
Am I being targeted by a cyber attack?

Best practice

12:00 Tuesday, 27 October 2020

UK Cyber Security Council

One of the most famous security incidents of recent times was the WannaCry ransomware infection of the UK National Health Service (NHS). One interesting common factor when one researches the attack is that the various reports (including the NHS’s own) are clear that the NHS was not specifically targeted, but was in fact one of many victims of an indiscriminate attack aimed not at specific organisations but at any systems that had a particular insecurity.

Targeted attacks do happen, of course – by which I mean attacks where the first step is for the attacker to consider whom to target, and then to find a way in. There is, however, a middle ground between targeted and indiscriminate attacks, which one could call “hybrid” attacks.

Anyone can use a search tool on the Internet to find vulnerable systems, and there are thousands of such systems in Britain alone. Such tools not only list the exposed systems but also reveal their weaknesses – for instance, the software version a system reports tells you whether there are known hacks for it.

Searches like this are the starting point of many attacks, particularly when the attacker’s aim is to find potential victims of a particular vulnerability rather than to attack a particular organisation.


Take the example of an attack on the Isle of Man location of Cayman Bank. According to what purports to be his own account, the attacker did not set out to attack this institution specifically, but instead set out looking for vulnerabilities, then decided to look for the word “bank” in the results, then decided “Cayman” was attractive from the list of banks. The attack was targeted from that point, but had begun with no specific victim in mind.

This type of attack makes sense from a technical point of view. An attacker is more likely to find a victim based on a particular vulnerability than to be able to attack one specific organisation about whose internet-facing infrastructure he or she knows nothing. From the point of view of the potential victim, the solution is simple: to ensure that no systems are exposed unnecessarily to the Internet, and to maintain those that do have to be internet-facing such that the software is up to date and all known vulnerabilities dealt with.
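The check described above (nothing exposed unnecessarily, and whatever must be internet-facing kept at a known patch level) can be turned into a routine audit over your own external service inventory. The script below is an added illustration written for this page, not code from the UK Cyber Security Council; the hostnames, the inventory rows, the list of management ports and the version baseline are all constructed assumptions and should be replaced with your organisation’s own export and policy.

```python
"""
Exposure audit over an externally visible service inventory.

Added example (not the Council's code). Every host, port and version
below is constructed for illustration; the MANAGEMENT_PORTS and
MIN_VERSION tables are an assumed policy, not a vendor list.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: the sort of CSV an external scan of your own
# address range would produce. Columns: host,port,proto,service,version
SAMPLE_INVENTORY = """\
host,port,proto,service,version
web1.example.test,443,tcp,https,2.4.54
web1.example.test,22,tcp,ssh,9.3
bmc1.example.test,623,udp,ipmi,2.0
bmc1.example.test,443,tcp,https,1.9
fileserver.example.test,3389,tcp,rdp,
switch1.example.test,161,udp,snmp,v2c
web2.example.test,443,tcp,https,2.4.29
"""

# Well-known ports of out-of-band / remote-management interfaces that
# should never be reachable from the Internet (assumed policy).
MANAGEMENT_PORTS: Dict[Tuple[int, str], str] = {
    (623, "udp"): "IPMI/BMC",
    (3389, "tcp"): "RDP",
    (5900, "tcp"): "VNC",
    (23, "tcp"): "Telnet",
    (161, "udp"): "SNMP",
}

# Minimum acceptable version per internet-facing service. These numbers
# are an assumed patch baseline, not a statement about real software.
MIN_VERSION: Dict[str, Tuple[int, ...]] = {
    "https": (2, 4, 50),
    "ssh": (9, 0),
}


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    proto: str
    reason: str


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.4.29' into (2, 4, 29); stop at the first non-numeric part.
    An empty or unparseable string yields an empty tuple."""
    parts: List[int] = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def parse_inventory(csv_text: str) -> List[dict]:
    """Parse the header-prefixed CSV export into a list of row dicts."""
    rows = []
    for line in csv_text.strip().splitlines()[1:]:
        host, port, proto, service, version = line.split(",")
        rows.append({"host": host, "port": int(port), "proto": proto,
                     "service": service, "version": version})
    return rows


def audit(rows: List[dict]) -> List[Finding]:
    """Flag exposed management interfaces and services below baseline.
    A service whose version cannot be read is reported too, because an
    unverifiable patch level is itself something to chase up."""
    findings: List[Finding] = []
    for r in rows:
        key = (r["port"], r["proto"])
        if key in MANAGEMENT_PORTS:
            findings.append(Finding(r["host"], r["port"], r["proto"],
                                    f"management interface ({MANAGEMENT_PORTS[key]}) exposed"))
        minimum = MIN_VERSION.get(r["service"])
        if minimum is None:
            continue
        version = parse_version(r["version"])
        if not version:
            findings.append(Finding(r["host"], r["port"], r["proto"],
                                    f"{r['service']} version unknown; patch level unverified"))
        elif version < minimum:  # tuple comparison, e.g. (2,4,29) < (2,4,50)
            findings.append(Finding(r["host"], r["port"], r["proto"],
                                    f"{r['service']} {r['version']} is below baseline "
                                    f"{'.'.join(map(str, minimum))}"))
    return findings


def hosts_with_management_exposure(findings: List[Finding]) -> List[str]:
    """Hosts that would show up in a search for exposed management interfaces."""
    return sorted({f.host for f in findings if f.reason.startswith("management")})


if __name__ == "__main__":
    for f in audit(parse_inventory(SAMPLE_INVENTORY)):
        print(f"{f.host}:{f.port}/{f.proto}  {f.reason}")
```

Run against the constructed sample, the audit reports five findings: three management interfaces (IPMI on bmc1, RDP on fileserver, SNMP on switch1) and two HTTPS services below the assumed baseline (the BMC’s web interface and web2). The point of the version rule is the hybrid-attack model the article describes: a reported version is exactly what an indiscriminate search keys on, so anything below your baseline should be patched or taken off the Internet, and anything that cannot report a version should be investigated rather than assumed safe.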

At the time of writing, an internet search shows that a particular country has 2,267 servers with their integrated management adaptors (which can be used to gain full control of the system) exposed to the Internet. There are over 200,000 assorted devices with their management interfaces exposed to the internet.

If your systems do not appear on these searches, that is a significant step to avoiding hybrid attacks.