[BreachExchange] Taking the ‘cyber’ out of cyberattacks: Why hackers are going after physical infrastructure

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Fri Jun 4 16:59:12 EDT 2021


https://kesq.com/money/2021/06/03/taking-the-cyber-out-of-cyberattacks-why-hackers-are-going-after-physical-infrastructure/

A major gas pipeline. Dozens of government agencies. A Florida city’s water
supply. And now, one of the world’s top meat producers.

The last few months have seen a sharp rise in cyberattacks, often
disrupting products and services that are key to our everyday lives. Many
of those attacks have used ransomware, malicious software that, once the
attackers have gained access to a victim’s computer systems, encrypts or
locks them until the victim pays.

Ransomware is not new. But there is a growing trend of hackers targeting
critical infrastructure and physical business operations, which makes the
attacks more lucrative for bad actors and more devastating for victims. And
with the rise of remote work during the pandemic, significant
vulnerabilities have been revealed that only make it easier to carry out
such attacks.

The US Department of Justice in April created a ransomware task force,
after declaring 2020 the “worst year ever” for extortion-related
cyberattacks. The issue only seems to be getting worse: The first half of
2021 has already seen a 102% increase in ransomware attacks compared to the
beginning of last year, according to a report from cybersecurity firm Check
Point Software. That doesn’t even factor in the most recent events,
including the announcement Wednesday from a ferry operator in Martha’s
Vineyard, Cape Cod and Nantucket that it was hit by a ransomware attack.

The US government is now ratcheting up efforts to address the threat of
ransomware, but experts warn that without significant cooperation and
investment from the private sector, these attacks are likely here to stay.

Bigger targets, better returns

Many people think of cyberattacks as just that: an attempt by hackers to
steal sensitive data or money online. But now hackers have found a
significant moneymaker in targeting physical infrastructure.

These attacks have potential to spark mayhem in people’s lives, leading to
product shortages, higher prices and more. The greater the disruption, the
greater the likelihood that companies will pay to alleviate it.

“If you’re a ransomware actor, your goal is to inflict as much pain as
possible to compel these companies to pay you,” said Katell Thielemann,
Gartner’s vice president analyst for security and risk management. “This is
beyond cybersecurity only, this is now a cyber-physical event where actual,
physical-world processes get halted. When you can target companies in those
environments, clearly that’s where the most pain is felt because that’s
where they make money.”

Multiple recent ransomware attacks have originated from Russia, according
to US officials. On Wednesday, the FBI attributed the attack on meat
producer JBS to a Russia-based cybercriminal group called REvil, which also
tried to extort Apple supplier Quanta Computer earlier this year. REvil is
similar to DarkSide, the group US officials said was behind the ransomware
attack that shut down the Colonial Pipeline last month.

Experts say both REvil and DarkSide operate what are essentially
“ransomware-as-a-service” businesses, often employing large staffs to
create tools to help others execute ransomware attacks, and taking a cut of
the profits. In some cases, they also carry out their own attacks. Russian
law enforcement typically leaves such groups operating within the country
alone if their targets are elsewhere, because they bring money into the
country, cybersecurity experts say.

JBS has not said whether it paid any ransom to the attackers, but Colonial
Pipeline’s CEO admitted to paying $4.4 million in ransom to resume its
operations. Experts typically advise against paying ransoms, to avoid
funding the criminal groups that impose them, but companies sometimes have
little choice if they want to get back up and running.

The list of potential targets is long. The US government’s Cybersecurity
and Infrastructure Security Agency (CISA) lists 16 different industries as
“critical infrastructure sectors,” including energy, healthcare, financial
services, water, transportation, and food and agriculture, the compromise
of which could have a “debilitating effect” on the US economy and security.
But experts say much of this infrastructure is aging, and its cyber
defenses haven’t kept up with the evolution of bad actors.

To make matters worse, many companies in those industries haven’t
historically thought of themselves as tech companies, meaning their systems
may be less sophisticated and easier to compromise, according to Mark
Ostrowski, head of engineering at Check Point.

“So hospitals, their business is to save lives; meat and poultry is to
produce goods and services; pipelines are to create gas exchange or oil
exchange,” he said. “Those certain industries also may be targeted because
maybe they’re behind in their [software] patching, maybe their cyber
program is not quite what it needs to be.”

This has become increasingly true in recent years. As technology has
evolved, more physical infrastructure has been embedded with connected
devices that link it with a company’s larger network. Even if a hacker
enters a company’s network through its email system, for example, they
could have the opportunity to wreak havoc on the machines in its production
facilities or other areas of the business.

“The world is becoming more connected” and we should expect the risks “to
multiply across all of these industries,” Thielemann said.

How the pandemic made things worse

It’s not a coincidence that ransomware has spiked during the pandemic.

The health crisis is a perfect storm, with millions of people shifting to
remote work almost overnight — including workers who may have access to
critical infrastructure systems — and ransomware that can be deployed
simply by clicking a link in an email.

“Critical infrastructure was always designed to have the control systems
isolated and physically separate from the corporate network and the
internet,” said Eric Cole, a former cybersecurity commissioner to the Obama
administration and author of the new book “Cyber Crisis.”

“Initially for automation and accelerated by the pandemic, these systems
are now connected to the internet. … The known vulnerabilities make them an
easy target,” Cole added.

The pandemic also made certain targets more attractive, as hackers sought
opportunities to profit by attacking crucial services.

In particular, hospital systems and other health providers frequently came
under attack even as they struggled to deal with the strain of Covid-19 —
leaving them little time to respond and update defenses. An analysis by
CISA between March and November 2020 showed that 49% of healthcare
providers it surveyed had “risky ports and services” and 58% of them were
using software versions vulnerable to attack.

An analysis by cybersecurity firm Emsisoft published in January showed that
as many as 560 healthcare facilities were hit by ransomware last year. More
than 1,500 schools and 113 government agencies were also impacted, the firm
said.

The targeting of healthcare facilities appears to predate the pandemic —
Emsisoft’s previous research showed that 764 healthcare providers suffered
ransomware attacks in 2019, though overall attacks tracked by the firm went
up in 2020.

What needs to be done

Companies, organizations and agencies will now need to work as quickly as
possible to plug potential gaps in their systems, updating software and
ensuring that their most critical functions are sufficiently insulated from
cyberattacks.

President Joe Biden last month signed an executive order requiring
companies doing work for the government to improve their cybersecurity
practices — stipulations that Congress could expand to other private firms
underpinning infrastructure and other critical levers of the US economy. On
Wednesday, following the JBS and ferry attacks, White House press secretary
Jen Psaki said the administration is also “building an international
coalition to hold countries who harbor ransom actors accountable.”

On Thursday, the White House issued an open letter urging companies to
treat the threat of ransomware attacks with greater urgency, saying
companies that “view ransomware as a threat to their core business
operations rather than a simple risk of data theft will react and recover
more effectively.”

“Every company needs to be able to heighten this and become preventative
because these attacks are weapons-grade. They’re not just casual attacks,”
Ostrowski said.

For companies, the easiest fix is to keep the most vital infrastructure
functions off the web — and to keep any online systems up to date with
software patches, Cole said.

And while systems-level upgrades or overhauls may sometimes be necessary,
Ostrowski said the risk often comes down to individual behavior. Most
ransomware is distributed through phishing attacks, where users are tricked
into clicking a link in an email, giving the hackers broad access to their
system.

“It’s actually very simple. As a cybersecurity community we’ve been trying
to solve the email problem for decades,” he said. “It’s about solving and
preventing phishing attacks, number one, and that will lead to
anti-ransomware technologies.”

In many cases, companies in healthcare, food or energy have few, if any,
executives or board members with the technical background or know-how
needed to help mitigate cyber risks, something that also needs to change as
bad actors become increasingly sophisticated.

“I think the industries expect this number of attacks to continue to
increase,” Ostrowski said. “If anything, what this has highlighted is how
important our supply chains are.”