Critical infrastructures – probably the most vulnerable point of a country

Critical infrastructures – probably the most vulnerable point of a country

What happens when there’s no more electricity? Food and essential medicines can no longer be cooled, life-supporting appliances in hospitals fail, the lights go out and the streets sink into chaos. A scenario that seems unimaginable. But the danger exists. Cyber-criminals are increasingly targeting vulnerable facilities that form the basis for the common good – critical infrastructures.

The president of the german Federal Office for Information Security Arne Schönbohm also sees operators of national water and power plants or, for example, the pharmaceutical industry increasing in the focus of professionalized cyber-attacks. Why? Manipulation of operating procedures in these economic sectors could put the population at risk. Protective measures for internal IT should have a high priority.

In the following, we will take a look at the critical infrastructures and give an outlook on the enormous consequences of a cyber-attack on these sensitive organizations.

A critical matter

Critical infrastructures include organizations or institutions that play an important role for the state community. They provide services or products that consumers and businesses depend on. These include facilities in energy sectors, IT and telecommunications, health, water, nutrition, transport, finance and insurance, government and administration, as well as media and culture.

Critical infrastructures are considered particularly sensitive regarding their IT infrastructure, which is why the government wants to protect them especially with the IT security law that came into force in July 2015. Operators must report faults in their IT systems and allow them to be checked regularly. The aforementioned sensitivity of the systems resulted from the fact that most of them were developed in the distant past. IT security aspects were not considered from the outset, but physical security aspects, such as the construction of highly complex fencing systems and the provision of security personnel, were initially pursued.

Another reason for this was the separation of IT systems from Internet access. However, digitization has not simply passed by. It has led to considerable changes in recent years. For example in modern industrial companies many machines, devices, and employees are now connected to the Internet. There are many advantages that arise within the networking, but there are also disadvantages that are significant: Critical infrastructures are thus even more vulnerable to cyber attacks.

Danger of a total Blackout

The extent of a cyber attack on critical infrastructures shows an unprecedented attack on Ukraine’s electricity grid in 2015. Hackers paralyzed the entire electricity supply. Households remained in the dark for hours, hospitals had to access emergency power generators. The hacker attack was allegedly carried out by state actors who sabotaged the country’s power supply with the help of the malware ‘Industroyer’. In 2017, a Saudi Arabian power plant fell victim to hackers. The aim of the attack was probably to destroy the plant.

The attack was discovered purely by chance. In this way, worse things could be prevented. According to media reports, the attack took place via a security system that is used worldwide in oil and gas power plants as well as in nuclear power plants – also in Germany. The Triton code used in the attack was published on the Internet shortly afterwards. This created the basis for further attacks by experienced hackers. According to their own statements, security researchers were able to locate another attack with the Triton code in April 2019. However, it remains unclear when the attack took place and which system was in focus. During their investigations, the researchers came to the conclusion that the attackers wanted to cause physical damage. This would also suggest that further operators of critical infrastructures were being targeted. For this reason, the researchers have made details of the detected malware public in order to support IT managers in detecting and preventing it.

Past events are worrying. But a good sign is the increasing awareness of IT security within critical infrastructures. For example disaster control has praised the growing IT security.

The worst case: cyber attack on operators of critical infrastructur

However, this does not mean that the topic is off the table for a long time, but rather that it is intended to sensitize people to the further establishment of security measures. What if this was the case? We are starting from the worst case scenario: A cyber attack turns the power off in Germany. According to Schönbohm, the network and energy supply is an attractive target for paralysing an entire country. According to this, extensive supply bottlenecks would arise in the event of a longer and larger power outage. This also raises concerns in the field of disaster control. Let us take a closer look at a possible attack scenario

The cyberkillchain

An attack extends over a total of seven steps, which are combined in a so-called Cyberkillchain. The concept of the attack chain has its orign in the military and was transferred to the IT sector.

An attack of a ransomware expires in the following steps:

  1. Reconnaissance
  2. Weaponization
  3. Delivery
  4. Exploitation
  5. Installation
  6. Command & Control
  7. Actions on objective

Reconnaissance: Identification of the target

There are basically two types of attacks: targeted and mass attacks. Killchain is mainly about targeted attacks. First, the target is chosen. As much information as possible is collected to find out how the company is set up and if there are gaps that could be used for intrusion. In focus, are usually employees that share a lot of information about themselves: contact details, job titles, holiday plans and more. Once the right vulnerability has been found, the next step is taken.

Weaponization: Preparing the attack

The attacker selects a suitable tool depending on the desired goal and the planned procedure – if possible it should be perfidious. Often an encryption trojan is the best solution, which keeps itself covered at first and collects further information. Many of these codes are freely available in darknet.

Delivery: first steps to execute the attack

In this phase the criminal has to choose a distribution channel. The criminal can use a CD-ROM, an USB-stick, or the classic email. Particularly popular are phishing e-mails that either link to a malicious website or contain an infected document that the recipient is supposed to open. The advantage of the phishing method takes us directly to the next step.

Exploitation: Detection of security vulnerabilities

The lack of awareness of employees is a popular incidence vector. Keyword “social engineering”: Phishing, CEO fraud, or whaling are used to exploit the uncertainty and ignorance of employees to get into the system. But also open attack surfaces can lie in technology, such as unpatched security holes in programs used throughout the company.

Installation: Implementation of a backdoor

Logically, no pop-up will appear once the malware has been installed. The installation runs hidden and without the knowledge of the user. The malware nests and waits for its big moment.

Command & Control: Remote control of the target system

To keep control of the malware, the remote desktop protocol can be used for remote access. Remote control is essential to achieve the actual goal. It is now even possible to use artificial intelligence so that the malware can perform self-learning actions, such as reloading other malware or spying on personal data.

Actions on objective: Achievement of objectives

The great moment has come, and the attacker can make his action concrete after the complete infiltration of the system. In our case the power supply is switched off. It can take several years until the malware is executed or detected.

From the killchain it becomes clear that the prevention and defense against sophisticated cyber-attacks is only possible with special tools and a strong and regular sensitization of employees. These include services that can detect perfidious and complicated malware such as advanced persistent threats with special analysis engines, freezing and sandboxing.

The fact is, that cyber-attacks will continue to increase and protection measures must be taken at an early stage.

In summary, cyber-attacks on critical infrastructures can pose a threat to national security. An attack on the energy network or the water supply can have consequences that could not only result in financial losses, but could also completely change life as we know it.

Mirai – The Botnet of Things

Mirai – The Botnet of Things

The dynamic of the Internet of Things shows us the daily progress of digitalization. More and more devices are connected to the Internet, providing users comfort and efficiency. The market is constantly filled with new devices and the variety of functions attracts many users. Today, there is already a huge network of data, servers and connected intelligent devices – which, however, represents a new and above all enormous target for cyber criminals due to the unconsidered security vulnerabilities of smart devices.

The malware Mirai took advantage of this weakness: In October 2016, the botnet virus became widely known for the first time due to the largest DDoS attack ever launched, targeting the DNS provider “Dyn”. As a result, the websites and services of many international companies, including Amazon, Netflix and Spotify, were unavailable for a long time. For businesses, this can mean a loss of millions. What exactly is the story behind the malware that exploits the weaknesses of technological progress?

The origin of the Mega Botnet

2016 wasn’t the first time such an IoT botnet “hit” the market: according to independent security journalist Brian Krebs from, there have been Mirai-like predecessors since 2014, known as Bashlite, Gafgytm, QBot, Remaiten and Torlus. The Botcode of Mirai was created from the improved codes of its forerunners, compiled by several developers. It was finalized by a group of hackers who joined forces in 2014 and started DDoS attacks on competing Minecraft servers under the pseudonym “lelddos”, using the Mirai Botnet to slow them down or take them off the Internet, which cost their operators a lot of money.

Mirai has been designed to eliminate malware from already infected IoT devices and eventually takes it over itself. Affected devices, again, looked for other vulnerable devices to take over. Due to the growing number of IoT products controlled by Mirai, the botnet became more extensive and hackers attempted larger targets. In September 2016, the French hosting company OVH suffered a DDoS attack with a total capacity of up to 1.5 terabits per second.

Shortly after that attack, one of the co-developers Mirais, published the source code of the malware online under the name “Anna-Senpai”. Thus, the author enabled many hackers to copy and further develop the code. The release led to a rapid increase in imitators operating their own Mirai botnets. This eventually ended in an attack on Dyn’s server just a month later. Due to the amount of new variations of Mirai, tracing those responsible became much more difficult. But only a few weeks after that, the FBI tracked down three young Americans.

On the 5th of December 2017, the hackers pleaded guilty in court in Alaska for developing the malware and merging it into a botnet to harm companies and “other targets”. According to the court documents, the cybercriminal group also planned to earn money with its own DDoS-as-a-Service offer and racketeering. To avoid a prison sentence, the 21- and 22-year-olds agreed to assist the FBI in solving complex cybercrime investigations. Nevertheless, the sentence included a five-year suspended sentence, 2,500 hours of community service, and $127,000 in refunds. Even though, the criminal malware developers are now kept in check, the malware code still exists and can be reused, converted and improved by other hackers.

The Return of Mirai

In March 2019, security experts discovered a new type of Mirai, which is aimed primarily at IoT devices within companies. Cybercriminals expect this to increase their attack power even more as they gain access to greater bandwidth over corporate networks. The new Mirai version contains several more features, including 11 additional exploits, bringing the total number of exploits of the malware to 27. These additional features give the program an even larger attack surface. The malware spreads primarily through presentation systems, smart TVs, routers and IP cameras.
Companies are advised to change the credentials of the implemented IoT devices and to consider the security of these devices in their IT security strategy as well.

This development shows the uncertainty IoT devices face in the digitized world – the security factor is essential for businesses and users. A study by the Berkeley School of Information and the Center for Long-Term Cybersecurity (CLTC) identified the total cost for consumers caused by a hack of a smart device and additional power consumption when that device is involved in a cyberattack: For example, the combined costs of the attack on Dyn in October 2016 amounted to around 115,000 dollars for IoT users. In a worst-case scenario, the calculator results in a sum of about 68 million dollars, about 100 dollars per user, for a DDoS attack involving 600,000 IoT devices.

The rise of DDoS Attacks

The additional attack surface, which results from the very weakly protected Internet of Things, is also reflected in the increasing number of DDoS attacks on companies.

Hornetsecurity News

Stay in touch

Sign up to get the latest News about Cloud Security.

Whereas three years ago, there were still around 9,000 attacks per quarter on corporate infrastructure and servers in the German-speaking area, attacks increased year by year.
In the 1st quarter of 2019, there were already 11,177 DDoS attacks registered in Germany, Austria and Switzerland alone. But not only the number of attacks is on the upswing, the volume is also growing significantly. According to the Link11 DDoS Report Q1 2019, the largest DDoS attack in German-speaking countries reached a volume of 224 gigabits per second. With an increase of 70 percent compared to the same period last year, the average of the middle range of this quarter was already 3.8 Gbps. The Internet of Things is contributing significantly to the increased performance of attacks – a fact that takes cyber security to a new level once again.

Experts interview: Dr. Yvonne Bernard about Artificial Intelligence

Experts interview: Dr. Yvonne Bernard about Artificial Intelligence


Currently the topic of artificial intelligence dominates every discussion about digitization. As a former researcher on open systems and trust- and security mechanisms, this development has prompted our Head of Product Management Dr. Yvonne Bernard to take a closer look. In her recently published article „AI – the same procedures as last century?“ she provides a view behind the current hype. In the following interview with Yvonne, we will explore the background of this innovative technology, take a look at the implementation of artificial intelligence in an entrepreneurial context, and in conclusion discuss its potential in IT security.


So, what made you decide to take a further look at AI?

Especially in recent years, I have seen an enormous increase in AI technologies applied and – perhaps more importantly – advertised by technology companies and vendors around the world.
Since I have been dealing with this topic in research and teaching for several years, I was really curious: Have the mechanisms that I used and taught at Leibniz Universität Hannover developed further? Basic research takes up to 20 years, as they say, to be separated (if at all) from basic research in business-relevant technology, but to be honest, some of the features we used back then, such as artificial neural networks, were already older than me.


If you say this technology has been around for decades, why is it actually being applied just now?

Nowadays, what makes the implementation of AI technologies really worthwhile is the possibility to store and process large amounts of data and to adapt the processing schemes if necessary. Big data doesn’t mean storing everything and then looking at what you do with it: you have to think about data types in order to calculate efficiently and effectively on the basis of these data volumes. Also, the promotion of these technologies, which have been in use for years, has of course made its contribution to the hype. Furthermore, the growing number and quality of libraries that are available to the public and not only to researchers is a further aspect. You don’t have to spend much time looking for suitable software or frameworks to realize your AI ideas in functional code. Frameworks such as TensorFlow, Caffe and CNTK can be mentioned here. Thus, AI is increasingly used for the fast and (nearly) optimum solution of real problems.

Hornetsecurity News

Stay in touch

Sign up to get the latest News about Cloud Security.


What has made the use of AI possible in companies and what is the necessity?

As already mentioned, the increasing number and quality of libraries and the possibility to work with large amounts of data are the main growth drivers of the use of AI in the business environment. In addition, completely new and additional techniques such as supervised machine learning can be applied. In this case, a certain amount of the available total data is used, which is assumed to be very similar to the data for which the algorithms are trained for. An “unlearning” of desired characteristics is thus to be excluded.
To compare: In research laboratories, it is always important to make sure that the algorithms to be applied are well parameterized and suitable for the targeted data set. In business life one often does not want to and cannot spend this time to evaluate every possible parameter set. Moreover, a learning algorithm that learns something unexpected is great for a researcher but cannot be tolerated in business.


In which industries and processes do you see the greatest opportunities for the application of artificial intelligence?

It is safe to say that AI will not be the only solution to each of today’s problems. But there are areas where AI techniques are easier and more accessible than ever, and nothing should prevent developers and system developers from using the former pure research technology in any way that helps them find a good (or if possible the best) solution to their real problems. I would like to emphasize that – also at Hornetsecurity – many procedures from the quantity of AI methods have already been used successfully for years. In the past, however, such techniques were not advertised consciously, whereas today AI is perceived as a quality criteria or at least as an innovation. In general, the application is generally widespread in the area of optimization procedures and is also recommended, since simple heuristics are often not sufficient in terms of quality, but the determination of the optimal solution would not be possible in the desired time due to the complexity of processing times. Suitable learning methods can achieve excellent results in a short time – if you know how to use them wisely. Optimization processes can be found in almost all industries.

And finally: Do you think that artificial intelligence will influence and change IT security?

Yes, absolutely, but in both ways: Not only security research, but also attackers will increasingly use the accessibility of these technologies. With our comprehensive understanding and many years of experience in this field of algorithms, Hornetsecurity is well prepared for this “Arms Race”.

Hornetsecurity receives millions for global growth plans

Hornetsecurity receives millions for global growth plans

Since Hornetsecurity was founded, its sales have gone in only one direction – up. The company is looking to quadruple by 2021.


With an enormous annual growth rate of more than 50%, cloud security provider Hornetsecurity is the market leader in Europe and is now getting ready to enter the U.S. market. The company is the front runner not just in growth figures, but in technology too: Released less than one year ago, the latest product, Advanced Threat Protection, now protects one in every ten users against new threats. These successes have not gone unnoticed.


New investor climbs onboard


“In just one year, the company has developed a new product and successfully established it on the market,” states Hans-Christian Semmler, CEO of HCS Beteiligungsgesellschaft, a holding firm that has invested millions in the company. “Seldom have our analysts seen such fine-tuned workflows, processes and advanced technology,” he continues. Existing investors Verdane Capital and High-Tech Gründerfonds also back the company with sums in the seven-digit range. With these investments, Hornetsecurity will extend its global reach.


“The InvestImpuls funds have achieved their goals, establishing a strong security provider on the market that gives generous returns,” explains Dr. Bert Brinkhaus from EnjoyVenture, fund manager for the Hanover-based fund. As an early-stage investor, the company will now pull out, taking the capital it has generated to help another young technology company get off the ground.


Hornetsecurity already enjoys international success


Over 20 percent of new orders already stem from countries outside the German-speaking region, and the company is now looking to tap the US market to boost this figure significantly.


To prepare for this coming growth, Hornetsecurity has already doubled its staff within one year. “We are well prepared,” says Daniel Hofmann, Managing Director of Hornetsecurity. The aim is to increase the technological lead over the competition. “With this additional staff we want to speed up the development of our current 14 technology projects,” explains Hofmann.

A decade of skyrocketing hornets

A decade of skyrocketing hornets

Hornetsecurity is celebrating! Founded under the name antispameurope ten years ago, the company has been considered as the absolute expert and pioneer in the area of cloud security for many years. Since 2007, Hornetsecurity has genuinely set a record for vertical ascent: The company has now expanded to more than 100 employees and secures data traffic for more than 35,000 companies in over 30 countries worldwide, including numerous renowned names like Dekra, Melitta or Konica Minolta.


It’s a success story made in Hannover, Germany: When Daniel Hofmann and Oliver Dehning founded the company in the summer of 2007, they gave the starting signal for a company that today plays a major role in the German IT security landscape. With a wide range of products in the area of email and web security, Hornetsecurity provides its customers with comprehensive security. The high quality of the solutions combined with an excellent service concept practiced by all employees has meant that the company has been able to enjoy two-digit growth figures for years.


This success should increase even more over the coming years. To this end, Hornetsecurity is steadily investing in new products and markets. But first comes the celebration: Hornetsecurity has invited sales partners, investors and company friends to join them over a period of two days. Visitors will have the opportunity to tour the offices at an open house before a celebration of the company anniversary in the evening, together with employees. Hornetsecurity will hold the Partnerdialog on the following day, an sales partner event which once again promises to have a record numbers of participants. Since the company was founded, the annual event has served as a springboard for intensive information exchange with the sales partners.


“We are very proud of what we have built up over the past ten years,” says Daniel Hofmann, one of the founders and managing directors of Hornetsecurity. “But this still doesn’t mean we can rest on our laurels. On the contrary: We also want to develop Hornetsecurity into one of the most important security providers on the international IT market.”