexico (9.3 million), Chile (4.3 million), Peru (3.6 million) and Argentina (2.6 million).

Here in Brazil, CPFL was among the companies that added to this tally. To prove that the company's data were stolen, the Maze group hackers released a small piece of data – another common practice among the groups – as a kind of free sample. When contacted, CPFL failed to answer the reporter’s questions.

The Corporate Leaks webpage, of a gang called Nefilim, displays data from attacks on the systems of the Brazilian companies Cosan, Aliansce Sonae, and Arteris. “Cosan’s negligence in cyber security has allowed us to violate its network and move freely within it for months,” the hackers said; they have not publicly disclosed how much they are charging to return the data.

Cosan is one of the largest business conglomerates in Brazil, and includes companies in the energy, logistics, infrastructure, and agriculture sectors. Among the group’s branches are Raizen (a joint venture between Cosan and Shell), which operates in fuel distribution, and Comgás, which operates in gas and electricity generation and distribution.

Since 2005, the group has been listed on the São Paulo Stock Exchange (B3) under the New Market category, where companies with the highest level of corporate governance are listed.

As the company is listed on the stock market, the rules of the Brazilian Securities and Exchange Commission (CVM) provide that “in the event of a leak of data or if the company’s securities fluctuate atypically,” the company must immediately notify the stock market, “even if the data refers to operations under negotiation (not completed), initial negotiations, feasibility studies or even the mere intention of closing the transaction”. On March 11th, Cosan announced that its operations had been interrupted by a “criminal hacker attack”.

However, the company did not notify its shareholders again about the consequences of the attack, which continued with the disclosure of company data on the deep web. Following the strategy of allowing time for negotiation, the hackers disclosed the company’s first data package on March 20th. Everything suggests that it concerns files used in tax planning, process controls and tax risks, between 2014 and 2020.

With no negotiation, on April 1st the hackers took a further step: they released the legal department’s database, which contains details of the labor, civil and even criminal lawsuits in which the company may be liable. The bait consists of appealing to the ethical principles of the website’s visitors, pointing out the decisions against the company for exploiting slave-like labor.

“If you disagree with slave labor, then get in touch with the people who are directly responsible for it,” the hackers published on the Corporate Leaks webpage, listing emails and cell phone numbers of the company’s top executives. By June 25th, the group had released six packages of company data.

Carlos Sampaio, IT manager at CESAR, a digital transformation and innovation center, warns that the increase in the number of attacks during the pandemic is no coincidence. “We’ve just sent workers home, which is different from building a home office, and this has placed companies at the mercy of all sorts of scenarios,” he says.

The reason is that companies were not prepared to offer the same security structure that they have in their offices to employees’ homes. Uncertified networks, open routers, higher volume of connections in the neighborhood, all this can turn into gateways for malicious individuals. Even companies that have offered a VPN (virtual private network) are not fully secure. “The VPN is a tunnel headed straight into the heart of a company’s network,” he cautions.

Ransomware attacks are nothing new to companies. “In 99.9 percent of cases, the attacker doesn’t want the data in his possession, he only encrypts it, which means shuffling the information with a key that only he holds, and then extorting the company to sell that key,” Sampaio explains.

“The gateway to ransomware is the weakest point in technology: the human being. We don’t just send employees home in the pandemic, we send CEOs, directors, people in charge who sometimes carry the whole database on their notebooks with the argument that it will make their job easier.”

Thiago Giantomassi, a partner in law firm Demarest’s Mergers & Acquisitions and Capital Markets group, explains that publicly-traded companies are the main targets, precisely because they are required to comply with disclosure rules considered relevant. “Information is valuable, consider the Internet companies that work with data for their business, like Facebook and Instagram,” he says.

But despite the rules, it is still unusual to find relevant facts from publicly traded companies that deal with cyber attacks. Giantomassi explains that companies routinely assess whether the attack has a relevant impact on their business before notifying the market. “Often, the company has no idea of the extent of what occurred, and even if it does, it may be confidential and strategic data that it does not want to see in the media to protect its own and its shareholders’ interests.”

This may be the case of Aliansce Sonae, the largest shopping mall management company in Brazil. After the invasion and declining negotiations, the company currently has three packages of its data available for download on the deep web. The data ranges from investor presentations to audit reports, billing and collection spreadsheets. The company has not notified the CVM of this fact. Aliansce confirms that it suffered a virus attack in the early hours of May 3rd, but that the action “did not cause any relevant impact to the company’s operations.”

Arteris, part of the Spanish Abertis group, which operates in the segment of road concessions, was yet another giant that suffered such an attack. “The company suffered an attempted cyber attack on April 13th, but succeeded in taking all the required protection measures to preserve its operation and ensure the security of its employees’ data and the vehicles that travel along its highways,” it declared in a statement.

Nevertheless, there are currently four data packages released on the deep web. Among them are legal documents on litigation, many of them related to the Chico Mendes Institute for Biodiversity Conservation (ICMBIO). Although it has failed to notify the CVM, the company states it has engaged the police authorities and is contributing to the investigations.

Source: El Pais
