“Hackers are in malicious marketing”, analysis Wednesday, November 24 on franceinfo Damien Bancal, journalist specializing in issues related to cybersecurity, and founder of the Zataz.com blog, which helps victims of web hackers. “People without faith or law, who are afraid of nothing and threaten” many actors, sometimes posting some of the items they stole in order to put pressure on their victims.
Franceinfo learned on Tuesday that elements of the investigation file for the attack on Charlie Hebdo, on January 7, 2015, including at least one photo of the crime scene, were published on the Internet. They were stolen from a law firm, whose client was one of the civil parties in the file. The Russian hacker group Everest is suspected of being behind this operation, according to our information. A ransom of 500,000 euros was first demanded from the law firm, then the amount was increased due to the sensitive nature of the hacked data. A judicial investigation was opened and a hacker suspected of having played the role of intermediary between the hackers and the firm was arrested about ten days ago, still according to our information.
franceinfo: Justice has become a target like any other for hackers?
Damien Bancal: Yes, because the legal actors have a lot of information. First, hackers are really into what I call malicious marketing. They go looking where the money is. And justice, law firms are actors where there is money, and personal data, very sensitive information. In the spring of 2020, a New York law firm had the data of famous clients hacked: Lady Gaga, Madonna, Bruce Springsteen, among others. The hackers had demanded more than $42 million. It is unclear whether the law firm paid. But hackers have put their cards on the table, like in poker.
Do we have any idea of the number of companies that pay the ransoms, rather than going to court?
It’s very difficult to know. There is an omerta in this environment. Admitting to being hacked for a lot of companies, and it’s a big mistake to think that, is admitting to being fallible. So it’s better not to talk about it. We also have all these populations who pay and do not say so, because it can be embarrassing in relation to the information that has been stolen. These companies hope that the hackers, hand on heart, have erased this data.
Do not believe hackers. Once the hackers have stolen the information, they will share it, resell it.”Damien Bancal, journalist specializing in cybersecurity issues
They will also distribute them freely on the Internet, as we have seen in the case of the law firm linked to Charlie Hebdo.
Do we manage to arrest pirates?
We have authorities who are acting more and more. The French gendarmerie, but also the national police have participated, in recent weeks, in arrests abroad, such as in Ukraine. But unfortunately, opposite, it’s a bit like all mafias, whether physical or digital. One arrested, ten reappear.
What do we know about the group of Russian pirates Everest, at the origin of the hacking of the law firm, according to our information?
They are believed to be from eastern countries. But it’s still quite complicated to know all the ramifications. In any case, we know that they have been acting for several months. For example, they attacked the Toronto airport, a lot of law firms and accounting firms. These are people who spread the information they steal and, above all, clearly announce publicly how much money they want. For Charlie Hebdo, they say very clearly that they want 500,000 dollars, because they would have in hand more than 21,000 files. They also threaten the Argentine government, the Peruvian Ministry of Finance, the Brazilian police. We are dealing with people without faith or law. They are fearless and they threaten.
Do companies have the means to protect themselves against these hackers?
Cybersecurity is something that is worked on daily, with people, and a little bit of money to put on the table. It really is a game of cat and mouse. And in this game, pirates will always have a tiny head start. Companies must train their staff, educate them, make them understand the dangers associated with cybersecurity. By conducting training on this subject, I realize that employees and companies think they are protected because they have purchased protection software. But if you don’t train your staff, it’s like having a car with an airbag, but preventing it from going off, because you don’t want it.