As John Chambers, former CEO of Cisco, said, “There are two types of companies: those that have been hacked and those that don't know they have been hacked.” This statement has never been stronger in Colombia than on September 12, 2023, when the country woke up to the digital chaos of an unprecedented cyberattack that left more than 70 digital services of the national government and several private entities offline.
What initially appeared to be a technical inconvenience quickly turned out to be a sophisticated and devastating cyber operation, exposing the vulnerability of our digital infrastructure.
For many people who work in cybersecurity, the worrying issue was the poor communication of the incident by the provider IFX Networks, which published a statement that gave few clues.
The government acted correctly by convening its cybersecurity capabilities, including the support of the Colombian Cyber Emergency Response Group (COLCERT) and the Computer Security Incident Response Team (CSIRT) associated with the Presidency, as well as the creation of a PMU (Unified Command Post) with different actors, including MINTIC.
Identification of the adversary
Three days later, on September 15, COLCERT and the Presidency's CSIRT issued an official statement describing the context of the incident. The diagnosis: a ransomware known as MarioLocker, a threat that was not unknown in the cybersecurity world, with more than 459 incidents globally. “COLCERT, through its Cyber Threat Intelligence analysis, identified linked artifacts that indicate possible vulnerabilities that could be exploited by third parties. These vulnerabilities can affect devices and assets related to cloud resources, as Microsoft notes. The spread of the threat can impact services linked to information systems and remote connection tools in virtualized environments,” reads the report.
This already revealed several issues: cybercriminals were able to take advantage of vulnerabilities in virtualized environments and plan the cyberattack strategically, and neither the public and private entities nor the service provider had a continuity strategy. The damage is incalculable because of the loss of availability of information; this is the biggest 'scar' left by the crisis of recent weeks. The government will have to identify all of the vital data affected, since many entities were unable to access their information for more than 8 days.
Establishing consequential damage and lost profits is a monumental challenge, mainly because there is no precedent for an attack of this magnitude and nature.
Some causes behind the attack
Several factors contributed to the magnitude of this cyberattack. First, it is worth highlighting something that has not been mentioned: Colombia has for years had an MSPI model (Modelo de Seguridad y Privacidad de la Información) that includes documentation, standards and procedures on cybersecurity matters. The MSPI model even includes incident report formats.
Saying that there are no processes and documents is false. The Colombian model is strong on documentation; the problem is that controls failed in several processes.
Some of the causes of the attack can be reflected in topics such as:
1. Lack of backup copies and continuity strategy
The resources were literally in the same place, which means that some entities did not have easy access to backup copies. The IFX Networks incident revealed a critical vulnerability in many entities' data backup strategy: all their data, including backups, was stored in the same cloud. This concentration of information at a single point of failure underscores the importance of diversifying storage and backup strategies to ensure business continuity in the face of attacks. The absence of simulation exercises was strongly felt: the real attack became the crudest and most revealing simulation, exposing failures in RPO (Recovery Point Objective) and RTO (Recovery Time Objective).
2. Prioritizing price over security
In some cases, cloud services were purchased under the Colombia Compra Eficiente pricing framework at a lower price, but not with better information security. The model is worth reviewing in terms of cybersecurity: in the existing catalog, security should prevail over price.
3. Vulnerability management
Everything indicates that cybercriminals exploited a specific vulnerability related to virtualization in the IFX Networks infrastructure. This breach, apparently not properly managed, allowed unprecedented access to the systems, revealing the lack of a proactive vulnerability management strategy. Controls on cloud providers must be increasingly strict, and ethical hacking tests, vulnerability analysis and controls must be demonstrated continuously in all environments.
4. Communication management
During the incident, IFX Networks' communication processes left much to be desired. Despite the magnitude of the attack and the implications for numerous entities, the information provided was scarce and, at times, late. It was not until September 19 that clearer and more detailed statements about the situation began to emerge.
The lack of transparency and intermittency in the availability of its website in the previous days only intensified the uncertainty and concern among the affected entities and the general public. Timely and clear communication is essential in times of crisis, and in this case, a notable deficiency in that regard was evident. On September 21, 2023, the company reported that it had managed to restore services for 90% of its customers, with the expectation of a full recovery soon.
5. The evolution of ransomware
Ransomware has been evolving over the years, with an increasingly specialized anatomy, which let cybercriminals take advantage of vulnerabilities and achieve their objectives. According to reports from cybersecurity companies such as Sophos, ransomware attacks are becoming increasingly specialized: in 76% of cases, cybercriminals manage to encrypt their victims' data successfully, evidencing a growing sophistication in their methods.
6. The response and implications for the future
Although the provider has announced a solution to the recent cyberattack, the outlook remains uncertain. Since September 18, the Ministry of Information and Communications Technologies (MinTIC) has stated in various media its decision to take legal action, which foreshadows a period of analysis and possibly litigation. At the same time, authorities are increasing surveillance of the dark web, looking for signs of leaks that may be linked to the incident, but this is only beginning: sometimes information is leaked months later, and patience is a cybercriminal's greatest virtue. The matter must be investigated with cyber intelligence and OSINT; that is what the coming days hold, to establish whether any information could have been exposed. It would also be worth establishing whether IFX performed any computer forensics to establish the full context.
Likewise, it is not clear if the company had any type of insurance policy or what it is doing for the investigation process. Only IFX Networks and the cracker group truly know the depth of the access and what information was compromised. Time will undoubtedly reveal the truth.
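The first cause above, backups kept in the same cloud as production and untested RPO/RTO, can be checked before an incident rather than discovered during one. The following Python script is an added illustration, not code from the article or from any of the entities it names: it takes an inventory of backup copies (a constructed sample; the fault-domain labels "providerA-cloud" and "providerB-object" are assumptions), removes every copy that lives in a lost fault domain, and reports the effective RPO and RTO of what survives against the targets, together with a 3-2-1 rule check.

```python
"""Backup-resilience check: does a backup inventory survive the loss of one
fault domain (a provider, a cloud, a site), and does the surviving copy meet
the RPO/RTO targets?  Added example; inventory below is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class BackupCopy:
    name: str
    location: str         # fault domain label, e.g. "providerA-cloud" (assumed)
    media: str            # "disk", "object-storage", "tape", ...
    isolated: bool        # True if not reachable from the production network
    taken_at: datetime
    restore_hours: float  # measured time to restore from this copy


def surviving_copies(copies, lost_locations):
    """Copies still usable when the given fault domains are lost
    (encrypted by ransomware, provider outage, ...)."""
    return [c for c in copies if c.location not in lost_locations]


def effective_rpo(copies, incident_at) -> Optional[timedelta]:
    """Data-loss window: time between the newest surviving copy and the
    incident.  None means no copy survived, i.e. the loss is unbounded."""
    if not copies:
        return None
    newest = max(c.taken_at for c in copies)
    return incident_at - newest


def effective_rto(copies) -> Optional[float]:
    """Fastest restore among the surviving copies, in hours."""
    if not copies:
        return None
    return min(c.restore_hours for c in copies)


def three_two_one(copies):
    """3-2-1 rule: at least 3 copies, on 2 media types, 1 isolated/off-site.
    The production copy counts as one of the three, as the rule usually does."""
    return {
        "three_copies": len(copies) >= 3,
        "two_media": len({c.media for c in copies}) >= 2,
        "one_isolated": any(c.isolated for c in copies),
    }


def assess(copies, lost_locations, incident_at, rpo_target_hours, rto_target_hours):
    """Findings for one loss scenario, measured against RPO/RTO targets."""
    survivors = surviving_copies(copies, lost_locations)
    rpo = effective_rpo(survivors, incident_at)
    rto = effective_rto(survivors)
    return {
        "survivors": [c.name for c in survivors],
        "rpo_hours": None if rpo is None else rpo.total_seconds() / 3600,
        "rpo_met": rpo is not None and rpo <= timedelta(hours=rpo_target_hours),
        "rto_hours": rto,
        "rto_met": rto is not None and rto <= rto_target_hours,
        **three_two_one(copies),
    }


# Constructed sample inventory; labels and times are assumptions.
INCIDENT = datetime(2023, 9, 12, 4, 0)
# Production plus a snapshot in the very same cloud: the pattern the article describes.
SAME_CLOUD_ONLY = [
    BackupCopy("production", "providerA-cloud", "disk", False, INCIDENT, 0.0),
    BackupCopy("daily-snapshot", "providerA-cloud", "disk", False,
               INCIDENT - timedelta(hours=6), 4.0),
]
# Same inventory plus one isolated copy in a different fault domain.
WITH_OFFSITE = SAME_CLOUD_ONLY + [
    BackupCopy("offsite-nightly", "providerB-object", "object-storage", True,
               INCIDENT - timedelta(hours=20), 12.0),
]

if __name__ == "__main__":
    for label, inv in (("same cloud only", SAME_CLOUD_ONLY), ("with offsite", WITH_OFFSITE)):
        # Scenario: the whole primary cloud is lost; targets RPO 24h, RTO 8h.
        print(label, assess(inv, {"providerA-cloud"}, INCIDENT, 24.0, 8.0))
```

Run against the same-cloud inventory, the scenario leaves no survivors at all, so RPO and RTO are undefined, which is the situation entities with backups in the affected cloud found themselves in. With the off-site copy the RPO target is met, but the measured 12-hour restore still misses an 8-hour RTO: a gap that only a restore drill, not an inventory, reveals.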
At the end of the day, there are two types of companies: those that have been hacked and those that don't know it yet. But to this reality, we add a third type: those hacked that demonstrate capacity and resilience in their response.