"The attackers can not go through the door. They try to go out the window ». Presenting Monday, April 15 the annual report of the National Agency for the security of information systems (Anssi), Guillaume Poupard, its director general, wanted to characterize the new types of cyberattacks: failing to directly attack large organizations, which take the means to protect themselves from their aggressions, the attackers seek henceforth to reach them through their providers or suppliers.
Anssi recorded 1,869 reports, 16 major incidents and 14 cyber-defense operations in 2018. About half of them are "indirect" attacks.
One intermediary, several organizations
"The threat of these indirect attacks increases as the final targets become secure," explains the Anssi report. Cyberattackers manage to circumvent the security measures of very large organizations, which are increasingly aware of digital risk.
Access to a single intermediary is sometimes enough to gain privileged access to several organizations, thereby increasing the attackers' return on investment. "They can then conduct large-scale campaigns targeting multiple targets of high strategic interest," says the report, by exploiting the relationship of trust that intermediaries have with the final target.
Airbus: infiltration via a supplier
Last January, the aerospace giant Airbus announced that it had been the victim of a "cybersecurity incident" in the computer systems of its commercial aviation branch. Cyber-investigators uncovered an attack lasting several weeks, conducted in two stages.
The cyberattackers began by penetrating the computer systems of one of Airbus's French suppliers. Alerted by Anssi in December 2018, the supplier then informed the aeronautical group. After a few days of investigation, the experts realized that the attack on the subcontracting company was in fact aimed at the Airbus group itself.
Providers are often smaller companies, less prepared for this type of attack. It is then easier for attackers to gain access to protected data, such as the identifiers or passwords of the final target.
Raise awareness among providers
The evolution of this threat over the past few months has prompted Anssi to raise service providers' awareness of this type of risk. In June, the agency awarded its first "security visas" to 36 IT service providers, and wishes to "enhance the visibility of excellence solutions".
Anssi has also published the finalized version of "SecNumCloud", its requirements framework for cloud computing service providers, developed in consultation with market players. The list of service providers that are qualified or undergoing qualification is available on the Anssi website.