I don’t care who hacked the Ministry of Defence, I do care how they did it

The UK’s Defence Secretary, Grant Shapps, has informed the UK parliament that a data breach has exposed the names, addresses, and, critically, bank details of current military personnel and veterans. But this breach, which occurred at Shared Services Connected Ltd (SSCL), a company providing payroll services to the Ministry of Defence, could be more than just a leak of payroll information.

“Any report and damage assessment into the hack will be highly classified, so we’re unlikely to find out just how much information the hackers have managed to extract,” said Ian Thornton-Trump, CISO at Cyjax.

However: “Analysis of the data could reveal military staff with special payroll or military services codes, indicating connections to branches of service or specialised forces — potentially increasing the risk to them.”


Who was behind the Ministry of Defence hacks?

News reports about the Ministry of Defence hacks often fixate on the assumption that China was behind the hacking. While I can understand why the attribution is being made, it is far from a slam dunk.

“Attacks by foreign states usually aim at silently backdooring military networks, getting control over critical OT/ICS systems, or compromising classified military information,” said Dr Ilia Kolochenko, CEO at ImmuniWeb and Adjunct Professor of Cybersecurity at Capital Technology University. “Financial and personal data of UK military personnel is a desired target for organised cybercrime groups that run large-scale fraud, scam and blackmailing campaigns over the internet, being motivated by profits.”

For what it’s worth, the Chinese embassy has stated that these claims are both “completely fabricated and malicious slanders”.

Shapps, meanwhile, has, perhaps understandably, cited national security as the reason for not naming names. “We can’t release further details of the suspected cyber activity behind this incident,” he told his fellow parliamentarians. “However, I can confirm to the House that we do have indications that this was the suspected work of a malign actor and we cannot rule out state involvement.”

It’s about how, not who

Here’s the thing, though: from the cybersecurity purist perspective, does it really matter who carried out this breach? Of far more import than the who, or even the why (geopolitical analysis being way above my pay grade), is the how.

Obviously, the precise technical details cannot be confirmed until the results of what Shapps has said will be a “full investigation, drawing on Cabinet Office support and specialist external expertise” are known. That doesn’t mean the core problem cannot be reasonably discussed now, namely the issue of supply chain security.

Adam Pilton, a Cybersecurity Consultant at CyberSmart, and formerly a Detective Sergeant investigating cybercrime at Dorset Police, agrees that attribution speculation is a distraction. “The real issue is that an external contractor has been breached. How was the contractor breached? Did they have security controls in place?”

This is especially pertinent given the procurement policy note updating the government-backed Cyber Essentials scheme stated: “In-scope organisations must ensure that effective and proportionate cyber security controls are applied to contracts to mitigate supply chain risks.”

There has to be some question as to how effective and proportionate those controls were in this case. SSCL, which provides services to 22 UK Government departments, including the Home Office and Office for Nuclear Regulation, as well as the Metropolitan Police Service, has yet to comment on the incident.


Cyber attacks on supply chains

Ian Nicholson, Incident Response Head at Pentest People, warns that “cyber adversaries are increasingly targeting supply chains due to their interconnected and often less-secured nature, posing significant risks to organisations, particularly in critical sectors like defence”.

Comprehensive vendor assessments, stringent contractual requirements, implementing enhanced access controls, maintaining real-time monitoring, and integrating incident response strategies are all cyber essentials according to Nicholson.

Ultimately, you can outsource your service, and you can outsource security (to an extent), but, as Brian Boyd, Head of Technical Delivery at i-confidential, says: “You can’t outsource accountability for the security of your data.”

Auditing a supplier’s security posture is down to you, and it should be more than a one-time, pre-contract, box-ticking exercise. “This shouldn’t only be done when contracts are signed, but continually, based on their risk profile,” Boyd concluded, “to ensure their defences are keeping pace with modern attack trends.”

Davey Winder

With four decades of experience, Davey is one of the UK's most respected cybersecurity writers and a contributing editor to PC Pro magazine. He is also a senior contributor at Forbes. You can find him at TechFinitive covering all things cybersecurity.
