Within hours of a shooting at the U.S. Naval Air Station in Pensacola, Florida, last Friday, hackers hit the City of Pensacola with a ransomware attack.
Is there a link between the two?
The fact that it was a member of the Saudi military who shot and killed American sailors increases the likelihood that it is linked in some way.
Security researcher: link between world events and cyber attacks
Security researcher and data scientist Kenneth Geers is fascinating to talk to. He spent 20 years as an intelligence analyst for government agencies such as the NSA, NCIS, and NATO.
We were in the middle of a networking time at a SecureWorld conference when I interviewed him about a topic he's been researching for years.
There is a link, he says, between headline grabbing events in the physical world and the attacks coming at us from the cyber world.
"One of the first things you should know, for your organization or enterprise—if there is something happening in your city or state, or an election or military tension between your country and another, there will be malware that is on the rise within your space. I can promise you that."
Florida shooting and ransomware attack tensions, timeline
Geer's comments seem almost eerie now, given what just transpired in Pensacola, Florida.
The timeline goes like this:
- 7 a.m. on December 6, "Active Shooter" at Naval Air Station Pensacola:
Mohammed Alshamrani, a 21-year-old Second Lieutenant in the Royal Saudi Air Force, shot and killed three U.S. sailors: Ensign Joshua Kaleb Watson, age 23; Airman Mohammed Sameh Haitham, age 19; and Airman Apprentice Cameron Scott Walters, age 21. - 8:34 a.m. on December 6, word gets out that the shooter is from Saudi Arabia. Here's one example:
Social media around the world immediately lit up on this shooting: was it a terrorist attack? As Friday went on, news of his reportedly anti-American tweets and possible manifesto hit social media.
And hours later, the City of Pensacola was hit:
- 1:45 a.m. on December 7: ransomware attack begins at City of Pensacola
Physical world and cyberattacks: the link
The FBI tweeted this week it is looking for a possible link between the physical attack and the cyberattack as the investigation unfolds. So far, it has not discovered one.
Regardless of whether it finds any specific link, we can be reasonably sure that businesses, governments, and organizations in Pensacola have been inundated with cyber attacks in the last few days.
That is based on years of work by research scientist Kenneth Geers.
"Malware is super dynamic, it is changing all the time, but it is a reflection of human affairs. Everyone is connected for everything, to everything online. That's where the good guys are and the bad guys are—everybody."
During his time as Chief Research Scientist at a cybersecurity company, he was able to analyze spikes in cyberattacks against his company's customers which are located in nearly every country on the planet.
He said he noticed these sudden spikes in computer malware attacks (ransomware is one of many forms) that appeared out of the blue and were focused on one region or city.
"More sophisticated attacks are probably somewhat unique: by sector, by country, look at Saudi Arabia, Israel, Turkey, France. They really do have unique threat actors, types, families for political, technological, and socioeconomic reasons.
For me, this is really fascinating. I love to look across the planet and see what's new, see what's hot. And now with cool tools to slice and dice Big Data, you can see the spikes you need to look into."
Geopolitical events lead to cyberattack increase
For example, he told me, malware attacks spiked against North Korea after Trump labeled that country's leader "Rocket Man" and blasted him in appearances.
"I usually drop malware detections for countries on timelines and just look at where the spikes are. Was there something like an election or political violence? And there usually is.
In the case of North Korea, I dropped it on a timeline and then there was one huge spike in the middle of the year and literally, it was the day after Donald Trump was at the UN threatening to destroy North Korea.
Then I dug deeper and looked at the most serious types of malware on that map and I put them all together, and one of the things I found is that the single highest day for malware detection in North Korea was the very day that Donald Trump was in South Korea. Those are not coincidences."
[RELATED: Trump-Kim Handshake and a Spike in Cyber Attacks]
In fact, he believes his research shows that a surge in cyberattacks is not random:
"In other words, you can see, you can prove, actually, that big geopolitical events attract malware like magnets."
Perhaps that is what happened to the City of Pensacola or other organizations that may be under attack—even if no one finds a direct link between the crimes.
[RELATED: Florida, the Ransomware State]
