Passwords are a weak form of protection and complacency runs high. We might not think that we, as individuals, would be unlucky enough to be targeted by hackers, or that we’re worth hacking at all. But that complacency extends from smartphone-toting citizens right up to government contractors and employees of multinational corporations.
This week, Microsoft said it had seen a surge in activity from a suspected state-sponsored group of hackers, thought to be Iranian, targeting companies in the Middle East working in defence, fossil fuels and maritime transportation. Its strategy? Guessing the passwords of Microsoft Office 365 users. Its success rate? Of more than 250 targets, fewer than 20 systems were compromised. The spoils? Data such as shipping plans, logs and satellite imagery, which, Microsoft says, could assist with Iran’s developing satellite programme.
It wasn’t a sophisticated attack, but it was an effective one. Microsoft says it used a freely available research tool to blast a series of commonly used passwords at vulnerable systems. Known as “password-spraying”, the technique is more about brute force than subtlety, but any large organisation will inevitably have a small number of systems protected by weak passwords, and these provide an incredibly convenient point of entry.
A survey conducted earlier this year by software firm Keeper Security found that more than a third of employees have incorporated their company's name into a new work-related password. The company also reported high usage of family names or birth dates. For state-sponsored hackers with a wealth of tools at their disposal, accounts secured in this way are the lowest of low-hanging fruit.
Such hackers are known as APTs, or “advanced persistent threats”, and security monitoring groups give them codes to match. The North Korean APT38, for example, also known as the Lazarus Group or Zinc, has achieved a number of successful, high-profile attacks – including a crippling one on Sony Pictures – going back as far as 2009. Their aims and strategies are self-evident: they have specific objectives to disrupt, steal or observe – usually for political or economic ends – and crucially they have the skills, time and resources to succeed.
Proving that nation states are behind APTs and their attacks is difficult; the origin of a single cyber attack is hard to detect and responsibility for it is easy to deny. But the label “state-sponsored” can cover a multitude of different involvements - some hacker groups may be tightly integrated within government departments, while others could be third parties to which governments choose to turn a blind eye because their aims happen to align very neatly. The current world leader in hacking is, according to Microsoft, Russia, as it says 58 per cent of attacks from July 2020 to June 2021 originated there, with North Korea second (23 per cent) and Iran third (11 per cent). The US and Ukraine were the most besieged by cyber attacks, receiving 46 per cent and 19 per cent, respectively.
The coronavirus pandemic has seen an escalation in nefarious activity, with Google reporting bad actors using 'Covid-related themes' to attack US government employees
The recent breach of a handful of systems via Microsoft Office would seem, on the face of it, to be a comparatively minor incident. But the past decade has demonstrated the potential that state-sponsored hackers have to wreak havoc. In 2017, the so-called “WannaCry” attack, thought to have originated in North Korea, caused huge disruption to health services in the US and the UK, along with Russian banks and corporations including Nissan. In 2018, hackers in Russia conducted a mass cyber-campaign against home routers and ISPs around the world, with weak passwords again providing them with easy pickings. In 2017, Iran was suspected of a malware attack that caused infrastructure systems in Saudi Arabia to be shut down. Connectivity has brought with it vulnerability.
The coronavirus pandemic has sparked an escalation in nefarious activity, with Google reporting bad actors using “Covid-related themes” to attack US government employees through phishing scams (including posing as fast-food outlets), while Microsoft reported a Russian hacking group called Strontium (APT28) using password-spraying in an attempt to infiltrate medical agencies working on a vaccine.
Crucially, if a weak password gives hackers a foothold, it may be possible for them to gain privileges to access other systems within the organisation. In July, the US government, in response to the rising incidence of malicious cyber activity, offered rewards of up to $10 million for information that would help authorities track down those responsible.
Multimillion-dollar rewards may well help in the fight against these attacks, but Microsoft and Google are also working with companies to prevent something as critical as national security hanging on something as threadbare as a weak password. Microsoft is urging greater use of two-factor authentication (where an extra pass key is required alongside a password) or, more preferably, sign-in methods that don’t use passwords at all. It has recently encouraged wider use of an app, Microsoft Authenticator, which signs in neatly with bolstered security. This week, Google provided 10,000 users deemed at high risk of state-sponsored attacks (activists, journalists, government employees), with free USB security keys to replace their passwords altogether.
Step-ups in security, of course, merely prompt hackers to become more ingenious. Some dispute the validity of the term “cyber warfare”, given that the cyberattacks have neither the scale nor the brutality of actual war. But both sides are mustering all their resources, and the battle – as we are seeing – is undoubtedly real.
The National Archives, Abu Dhabi
Founded over 50 years ago, the National Archives collects valuable historical material relating to the UAE, and is the oldest and richest archive relating to the Arabian Gulf.
Much of the material can be viewed on line at the Arabian Gulf Digital Archive - https://www.agda.ae/en
More from Rashmee Roshan Lall
The Kites
Romain Gary
Penguin Modern Classics
Dengue%20fever%20symptoms
%3Cp%3EHigh%20fever%20(40%C2%B0C%2F104%C2%B0F)%3Cbr%3ESevere%20headache%3Cbr%3EPain%20behind%20the%20eyes%3Cbr%3EMuscle%20and%20joint%20pains%3Cbr%3ENausea%3Cbr%3EVomiting%3Cbr%3ESwollen%20glands%3Cbr%3ERash%26nbsp%3B%3C%2Fp%3E%0A
Bridgerton%20season%20three%20-%20part%20one
%3Cp%3E%3Cstrong%3EDirectors%3A%20%3C%2Fstrong%3EVarious%3C%2Fp%3E%0A%3Cp%3E%3Cstrong%3EStarring%3A%3C%2Fstrong%3E%20Nicola%20Coughlan%2C%20Luke%20Newton%2C%20Jonathan%20Bailey%3C%2Fp%3E%0A%3Cp%3E%3Cstrong%3ERating%3A%20%3C%2Fstrong%3E3%2F5%3C%2Fp%3E%0A
The%20US%20Congress%20explained
%3Cp%3E-%20Congress%20is%20one%20of%20three%20branches%20of%20the%20US%20government%2C%20and%20the%20one%20that%20creates%20the%20nation's%20federal%20laws%3C%2Fp%3E%0A%3Cp%3E-%20Congress%20is%20divided%20into%20two%20chambers%3A%20The%20House%20of%20Representatives%20and%20the%20Senate%3C%2Fp%3E%0A%3Cp%3E-%C2%A0The%20House%20is%20made%20up%20of%20435%20members%20based%20on%20a%20state's%20population.%20House%20members%20are%20up%20for%20election%20every%20two%20years%3C%2Fp%3E%0A%3Cp%3E-%20A%20bill%20must%20be%20approved%20by%20both%20the%20House%20and%20Senate%20before%20it%20goes%20to%20the%20president's%20desk%20for%20signature%3C%2Fp%3E%0A%3Cp%3E-%20A%20political%20party%20needs%20218%20seats%20to%20be%20in%20control%20of%20the%20House%20of%20Representatives%3C%2Fp%3E%0A%3Cp%3E-%20The%20Senate%20is%20comprised%20of%20100%20members%2C%20with%20each%20state%20receiving%20two%20senators.%20Senate%20members%20serve%20six-year%20terms%3C%2Fp%3E%0A%3Cp%3E-%20A%20political%20party%20needs%2051%20seats%20to%20control%20the%20Senate.%20In%20the%20case%20of%20a%2050-50%20tie%2C%20the%20party%20of%20the%20president%20controls%20the%20Senate%3C%2Fp%3E%0A
MATCH INFO
FA Cup final
Chelsea 1
Hazard (22' pen)
Manchester United 0
Man of the match: Eden Hazard (Chelsea)
Correspondents
By Tim Murphy
(Grove Press)
The specs
Engine: 6.2-litre V8
Transmission: seven-speed auto
Power: 420 bhp
Torque: 624Nm
Price: from Dh293,200
On sale: now
BUNDESLIGA FIXTURES
Saturday, May 16 (kick-offs UAE time)
Borussia Dortmund v Schalke (4.30pm)
RB Leipzig v Freiburg (4.30pm)
Hoffenheim v Hertha Berlin (4.30pm)
Fortuna Dusseldorf v Paderborn (4.30pm)
Augsburg v Wolfsburg (4.30pm)
Eintracht Frankfurt v Borussia Monchengladbach (7.30pm)
Sunday, May 17
Cologne v Mainz (4.30pm),
Union Berlin v Bayern Munich (7pm)
Monday, May 18
Werder Bremen v Bayer Leverkusen (9.30pm)
Company Fact Box
Company name/date started: Abwaab Technologies / September 2019
Founders: Hamdi Tabbaa, co-founder and CEO. Hussein Alsarabi, co-founder and CTO
Based: Amman, Jordan
Sector: Education Technology
Size (employees/revenue): Total team size: 65. Full-time employees: 25. Revenue undisclosed
Stage: early-stage startup
Investors: Adam Tech Ventures, Endure Capital, Equitrust, the World Bank-backed Innovative Startups SMEs Fund, a London investment fund, a number of former and current executives from Uber and Netflix, among others.
Illegal%20shipments%20intercepted%20in%20Gulf%20region
%3Cp%3EThe%20Royal%20Navy%20raid%20is%20the%20latest%20in%20a%20series%20of%20successful%20interceptions%20of%20drugs%20and%20arms%20in%20the%20Gulf%3C%2Fp%3E%0A%3Cp%3E%3Cstrong%3EMay%2011%3A%20%3C%2Fstrong%3EUS%20coastguard%20recovers%20%2480%20million%20heroin%20haul%20from%20fishing%20vessel%20in%20Gulf%20of%20Oman%3C%2Fp%3E%0A%3Cp%3E%3Cstrong%3EMay%208%3A%3C%2Fstrong%3E%20US%20coastguard%20vessel%20USCGC%20Glen%20Harris%20seizes%20heroin%20and%20meth%20worth%20more%20than%20%2430%20million%20from%20a%20fishing%20boat%3C%2Fp%3E%0A%3Cp%3E%3Cstrong%3EMarch%202%3A%3C%2Fstrong%3E%20Anti-tank%20guided%20missiles%20and%20missile%20components%20seized%20by%20HMS%20Lancaster%20from%20a%20small%20boat%20travelling%20from%20Iran%3C%2Fp%3E%0A%3Cp%3E%3Cstrong%3EOctober%209%2C%202022%3A%20%3C%2Fstrong%3ERoyal%20Navy%20frigate%20HMS%20Montrose%20recovers%20drugs%20worth%20%2417.8%20million%20from%20a%20dhow%20in%20Arabian%20Sea%3C%2Fp%3E%0A%3Cp%3E%3Cstrong%3ESeptember%2027%2C%202022%3A%3C%2Fstrong%3E%20US%20Naval%20Forces%20Central%20Command%20reports%20a%20find%20of%202.4%20tonnes%20of%20heroin%20on%20board%20fishing%20boat%20in%20Gulf%20of%20Oman%C2%A0%3C%2Fp%3E%0A
UAE currency: the story behind the money in your pockets
In numbers: PKK’s money network in Europe
Germany: PKK collectors typically bring in $18 million in cash a year – amount has trebled since 2010
Revolutionary tax: Investigators say about $2 million a year raised from ‘tax collection’ around Marseille
Extortion: Gunman convicted in 2023 of demanding $10,000 from Kurdish businessman in Stockholm
Drug trade: PKK income claimed by Turkish anti-drugs force in 2024 to be as high as $500 million a year
Denmark: PKK one of two terrorist groups along with Iranian separatists ASMLA to raise “two-digit million amounts”
Contributions: Hundreds of euros expected from typical Kurdish families and thousands from business owners
TV channel: Kurdish Roj TV accounts frozen and went bankrupt after Denmark fined it more than $1 million over PKK links in 2013
%3Cp%3EThe%20Department%20of%20Culture%20and%20Tourism%20-%20Abu%20Dhabi%E2%80%99s%20Arabic%20Language%20Centre%20will%20mark%20International%20Women%E2%80%99s%20Day%20at%20the%20Bologna%20Children's%20Book%20Fair%20with%20the%20Abu%20Dhabi%20Translation%20Conference.%20Prolific%20Emirati%20author%20Noora%20Al%20Shammari%2C%20who%20has%20written%20eight%20books%20that%20%20feature%20in%20the%20Ministry%20of%20Education's%20curriculum%2C%20will%20appear%20in%20a%20session%20on%20Wednesday%20to%20discuss%20the%20challenges%20women%20face%20in%20getting%20their%20works%20translated.%3C%2Fp%3E%0A
Our legal columnist
Name: Yousef Al Bahar
Advocate at Al Bahar & Associate Advocates and Legal Consultants, established in 1994
Education: Mr Al Bahar was born in 1979 and graduated in 2008 from the Judicial Institute. He took after his father, who was one of the first Emirati lawyers
What are the GCSE grade equivalents?
- Grade 9 = above an A*
- Grade 8 = between grades A* and A
- Grade 7 = grade A
- Grade 6 = just above a grade B
- Grade 5 = between grades B and C
- Grade 4 = grade C
- Grade 3 = between grades D and E
- Grade 2 = between grades E and F
- Grade 1 = between grades F and G
Name: Peter Dicce
Title: Assistant dean of students and director of athletics
Favourite sport: soccer
Favourite team: Bayern Munich
Favourite player: Franz Beckenbauer
Favourite activity in Abu Dhabi: scuba diving in the Northern Emirates
WWE Super ShowDown results
Seth Rollins beat Baron Corbin to retain his WWE Universal title
Finn Balor defeated Andrade to stay WWE Intercontinental Championship
Shane McMahon defeated Roman Reigns
Lars Sullivan won by disqualification against Lucha House Party
Randy Orton beats Triple H
Braun Strowman beats Bobby Lashley
Kofi Kingston wins against Dolph Zigggler to retain the WWE World Heavyweight Championship
Mansoor Al Shehail won the 50-man Battle Royal
The Undertaker beat Goldberg
UAE currency: the story behind the money in your pockets
How does ToTok work?
The calling app is available to download on Google Play and Apple App Store
To successfully install ToTok, users are asked to enter their phone number and then create a nickname.
The app then gives users the option add their existing phone contacts, allowing them to immediately contact people also using the application by video or voice call or via message.
Users can also invite other contacts to download ToTok to allow them to make contact through the app.
Infiniti QX80 specs
Engine: twin-turbocharged 3.5-liter V6
Power: 450hp
Torque: 700Nm
Price: From Dh450,000, Autograph model from Dh510,000
Available: Now
UAE currency: the story behind the money in your pockets
