Interview with Fabien Rech, Vice President EMEA Major Accounts at McAfee

After graduating from university with an engineering degree and starting his career as an IT structures project manager, at 25 years old Fabien Rech decided to create his own company. He and his team developed a computer network company, collaborating with well-known brands, before being bought by Lexsi, a gold standard in cybersecurity (later acquired by Orange). Fabien spent 10 years creating strategic partnerships within the French IT security ecosystem.

Looking for new challenges, Fabien joined McAfee in 2008. He is renowned for his talent and his tenacity. Over the past few years, Fabien has led the French market and, thanks to his positive energy, dynamism and commitment, he has succeeded in achieving double-digit growth and transforming France into a leading country in the EMEA region.

Fabien was appointed Senior Director Southern Europe in 2018 and in January 2020 he became Vice President, expanding his region to Southern Europe, Benelux and Israel. Since the beginning of 2021, Fabien has taken responsibility for European strategic accounts within McAfee.


What do you think was the last major cyber-attack?

Without a doubt the attack against Colonial Pipeline in early May. The company, which manages a large network of oil pipelines in the US, had to temporarily suspend its activity following this attack. The attack caused temporary oil supply problems on the East Coast of the US. The hackers managed to break into the company’s computer network and steal more than 100 gigabytes of data before paralyzing certain computers. The malware responsible for the attack is what is known as ransomware: it encrypts files, rendering them unusable, unless you pay to obtain the decryption key. The amounts demanded, proportionate to the size of the company, can be in the millions of euros.

How did Colonial Pipeline react?

From a technical point of view, they took a number of their systems offline to prevent the virus from spreading. This was an appropriate response under the circumstances. The virus did not affect the systems that manage fuel distribution. They also officially paid 4.4 million dollars to the hackers. This relatively modest amount raises some questions and paying the ransom did not completely resolve the situation: the tool provided by the hackers did not restore the entire computer system.

What do we know about the people behind this attack?

The virus was designed by the DarkSide crime group, which is already well-known after first appearing in the summer of 2020. They use highly sophisticated tools, which proves that they have high-level computer scientists. It operates as a “ransomware as a service”. In other words, it has a network of affiliates from the dark web who rent its malware. It is a powerful, organised group with rules imposed on its users and a real business model, including training! In some ways, it doesn’t work any differently than a legal publisher. On the other hand, with its affiliates, it practices a triple extortion: it steals data, demands a ransom from the victim company, and even extorts third parties. It’s perfectly immoral but extremely effective.

Where does DarkSide operate?

It is believed with a high degree of certainty that it operates from Russian territory, like most criminal groups of the same nature. It does not target companies located in Russia or in the countries of the former USSR. It is obvious that the Russian authorities allow these organisations to carry out their criminal activities as long as they do not target any victims on their own territory. There are probably links, or at least exchanges, between these cybercriminal groups and the Russian services.

So nothing can be done about their actions?

I wouldn’t say that. First of all, it seems that some unknown services have counter-attacked by taking control of DarkSide’s servers and taking over its bitcoin fund. Unless it was the “leaders” of DarkSide who decided to scupper themselves before they ran into problems. In any case, they have implicated one of their affiliates in the operation against Colonial Pipeline, proving that they do not approve of this attack, which is far too visible in their eyes and exposes them unreasonably. They and other cybercriminals are now seeking to keep a low profile. This does not mean that cybercrime activity will become less virulent. Unfortunately, ransomware still has a long way to go.

But can companies protect themselves against this malware?

They can and they should! Their survival may depend on it. Of course, they still have the option of paying the ransom. Unfortunately, this does not guarantee that everything will return to normal: 22% of victim organisations that paid the requested amount never received the decryption keys! On the other hand, it is a sure way for these groups to prosper, expand and gain power. This is not the right solution. The best solution is to make these attacks ineffective, or at least limited. Of course, no protection is 100% certain. But they can often limit the damage. It is therefore essential that companies, but also administrations, hospitals, associations, etc., protect themselves with the range of tools at their disposal.

Is the awareness of cyber risk finally there?

There has been significant progress: large companies have been alerted, although it would probably be better to raise awareness among boards of directors. But there is still a lot of negligence. We need to instil a real culture of cybersecurity, especially among employees, with the risks associated with phishing. In France, with the ANSSI, we have a competent and reactive authority. But the ANSSI cannot do everything. Upstream, we need to protect ourselves effectively, to equip ourselves with surveillance tools, in particular with EDRs, a technology that can detect suspicious logins. At the same time, you have to set up precise procedures in case of an attack, and train regularly to avoid any loopholes. In short, a crisis management plan must be defined. Downstream, restarting an attacked computer network requires competent professionals. Companies need constant support, and this requires budgets that are commensurate with their needs. In terms of relations between States, creating an international law on cybercrime, which does not exist today, is definitely needed. The fight against these criminal groups must be carried out at all levels, and requires the cooperation of all. The stakes are high for our economic and democratic life.


Interview by Julien Malbreil, partner at Antidox