Sitting in the ground floor boardroom of Kroll in St Stephen’s Green in Dublin, Jason Smolanoff, a softly spoken and thoughtful American, is explaining a recent case involving a client who was the victim of a cyberattack by a nation-state.
Smolanoff is loath to divulge the names of those involved – after all, he built a career in counter-espionage and counter-terrorism with the FBI. But the story resonates as an example of the lengths to which some state actors will go to obtain information and then to cover their tracks.
The hackers took in the region of four terabytes of data from this one entity. It was, according to Smolanoff, designed to look like a massive data breach with no real motivation. However, the more Smolanoff and his team at Kroll investigated, the more they realised that the hackers were only looking for a sliver of financial information relating to just a few hours.
“They made it look like a financially motivated crime to conceal themselves, but it was really to identify information for a set of individuals who did a transaction on one particular day,” said Smolanoff.
The president of the cyber risk practice with Kroll, the global business advisory firm, Smolanoff spends his days unpicking the intricacies of cyberattacks – advising governments and corporations on how to avoid them, and how to deal with them if they are targeted.
It is an increasingly complex task. Cyberattacks have become commonplace, used by criminal gangs, activists, and governments alike. Jens Stoltenberg, the secretary general of Nato, summed it up best in November 2022: “Cyber is now a domain of operations equal to those of land, sea, air, or space”.
And the economic cost is large – costs related to cybercrime are forecast to reach $10.25 trillion a year by 2025 worldwide. Yet, many companies remain unprepared. And many corporations tend not to disclose when they have been attacked.
“It can be the wild west,” said Smolanoff. “And it is only getting worse.”
Jason Smolanoff has been many things over the course of his career.
First, he was a physical chemist, specialising in helping manufacture cutting-edge computer chip technology for clients such as IBM, Sony, and Motorola. In this role, he even registered two patents in his own name.
After that, he moved into law enforcement, working all over the world as an agent with the FBI. He has worked as an independent consultant, started his own business, and now holds a senior position for Kroll, the global financial advisory company. He is an adjunct professor at Loyola Law School and also serves as a Commissioner for the San Miguel Gaming Commission in California.
While it may seem like an eclectic resume, it has tended to focus on a particular area: cybersecurity and electronic crime.
He was a supervisory special agent for the FBI’s cyber national security squad between 1999 and 2011, working on counter-intelligence and counter-terrorism, before holding a senior position with the Organised Crime Unit in Kabul, Afghanistan.
During his time in law enforcement, he was the primary case agent for Operation Phish Phry (OPP), which resulted in the arrest and prosecution of more than 100 individuals in the US and Egypt – the largest cyber investigation and prosecution in history. He was also the case agent for Operation Summer Solstice, the largest counterfeit software investigation in history – it gathered evidence to prosecute 50 individuals and seize more than $500 million of counterfeit software.
Over his career, he has seen the world of cyberattacks ebb, flow, and accelerate.
When he first started doing this kind of work way back in the early 2000s, he said the majority of the incidents were “national security types of events” where the “motivation behind the network or computer intrusion was focused on gathering data for intelligence gathering purposes”.
He added: “Typically, a nation-state conducting an intrusion into cleared defence contractors, that’s what I saw the most. And it tended to be governments attacking governments.”
In 2006 and 2007, financial institutions started to be targeted “because that’s where the money is,” he said. “So then you’re seeing two motivations. You’re seeing both intelligence gathering, and then criminally motivated activity for financial gain.”
Over the last decade, however, he said there had been a surge of attacks against clients or entities that hold data – healthcare systems, professional services firms, and large corporates.
“Now it has become much more mainstream, in which the four main motivations that I see – the nation-state, financially motivated crime, hacktivism, where you’re attacking to promote some type of social agenda,” he said.
“And then obviously insiders, right, who have different motivations than the rest of them. But now it’s an industry. It used to be a little more bespoke on the financially motivated crime and the nation-state attacking.
“Now, it is a criminal enterprise at this point where there’s a crossover between organised crime, financially motivated crime, and nation-state crime – some of those groups are doing both at the same time.”
According to the former federal agent, the hardest part of the job is determining who is doing the attack – and what their real motivation is: “It’s hard to say how much is state actors versus organised crime groups because they start to use the hallmarks of each other.”
The state actor
Russia’s invasion of Ukraine was backed up by several cyberattacks. There were numerous ransomware attacks on munitions companies and defacements of several US airport websites. In a recent article with Megan Greene, a prominent economist who also works with Kroll, Smolanoff also highlighted a huge distributed denial of service attack that crippled one of the largest banks in Russia.
Cyberwarfare and nation-state attacks existed long before the invasion. But it has served as a stark reminder of the role of information – and disinformation – in war.
“In general, cyber is part of any kind of warfare doctrine at this point. It’s not some side piece,” Smolanoff said. “The US has a cyber command. And that is an offensive cyber arm. Other countries have offensive cyber arms and they tend to be used in conjunction with a kinetic attack that would ultimately happen.
“Back when they invaded Crimea, it was pretty clear prior to the invasion, they did a cyber attack to take out communications and certain power prior to the troops rolling in. So I think you’re going to see a lot of that going forward. Even though most of the time you see cyber attacks on the side or on the periphery. Whether it’s an act of war or not, that’s debated by people smarter than me. But it is definitely used in conjunction with kinetic activity.”
Attacks on state agencies can be high-profile and public. However, many companies do not disclose when they have been hit. During his time in the FBI, Smolanoff said that they saw only 15 to 25 per cent of what was occurring.
“There are reputational risks that come with disclosing these types of events, especially these days. Any kind of disclosure outside of an organisation carries risk to that organisation. And these days, there’s compliance risk, there’s legal risk, there’s financial risk, there’s reputational risk. You’ll be sued, depending upon jurisdictions, by class actions. You will have regulators providing inquiries. It all costs money, and it all puts your company in not the best light,” he said.
Smolanoff said it was crucial to understand who was the victim and who made the attack. “I always have a problem with companies who have been victimised being victimised again – as if they didn’t do something right now. Some don’t. But some do. Just because a company has a cybersecurity incident doesn’t necessarily mean they have a poor cybersecurity programme. And I think that’s something that needs to be more prominent in the industry,” he said.
Another trend is the rise of ransomware, where criminal enterprises disrupt a network until a ransom is paid. Smolanoff said that ransomware is a fully-fledged business with organised groups behind these attacks.
“These groups operate like a regular company. People come into an office, they have HR functions. They have HR problems. We at Kroll are divided up in cyber and restructuring and valuation and certain things like that,” he said.
“They are designed where one group creates malware, one group deploys the malware, one group does network reconnaissance, and one group is an expert at data exfiltration. They operate in that fashion. And then other groups are negotiators, right? They do the money part of it. So when you think about these groups, they really are professional organisations that are sanctioned by governments in the countries they’re operating.”
He would not be drawn on what countries are operating in these areas other than to say “the usual suspects” and that they can be anywhere. “And for the most part, they operate like a business. If the company does pay a ransom, there’s a high likelihood that you’re going to get an actual decryption key for that because it’s part of their business model.”
In an increasingly complex and contested world, how can companies mitigate risk? This is something that Smolanoff has thought a great deal about – testifying before numerous government committees all over the world on the topic.
In his view, it is not about making sure you are impenetrable. Instead, it is about how quickly you can detect, and how rapidly you can respond. “Any attacker with enough time, commitment, and resources will get into your network. Hands down. But that doesn’t mean that you have a poor information security programme. It’s what you do next,” he said.
He said it was crucial that companies – and boards – took all reasonable steps to mitigate risks and to ensure that the steps and procedures were in place to deal with any attack.
“You need to demonstrate maturity in that space. So it’s not just enough to say, we did a check, and we’re here. You have to show that you have evidence that you’ve been working on this. Did you do a tabletop exercise? Do you have an incident response plan? Have you exercised that plan? Have you exercised it with the board, with your technology folks?” he said.
Eben Louw on the importance of management buy-in
Eben Louw is senior vice president, digital forensics & incident response at Kroll. Here, he explains what companies need to do to be ready for a cyber incident:
“One of the biggest struggles that companies have is getting buy-in and support from the business leadership executives, the folks who actually manage the funds. It is always a struggle. Leaders know they need to improve security, but they have to deal with budgets also. So one of the things that we’ve seen, and it’s also something that our clients are asking more and more for, is to involve senior leadership in things like a tabletop exercise. It’s an incident rehearsal, so that they can understand upfront before the incident actually occurs, what is involved. They can understand the key questions: How do we need to respond? What do we do about communications? How do we do all of this? So I think that is one thing that really needs to change and become more prominent in organisations.”