Luxembourg is not immune when it comes to cyber security. The grand duchy’s anti-cyber risk effort lacks centralisation and does not have a single point of contact, which makes its companies and institutions vulnerable. For hackers and data thieves, it means Luxembourg is attractive. “Luxembourg comes onto the radar because some of the systems that we have are vulnerable,” says one expert.
During the summer holidays, a Russia-linked ransomware group known as BlackCat ALPHV, which also played a role in the major attack against the Colonial pipeline in the US last year, attacked two Luxembourg-based energy companies. BlackCat gained access to the IT network of Encevo, parent firm of electricity and gas infrastructure owner Creos and energy producer Enovos, and stole or made inaccessible more than 150 gigabytes of sensitive client data from Creos, including contracts, passports, bills and emails.
The data theft did not stop the flow of energy to customers, but BlackCat did engage in extortion, threatening to make the data public if the company did not pay a ransom. Encevo, in an update on a dedicated website, said that as a matter of policy and on law enforcement advice it has not paid the ransom, and that it is now analysing data that has since been published on the dark web (aka darknet).
The country’s national commission for data protection (CNPD) reported that it had been notified about 333 data breaches - down from 379 in the previous year. The figures were released in its 2021 annual report (released 14 October).
“It’s not that these groups are attacking you,” explained Koen Maris, an advisory partner at PwC Luxembourg with the title cyber security leader. “They buy access from freelance hackers. There’s a whole business model behind it. And these hackers go for easy targets, because that’s how they can make fast money.”
Luxembourg on hackers’ radar
“Now Luxembourg comes onto the radar, because some of the systems that we have are vulnerable and connected to the internet,” said Maris.
BlackCat ALPHV is well known to the US Federal Bureau of Investigation, which said in March that this group is responsible for some 60 attacks, using a new type of coding language called Rust and a method called “Ransomware-As-A-Service,” or Raas. The group is said to be behind other recent ransomware attacks against German and Italian energy companies.
Cyber risks are well-documented in reports from public authorities. Eiopa, the European Insurance and Occupational Pensions Authority, in July updated its risk dashboard showing that “digitalisation & cyber risks” remain at a high level. It said it expected them to increase over the following year. “The frequency of cyber incidents impacting all sectors of activity, as measured by publicly available data, increased significantly since the same quarter of last year,” said Europe’s pensions authority.
The issue gets plenty of attention on the European Union level. The EU has a cyber security strategy and this month marked its 10th Cyber Security Month. In May, the European Parliament and EU member states reached political agreement on the NIS2 Directive, which contains measures intended to provide a high common level of cyber security across the EU. The EU’s cyber security agency Enisa said in its Threat Landscape 2021 report that “cyber security attacks have continued to increase through the years 2020 and 2010, not only in terms of vectors and numbers but also in terms of their impact.”
‘Closely monitoring’
The European Central Bank, along with Esma and Eiopa – the EU’s two supervisors for financial markets, insurers and pension funds – declared earlier this year that they are “closely monitoring” cyber risks in Europe’s asset management industry. They explained that their moves were due to concerns that the Russia-Ukraine conflict, in which Ukraine is being armed and outfitted by the West, may lead to Russian-backed cyber-attacks on European economic infrastructure.
The latest annual report of Luxembourg’s financial sector regulator CSSF, published in September, includes an extensive section on “digital resilience”, noting that the financial sector has a “growing dependence” on information and communication technologies.
Increased innovation and digitalisation bring both opportunities and risks to the financial sector, said CSSF director Françoise Kauthen. “To ensure the security and the sound functioning of digital finance serving society, it is essential that these ICT risks are properly managed,” she said.
Risks being managed?
How well are cyber risks managed in Luxembourg? The country places second worldwide in Cisco’s 2019 Digital Readiness Index, the highest rank in the EU. However, PwC’s Maris points to a lack of coordination.
“They are doing what they can, but of course, the landscape is very fragmented, for some people it’s even impossible to understand who’s doing what within the government,” he said.
Maris pointed to the proliferation of initiatives in Luxembourg like the cyber security agency securitymadein.lu and the Computer Incident Response Center Luxembourg, known as Circl. These bodies keep company with govcert.lu, the Luxembourg National Cybersecurity Competence Centre, known as NC3, the national cyber security strategy and many others, including the LHoFT cyber security archives. The government has recently renamed and reorganised its lead agency to clarify its role (see sidebar).
“There is no central point addressing all of these issues,” said Maris. “That would definitely help from a country or a governmental perspective to provide some centralisation in order that everybody could know where to go.”
Hopes for something like this for now hang on the EC’s proposal for a regulation called the Digital Operational Resilience Act, or Dora, which proposes a single, harmonised and ambitious regulatory and supervisory framework for the digital resilience of the whole European financial sector.
“At the CSSF, we continue to follow the development of this important text which is expected to come into force before the year end of 2022,” said Kauthen. “Our mission will also be to raise awareness of the Luxembourg financial sector on the arrival of Dora and the need to prepare for it.”
‘Potential investor backlash’
Maris expressed reservations: “Don’t forget Europe might dictate something but it doesn’t always go through all the layers of society, or it takes time before everybody understands.”
“I think we underestimated as well the sheer volume of attacks,” he added.
The FBI last year warned that ransomware attackers may use what it calls “significant financial events” such as bond issues or IPOs to time their activities, pressing victims into a swift payout. “If victims do not pay a ransom quickly, ransomware actors will threaten to disclose this information publicly, causing potential investor backlash,” the FBI has said.
Although the BlackCat/ALPHV group is widely believed to operate from Russia, it cannot be said for sure that it acts on the authority of the Russian government, given that relations between hackers and the Russian state are very muddied. BlackCat in recent months also has attacked defense companies such as Canada’s Simex and NJVC of the U.S.
Luxembourg simplifies cybersecurity ‘ecosystem’
On Monday 17 October, in a step that will reduce the complexity of Luxembourg’s cybersecurity response, the Luxembourg government’s economy ministry rebadged the agency set up to serve as the backbone of Luxembourg’s cyber resilience “ecosystem”. The new Luxembourg House of Cybersecurity, formerly known as Security Made in Lëtzebuerg, was inaugurated. The house will be led by Pascale Steichen as CEO and will have a new headquarters in the city of Luxembourg.
Steichen has explained the change as being clearer and in line with other sectoral promotion and coordination. Luxembourg has several similarly named agencies, such as the Luxembourg House of Financial Technology and the Luxembourg House of Training.
Consolidation of activities
The restructured organisation will also consolidate activities under two specialised agencies: CIRCL, the Computer Incident Response Centre Luxembourg, which will promote information flow and manage cybersecurity incidents, and the National Cybersecurity Competence Centre, or NC3. NC3’s mission will involve coordinating and developing capacity and competence growth in cybersecurity, developing a robust cybersecurity industrial base, directing research efforts and ensuring technical excellence, in the context of rapidly growing data volumes.
Last February, Steichen was elected chair of the governing board of the European Cybersecurity Competence Centre (ECCC), which helps to boost the Luxembourg House of Cybersecurity’s profile.