When the BBC reported that the criminals behind the cyber attack on the Co-op had contacted them, I was interested in this shift in tactics by the hackers behind the crime.
We have known for many years that hacking groups – individuals with no morals and who are criminal to their core – had tried to ‘up the ante’ when extorting money from organisations following a data theft or ransomware attack.
The access hackers achieve during these cyber attacks means they often find the personnel database containing details of each employee; they can then easily cross check with LinkedIn to know who is who. Using the contact details from the stolen data, they then reach out via WhatsApp to contact individuals, a step designed to exert pressure on the leadership of the organisation to pay a ransom.
For employees to receive these messages – especially those more junior who are manipulated by the hackers’ messaging – can be upsetting, especially at a time when they know their organisation has been hit by a cyber attack and is in a vulnerable position. In other words, criminals will go to any lengths to encourage organisations to pay millions in ransom payments.
In the immediate aftermath of an incident, the interaction between an organisation that has been hit by a cyber attack and the hackers, can be very delicate. Victim organisations will attempt to negotiate with the hackers, to buy time to find out the full extent of the breach. It’s not obvious what has been taken initially, especially in a large IT network, and claims from hacking groups needs to be verified.
After all, you wouldn’t pay a ransom for someone if they hadn’t been kidnapped in the first place.
And this is the situation we are facing with the Co-op incident. It’s highly likely that the teams investigating the breach did not know the extent of the data that had been stolen. It’s natural to be cautious in the first few days. The environment is chaotic, with systems failing or inaccessible, people working round the clock and emotions on edge. Even if the victim organisation was shown evidence of a data breach, this would still need to be verified.
And then the decision would need to be taken whether or not to pay a ransom. But to make that decision, the victim organisation would be buying time, potentially negotiating with the criminals, creating some time and space to decide their next steps and to uncover who is behind the attack. For example, some criminal hacking groups are sanctioned, therefore paying a ransom under those circumstances would be breaking the law.
So, what role should the media play in this exchange?
On the one hand, contacting the media, in this case the BBC, in the middle of an ongoing crime is novel and very newsworthy; the journalist taking the call from the hackers would no doubt have seen a brilliant opportunity to make their name. Senior editors would recognise the potential catchy headlines.
But let’s just step back for a moment and look at what is happening here.
The Co-op is in the middle of a criminal attack. It is being extorted by criminals, calling themselves DragonForce.
We do not know whether negotiations are ongoing or not. And we cannot trust the word of criminals because… well, they are criminals who have no respect for the law. Proclaiming the moral high ground by saying the BBC had deleted the data shared with them by the criminals is meaningless; the damage has been done.
The hackers’ lack of cooperation when asked about the Harrods and M&S incidents suggests they are close to being paid a ransom and discussing details with the BBC wouldn’t suit their criminal goals.
So where does this place a media organisation like the BBC in the middle of an ongoing criminal investigation? After all, the BBC’s breaking story forced the Co-op to share more details about the hack, probably much against their instinct, because the early days of a cyber incident are chaotic.
Whether the Co-op should have disclosed more information sooner is obviously the point of the BBC’s article.
It’s likely the Co-op had not been responding to the attempts by the criminals behind the attack to pressure them into making a decision on payment.
By publishing the story, the BBC has done the hackers work for them.
Ade Clewlow MBE 