GCHQ's National Cyber Security Center (NCSC) has warned that the UK should be prepared for a major "category one" cyberattack, a significant escalation from May's WannaCry ransomware assault, which hit government servers severely.
The NCSC is aware of connections from multiple UK IP addresses to infrastructure associated with advanced state-sponsored hostile threat actors, who are known to target the energy and manufacturing sectors.
NCSC believes that, because the attackers used widespread targeting, a number of Industrial Control System engineering and services organizations are likely to have been compromised.
NCSC is the division of GCHQ responsible for the protection of "critical services" from cyberattacks, managing "major incidents" and improving the "underlying security" of the internet in the UK.
The agency's technical director, Dr. Ian Levy, spoke at the annual Symantec Crystal Ball event on September 21, noting that while predicting cyberattacks is difficult, he was "reasonably confident" about the impending event.
At Symantec's Crystal Ball event today, experts & #tech innovators join together to discuss #CyberSecurity predictions pic.twitter.com/K770l6vnsr
— Symantec EMEA (@SymantecEMEA) September 21, 2017
"Sometime in the next few years we're going to have our first 'category one' cyber incident, where you need a national response. There'll be an independent investigation and what will really come out is that it was entirely preventable. Unless we start to put some science and data into cybersecurity to demystify it, that's really going to happen," Dr. Levy warned.
Easy Pickings
Levy added the category one incident would not even be a result of some "unprecedented, sophisticated attack that couldn't possibly be defended against," but a simple error made by someone "who was just doing their job."
Given that several seismic cyberattacks have succeeded because the internet security teams of major companies and governments neglected to install updates guarding against widely known vulnerabilities, such a prospect isn't entirely unlikely.
Dragonfly uses a variety of infection vectors to gain access to target networks, including malicious emails, watering hole attacks, and Trojan software.
Emails containing content specific to the energy sector, as well as general business matters, are sent to targets; once opened, the attached malicious documents leak the victims' network credentials to a server outside the targeted organization.
The group appears interested in learning how energy facilities operate and in gaining access to the operational systems themselves. As a result of these efforts, Dragonfly could now sabotage or gain control of these systems if and when it decides to do so.
In May, a survey commissioned by the British government found that one in 10 companies quoted on the FTSE 350 stock exchange index does not have a response plan for a cyberattack.
.@DCMS: Two in three bosses at Britain’s biggest businesses are not currently trained to deal with a cyber attack https://t.co/53vSUyauix pic.twitter.com/pOvl2L92Ws
— NCSC UK (@ncsc) August 21, 2017
In May 2018, a new Data Protection Bill is due to come into effect, which introduces greater responsibilities on firms and charities for protecting confidential data.