Ransomware with the wrong mask

The Column – Cyber Security Week

The attack apparently started from Microsoft Teams: the attackers contacted employees, initiated screen shares, collected credentials and manipulated multi-factor authentication. Once inside, they used legitimate remote access tools, reached critical systems and only then installed malicious components. Up to this point the scene looked like the usual ransomware playbook: data theft, threats, extortion, publication on the criminals’ leak portal. However, according to Rapid7 and BleepingComputer, a well-known cybersecurity company and an online newspaper respectively, this operation, which seemed attributable to the Chaos ransomware group, instead shows clues compatible with MuddyWater, an Iranian group sponsored by the Tehran government and specialized in espionage. The attribution is not certain, but it is stated with moderate confidence.

If that is the case, the story changes its nature. Rather than a criminal operation to collect a ransom, the attack becomes a campaign of espionage, persistence and positioning inside the victim’s systems. The lesson for those who do not live by logs, alerts and acronyms is simple: ransomware is no longer just a criminal model for making money, but a diversion. This is the real transformation. In cyberspace, the fight is not only to get into systems, but also to decide what story the attack will tell. If it looks like common crime, geopolitical attribution becomes harder. If everyone is looking at the ransom note, nobody is looking for the persistence. If the incident is read as a theft, there is a risk of not recognizing a reconnaissance. It is a form of narrative warfare applied to cybersecurity. It is not enough to breach a network: you need to offer the defender a convenient, plausible and preferably wrong explanation. Ultimately, we are biologically ill-equipped for this world beyond the screen. In the physical world a mask arouses suspicion; in the digital one, it often reassures us because it offers us a ready-made category.

This story shows that the distinction between cybercrime and state operations is becoming increasingly blurred. Not because they are the same thing, but because state actors can borrow the tools, rituals and brands of cybercrime. The consequence is that, from now on, an affected organization cannot simply ask “how much do they want in ransom?”; it must also ask “why do they want us to think that this is the problem?”.