Cyberattack: no science-fiction, but reality in Belgium (Intersentia)

Author: Intersentia

Publication date: 01/07/2019

On June 15, 2019 ASCO Industries has broken its silence regarding the cyberattack saying it has been hit with ransomware and has shut down activities at its facilities in Belgium, Canada, the United States and Germany.

Information technology: new opportunities for, and vulnerabilities to, crime

Information technology has been offering unprecedented opportunities to the Belgian society and economy, but it also created new opportunities for, and vulnerabilities to, crime.

Cybercrime can cause serious harm to individual and corporate internet users and compromise communication, e-commerce, financial and other services that rely on digital information and infrastructure.

Five types of cybercrime might target businesses

1. Illegal access to IT systems

Illegal access to an IT system can be achieved in many different ways, for example through the use of hackertools, such as exploit kits, Trojan horses,

backdoors, password sniffers and the like. In addition, cybercriminals can also avail themselves of specific techniques in order to “socially engineer” log-in information out of unsuspecting users. Supporting techniques include (spear)phishing, password guessing or even checking discarded documents retrieved from the waste disposal The Council of Europe’s 2001 Convention also compels the parties to criminalize acts of legitimate users of the IT system (e.g., employees, hired consultants etc.) who exceed their access privileges, considering them as instances of illegal access. This obligation has, for example, been introduced in Belgian Penal Code with Art. 550bis.

2. Cyber espionage

Cyber espionage presupposes illegal access to an IT system, regardless of the technique employed. The close link between the two types was also acknowledged by the Belgian criminal (cyber) act of 2000: the Belgian legislator, in fact, has criminalized this off ence, by simply adding an extra paragraph (art. 550bis, §3, of the Belgian Penal Code) to the article concerning illegal access to an IT system. When the espionage attempt is successful, this results in the theft of confidential and protected information that for one reason or another is important for the business.

3. Data or system interference

This can be achieved through a myriad of specific techniques (e.g., viruses, worms, cryptoware, (D)Dos-attacks performed by botnets etc, but can be classified under two broad categories: data interference and system interference.

Both categories are criminalized under Belgian IT law by means of an article referring to the offence of IT sabotage (art. 550ter of the Belgian Penal Code).

In practice, most interferences are provoked by malware infections, but they can also result from malicious actions of persons or groups that first gained illegal access to the IT system.

Data interferences are mainly caused by attacks or by spamming. In both cases, the IT system becomes overloaded by the massive quantity of data (requests) sent.

In the case of data interferences, the negative impact can vary heavily depending on both their intensity and duration.

4. Cyber extortion

Over the last few years, the number of companies victimized by ransomware has been on the rise drastically. A system can become infected with this type of “crimeware” through multiple techniques, ranging from infected email attachments or links to other types of malware. The malware encrypts data stored in the IT system, making the data (or even the entire system) inaccessible or unusable to authorized users.

Recovery from this kind of infections is by and large not possible, since the data can only be “freed” when the user enters a cryptographic key that only can be obtained via the cybercriminal responsible for the infection.

According to some sources ransomware-campaigns have become a very lucrative form of cybercrime, not only because of their low cost and the low detection rate, but also because the extortionists can vary the ransom depending on the importance of the data for the business.

In addition to the demand for a ransom, two other types of extortion are also prevalent in cyberspace. First, cybercriminals may (attempt to) extract “hush money” from businesses. This may happen after the business in question has become the victim of a data breach and the extortionists subsequently threaten to make the stolen data public. Second, businesses may receive requests to pay protection money. These forms of cybercrime show great resemblance with the more classic forms of extortion that are performed in the offline world.

Therefore, they can be regarded as instances of computer-assisted crime that can be prosecuted by means of the ordinary criminal law (e.g., in Belgium, art. 470 Penal Code).

5. Internet fraud

Internet fraud, is also a computer-assisted crime and conceptualized in terms of three specific types of fraud affecting businesses, namely: fraud with internet banking, advance fee fraud and consumer fraud.

The first subtype of fraud exemplifies computer-related fraud as defined in the Council of Europe’s Convention, as it is a special case of fraud committed through “any input, alteration, deletion or suppression of computer data”. It can also be prosecuted under Belgian IT law by means of the article referring to computer fraud (i.e., art. 504quater of the Belgian Penal Code). The other two are covered by the traditional offence of fraud in national criminal laws (e.g., in Belgium, art. 496 Penal Code). Advance fee fraud typically involves promising the victim a large sum of money in return for a small up-front payment; if a victim makes the payment, the fraudster either invents a series of further fees for the victim, or simply disappears. Consumer fraud occurs when certain commodities or services are purchased and paid online but are either never delivered or are of a lower quality than the advertisement postulated.

‘The impact of cybercrime on Belgian businesses’

The book ‘The impact of cybercrime on Belgian businesses’ consists of an enhanced publication of the results of two survey waves amongst Belgium-based businesses carried out by researchers of the Leuven Institute of Criminology (LINC).

Authors: Letizia Paoli, Jonas Visschers, Cedric Verstraete, Elke van Hellemont

KU Leuven Centre for IT & IP Law Series

November 2018

Hardback €55

ISBN 9781780687735