Main Page: Difference between revisions

From International cyber law: interactive toolkit
(added the Homeland Justice operations against Albania)
No edit summary
(15 intermediate revisions by 3 users not shown)
Line 1: Line 1:
<div class="res-img no-pointer-events"><!-- OLD BANNER: [[File:MainBanner.jpg]]-->[[File:MainBanner22.jpg]]</div>
<div class="res-img no-pointer-events">[[File:MainBanner.jpg]]<!-- CfP BANNER: [[File:MainBannerCall2024.jpg]]--></div>
__NOTOC__
__NOTOC__
<!--__NONUMBEREDHEADINGS__-->
<!--__NONUMBEREDHEADINGS__-->
Line 59: Line 59:
| id="mp-right" class="MainPageBG" style="width:50%; border:1px solid #bbceed; padding:0; background:#ffffff; vertical-align:top;"|
| id="mp-right" class="MainPageBG" style="width:50%; border:1px solid #bbceed; padding:0; background:#ffffff; vertical-align:top;"|
<h2 id="mp-itn-h2" style="margin:0.5em; background:#bbceed; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3b0bf; color:#000; padding:0.2em 0.4em;">Featured incident</h2>
<h2 id="mp-itn-h2" style="margin:0.5em; background:#bbceed; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3b0bf; color:#000; padding:0.2em 0.4em;">Featured incident</h2>
<choose uncached>
<choose>

<option>
<!-- INCIDENT 12-->
<div id="mp-itn" style="padding:0.1em 0.6em;">[[File:Microsoft_Exchange_(2019-present).svg|left|150px]]
On 2 March 2021, Microsoft issued a [https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/ statement] about multiple zero-day exploits in its Exchange Server email software and urged customers to update their systems using a patch released at the same time. Nevertheless, malicious cyber activities escalated, resulting in more than [https://edition.cnn.com/2021/03/10/tech/microsoft-exchange-hafnium-hack-explainer/index.html 250,000 affected customers globally] (including governments as well as the private sector) and involving at least [https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/?utm_source=Twitter&utm_medium=cpc&utm_campaign=WLS_apt_groups&utm_term=WLS_apt_groups&utm_content=blog 10 APT groups]. The original campaign was [https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/ attributed] by Microsoft to ‘Hafnium’, described as a State-sponsored group operating out of China. The hackers used the exploits to gain access to victim organisations’ email systems and to install malware allowing them to maintain long-term access to files, inboxes, and stored credentials. [[Scenario 02: Cyber espionage against government departments|Scenario 02]] of the Toolkit analyses cyber espionage against government departments; economic cyber espionage is discussed in [[Scenario 09: Economic cyber espionage|Scenario 09]].</div>
</option>
<option>
<!-- INCIDENT 13-->
<div id="mp-itn" style="padding:0.1em 0.6em;">[[File:Solarwinds.svg|left|150px]]
On 13 December 2020, FireEye [https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html announced] the discovery of an ongoing supply chain attack that trojanized SolarWinds Orion business software updates in order to distribute malware. The [https://www.businessinsider.com/solarwinds-hack-explained-government-agencies-cyber-security-2020-12?r=US&IR=T victims] included many U.S. governmental organisations (such as the Department of Homeland Security, the Department of Energy, or the Treasury) and businesses (including Microsoft, Cisco, or Deloitte). Once the systems were infected, hackers could transfer files, execute files, profile the system, reboot the machines, or disable system services. The U.S. government has [https://www.cisa.gov/news/2021/01/05/joint-statement-federal-bureau-investigation-fbi-cybersecurity-and-infrastructure attributed] the attack to an ‘Advanced Persistent Threat Actor, likely Russian in origin’. Even though the campaign’s full scope remains unknown, recovering from the hack and conducting investigations may take up to [https://www.technologyreview.com/2021/03/02/1020166/solarwinds-brandon-wales-hack-recovery-18-months/ 18 months]. In the Toolkit, data theft and cyber espionage against government departments are analysed in [[Scenario 02: Cyber espionage against government departments|Scenario 02]]. Given that private sector organizations were among the victims, [[Scenario 09: Economic cyber espionage|Scenario 09]] on economic cyber espionage is also relevant.</div>
</option>
<option>
<option>
<!-- INCIDENT 14-->
<!-- INCIDENT 14-->
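Review bot: Dropping `uncached` from the `<choose>` tag at the top of the featured-incident block is not explained, since the revision has no edit summary. If the featured incident is still meant to be re-drawn on each page view rather than fixed for as long as a cached copy of the page is served, keep `<choose uncached>`; if the change is deliberate, record the reason in the edit summary.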
Line 80: Line 71:
</div>
</div>
</option>
</option>

<option weight="2">
<!-- INCIDENT 24-->
<div id="mp-itn" style="padding:0.1em 0.6em;">[[File:Sellafield.png|left|150px]]
On 4 December 2023, ''The Guardian'' [https://www.theguardian.com/business/2023/dec/04/sellafield-nuclear-site-hacked-groups-russia-china reported] that the Sellafield nuclear site in the United Kingdom was hacked by groups allegedly linked to Russia and China. The breach, first detected in 2015, reportedly involved sleeper malware that may have compromised sensitive operations like radioactive waste handling. Sellafield, crucial for nuclear waste management and housing critical emergency planning documents, was placed under [https://www.onr.org.uk/documents/2023/cni-annual-report-2023.pdf special measures] by the UK Office for Nuclear Regulation. The breach raised significant national security concerns, given the [https://www.ncsc.gov.uk/news/heightened-threat-of-state-aligned-groups rising threats] of cyber-attacks against critical national infrastructure. In the Toolkit, [[Scenario 03: Cyber operation against the power grid|scenario 03]] and [[Scenario 06: Cyber countermeasures against an enabling State|scenario 06]] analyse cyber operations against the critical infrastructure of other States from the perspective of international law.
</div>
</option>

<option>
<option>
<!-- INCIDENT 15-->
<!-- INCIDENT 15-->
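Review bot: The link labels in the last sentence of the INCIDENT 24 entry read "scenario 03" and "scenario 06" in lower case, while the other entries on the page label these links "Scenario NN". Capitalise both so the Sellafield entry matches the rest of the featured incidents.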
Line 88: Line 87:
</div>
</div>
</option>
</option>

<option weight="2">
<option>
<!-- INCIDENT 17-->
<!-- INCIDENT 17-->
<div id="mp-itn" style="padding:0.1em 0.6em;">[[File:HackedForeignMinistry.png|left|150px]]
<div id="mp-itn" style="padding:0.1em 0.6em;">[[File:HackedForeignMinistry.png|left|150px]]
Line 94: Line 94:
</div>
</div>
</option>
</option>

<option weight="2">
<option>
<!-- INCIDENT 18-->
<!-- INCIDENT 18-->
<div id="mp-itn" style="padding:0.1em 0.6em;">[[File:UN emblem blue.svg|left|150px]]
<div id="mp-itn" style="padding:0.1em 0.6em;">[[File:UN emblem blue.svg|left|150px]]
Line 100: Line 101:
</div>
</div>
</option>
</option>

<option weight="2">
<option>
<!-- INCIDENT 19-->
<!-- INCIDENT 19-->
<div id="mp-itn" style="padding:0.1em 0.6em;"> [[File:WaikatoHospital.jpg|left|150px]]
<div id="mp-itn" style="padding:0.1em 0.6em;"> [[File:WaikatoHospital.jpg|left|150px]]
Line 106: Line 108:
</div>
</div>
</option>
</option>

<option weight="2">
<option weight="2">
<!-- INCIDENT 20-->
<!-- INCIDENT 20-->
Line 112: Line 115:
</div>
</div>
</option>
</option>
<option weight="2">
<!-- INCIDENT 21-->
<div id="mp-itn" style="padding:0.1em 0.6em;">[[File:Universitaetsklinikum-Duesseldorf-Logo.png|left|150px]]
In September 2020, the German University Hospital in Düsseldorf was forced to reduce healthcare service due to a [https://www.wired.co.uk/article/ransomware-hospital-death-germany ransomware attack] that crippled its systems. The attackers managed to compromise 30 clinic’s servers, reducing its capacity by [https://www.rtl.de/cms/hacker-angriff-auf-uniklinik-duesseldorf-starb-eine-patientin-wegen-einer-erpressung-4615184.html fifty per cent] for several days. This ransomware campaign with [https://www.thelocal.de/20200922/german-experts-see-russian-link-in-deadly-hospital-hacking/ links to Russian groups] is known worldwide because a woman has died when taken into a distant hospital that could accept her, even though her death was later [https://www.technologyreview.com/2020/11/12/1012015/ransomware-did-not-kill-a-german-hospital-patient/ not concluded] as a result of the attack. The attack was most likely a mistake since the perpetrators left a note in a code addressed to Heinrich Heine University. Once the hackers were informed about their misstep, they [https://www.healthcareitnews.com/news/hospital-ransomware-attack-leads-fatality-after-causing-delay-care stopped and provided] the hospital with the encryption key without any ransom demands before [https://www.bbc.com/news/technology-54204356 cutting the communication]. Even though no data has been lost, this ransomware campaign once again showed how the healthcare sector is vulnerable to cyber attacks.


In the Toolkit, [[Scenario 20: Cyber operations against medical facilities|Scenario 20]] focuses directly on cyber operations against medical facilities. Given that the hospital suffered a ransomware attack, [[Scenario 14: Ransomware campaign|Scenario 14]] exploring the ransomware campaign is also relevant.
</div>
</option>
<option weight="2">
<option weight="2">
<!-- INCIDENT 22-->
<!-- INCIDENT 22-->
Line 128: Line 124:
</div>
</div>
</option>
</option>
<option weight="2">
<option weight="4">
<!-- INCIDENT 23-->
<!-- INCIDENT 23-->
<div id="mp-itn" style="padding:0.1em 0.6em;">[[File:Flag of Albania.svg|left|150px]]
<div id="mp-itn" style="padding:0.1em 0.6em;">[[File:Flag of Albania.svg|left|150px]]
The most important cyber operations attributed to the Homeland Justice group are dated to [https://www.kryeministria.al/en/newsroom/videomesazh-i-kryeministrit-edi-rama/ 15 July 2022], when multiple websites and services of the Government of Albania were rendered unavailable as well as the e-Albania portal, and [https://edition.cnn.com/2022/09/10/politics/albania-cyberattack-iran/index.html 9 September 2022], when the border system of the state police was targeted; however, other state systems were compromised [https://www.microsoft.com/en-us/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/ between October 2021 and May 2022].
Multiple websites and services of the Government of Albania were [https://www.kryeministria.al/en/newsroom/videomesazh-i-kryeministrit-edi-rama/ rendered unavailable on 15 July 2022] as well as the e-Albania portal, and [https://edition.cnn.com/2022/09/10/politics/albania-cyberattack-iran/index.html on 9 September 2022 the border system of the state police was targeted]; however, other state systems were compromised [https://www.microsoft.com/en-us/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/ between October 2021 and May 2022].

It is speculated that, although Homeland Justice declared its responsibility for the disruptive activity, the cyber operations were carried out by [https://www.microsoft.com/en-us/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/ four state-sponsored actors with ties to Iran]. The cyber operations were accompanied by [https://www.cisa.gov/uscert/ncas/alerts/aa22-264a information operations by HLJ] accusing the Albanian government of corruption and spreading messages against Mujahideen E-Khalq (an Iranian opposition organization based in Albania). Data from various state databases was allegedly exfiltrated and some even published (e.g. data related to [https://balkaninsight.com/2022/11/08/albania-authorities-silent-over-alleged-security-service-data-hack/ the Prime Minister, the State Information Service] or [https://balkaninsight.com/2022/10/03/iranian-hackers-leak-database-of-albanian-criminal-suspects/ criminal suspects]). There is a suspicion that the cyber operations serve [https://www.microsoft.com/en-us/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/ as a payback for cyber operations] attributed to a hacktivist group called Predatory Sparrow.
It is speculated that, although Homeland Justice declared its responsibility for the disruptive activity, the cyber operations were carried out by [https://www.microsoft.com/en-us/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/ four state-sponsored actors with ties to Iran].
In response to the July cyber operation, Albania decided to [https://www.reuters.com/world/albania-cuts-iran-ties-orders-diplomats-go-after-cyber-attack-pm-says-2022-09-07/ cut diplomatic ties with Iran]. NATO has declared its support of Albania and [https://www.nato.int/cps/en/natohq/official_texts_207156.htm acknowledged the attribution, by some Allies, of the responsibility for the cyber operations to Iran]. The U.S. Department of the Treasury’s Office of Foreign Assets Control [https://home.treasury.gov/news/press-releases/jy0941 has imposed sanctions] on Iran’s Ministry of Intelligence and Security and on its minister. [https://www.politico.com/news/2022/10/05/why-albania-chose-not-to-pull-the-nato-trigger-after-cyberattack-00060347 Albania was also considering invoking] Article 5 of The North Atlantic Treaty, to trigger collective defence, but eventually decided against it. Iran has denied its involvement.

In response to the July cyber operation, Albania decided to [https://www.reuters.com/world/albania-cuts-iran-ties-orders-diplomats-go-after-cyber-attack-pm-says-2022-09-07/ cut diplomatic ties with Iran]. NATO has declared its support of Albania and [https://www.nato.int/cps/en/natohq/official_texts_207156.htm acknowledged the attribution, by some Allies, of the responsibility for the cyber operations to Iran]. [https://www.politico.com/news/2022/10/05/why-albania-chose-not-to-pull-the-nato-trigger-after-cyberattack-00060347 Albania was also considering invoking] Article 5 of The North Atlantic Treaty, to trigger collective defence, but eventually decided against it. Iran has denied its involvement.
In the Toolkit, [[Scenario 02: Cyber espionage against government departments|Scenario 02]] considers cyber espionage against government departments and [[Scenario 17: Collective responses to cyber operations|Scenario 17]] addresses collective responses to cyber operations.
In the Toolkit, [[Scenario 02: Cyber espionage against government departments|Scenario 02]] considers cyber espionage against government departments and [[Scenario 17: Collective responses to cyber operations|Scenario 17]] addresses collective responses to cyber operations.
</div>
</div>
</option>
</choose>
</choose>
<h2 id="mp-other" style="clear:both; margin:0.5em; background:#bbceed; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3b0bf; color:#000; padding:0.2em 0.4em;">Quick links</h2>
<h2 id="mp-other" style="clear:both; margin:0.5em; background:#bbceed; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3b0bf; color:#000; padding:0.2em 0.4em;">Quick links</h2>
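Review bot: In the rewritten first sentence of the INCIDENT 23 entry, "as well as the e-Albania portal" trails the linked date ("rendered unavailable on 15 July 2022] as well as the e-Albania portal"), so it no longer attaches to the list of affected services. Move it next to "Multiple websites and services of the Government of Albania". The rewrite also drops the sentences on the accompanying information operations, the published data and the OFAC sanctions together with their source links; with no edit summary it is unclear whether that removal is intended.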
Line 153: Line 152:


<h2 id="mp-otd-h2" style="clear:both; margin:0.5em; background:#bbceed; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3b0bf; color:#000; padding:0.2em 0.4em;">Behind the scenes</h2>
<h2 id="mp-otd-h2" style="clear:both; margin:0.5em; background:#bbceed; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3b0bf; color:#000; padding:0.2em 0.4em;">Behind the scenes</h2>
<div id="mp-otd" style="padding:0.1em 0.6em 0.5em;">The project is supported by the following six partner institutions: the [https://www.nukib.cz/en/ Czech National Cyber and Information Security Agency] (NÚKIB), the [https://www.icrc.org International Committee of the Red Cross] (ICRC), the [https://ccdcoe.org/ NATO Cooperative Cyber Defence Centre of Excellence] (CCDCOE), the [https://www.exeter.ac.uk/ University of Exeter], United Kingdom, the [https://usnwc.edu/ U.S. Naval War College], United States, and [https://en.whu.edu.cn Wuhan University], China. The core of the project team consists of [https://socialsciences.exeter.ac.uk/law/staff/macak/ Dr Kubo Mačák] (ICRC) – General Editor; Mr Tomáš Minárik (NÚKIB) – Managing Editor; and Ms Taťána Jančárková (CCDCOE) – Scenario Editor. <!-- The pilot year of the project (2018/19) was supported through the [https://esrc.ukri.org/collaboration/collaboration-oportunities/impact-acceleration-accounts/ UK ESRC IAA Project Co-Creation] scheme.--> The individual scenarios and the Toolkit as such have been reviewed by a team of over 30 [[People#Peer_reviewers|peer reviewers]]. The Toolkit was formally launched on 28 May 2019 in Tallinn, Estonia; its Chinese launch took place on 2 November 2019 in Wuhan, China; it received its most recent general annual update on 20 October 2022; and it remains continuously updated. For questions about the project including media enquiries, please contact us at cyberlaw@exeter.ac.uk.</div>
<div id="mp-otd" style="padding:0.1em 0.6em 0.5em;">The project is supported by the following six partner institutions: the [https://www.nukib.cz/en/ Czech National Cyber and Information Security Agency] (NÚKIB), the [https://www.icrc.org International Committee of the Red Cross] (ICRC), the [https://ccdcoe.org/ NATO Cooperative Cyber Defence Centre of Excellence] (CCDCOE), the [https://www.exeter.ac.uk/ University of Exeter], United Kingdom, the [https://usnwc.edu/Research-and-Wargaming/Research-Centers/Stockton-Center-for-International-Law U.S. Naval War College], United States, and [https://en.whu.edu.cn Wuhan University], China. The core of the project team consists of [https://socialsciences.exeter.ac.uk/law/staff/macak/ Dr Kubo Mačák] (University of Exeter) – General Editor; Mr Tomáš Minárik (NÚKIB) – Managing Editor; and Mr Otakar Horák (CCDCOE) – Scenario Editor. <!-- The pilot year of the project (2018/19) was supported through the [https://esrc.ukri.org/collaboration/collaboration-oportunities/impact-acceleration-accounts/ UK ESRC IAA Project Co-Creation] scheme.--> The individual scenarios and the Toolkit as such have been reviewed by a team of over 30 [[People#Peer_reviewers|peer reviewers]]. The Toolkit was formally launched on 28 May 2019 in Tallinn, Estonia; its Chinese launch took place on 2 November 2019 in Wuhan, China; it received its most recent general annual update on 20 October 2022; and it remains continuously updated. For questions about the project including media enquiries, please contact us at cyberlaw@exeter.ac.uk.</div>
|}
|}
<!-- END OF MIDDLE BOX -->
<!-- END OF MIDDLE BOX -->
<!-- SECTIONS AT BOTTOM OF PAGE -->
<!-- SECTIONS AT BOTTOM OF PAGE -->
<!-- CALL FOR SUBMISSIONS SECTION - CURRENTLY NOT IN USE
<!--
<div id="mp-lower" style="padding-top:4px; padding-bottom:2px; overflow:auto; border:1px solid #e2e2e2; overflow:auto; margin-top:4px;"><h2 id="mp-other" style="margin:0.5em; background:#bbceed; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3b0bf; color:#000; padding:0.2em 0.4em;">Call for submissions</h2>
<div id="mp-lower" style="padding-top:4px; padding-bottom:2px; overflow:auto; border:1px solid #e2e2e2; overflow:auto; margin-top:4px;"><h2 id="mp-other" style="margin:0.5em; background:#bbceed; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3b0bf; color:#000; padding:0.2em 0.4em;">Call for submissions</h2>
<span style="color:red">'''NEW!'''</span>Cyber Law Toolkit is now inviting submissions for its next general update in 2022. Successful authors will be awarded an honorarium. This call for submissions is open until '''1 November 2021'''. Full text of the call with submission dates and contacts is available for download here: [https://static.miraheze.org/cyberlawwiki/0/0d/Call_for_submissions_2021-22.pdf Call for submissions (PDF)]
Cyber Law Toolkit is now inviting submissions for its next general update in 2024. Successful authors will be awarded an honorarium. This call for submissions is open until '''1 December 2023'''. Full text of the call with submission dates and contacts is available for download here: [Https://ccdcoe.org/uploads/2023/10/Cyber-Law-Toolkit-call-for-submissions-2024.pdf Call for submissions (PDF)] -->
-->
<!-- REMOVED OLD OTHER RESOURCES BOX
<!-- REMOVED OLD OTHER RESOURCES BOX
<h2 id="mp-other" style="margin:0.5em; background:#eeeeee; border:1px solid #ddd; color:#222; padding:0.2em 0.4em; font-size:120%; font-weight:bold; font-family:inherit;">Other resources</h2>
<h2 id="mp-other" style="margin:0.5em; background:#eeeeee; border:1px solid #ddd; color:#222; padding:0.2em 0.4em; font-size:120%; font-weight:bold; font-family:inherit;">Other resources</h2>
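Review bot: The call-for-submissions link for the 2024 update starts with a capitalised scheme, "[Https://ccdcoe.org/"; write it as "https://" like the other external links on the page. The closing "-->" also sits at the end of that line now, so check that the standalone "-->" line below it does not survive alongside it, where it would render as literal text.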
Line 176: Line 174:


</div>
</div>

<!-- TO ADD A SECTION JUST DELETE THIS LINE...
<!-- TO ADD A SECTION JUST DELETE THIS LINE...
<h2 id="mp-sister" style="margin:0.5em; background:#eeeeee; border:1px solid #ddd; color:#222; padding:0.2em 0.4em; font-size:120%; font-weight:bold; font-family:inherit;">[EMPTY SECTION]</h2>
<h2 id="mp-sister" style="margin:0.5em; background:#eeeeee; border:1px solid #ddd; color:#222; padding:0.2em 0.4em; font-size:120%; font-weight:bold; font-family:inherit;">[EMPTY SECTION]</h2>
Line 229: Line 226:
<div id="mp-itn" style="padding:0.1em 0.6em;">[[File:Brno_(znak).svg|left|150px]]
<div id="mp-itn" style="padding:0.1em 0.6em;">[[File:Brno_(znak).svg|left|150px]]
On 13 March 2020, Brno University Hospital, the second-largest hospital in the Czech Republic, at the time also providing COVID-19 testing capacities, was [[Brno University Hospital ransomware attack (2020)|targeted by ransomware]]. The hospital was forced to shut down its entire IT network, postpone urgent surgical interventions, and reroute patients to other nearby hospitals. It took several weeks before the hospital was fully operational again. [[Scenario 14: Ransomware campaign|Scenario 14]] in the Toolkit provides the legal analysis of a ransomware campaign against municipal and health care services abroad; [[Scenario 20: Cyber operations against medical facilities|Scenario 20]] and [[Scenario 23: Vaccine research and testing|Scenario 23]] both focus on various cyber operations against hospitals.</div>
On 13 March 2020, Brno University Hospital, the second-largest hospital in the Czech Republic, at the time also providing COVID-19 testing capacities, was [[Brno University Hospital ransomware attack (2020)|targeted by ransomware]]. The hospital was forced to shut down its entire IT network, postpone urgent surgical interventions, and reroute patients to other nearby hospitals. It took several weeks before the hospital was fully operational again. [[Scenario 14: Ransomware campaign|Scenario 14]] in the Toolkit provides the legal analysis of a ransomware campaign against municipal and health care services abroad; [[Scenario 20: Cyber operations against medical facilities|Scenario 20]] and [[Scenario 23: Vaccine research and testing|Scenario 23]] both focus on various cyber operations against hospitals.</div>
</option>
<option>
<!-- INCIDENT 12
<div id="mp-itn" style="padding:0.1em 0.6em;">[[File:Microsoft_Exchange_(2019-present).svg|left|150px]]
On 2 March 2021, Microsoft issued a [https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/ statement] about multiple zero-day exploits in its Exchange Server email software and urged customers to update their systems using a patch released at the same time. Nevertheless, malicious cyber activities escalated, resulting in more than [https://edition.cnn.com/2021/03/10/tech/microsoft-exchange-hafnium-hack-explainer/index.html 250,000 affected customers globally] (including governments as well as the private sector) and involving at least [https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/?utm_source=Twitter&utm_medium=cpc&utm_campaign=WLS_apt_groups&utm_term=WLS_apt_groups&utm_content=blog 10 APT groups]. The original campaign was [https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/ attributed] by Microsoft to ‘Hafnium’, described as a State-sponsored group operating out of China. The hackers used the exploits to gain access to victim organisations’ email systems and to install malware allowing them to maintain long-term access to files, inboxes, and stored credentials. [[Scenario 02: Cyber espionage against government departments|Scenario 02]] of the Toolkit analyses cyber espionage against government departments; economic cyber espionage is discussed in [[Scenario 09: Economic cyber espionage|Scenario 09]].</div>
</option>
<option>
<!-- INCIDENT 13
<div id="mp-itn" style="padding:0.1em 0.6em;">[[File:Solarwinds.svg|left|150px]]
On 13 December 2020, FireEye [https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html announced] the discovery of an ongoing supply chain attack that trojanized SolarWinds Orion business software updates in order to distribute malware. The [https://www.businessinsider.com/solarwinds-hack-explained-government-agencies-cyber-security-2020-12?r=US&IR=T victims] included many U.S. governmental organisations (such as the Department of Homeland Security, the Department of Energy, or the Treasury) and businesses (including Microsoft, Cisco, or Deloitte). Once the systems were infected, hackers could transfer files, execute files, profile the system, reboot the machines, or disable system services. The U.S. government has [https://www.cisa.gov/news/2021/01/05/joint-statement-federal-bureau-investigation-fbi-cybersecurity-and-infrastructure attributed] the attack to an ‘Advanced Persistent Threat Actor, likely Russian in origin’. Even though the campaign’s full scope remains unknown, recovering from the hack and conducting investigations may take up to [https://www.technologyreview.com/2021/03/02/1020166/solarwinds-brandon-wales-hack-recovery-18-months/ 18 months]. In the Toolkit, data theft and cyber espionage against government departments are analysed in [[Scenario 02: Cyber espionage against government departments|Scenario 02]]. Given that private sector organizations were among the victims, [[Scenario 09: Economic cyber espionage|Scenario 09]] on economic cyber espionage is also relevant.</div>
</option>
</option>
<option>
<option>
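Review bot: The comment openers "<!-- INCIDENT 12" and "<!-- INCIDENT 13" in the added lines have no closing "-->" within this hunk, unlike the "<!-- INCIDENT 12-->" marker form these entries carried in the featured-incident block. Everything after each opener, including the "</option>" and "<option>" tags that follow, is commented out up to the next "-->" further down the page. If the aim is to archive the entries, confirm that the "<option>" and "</option>" tags still pair up outside the comments; if not, close the comment on the marker line.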
Line 236: Line 243:


In the context of the incident, the main issue is the responsibility of the host State for providing the security of the international organisation, which is developed in [[Scenario 04: A State’s failure to assist an international organization|Scenario 04]].
In the context of the incident, the main issue is the responsibility of the host State for providing the security of the international organisation, which is developed in [[Scenario 04: A State’s failure to assist an international organization|Scenario 04]].
</div>
</option>
<option weight="2">
<!-- INCIDENT 21
<div id="mp-itn" style="padding:0.1em 0.6em;">[[File:Universitaetsklinikum-Duesseldorf-Logo.png|left|150px]]
In September 2020, the German University Hospital in Düsseldorf was forced to reduce healthcare service due to a [https://www.wired.co.uk/article/ransomware-hospital-death-germany ransomware attack] that crippled its systems. The attackers managed to compromise 30 clinic’s servers, reducing its capacity by [https://www.rtl.de/cms/hacker-angriff-auf-uniklinik-duesseldorf-starb-eine-patientin-wegen-einer-erpressung-4615184.html fifty per cent] for several days. This ransomware campaign with [https://www.thelocal.de/20200922/german-experts-see-russian-link-in-deadly-hospital-hacking/ links to Russian groups] is known worldwide because a woman has died when taken into a distant hospital that could accept her, even though her death was later [https://www.technologyreview.com/2020/11/12/1012015/ransomware-did-not-kill-a-german-hospital-patient/ not concluded] as a result of the attack. The attack was most likely a mistake since the perpetrators left a note in a code addressed to Heinrich Heine University. Once the hackers were informed about their misstep, they [https://www.healthcareitnews.com/news/hospital-ransomware-attack-leads-fatality-after-causing-delay-care stopped and provided] the hospital with the encryption key without any ransom demands before [https://www.bbc.com/news/technology-54204356 cutting the communication]. Even though no data has been lost, this ransomware campaign once again showed how the healthcare sector is vulnerable to cyber attacks.

In the Toolkit, [[Scenario 20: Cyber operations against medical facilities|Scenario 20]] focuses directly on cyber operations against medical facilities. Given that the hospital suffered a ransomware attack, [[Scenario 14: Ransomware campaign|Scenario 14]] exploring the ransomware campaign is also relevant.
</div>
</div>
</option>
</option>

Revision as of 10:00, 8 March 2024

Welcome to the Cyber Law Toolkit, an interactive online resource on international law and cyber operations.