The dark side of the cloud: How cloud is becoming prey to sophisticated forms of cyber attack


While increasing adoption of the cloud has helped businesses function efficiently, it has also provided a window to bad actors to exploit vulnerabilities in these systems for financial gain


One of India’s largest hospitals, the All India Institute of Medical Sciences (AIIMS) in New Delhi, was hit by a ransomware attack in November 2022. The attack cut off access to approximately 1.3 terabytes of data and impacted the hospital’s electronic medical records system. Its patient scheduling and billing systems were also affected, forcing the hospital to curtail its outpatient services for several days. Not only did it inconvenience patients, it also resulted in substantial financial losses for the hospital. After this incident, AIIMS strengthened its network by switching to a dedicated and secure local area network, among other security measures. Six months later, when another malware attack was mounted, it was thwarted.

This isn’t an isolated incident. Such instances are rising across both government and private enterprises. Data from Indian Computer Emergency Response Team (CERT-In) reveals that India Inc. encountered nearly 1.4 million cyberattacks in 2022, and among these, attacks on cloud systems were the highest. “With the adoption of digital technologies, critical infrastructure systems are no longer air-gapped, exposing them to significant cyber vulnerabilities. This shift has become particularly evident due to the increased reliance on digital solutions, virtualisation of government and citizen services, and the rise of remote workforces,” says Samir Kumar Mishra, Director of Security Business at Cisco India & SAARC.

Incidentally, attacks on cloud-based networks per organisation increased by 48 per cent between 2021 and 2022, per data from cybersecurity solutions provider Check Point Software Technologies. As organisations grapple with the rising complexity of managing security across multiple environments, and struggle to detect and respond to emerging threats that span on-premise and other cloud set-ups, security is emerging as a top priority. Consequently, the global cloud security software market, which was worth $29.3 billion in 2022, is expected to reach $39.3 billion by 2028, per market research firm IMARC Group. Revenues of India’s cloud market are also expected to clock $25.39 million in 2023, and reach $136.20 million by 2028.

BUT WHY THE CLOUD?

As businesses increasingly adopt cloud-based solutions, cyber criminals—who are constantly looking for new vulnerabilities to exploit—are finding it easier to engineer data breaches, explains Rajesh Garg, EVP, Chief Digital Officer & Head of Applications & Cybersecurity at data centre service provider Yotta Data Services. Around 98 per cent of organisations globally now utilise some form of cloud-based tech, while many have adopted multi-cloud deployments from multiple cloud service providers. The massive adoption of the cloud environment has also given rise to Shadow IT, where employees or departments use hardware or software from external sources without the knowledge of the IT or security group of the organisation. This creates a vacuum, where the responsibility of managing security within organisations is not clearly defined.

“Cloud infrastructure is inherently complex; that increases manifold with the addition of hybrid and multiple-cloud models,” says Atul Gupta, Partner and Head of Digital Trust and Cyber Security Services at KPMG in India. “This makes it difficult for organisations to identify and address vulnerabilities in their environments, leaving them more vulnerable.”

This has created the notion that cloud systems are less secure. Not only that, once bad actors identify a vulnerability, they deploy various strategies to exploit it and gain unauthorised access to one or many accounts/systems, from where they can move laterally within the complete cloud environment. This allows them to access critical accounts, services and data. But this doesn’t mean the cloud isn’t secure. It is usually as vulnerable or as secure as on-premise infrastructure. What really makes a difference is the cybersecurity frameworks deployed to protect and prevent these systems against attacks.

UNRAVELLING THE ATTACKS

Primarily motivated by financial gain, recognition and visibility, espionage, geopolitical reasons, etc., cyber intruders usually target industries that have large-scale manufacturing or sales operations, or those that deal with sensitive personal information, such as hospitals and financial services firms, or those that run critical infrastructure, such as power plants, and transmission and distribution companies, among others. “For now, private sector banks, healthcare and consumer product industries are the most commonly targeted since they are the early adopters of cloud,” says Chintan Matalia, Partner at Deloitte India.

“Earlier, these sectors were unwilling to utilise clouds for their essential data assets due to control issues. But now, even these industries are moving to the cloud,” says Anshuman Sharma, Associate Director CSIRT & Investigative Response, APJ at Verizon Business. By targeting financial services firms, cyber criminals aim to steal sensitive customer information, financial records and transaction data to commit fraud, initiate unauthorised transactions, or demand ransom to restore the data and services they have impacted.

On the other hand, healthcare data can be used to gain access to personal health information, which can then be used for identity theft, insurance fraud, or even be sold on the dark web. E-commerce platforms and retailers are also often targeted to access customer payment information, including credit and debit card details, etc. Often, this data is sold on the dark web, from where people can buy it to perpetrate more financial crimes. Such breaches can lead to financial losses for the business as well as its customers, reputational damage, and loss of trust among customers.

Cyber criminals use various methods to gain unauthorised access to cloud accounts. “Most attackers perform extensive reconnaissance, searching for leaked credentials, default or weak passwords, misconfigurations, and human errors,” says Anand Trivedi, Head of APAC at cyber security services provider CyberProof, a UST company. Cyber attackers usually attempt to go after the weakest link in the chain, normally a human, by launching multiple social engineering attacks, which manipulate an individual into divulging sensitive information, such as passwords, access codes, etc. Phishing is another tactic where bad actors hoodwink users into clicking on malicious links or attachments, which can then be further exploited to infect a system. “The attacker will employ tactics such as phishing, or try to get credentials through brute force attacks to unlawfully access user accounts, so they can access [an employee’s] mobile or hack it, and then impersonate [that individual] to create issues,” says Huzefa Motiwala, Director for Systems Engineering, India and SAARC at Palo Alto Networks. A brute force attack uses trial and error to crack passwords, login credentials and encryption keys.

Another common method used by cyber criminals is exploiting misconfiguration. This refers to improper or inadequate set-up of cloud services, resources and security settings, which occurs when cloud environments are not configured according to security guidelines. Even poorly secured interfaces and APIs provided by cloud service providers can be exploited by cyber criminals to gain unauthorised access and manipulate cloud resources. Denial of service (DoS) attacks are another method, in which malicious attempts are made to disrupt the normal functioning of a computer system, network, or online service by overwhelming it with a large volume of traffic or requests, rendering it inaccessible to users.

Both government and private entities need to be wary of these techniques used by attackers. “Additionally, insider threats and third-party vendors are a critical part of the network today, and must be considered when planning defences,” adds Trivedi of CyberProof.

SECURING THE CLOUD

Enterprises should focus on fundamental security policies and procedures necessary to protect their systems. “To begin with, a configuration management database is imperative, with visibility into who has access to what and whether access is being monitored and audited,” says Anant Adya, EVP of Infosys Cobalt, a services, solutions, and platform within Infosys that helps businesses with their cloud-led transformation. Running vulnerability scans and developing a plan to address those vulnerabilities is also critical, along with identifying end-of-life/end-of-support technologies.

“Another crucial approach is the adoption of a zero-trust model. The model... requires explicit verification of all relevant factors before granting access,” says Ranganath Sadasiva, CTO at enterprise IT solutions provider HPE India. The model involves implementing the principle of least privilege, risk-based authentication built on network segmentation, continuous monitoring for signs of attacks, and active defence mechanisms.

Businesses should also conduct regular security assessments and penetration tests to identify vulnerabilities. “These tests simulate real-world attack scenarios and help organisations identify and remediate weaknesses proactively,” says Monisha Oberoi, Asia Pacific Security Services Leader at IBM Consulting. In addition, maintaining continuous monitoring of cloud environments and leveraging threat intelligence feeds to stay informed about emerging threats and attack techniques also enables proactive threat detection and response, she adds.

Having a robust security framework is advisable. Take, for instance, Tata Communications, which has more than 700 clients spanning large- and mid-market enterprises across sectors. The company has deployed a full-fledged security information and event management solution that automates the complete remediation process. “Our network analytics and intelligence platform analyses 25 million traffic-flow records from around the world every minute. This enables us to proactively detect and prevent approximately 2.6 million threats per day, globally,” says Rajesh Awasthi, VP and Global Head of Managed Hosting and Cloud at Tata Communications. Experts also emphasise the need to keep cloud infrastructure, applications, and systems up to date with the latest security patches to avoid any breach.

IS INDIA PREPARED?

A lack of awareness among enterprises plays an integral role in companies not deploying sufficient security measures for their IT systems. Sundar Balasubramanian, MD of Check Point Software Technologies, India & SAARC says, “Limited awareness, budget constraints, misaligned priorities, trust concerns, and compliance requirements are some potential reasons for companies hesitating to invest in cloud security.” He adds that raising awareness among companies around cloud security risks, offering cost-effective solutions, building trust in service providers, and ensuring compliance with regulations are crucial.

The lack of a data protection law also hampers cloud security. Amit Jaju, Senior MD of Ankura Consulting Group (India) that helps firms mitigate the risks associated with cloud computing, estimates that the “average spending on cloud security in India among large-cap companies, SMEs and start-ups ranges from $1-5 million, $100,000-$1 million, and $50,000-$100,000, respectively.” Jaju adds that it can be difficult for companies to know what they need to do to protect their data when there are no clear regulations and guidelines. “This can lead to complacency and a lack of investment in security measures.”

However, recent advisories by regulators and government agencies have reiterated the need to deploy robust cybersecurity measures and incident response systems for everyone from mainstream organisations to emerging fintech companies, start-ups and SMEs.

Whatever the reasons, it is only by adopting a comprehensive cybersecurity approach that organisations in India can mitigate risks, safeguard sensitive data, and ensure the resilience of their digital infrastructure in the face of an expanding threat landscape. 

@nidhisingal

Published on: Aug 08, 2023, 4:34 PM IST
Posted by: Arnav Das Sharma, Aug 07, 2023, 10:48 AM IST