Friday, September 20, 2024 - 12:16 pm

“If you lose your temper, you lose everything”

Someone has managed to access the organization’s internal network. This network is like the corridor that gives access to all the doors: from the website to the essential operations of the system or to the computer equipment of each worker. From there, he launched a massive attack that encrypted all the files and paralyzed the digital infrastructure. Nothing works. “I suppose that 100% of the services have been affected,” the technical manager informs the crisis committee.

This is a high-impact cyberattack, the most serious that a company or organization can suffer. It is the one that the National Institute of Cybersecurity (Incibe) launched against itself this Wednesday during a training simulation open to the press, at which elDiario.es was present: an exam in which it analyzed how to improve its response system.

The organization carries out these exercises once a year on its own systems, but is also responsible for coordinating those organized against strategic operators of the Spanish economy and Ibex companies. Incibe is the entity that manages the reference emergency computer intervention team for companies and citizens, while the National Cryptology Center, dependent on the CNI, does the same with public companies and critical infrastructures.

In this case, the Incibe attackers are a group of researchers from the University of León who tried to find vulnerabilities in its defenses. After a few hours of trying to attack the castle from the outside without success, the organization opened the doors to the internal network so that the exercise could continue. “The security perimeter is very robust,” acknowledges the leader of the attacking team.

Climbing the IT walls of an organization like Incibe without internal help would be a daunting task, even for the major cybercriminal gangs. That is why few cyberattacks develop in this way today. The most common approach is to compromise an employee or a device of the organization and, from there, gradually infiltrate the depths of its systems.

Once inside the internal network, the University of León team launched its ransomware attack, a type of attack that encrypts all the victim’s files and demands a ransom in cryptocurrency in exchange for the password to release them. This is the attack method most used by international cybercrime.

“Typically, in ransomware incidents, the cybercriminal or cybercriminal group has been present in the organization for a fairly long period of time, during which time they have tried to steal all possible information. Ransomware is the last step,” explained Jorge Chinea, cybersecurity manager of Incibe’s Computer Emergency Response Team.

“That’s when it forces the company to make the ransomware payment, not only to release the information, but also to leak information about all its customers and projects if it doesn’t pay,” he continued. In these cases, it is always recommended not to pay, because there is no guarantee that the cybercriminal will keep his promise.

Emergency mode

The exercise was carried out by attacking an Incibe digital twin, so the organisation continued to provide its services while its response teams attempted to contain the incident.

While normalcy reigned outside, the exercise participants saw how the organization had to put all its systems into emergency mode in the simulated environment. The attackers gave no respite, taking advantage of their privileged location at the center of the internal network.

“Not only does the University of León team not allow us to recover from the contingency, but the services we have recovered at the main headquarters are reinfecting us again,” explained Sergio González, head of the Incibe systems department. “This type of persistence is what is usually found in cyberattacks directed against specific targets,” he detailed with about an hour left in the exercise.

Incibe officials revealed that the center supports companies in incidents of this type “every week.” However, it has never itself been exposed to effects as extreme as those it trains for in this type of exercise.

“It is essential to have done prior work and have a crisis management plan that contains communication plans, incident management plans, emergency plans, etc.,” said Jesús Feliz, head of security architecture at Incibe, who has been a spokesperson for the crisis committee that makes up the organization’s security leadership. “It is very important to stay calm and be prepared. If you lose your cool, you lose everything.”

“The goal of the crisis committee is to follow up on the incident and take strategic measures that, on many occasions, will end up being passed on to the CEO himself, because they can even endanger the viability of the company and the business,” he added.

Share information

Incibe officials have warned that cybercrime is on the rise. In 2023, there were up to 83,000 attempted cyberattacks in Spain, recalled its director, Félix Barrio. “It is no longer just a technical challenge but a shared responsibility that affects all sectors,” he said.

One of the Institute’s missions is precisely to share information on how different attackers operate, whether they are international gangs or “lone wolves.” During cyber exercises like Wednesday’s, the Institute can simulate the behavior of threats already detected by other companies to improve the preparedness of the rest of the sector. “This is something that we share with all the entities with which we collaborate, with critical and social operators, not just with digital services or strategic entities.”

Finally, the exercise ended successfully. “We have the advantage of having situational awareness, that is, we know what we are seeing in Spain and this helps us design exercises that can be adapted to these scenarios or new situations that arise and that we believe will have some relevance in the future,” said Chinea, revealing that one of the last exercises tested by Incibe was a critical error in a key antivirus. Some time later, this type of failure caused Windows to crash worldwide.


Jeffrey Roundtree