The Ministry of Science and Innovation has confirmed that the Higher Council for Scientific Research (CSIC) and its affiliated centers suffered a Russian cyber attack on 16 and 17 July. The statement comes a week after several of the agency’s researchers spoke out through various media, including a letter to the editor published by ABC, complaining that the attack had cut off all connections to the network. To date, however, only a quarter of the centers have recovered them, although the Ministry of Science and Innovation has assured that the problem will be resolved “in the next few days”.
According to the ministry, the cyberattack was detected on July 18 and “the protocol identified by the Cybersecurity Operations Center (COCS) and the National Cryptologic Center (CCN) was activated immediately.” Among the measures adopted was the disconnection of the entire network, a situation that persists for most centers, which have to connect through their individual lines to continue functioning.
“Since last week, following a minor and localized computer attack, Spanish cyber security authorities decided to disconnect the entire CSIC from the Internet ‘sine die’,” Paul Chacon Montes, a researcher at the agency, denounced in this newspaper. “Shameful, the Chief Investigating Agent is passive and nobody cares.” Chacon pointed to an “apparent failure in forecasting and a complete lack of minimal damage assessment”, in addition to consequences such as research delays, communications cuts or administrative blockages.
Other researchers also condemned the situation via social networks:
Today we got some more information… things are moving a lot and we all have to install security software… it’s still inconceivable that we still have to return to normalcy after 15 days There is also a lot. https://t.co/u2fzOW80dk
— Irene Mendoza (@phenogirl) 2 August 2022
And some pointed to a “structural problem” in the response system to this type of problem.
Taking into account what happened in @CSIC since the end of May, I’m sorry, we are not talking (and this is no small thing) about the temporary problem of (very fixable) feedback against ransomware. We are talking about structural problems.
— David Arroyo Gardeno (@davidalqabri) 2 August 2022
“We understand that a ransomware attack is something complex that can take time to resolve,” David Arroyo Gardeno, cyber security researcher at CSIC’s Institute of Physical and Information Technology, tells ABC. “But the problem here is that the protocol required, at the moment, does not exist.” Precisely on 18 July, Arroyo had a critical delivery to make by 31 July, but the network went down without warning due to a firewall activated to try to prevent damage, he says. As a cybersecurity expert, he was able to turn to other sources to find out what it was: ransomware, a method by which cybercriminals encrypt part of the information of an attacked organization or company in order to demand a ransom in exchange for releasing the data.
However, the ministry says nothing about possible payments to cybercriminals, only that the attack is “similar to that of other research centers such as the Max Planck Institute or the National Aeronautics and Space Administration of the United States (NASA).” “The situation in Spain cannot be compared with organizations like the US, where an attack on this type of research becomes a matter of direct national security.”
Still, Arroyo Gardeno insists that this outage is already causing great harm to CSIC researchers. “I’ve been unemployed for two weeks, which is going to affect my annual plan. Six other researchers relying on me will be left on the road in January if our work doesn’t progress. Years of work is crippling.”
Although government sources give assurances that “in the absence of the final report of the investigation (…), no loss or abduction of sensitive or confidential information has been detected”, the truth is that, at the beginning of Russia’s invasion of Ukraine, staff had already been warned to turn off equipment over the weekend in case of possible attacks of this type. “Something that has been observed has not been effective,” emphasizes the researcher.
What to do in case of a ransomware attack?
But what steps should be taken once such an attack is detected? “We have two objectives: to restore service and identify where cybercriminals have gone,” Lawrence Martinez, director of cyber security company Securízame, tells ABC. “And this process can be delayed for a variety of reasons, such as it is a very large organization or the backup is compromised or even non-existent.”
According to Martinez, the purpose of these cybercriminals is to obtain a ransom that “can even reach one million euros.” “Before, cybercriminals gave you the virus and left; now, they continue to trace the data and use it against you, so interacting with them can be a difficult task.”
“The biggest problem here is that there is no defined protocol on what to do in these cases in a complex institution like CSIC. We don’t know where we are or how long it will take to solve it,” says Arroyo Gardeno. “And on behalf of the government they have issued a statement only when we have condemned it through the network.”
Past attacks
These cyber attacks on public administration bodies are not new: bodies such as the Public Employment Service (SEPE), the National Statistical Institute and various ministries, such as Education and Culture, Justice, or Economic Affairs and Digital Transformation, were apparently victims of targeted attacks in 2021.
This year, along with the conflict in Ukraine, attacks continue to increase in all EU member states, including Spain. “For example, a similar attack a few months ago affected the Autonomous University of Barcelona, which was closed for almost three months. In the last decade we have seen how these incidents have increased, but with the help of COVID and, more recently, after the war between Ukraine and Russia, they grew rapidly,” says Arroyo Gardeno.