Cyber attacks: Well armed against hackers
In January 2019, the German hacker "G0d" published sensitive data of about 1,000 politicians, journalists and celebrities on the net. Yet his attack looks like a mere skirmish compared with the challenges that thyssenkrupp's IT specialists have been through, for example when they repelled a large-scale hacker attack in 2016. What happened during the then secret project "White Amflora", and how serious is the threat of spy hackers for industry today?
It is 2016, and October is slowly coming to an end. Early on Friday morning, the weekend is only a few hours away for most of the employees of thyssenkrupp in the German city of Dortmund. Since 7 a.m., up to twelve people have been working on their computers in a somewhat cramped makeshift room. It is not always the same people, by the way; they work in shifts. Nobody can do this work for more than six to seven hours, as it demands extreme concentration and precision. Accordingly, the atmosphere is quite calm. In a muted voice, Karin Reschke gives her colleagues instructions. Karin Reschke is not the real name of the head of this team of in-house IT experts, external specialists and specialized employees. Her real name is not to be mentioned, and even photos of the woman in her early 30s are not welcome. Her anonymity has a good reason: Reschke and her colleagues stand in the way of criminal hackers, criminals who sometimes make an unfriendly house call in order to get closer to their prey, or more precisely: to data from the global networks of technologically leading companies.
At this point, the team in the office building in the southeast of the city is working on a worldwide project that is to take only three days. The goal: to repel a highly professional hacker from the global computer network of thyssenkrupp's Industrial Solutions business unit. The company is currently the target of a cyber-attack. The attacker, probably from Southeast Asia, has entered the Group's network in pursuit of information that can be turned into money or monetary advantages. Karin Reschke's team calls its room on the second floor the "war room". It is one stage in the cyber war, a digital battle fought around the clock and around the world with the utmost commitment.
Counter-attack in one fell swoop
In Dortmund, the cyber defense team has prepared itself for an exhausting confrontation. Fruit gums and licorice from Haribo, above all, are available in large quantities. The menu of the nearby Pizzeria Regina is within reach. There is coffee, water and plenty of Club Mate, also known as "hacker soda" in Germany: the caffeinated soft drink is considered a cult drink in German hacker circles. So you could say that at thyssenkrupp, people are fighting hackers on an equal footing.
"Like a hot knife through butter," says Christian Pagel, referring to the clean-up that is in progress. "Clean-up" is the technical term for actions like this. In other words: 80 servers in North and South America, Asia, India, Europe and Africa are taken offline simultaneously and then reinstalled so that the attacker can be thrown out. Of course, it is also about bringing all servers back online in such a way that the 4,000 to 6,000 employees who work on them can use them again on Monday morning. Christian Pagel, and this name is real, is the Chief Information Officer at thyssenkrupp Industrial Solutions, the division that calls Dortmund its home. Pagel is responsible for the worldwide campaign and has therefore been on call around the clock for days. On this day, he calmly strolls through the corridors in jeans and a blue cardigan; things are going well: the team in the "war room" as well as another 70 employees worldwide are working together successfully. On Sunday at 9:50 p.m., the clean-up is complete; the battle is over. On Monday at 10:33 a.m., Pagel's e-mail with the subject 'Project target achieved' lands in the mailboxes. "This success would not have been possible without the unconditional willingness and commitment of our employees as well as the cooperation and flexibility of the Executive Board of our Business Area, the Business Unit Management and the Workers Council," says Pagel.
Anti-Hacker Project “White Amflora”
It's a major success for thyssenkrupp's Industrial Plant division, but what about the rest of the company? At Group level, Alpha Barry is managing the project. Alpha Barry is the real name of thyssenkrupp's Head of Strategy, Governance and Security. The cover name for the project against the hacker attack is White Amflora. Under Barry's leadership, the IT experts systematically examined the server landscape of the Group.
"To our knowledge, the hacker has only been active at Industrial Solutions and thyssenkrupp in Hohenlimburg," he explains. The server scan also revealed that the attacker was not looking to sabotage, but to spy. Above all, he was interested in plant engineering technology. In fact, he did manage to steal data, albeit on a small scale and only in fragments. "The attacker did not penetrate our Secure Zone, which, for example, secures the communication between the Management Board and the Supervisory Board." This security zone alone, however, costs around ten million euros a year. Naturally, the entire IT landscape of thyssenkrupp cannot be protected at that level. The network of the Marine Systems division, with its sensitive secret information, was not affected either, as its servers are specially secured and not connected to the corporate network.
At thyssenkrupp in Hohenlimburg, the experts used an annual production shutdown to eliminate the attacker. "For him, that was a plausible reason why he suddenly no longer had access to the hot strip mill network," explains Barry. In projects like White Amflora, it is crucial that the attacker does not realize he has been detected before the entire network has been scanned. Otherwise he hides even better and waits, only to continue a few months later, or he commits a final act of sabotage before leaving. That is why the security team has to know about all affected servers, so that it can clean up the digital nodes simultaneously in a concerted action. Only then is the company able to get rid of the intruder for good.
Cyber-attacks can hit anyone
The large-scale attack on thyssenkrupp in 2016 was anything but an isolated case. Cyber-attacks have become a serious problem for the entire economy and are regarded as a central security challenge of the 21st century. According to the current situation report on IT security in Germany, 70 percent of the participating companies stated that they had become the target of hacker attacks in 2016 and 2017. Only half of the affected companies were able to fend off the attacks successfully. In 2016 and 2017 alone, the total damage amounted to 55 billion euros, eight percent more than in the previous two years. This was determined by the business consulting company KPMG.
Despite increasing investment in the security of data networks, cyber criminals never tire of searching for new entry points into companies and organizations in order to exploit them for their own purposes. It is currently not possible for a single company to protect 100 percent of a complex data network such as that of an international corporation like thyssenkrupp, at least not at reasonable cost. That is why in 2015, German companies founded the German cyber security organization DCSO. DCSO works closely with the Federal Ministry of the Interior and the Federal Office for Information Security. It operates as a central cyber security service provider for the German economy. thyssenkrupp is a member of DCSO and has involved its experts in the problem from the very beginning.
Always be vigilant
thyssenkrupp is currently investing heavily in the reorganization and safeguarding of its IT infrastructure. For example, a joint global data network is being set up for this purpose. Since 2016, thyssenkrupp has also expanded its security zones, for example to include research and development as well as patent information. Will this prevent cyber-attacks? “They will definitely become even more difficult,” according to Barry. “One reason is the significantly lower number of access points from the internet to our network. And we will be able to react even faster. Nevertheless, even then, everyone can be hit. There is no such thing as one hundred percent security.”
So there is one thing that matters most: vigilance, preferably around the clock. There are automatic monitoring systems that record what happens in the thyssenkrupp network, and specialists who recognize immediately if something is wrong. They work in thyssenkrupp's Computer Emergency Response Team, CERT, which also successfully fought off the White Amflora hacker attack in 2016. At present, the team has around 20 members. That they know their job is demonstrated by their discovery of the attacker in the White Amflora case just under two months after his arrival. Normally it takes more than six months on average for such intrusions to be identified.
Ansgar Roloff, not his real name, leads the team. He explains how the attackers betrayed themselves: "There were anomalies in normal operation. Then one of our forensic experts took a closer look. It quickly became clear that we were dealing with a dangerous attacker." thyssenkrupp, as becomes clear when you visit Roloff and his team, is under fire virtually all the time. The range of attackers extends from students trying out their hacker talents to absolute professionals who may be sponsored by a government.
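The article only says that the attackers showed up as "anomalies in normal operation". The following is an added illustration, not thyssenkrupp's monitoring system, of what such a check looks like in its simplest form: learn per-account baselines (which hosts an account normally logs on to, at which hours) from a known-good period, then flag logons that deviate, including an account touching several hosts it never used within a few minutes. The record format (timestamp, account, host), the thresholds and every event below are constructed.

```python
"""Toy baseline-and-deviation detector over constructed logon records.

Added example for illustration; it is not thyssenkrupp's monitoring
system. The record format (timestamp, account, host), the thresholds and
every event below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed "known-good" period used to learn what normal looks like.
BASELINE = [
    ("2016-09-05 08:12:00", "jdoe", "WS-DO-0142"),
    ("2016-09-05 09:40:00", "jdoe", "FS-DO-01"),
    ("2016-09-06 08:05:00", "jdoe", "WS-DO-0142"),
    ("2016-09-06 17:30:00", "jdoe", "FS-DO-01"),
    ("2016-09-05 07:55:00", "svc-backup", "FS-DO-01"),
    ("2016-09-05 23:10:00", "svc-backup", "FS-DO-02"),
    ("2016-09-06 23:12:00", "svc-backup", "FS-DO-02"),
]

# Constructed observation period containing one suspicious night-time burst.
OBSERVED = [
    ("2016-10-27 08:10:00", "jdoe", "WS-DO-0142"),      # routine
    ("2016-10-27 02:14:00", "jdoe", "FS-DO-01"),        # known host, odd hour
    ("2016-10-27 02:16:00", "jdoe", "FS-DO-02"),        # host jdoe never used
    ("2016-10-27 02:18:00", "jdoe", "APP-BR-07"),       # third host in 4 minutes
    ("2016-10-27 23:11:00", "svc-backup", "FS-DO-02"),  # routine
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def build_baseline(events):
    """Per account: hosts used and hours of day at which logons occurred."""
    profile = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for ts, account, host in events:
        profile[account]["hosts"].add(host)
        profile[account]["hours"].add(parse_ts(ts).hour)
    return dict(profile)


def detect(profile, events, window=timedelta(minutes=10), spread_hosts=3):
    """Return (account, reason, detail) findings for deviations from baseline.

    Reasons: unknown_account, new_host, unusual_hour, host_spread (one
    account reaching `spread_hosts` distinct hosts inside `window`).
    """
    findings = []
    recent = defaultdict(list)  # account -> [(time, host)] inside the window
    for ts, account, host in sorted(events, key=lambda e: e[0]):
        t = parse_ts(ts)
        p = profile.get(account)
        if p is None:
            findings.append((account, "unknown_account", host))
            continue
        if host not in p["hosts"]:
            findings.append((account, "new_host", host))
        if t.hour not in p["hours"]:
            findings.append((account, "unusual_hour", ts))
        # Keep only this account's logons that fall inside the sliding window.
        recent[account] = [(rt, rh) for rt, rh in recent[account] if t - rt <= window]
        recent[account].append((t, host))
        hosts = sorted({rh for _, rh in recent[account]})
        if len(hosts) >= spread_hosts:
            findings.append((account, "host_spread", hosts))
            recent[account] = []  # one burst yields one finding
    return findings


def run_example():
    return detect(build_baseline(BASELINE), OBSERVED)


if __name__ == "__main__":
    for account, reason, detail in run_example():
        print(f"{account:12} {reason:15} {detail}")
```

On the constructed data the routine daytime logon and the backup account's nightly run produce nothing, while the 02:14 to 02:18 burst by `jdoe` yields six findings ending in a `host_spread` over three hosts. A real deployment would learn the baseline over weeks rather than two days and add further features (source address, logon type, volume), but the shape is the same: a profile of normal, and a forensic look at whatever falls outside it.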
When the email becomes a spy
As there are many different ways of penetrating networks, countermeasures are often hard to find. Roloff: "E-mails are a frequently used gateway. Here, everyone can do something to make our company more secure." One example is phishing mails: fraudulent e-mails with malware attached. Once the attachment is opened, it installs spyware that current virus scanners often do not even recognize. The attacker can then remotely control the computer and use it to attack other systems in the company network.
Other common attachments are malicious programs such as so-called ransomware or blackmail Trojans. With these, an intruder blocks the use of data and of the entire computer system and demands a ransom for their release. Roloff urges users to be extremely careful when handling e-mails. Everyone should take his advice very seriously: there is hardly anyone at thyssenkrupp who knows hackers and their strategies better. Roloff and his team are absolute insiders. And of course, they too have boxes of Club Mate in their offices.
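The two paragraphs above describe the attachment as the delivery vehicle, whether it carries spyware or ransomware. Beyond asking users to be careful, a mail gateway or an analyst script can screen attachments before anyone opens them. The following is an added example and not thyssenkrupp CERT tooling: it builds a constructed multipart message with four attachments, parses it with Python's standard `email` package, and flags the patterns that matter here, namely executable extensions, document-looking double extensions, macro-enabled Office files and files whose bytes start with a Windows PE header regardless of what the name claims. The addresses, file names, attachment bytes and extension lists are all constructed.

```python
"""Toy screening of incoming e-mail attachments for the risk patterns the
article describes: executable or macro-bearing files arriving by mail.

Added example, not thyssenkrupp CERT tooling. The message, sender and
recipient addresses, file names and attachment bytes are all constructed;
the rules are a minimal illustration of what a mail gateway or an analyst
script would check before a user ever opens the attachment.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

EXECUTABLE_EXT = {"exe", "scr", "js", "vbs", "bat", "cmd", "ps1", "hta", "jar", "lnk"}
MACRO_EXT = {"docm", "xlsm", "pptm"}
DOCUMENT_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}


def build_sample_message():
    """Constructed multipart mail with four attachments of varying risk."""
    msg = EmailMessage()
    msg["From"] = "accounting@sender.invalid"
    msg["To"] = "employee@company.invalid"
    msg["Subject"] = "Invoice 4711"
    msg.set_content("Please find the invoice attached.")
    # Fake PE bytes behind a "pdf" name: the classic double extension.
    msg.add_attachment(b"MZ\x90\x00fake-pe", maintype="application",
                       subtype="octet-stream", filename="Invoice_4711.pdf.exe")
    # Macro-enabled Word document (OOXML files are zip containers).
    msg.add_attachment(b"PK\x03\x04fake-ooxml", maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="Report.docm")
    # PE bytes with an image name and image content type.
    msg.add_attachment(b"MZ\x90\x00disguised", maintype="image",
                       subtype="jpeg", filename="photo.jpg")
    # Harmless text file.
    msg.add_attachment(b"meeting notes", maintype="text",
                       subtype="plain", filename="notes.txt")
    return msg.as_bytes()


def classify(filename, data, content_type):
    """Return the list of risk reasons for one attachment (empty = clean)."""
    reasons = []
    exts = filename.lower().split(".")[1:]
    last = exts[-1] if exts else ""
    if last in EXECUTABLE_EXT:
        reasons.append("executable_extension")
        if len(exts) >= 2 and exts[-2] in DOCUMENT_EXT:
            reasons.append("double_extension")
    if last in MACRO_EXT or "macroenabled" in content_type.lower():
        reasons.append("macro_enabled_document")
    # Trust the bytes, not the name: a PE header under a non-executable name.
    if data.startswith(b"MZ") and last not in EXECUTABLE_EXT:
        reasons.append("disguised_executable")
    return reasons


def screen(raw_message):
    """Parse a raw RFC 5322 message and classify every attachment."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        reasons = classify(name, data, part.get_content_type())
        if reasons:
            findings.append((name, reasons))
    return findings


def verdict(findings):
    """Gateway decision: hold anything with at least one risk reason."""
    return "quarantine" if findings else "deliver"


if __name__ == "__main__":
    hits = screen(build_sample_message())
    for name, reasons in hits:
        print(f"{name}: {', '.join(reasons)}")
    print("verdict:", verdict(hits))
```

Three of the four constructed attachments are flagged and the message is held; `notes.txt` passes. The `disguised_executable` rule is the one worth noting: it looks at the first bytes rather than the extension or the declared content type, because both of those are chosen by the sender. A production filter would add archive inspection and sandbox detonation, which this toy deliberately leaves out.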