Daily Archives: November 30, 2020

The Multi-Million Pound Manchester United Hack

Earlier this year I wrote a blog post about the Manchester City Billion Pound Hack, which explored cyberattacks within elite football. Now it is the turn of City big rivals Manchester United, after they reported their IT systems had been impacted by a cyber-attack, widely reported in the UK media as a cyber-extortion attack.

In the last couple of years, cybercriminals have significantly ramped up efforts in targeting UK businesses with cyber extortion attacks, using ransomware malware and confidential data theft to leverage their victims into paying large ransom payments anonymously in Bitcoin. Many businesses have been quick to pay out ransoms after their operations ground to halt due to their IT systems being rendered unusable due to ransomware, and also to avoid dumping their confidential data on the internet by the cybercriminals.  

In July 2020 the UK National Cyber Security Centre (NCSC) specially warned that cybercriminals were targeting UK sports teams with ransomware attacks in a report. This NCSC report cited a ransomware attack against an unnamed English Football League club, which crippled their  IT systems to the extent it stopped their turnstiles from working and almost led to the cancellation of the league fixture, which would have cost the club hundreds of thousands of pounds in lost income. NCSC reported it suspected cyber attackers gained access to the football club's network either by a phishing email or by remote access system connected to the club's CCTV system. That access was used to spread ransomware across the entire football club IT network.  It is understood the cybercriminals behind the attack demanded 400 bitcoin (over £300,000), which was not paid.  It seems Manchester United have been targeted similarly

In a statement on 20th November 2020, Manchester United stated, 

'Manchester United can confirm that the club has experienced a cyber attack on its systems. The club has taken swift actions to contain the attack and is currently working with expert advisers to investigate the incident and minimize the ongoing IT disruption.

Although this is a sophisticated operation by organized cyber criminals, the club has extensive protocols and procedures in place for such an event and had rehearsed for this risk. Our cyber defenses identified the attack and shut down affected systems to contain the damage and protect data.'

Despite the assurances in the statement the cyber-attack does appear to be contained and recovered from as yet, as both the Daily Mirror and the Daily Mail reported on 28th and 29th November 2020 respectively, that hackers had accessed the clubs scouting system's 'confidential information on targets and scouting missions'.  Several UK newspapers also reported the club's email system remains disabled.

As yet, no details have been released about the cyberattack ingress method, the malware used or the suspected perpetrators behind the attack, when asked for details Man Utd stated 'The club will not be commenting on speculation regarding who may have been responsible for this attack or the motives behind it.'  Without any details of the cyberattack released by the club or leaked, at this stage it's difficult to draw any conclusions, but we can speculate.  

The likely suspect is a variant of the Ryuk ransomware, possibly orchestrated by Ryuk criminal group, together with the recently reported resurgence of the Emote trojan last month, Emote is a common dropper of ransomware. It was a new variant of the Ryuk ransomware that was behind a cyberattack on digital services firm Sopra Steria in October 2020. Another common ransomware culprit is Trickbot, however, Microsoft and their partners took action last month to disrupt Trickbot botnet.

No details have been released on how much this incident is costing Manchester United nor the ransom fee being demanded.  The media have speculated the ransom fee to be in the millions, likely based on that recent NCSC report, which stated an EFL club faced a £5 million ransom from cyber attackers.

If this attack is found to have breached Manchester United fans data protection rights under the UK Data Protection Act (GDPR), the club could face a fine of up to £18m or 2% of their total annual worldwide turnover by the UK Information Commissioner's Office.  Further, given Manchester United are listed on New York Stock Exchange, the club could face additional US legislation if they decide to pay the ransomware fee, that fine could be up to £15m ($20m).

The US Office of Foreign Assets Control (OFAC) warned that paying the ransom demand would only boost the criminals’ finances and encourage them to strike again elsewhere, stating, 

‘Facilitating a ransomware payment that is demanded as a result of malicious cyber activities may enable criminals and adversaries with a sanctions nexus to profit and advance their illicit aims.

Ransomware payments may also embolden cyber actors to engage in future attacks'

The last sentence of the OFAC statement is an essential point, given many organisations are giving in to cyber-extortion demands and paying up, it is fuelling further attacks.  

If it was made illegal in the UK to pay a cyber extortion payment, that law would both remove the temptation of giving up on recovery and paying ransoms, but also push UK organisations into investing and deploying the appropriate level of cybersecurity controls to counter the risk, as there are simple security controls which can adequately thwart the risk of successful ransomware and data theft attacks. The simple truth is most ransomware and data theft attacks aren't really 'sophisticated', successful attacks can be prevented applying security control basics, such as continually patching IT systems (esp. internet-facing remote access VPN appliances), deploying and keeping anti-virus up-to-date, blocking external suspicious emails, and ensuring staff have a good level of security awareness, particularly in their ability to spotting phishing emails.

Without pushing down global criminal threat actors 'Reward Vs Effort' reasoning, we can expect to see further high-profile businesses like Manchester United targeted with cyber extortion attacks, which ultimately causes significant reputational and financial damage on their organisation.

Cyber security statistics for small organisations

No matter what size your organisation is, it will suffer a cyber attack sooner or later. There are simply too many malicious actors and too many vulnerabilities for you to identify.

Unfortunately, SMEs often fall into the trap of believing that they are too small to be on cyber criminals’ radars. Why would they even think to target you?

But criminal hackers target vulnerabilities rather than specific organisations. They look for weaknesses – whether it’s a flaw in a piece of software or an unprotected database containing sensitive information – and leverage it in whatever way they can.

That’s why small organisations need to be as concerned about cyber security as huge corporations. As we explain in our new infographic, 14 Cyber Security Statistics for SMEs, 43% of all cyber attacks occur at small organisations.

Here are some other stats from the infographic:

  • A small business is hacked every 19 seconds
  • 19% of business said the attack prevented staff from working
  • The average cost of a cyber attack increased by 61% last year, from £184,000 to £296,500
  • 70% of organisations said that remote working increases the risk of a data breach
  • Phishing attacks are the most common cause of a data breach

You can download the full infographic for free to remind you and your team of the cyber security risks that small organisations face.

See also:

The help you need with IT Governance

Most small organisations know that they should be doing more to protect themselves, but it can be difficult knowing where to begin.

That’s why, according to a Skurio report, 50% of organisations in the UK are considering outsourcing their cyber security.

This approach ensures that you get expert guidance when you need it and without the hassle of finding and appointing someone with the versatility to address whatever security issues you face.

Those considering this as a solution should take a look at our Cyber Security as a Service. With this annual subscription, you’ll receive the support you need whenever it’s necessary.

Our team will advise you on the best way to protect your organisation and guide you through essential processes such as vulnerability scans, staff training and the creation of data protection policies.

This service contains everything you need in one place, giving you the peace of mind that you’re doing everything possible to stay secure.

The post Cyber security statistics for small organisations appeared first on IT Governance UK Blog.