Log4Shell, Ukraine and umbrella firm cyber attacks – Computer Weekly Downtime Upload podcast

In this episode, Alex Scroxton joins Caroline Donnelly, Clare McDonald and Brian McKenna to discuss the Log4j vulnerability and Russia’s mounting pressure on Ukraine. Also discussed are cyber attacks on umbrella companies, neuro-diversity and junk in space.

December 2021 saw IT security professionals tearing their hair out over the Log4Shell vulnerability. Alex explains what it is, and why it is important: it’s all over the web, it can be hard to find to patch, and it is easy for attackers to exploit in a variety of ways.

The zero-day bug, which is tracked as CVE-2021-44228, was made public in early December, although it seems it was being exploited for some time before. First discovered in Minecraft, it is a remote code execution (RCE) vulnerability that, if left unmitigated, enables an attacker to execute arbitrary Java code to take control of a target server. It is considered almost laughably easy to exploit.

One group of attackers who exploited it was a gang of Belarussians sympathetic to Russia, who used it, among other weapons, to attack Ukrainian government and civilian websites.

As Bill Goodwin reported in Computer Weekly, malicious malware posing as ransomware was discovered on computer systems in Ukraine following a hacking attack on Friday 14 January that targeted over 70 government websites. The National Bank of Ukraine was also attacked.

Cyber security experts are continuing to analyse the WhisperGate malware used in the cyber attacks against the Ukrainian government targets. WhisperGate masquerades as ransomware but, rather than encrypting data, it unsportingly targets a system’s master boot record for destruction.

Alex notes speculation that Vladimir Putin’s cyber supporters might have “banked” vulnerability exploits ready for use in a full-scale cyber war against Ukraine that could well claw Nato countries into its maw. However, for the time being, he also notes that cyber community professionals are advocating a “rational, level-headed response” to the cyber implications of the current escalation in tensions between Nato and Russia over Ukraine.

Cyber attacks on umbrella firms

Though perhaps less exotic than cyber warfare in the Slavic lands, cyber attacks on umbrella companies in the UK are nonetheless disquieting and very damaging to the livelihoods of contractors.

And so Caroline moves the podcast on to a discussion of a spate of recent attacks on companies that process the payroll for contractors who provide their services via an employment agency to end-clients in the private or public sector. She provides both an excellent descriptive account and an intricate analysis of this ongoing story in the 8-14 February issue of Computer Weekly, also available here.

On the podcast, she narrates how the attacks unfolded in the latter part of 2021, going into the first month of 2022. Umbrella company Giant Group was forced to “proactively” suspend its entire operations from Wednesday 22 September 2021 following the discovery of “suspicious activity” on its network that was attributed to a “sophisticated cyber attack”. In January 2022, contractor payroll service provider Brookson Group said it had suffered an “extremely aggressive” cyber attack that caused it to self-report to the UK National Cyber Security Centre. And in the same month, umbrella company Parasol declared that the root cause of an ongoing systems outage blighting the lives of thousands of contractors was linked to “malicious activity” on its network.

There are about 500 umbrella companies that manage the payment of around 600,000 contractors on behalf of 40,000 employment agencies. As Caroline comments on the podcast, this generates a labour and financial supply chain that seems to have become attractive to cyber criminals, in a region of the economy that has been relatively obscure until recently, with the prominence of the IR35 reforms. It is also something of a “wild west”. In December 2021, HM Revenue & Customs, in collaboration with HM Treasury and the Department for Business, Energy and Industrial Strategy, announced the launch of a consultation, which runs until 22 February, into how the umbrella market works.

And the All-Party Parliamentary Loan Charge and Taxpayer Fairness Group has echoed calls from the Loan Charge Action Group for regulation of the umbrella industry in a letter addressed to Freelancer and Contractor Service Association (FCSA) CEO Chris Bryce. The letter refers to reports of FCSA-accredited companies, such as Giant, Parasol and Brookson, being the target of cyber attacks.

Neuro-diversity

It’s been a regular theme of the podcast that cyber security and IT more generally benefits from a more neuro-diverse workforce.

Clare moves the podcast on to one of her recent stories about professional services firm EY’s launch of a Neuro-Diverse Centre of Excellence in Manchester.

EY’s Neuro-Diverse Centres of Excellence, of which it has six already established, are designed to create an inclusive environment for employees with conditions such as autism, ADHD and dyslexia. Clare’s story cites an Office for National Statistics data point that about 22% of adults with autism in the UK are unemployed, which is a shocking waste of talent.

“People who think in a different way can often come up with creative solutions to problems that may not have crossed the mind of someone else,” she says.

Clare and Alex go on to discuss an article in Computer Weekly by Nicholas Fearn that Alex commissioned, “What neurodivergent people really think of working in cyber security”. That piece includes this observation by Nic: “Many autistic people are great at thinking logically and dedicating their attention to a specific area. Meanwhile, those with ADHD might have a creative flair and possess the ability to hyper-focus on the subject at hand.”

More support is needed than there is at present for neuro-divergent cyber security professionals, says the article. And more discussion is needed about the language around neuro-diversity, comment Alex and Clare.

Hello space junk

Brian speculates that space science benefits, or could benefit more, from neuro-diversity. Indeed, the research team in the recent Netflix film Don’t Look Up seem relatively diverse.

Brian recently interviewed Moriba Jah, the director of computational astronautical sciences and technologies for the Oden Institute at The University of Texas at Austin. Jah and his team have built a graph database, AstriaGraph, to track space junk that is a potential threat to life on Earth – and have done so using technology from Neo4j.

Brian says Moriba Jah got the idea for using graph database technology from a TV programme that showed how people cheating on their partners can be identified by using a combination of data sources – from telephone directories to Uber ride records, and so on. He and his team are doing that for space.

He calls himself a “space environmentalist” and this is how he describes his mission: “I’d like humanity to embrace near Earth as a finite resource that is in need of environmental protection, just like land, air and ocean.

“My model is, nothing hides. My ambition is to make the mysterious go away. So either people give me data, or I can purchase data, or I’m going to reverse-engineer and find things out. I’m on a mission to make space transparent, predictable, and hold people accountable for their behaviour.”

You can try the AstriaGraph out for yourself here.

Podcast music courtesy of Joseph McDade