Antwerp is the first major city in Flanders to be attacked by hackers. It won’t be the last, and soon even your car will be a target.
Tom Van de Wiele is an ethical hacker, as it is reassuringly called. From Copenhagen, he works for WithSecure, a company that is paid to try to hack other companies and point out weaknesses in their software systems. Van de Wiele has been in this business for twenty years, following the city of Antwerp from a distance, but with great interest.
Tom Van de Wiele: As a company, we followed up on the hack in Argentina, which was carried out by Play, just like the Antwerp hack. At least they work under the same name, because that does not necessarily mean that it is also the same collective. What is said about this is indeed speculation. I sometimes hear that companies or governments need to ‘hack back’ when attacked, but we usually have no idea who exactly they need to hack. It is possible that criminals are operating through a Russian hospital. Such criminal organizations are often real businesses run by executives, with criminals among them doing nothing but hacking all day. Play must employ many people to carry out such attacks, and then also conduct the negotiations.
Was Antwerp well prepared for this? The city still hasn’t fully recovered.
Van de Wiele: Some city services were down for weeks, and I read that the disruption could last more than a month. This means that Antwerp was not prepared for this at all, but the same is true for so many companies and organizations. In fact, this has to be practiced like a fire drill, or planned for like a flood that we know will happen one day. It’s not a matter of ‘if’ a company ever gets hacked, it’s a matter of ‘when’.
Unfortunately, even large private companies sometimes choose to accept that risk without much preparation. So what can we expect from a local police force, hospital or library? It is therefore not really about whether such an attack can be avoided in the first place. There is no magic solution to this, such as a software package or a three-day course. It is about how quickly organizations get back on their feet after such an attack. Hopefully the city of Antwerp will be able to recover much faster next time – because it will undoubtedly happen again.
In Flanders, this attack was perhaps the largest to date. How common are such crimes?
Van de Wiele: It’s the biggest one you’ve read about in the paper. Every week, hundreds of companies have to deal with infections in their systems. We do a lot of forensic work for companies whose names you will never see in the papers. Nobody wants to make that public.
The damage to these organizations was imperceptible to outsiders.
Van de Wiele: Yes. Or at least no personal data was stolen. The European privacy law GDPR fines companies that do not report such theft of customer data.
During a press conference, the city minimized the data that Play is holding, while the criminals themselves gave the impression that genuine personal data had also been stolen. Who is probably right?
Van de Wiele: It’s the word of the city against the word of Play. I hope for the people of Antwerp that their data has not been stolen, but everyone needs to be careful from now on. I bet this will be abused, perhaps by other criminals. Residents of Antwerp will soon receive an email with a link to check whether they were victims of the data breach. Of course, that is just phishing too, perhaps the most common way for criminals to get into a computer system. Click on that email and you’ve been hacked.
We regularly send such emails as a test to all employees of the companies we work for, because such follow-up attacks are often more dangerous than the original ones. But for now it is still unclear what exactly happened in Antwerp and why the city was removed from Play’s victim list on Saturday.
It appears that the attack is over. Is that right?
Van de Wiele: We do not know. Why would Play show a new trophy online that then turns out to have no data? In the past, criminals threatened to destroy the data they stole if payment was not made. Today, the threat is that the data will be published. But maybe Play will soon try to sell everything it has on the dark web. It may be months or years before we really have insight into this.
The city claims there was no payment or negotiation. Do you know a company that got rid of Play without paying?
Van de Wiele: Not that I know of, no.
Do you advise companies to negotiate or not?
Van de Wiele: There are companies that say they don’t want to negotiate. It is dangerous. I know a fairly large company that even denied that data was stolen. When the criminals showed a taste of what they had, they continued to deny. In the end, all their data was made public and they could forget about their business.
There are people today who are employed to conduct such negotiations. They will do their best, but it is completely unclear what skills they possess. Anyone can call themselves a negotiator and charge money for it, while this will not necessarily impress the criminals.
Did you advise Antwerp to pay?
Van de Wiele: It all depends on what information is involved. American police departments have already paid because evidence from ongoing investigations was stolen. If investigation material is stolen from a drug-trafficking case in the port of Antwerp, I can imagine people being paid not to publish it.
Just hypothetically: Is it justifiable to lie about what exactly has been agreed with criminals?
Van de Wiele: You can only bluff if you really understand the game you are in. I hope that in the long run there will be clarity on exactly what happened and what the city did to prevent the attack. It would be nice if a report was published where the city is transparent. Hopefully we will also know what investments have been made to be able to react more quickly next time. City services going down for one day is no problem, but no one wants to go through weeks of headlines about one hack again.
How does Play get into its victims’ systems?
Van de Wiele: Play also uses phishing, because there is always someone who makes a mistake in an unguarded moment. Phishing takes place in the most unimaginable ways; as ethical hackers we can talk about that too. I have already been to a bank to get my dear mother’s account transferred to my name, so to speak. With some banks, it only takes one form to get account information for something like this, and that’s enough for us to get into that bank. Only one bank employee needs to believe such a story. We were once asked to hack into another bank, and one of the employees was a big fan of a certain artist. We recreated a website for an exhibition and sent him a specially designed invitation to the opening. All he had to do was scan a QR code to sign up. Even before he could check on the site that he would be there, we were already inside.
Are there other strategies that criminals follow?
Van de Wiele: There are always vulnerabilities in the system that they can exploit. Sometimes one password is enough, so it is enough for one person to use the same password over and over again or to change their passwords in a predictable way, such as using a sequential number each time. People still don’t realize how important a well-chosen password is.
Like the criminal gangs, we know which files with passwords are traded on the dark web, so we know the risks our customers run in this. Of course, the criminals also monitor what security measures are taken against them. They hang out in the forums where such things are discussed and we try to keep an eye on them there as well.
What do you recommend so that businesses are ready for an attack?
Van de Wiele: Have at least two backups in different locations. Make sure you know who can access your data and where the sensitivities are. Have a plan ready, because rebuilding such an internal network can sometimes be a lot like archaeology. Often it’s software on top of software on top of software, a twenty-year stack that no one can get rid of. This is what companies test with us: are we ready for this, and what do we need to protect our data and our staff’s data? Fortunately, there are also new technologies such as the cloud. Companies no longer have a local network and store everything with Amazon. That is already much safer, although the company must also be aware of the risks here.
Will such attacks get worse in the future or will we be able to protect ourselves in good time?
Van de Wiele: They work with ransomware, which they use to encrypt files until they are paid. Contrary to what everyone seems to believe, it has been around for a long time. In the 1980s, an AIDS conference was already attacked. People were infected through floppy disks and they had to pay money through Western Union. With cryptocurrencies and other innovations, we see many more attacks today, but the problem has existed for more than thirty years.
I’m afraid the genie is out of the bottle now. We have become completely dependent on computers – for good reasons – and this will always leave us vulnerable. The next targets will be all the smart devices we use today, even cars. The car manufacturers are hopefully well prepared for that. Otherwise your smart car will still run after being hacked, but only to the bank, so you can transfer the money to the criminals.